SCIENTIFIC-LINUX-USERS Archives

August 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Nathan Moore <[log in to unmask]>
Reply To: Nathan Moore <[log in to unmask]>
Date: Sat, 8 Aug 2015 16:04:20 -0500
Content-Type: multipart/alternative
Parts/Attachments: text/plain (5 kB), text/html (7 kB)

I'm using NIS (or have been at least) because I'm not a full-time
sysadmin.  The cluster (~5 machines) is only used for teaching, it's behind
a firewall, and there's nothing important stored on it.  NIS was the
easiest thing that allowed for shared home directories & logins at the time
(without spending two weeks learning LDAP...)

Is LDAP easy to configure?

On Sat, Aug 8, 2015 at 3:23 PM, Nico Kadel-Garcia <[log in to unmask]> wrote:

> I've got to ask: in this day and age, why are you using ypbind? I know
> it can be a lot lighter weight than a Kerberos/LDAP combination, but
> Samba 4.2 is available for full-blown Windows Active Directory
> replacement, if you apply my published patches to activate the full
> domain controller services in Scientific Linux 7. And that can provide
> full blown DNS, full-blown host registration for specific services,
> full account and group management with far more sophistication than
> NIS, and includes Kerberos components to support genuine
> single-sign-on account authentication.
>
> So, why are you using NIS?
>
> On Sat, Aug 8, 2015 at 2:58 PM, Vladimir Mosgalin
> <[log in to unmask]> wrote:
> > Hi Nathan Moore!
> >
> >  On 2015.08.08 at 12:45:44 -0500, Nathan Moore wrote next:
> >
> >> I took the easy way out and disabled selinux.  So far so good with the NIS
> >> server, however the client nodes still don't work.  See below
> >
> > Just for ypbind, I hope!
> >
> >> I'm not sure I understand the audit2allow command,
> >>
> >> [root@toulouse ~]# grep ypbind /var/log/audit/audit.log | audit2allow
> >> unable to open (null):  Bad address
> >
> > If grep doesn't output any lines, you probably aren't running auditd.
> > In that case you can find AVC messages in some other log file (I think).
> > It's best to keep it up and running, though.
> > You can always switch back ypbind policy to "enforcing" and run it as a
> > service once more to generate AVC message again. And feed it to
> > audit2allow.
> >
> > If the problem is with something else, well.. Not sure. You can just
> > post grep output, there will be few long lines; it's not a problem to
> > run audit2allow on these lines after that.
> >
> >> On the client node
> >>
> >> [root@toulouse ~]# rpcinfo -p localhost
> >>    program vers proto   port  service
> >>     100000    4   tcp    111  portmapper
> >>     100000    3   tcp    111  portmapper
> >>     100000    2   tcp    111  portmapper
> >>     100000    4   udp    111  portmapper
> >>     100000    3   udp    111  portmapper
> >>     100000    2   udp    111  portmapper
> >> [root@toulouse ~]# systemctl enable ypbind
> >> [root@toulouse ~]# systemctl start ypbind
> >> Job for ypbind.service failed. See 'systemctl status ypbind.service' and 'journalctl -xn' for details.
> >>
> >> [root@toulouse ~]# systemctl -l status ypbind.service
> >> ypbind.service - NIS/YP (Network Information Service) Clients to NIS Domain Binder
> >>    Loaded: loaded (/usr/lib/systemd/system/ypbind.service; enabled)
> >>    Active: failed (Result: exit-code) since Sat 2015-08-08 12:25:54 CDT; 1min 23s ago
> >>   Process: 4531 ExecStartPost=/usr/libexec/ypbind-post-waitbind (code=exited, status=1/FAILURE)
> >>   Process: 4527 ExecStart=/usr/sbin/ypbind -n $OTHER_YPBIND_OPTS (code=exited, status=0/SUCCESS)
> >>   Process: 4524 ExecStartPre=/usr/sbin/setsebool allow_ypbind=1 (code=exited, status=1/FAILURE)
> >>   Process: 4519 ExecStartPre=/usr/libexec/ypbind-pre-setdomain (code=exited, status=0/SUCCESS)
> >>  Main PID: 4527 (code=exited, status=0/SUCCESS)
> >>    Status: "Processing requests..."
> >>
> >> Aug 08 12:25:09 toulouse setsebool[4524]: setsebool:  SELinux is disabled.
> >> Aug 08 12:25:54 toulouse systemd[1]: ypbind.service: control process exited, code=exited status=1
> >> Aug 08 12:25:54 toulouse systemd[1]: Failed to start NIS/YP (Network Information Service) Clients to NIS Domain Binder.
> >> Aug 08 12:25:54 toulouse systemd[1]: Unit ypbind.service entered failed state.
> >>
> >> [root@toulouse ~]# journalctl -xn
> >> -- Logs begin at Sat 2015-08-08 10:58:14 CDT, end at Sat 2015-08-08 12:25:54 CDT. --
> >> Aug 08 12:25:09 toulouse systemd[1]: Starting NIS/YP (Network Information Service) Clients to NIS Domain Binder...
> >> -- Subject: Unit ypbind.service has begun with start-up
> >> -- Defined-By: systemd
> >> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> >> --
> >> -- Unit ypbind.service has begun starting up.
> >> Aug 08 12:25:09 toulouse setsebool[4524]: setsebool:  SELinux is disabled.
> >> Aug 08 12:25:09 toulouse ypbind[4532]: Binding NIS service
> >> Aug 08 12:25:54 toulouse ypbind[4615]: Binding took 45 seconds
> >> Aug 08 12:25:54 toulouse ypbind[4617]: NIS server for domain natural_philosophy is not responding.
> >> Aug 08 12:25:54 toulouse ypbind[4618]: Killing ypbind with PID 4527.
> >> Aug 08 12:25:54 toulouse ypbind[4619]: Try increase NISTIMEOUT in
> >
> > You can always run ypbind on client under strace to see what REALLY goes
> > wrong, but before heavy artillery - why not just check firewall settings
> > on server? Run rpcinfo -p <server hostname> on client; if it doesn't
> > work, then port 111 (TCP/UDP, you need both) is closed on server. If it
> > does work, check that ypbind/ypserv/etc ports that it shows are open.
> >
> > You probably know that securing NIS with firewall requires binding its
> > ports to fixed values first, if you need to go that route.
> >
> > --
> >
> > Vladimir
>



-- 
- - - - - - -   - - - - - - -   - - - - - - -
Nathan Moore
Mississippi River and 44th Parallel
- - - - - - -   - - - - - - -   - - - - - - -
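
The check suggested in the quoted reply (run `rpcinfo -p` against the server from the client, confirm port 111 answers on both TCP and UDP, then look at the ypserv ports it lists), as an added example that is not part of the original thread. The function name `nis_rpc_report`, the sample listing and its ports 944/945 are constructed for illustration; the RPC program numbers 100000 (portmapper) and 100004 (ypserv) are the standard assignments.

```shell
#!/bin/sh
# Added example (not from the thread): read `rpcinfo -p <server>` output and
# report which registrations a NIS client needs are missing, plus the
# proto/port pairs a firewall in front of the server has to allow.

# Constructed sample of server output; ports 944/945 are made-up values.
SAMPLE_SERVER='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100004    2   udp    944  ypserv
    100004    1   udp    944  ypserv
    100004    2   tcp    945  ypserv'

# Usage: rpcinfo -p <server hostname> | nis_rpc_report
# Prints "MISSING <service> over <proto>" and "ALLOW <proto>/<port> <service>".
# Returns 0 only if portmapper and ypserv are registered on both tcp and udp.
# Empty input (rpcinfo could not reach port 111) reports everything missing.
nis_rpc_report() {
    awk '
        $1 !~ /^[0-9]+$/ { next }            # skip the header and blank lines
        {
            seen[$1 "/" $3] = 1              # program number / protocol
            key = $3 "/" $4                  # protocol / port
            if (!(key in port)) {            # one line per port, not per version
                port[key] = 1
                allow = allow "ALLOW " key " " $5 "\n"
            }
        }
        END {
            rc = 0
            np = split("100000:portmapper 100004:ypserv", need, " ")
            nq = split("tcp udp", proto, " ")
            for (i = 1; i <= np; i++) {
                split(need[i], f, ":")
                for (j = 1; j <= nq; j++) {
                    k = f[1] "/" proto[j]
                    if (!(k in seen)) {
                        print "MISSING " f[2] " over " proto[j]
                        rc = 1
                    }
                }
            }
            printf "%s", allow
            exit rc
        }'
}

# Demo on the constructed sample: four ALLOW lines, exit status 0.
printf '%s\n' "$SAMPLE_SERVER" | nis_rpc_report
```

The ALLOW lines only stay valid across restarts once the NIS daemons are bound to fixed ports, as the quoted reply notes.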

