SCIENTIFIC-LINUX-USERS Archives

August 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Vladimir Mosgalin <[log in to unmask]>
Reply To: Vladimir Mosgalin <[log in to unmask]>
Date: Sat, 8 Aug 2015 21:58:53 +0300
Content-Type: text/plain
Parts/Attachments: text/plain (96 lines)
Hi Nathan Moore!

 On 2015.08.08 at 12:45:44 -0500, Nathan Moore wrote next:

> I took the easy way out and disabled selinux.  So far so good with the NIS
> server, however the client nodes still don't work.  See below

Just for ypbind, I hope!

> I'm not sure I understand the audit2allow command,
> 
> [root@toulouse ~]# grep ypbind /var/log/audit/audit.log | audit2allow
> unable to open (null):  Bad address

If grep doesn't output any lines, you probably aren't running auditd.
In that case you can find AVC messages in some other log file (I think).
It's best to keep it up and running, though.
You can always switch the ypbind policy back to "enforcing" and run it as a
service once more to generate the AVC message again. And feed it to
audit2allow.

If the problem is with something else, well.. Not sure. You can just
post grep output, there will be few long lines; it's not a problem to
run audit2allow on these lines after that.

> On the client node
> 
> [root@toulouse ~]# rpcinfo -p localhost
>    program vers proto   port  service
>     100000    4   tcp    111  portmapper
>     100000    3   tcp    111  portmapper
>     100000    2   tcp    111  portmapper
>     100000    4   udp    111  portmapper
>     100000    3   udp    111  portmapper
>     100000    2   udp    111  portmapper
> [root@toulouse ~]# systemctl enable ypbind
> [root@toulouse ~]# systemctl start ypbind
> Job for ypbind.service failed. See 'systemctl status ypbind.service' and
> 'journalctl -xn' for details.
> 
> [root@toulouse ~]# systemctl -l status ypbind.service
> ypbind.service - NIS/YP (Network Information Service) Clients to NIS Domain
> Binder
>    Loaded: loaded (/usr/lib/systemd/system/ypbind.service; enabled)
>    Active: failed (Result: exit-code) since Sat 2015-08-08 12:25:54 CDT;
> 1min 23s ago
>   Process: 4531 ExecStartPost=/usr/libexec/ypbind-post-waitbind
> (code=exited, status=1/FAILURE)
>   Process: 4527 ExecStart=/usr/sbin/ypbind -n $OTHER_YPBIND_OPTS
> (code=exited, status=0/SUCCESS)
>   Process: 4524 ExecStartPre=/usr/sbin/setsebool allow_ypbind=1
> (code=exited, status=1/FAILURE)
>   Process: 4519 ExecStartPre=/usr/libexec/ypbind-pre-setdomain
> (code=exited, status=0/SUCCESS)
>  Main PID: 4527 (code=exited, status=0/SUCCESS)
>    Status: "Processing requests..."
> 
> Aug 08 12:25:09 toulouse setsebool[4524]: setsebool:  SELinux is disabled.
> Aug 08 12:25:54 toulouse systemd[1]: ypbind.service: control process
> exited, code=exited status=1
> Aug 08 12:25:54 toulouse systemd[1]: Failed to start NIS/YP (Network
> Information Service) Clients to NIS Domain Binder.
> Aug 08 12:25:54 toulouse systemd[1]: Unit ypbind.service entered failed
> state.
> 
> [root@toulouse ~]# journalctl -xn
> -- Logs begin at Sat 2015-08-08 10:58:14 CDT, end at Sat 2015-08-08
> 12:25:54 CDT. --
> Aug 08 12:25:09 toulouse systemd[1]: Starting NIS/YP (Network Information
> Service) Clients to NIS Domain Binder...
> -- Subject: Unit ypbind.service has begun with start-up
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit ypbind.service has begun starting up.
> Aug 08 12:25:09 toulouse setsebool[4524]: setsebool:  SELinux is disabled.
> Aug 08 12:25:09 toulouse ypbind[4532]: Binding NIS service
> Aug 08 12:25:54 toulouse ypbind[4615]: Binding took 45 seconds
> Aug 08 12:25:54 toulouse ypbind[4617]: NIS server for domain
> natural_philosophy is not responding.
> Aug 08 12:25:54 toulouse ypbind[4618]: Killing ypbind with PID 4527.
> Aug 08 12:25:54 toulouse ypbind[4619]: Try increase NISTIMEOUT in

You can always run ypbind on client under strace to see what REALLY goes
wrong, but before heavy artillery - why not just check firewall settings
on server? Run rpcinfo -p <server hostname> on client; if it doesn't
work, then port 111 (TCP/UDP, you need both) is closed on server. If it
does work, check that ypbind/ypserv/etc ports that it shows are open.

You probably know that securing NIS with firewall requires binding its
ports to fixed values first, if you need to go that route.

-- 

Vladimir
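Added example, not code from the thread or from the ypbind/ypserv projects: a small POSIX sh helper for the two checks Vladimir describes above, namely pulling the SELinux AVC denials for ypbind out of audit.log before handing them to audit2allow (an empty result is the sign that auditd is not running), and turning `rpcinfo -p <server>` output into the list of ports the server firewall has to allow. The audit.log excerpt and the rpcinfo output below are constructed for the example, and the `NIS_SERVER` variable, the `/tmp/rpcinfo.$$` scratch file and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): ypbind AVC extraction and NIS port listing.

# Constructed audit.log excerpt: one non-AVC record, one AVC denial for ypbind,
# one AVC denial for an unrelated process. Not captured from the thread's hosts.
SAMPLE_AUDIT=$(cat <<'EOF'
type=SERVICE_START msg=audit(1439054709.100:200): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=ypbind comm="systemd" exe="/usr/lib/systemd/systemd" res=failed'
type=AVC msg=audit(1439054709.200:201): avc:  denied  { name_bind } for  pid=4527 comm="ypbind" src=836 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1439054709.300:202): avc:  denied  { read } for  pid=4600 comm="sshd" name="passwd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
)

# Constructed `rpcinfo -p nisserver` output: portmapper plus a NIS server's
# registrations (ypserv, yppasswdd, fypxfrd on arbitrary dynamic ports).
SAMPLE_RPCINFO=$(cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    836  ypserv
    100004    1   udp    836  ypserv
    100004    2   tcp    837  ypserv
    100004    1   tcp    837  ypserv
    100009    1   udp    838  yppasswdd
 600100069    1   udp    839  fypxfrd
 600100069    1   tcp    840  fypxfrd
EOF
)

# ypbind_avc: read audit.log text on stdin, keep only AVC records whose
# denied process is ypbind. This is the input audit2allow needs; a live
# audit.log that yields nothing here usually means auditd is not running.
ypbind_avc() {
    grep '^type=AVC ' | grep 'comm="ypbind"'
}

# nis_ports: read `rpcinfo -p` text on stdin and print "service proto port"
# for every non-portmapper registration, one line per distinct triple
# (several program versions share one port, so duplicates are collapsed).
nis_ports() {
    awk 'NR > 1 && $5 != "portmapper" { print $5, $3, $4 }' | sort -u
}

# firewall_hint: the port/proto pairs a server firewall must allow for NIS:
# 111 on both tcp and udp for the portmapper, then every registered NIS port.
firewall_hint() {
    printf '111/tcp\n111/udp\n'
    nis_ports | awk '{ print $3 "/" $2 }' | sort -u
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_AUDIT" | ypbind_avc
printf '%s\n' "$SAMPLE_RPCINFO" | firewall_hint

# Live use on a client, only when NIS_SERVER is set so the file is safe to run as-is:
#   NIS_SERVER=nisserver sh nischeck.sh
# A failing `rpcinfo -p <server>` means port 111 (tcp and udp) is blocked or
# rpcbind is down on the server; a working one lists the ports to open next.
if [ -n "${NIS_SERVER:-}" ]; then
    if rpcinfo -p "$NIS_SERVER" > "/tmp/rpcinfo.$$" 2>/dev/null; then
        echo "portmapper on $NIS_SERVER reachable; ports the server firewall must allow:"
        firewall_hint < "/tmp/rpcinfo.$$"
    else
        echo "rpcinfo -p $NIS_SERVER failed: port 111 (tcp and udp) is blocked or rpcbind is down"
    fi
    rm -f "/tmp/rpcinfo.$$"
fi
```

To feed the filtered denials to audit2allow on a real host, pipe them straight through: `ypbind_avc < /var/log/audit/audit.log | audit2allow -M ypbind_local`. The port list from `firewall_hint` is only stable if the NIS daemons are pinned to fixed ports, which is the caveat in Vladimir's last paragraph: ypserv accepts `-p <port>` for that, and the RHEL/SL 7 service file passes it through `YPSERV_ARGS` in /etc/sysconfig/network; the ports chosen there are what the server firewall rules should reference.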
