SCIENTIFIC-LINUX-USERS Archives

August 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject: (none)
From: Nico Kadel-Garcia <[log in to unmask]>
Reply To: Nico Kadel-Garcia <[log in to unmask]>
Date: Sat, 8 Aug 2015 16:23:50 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (110 lines)
I've got to ask: in this day and age, why are you using ypbind? I know
it can be a lot lighter weight than a Kerberos/LDAP combination, but
Samba 4.2 is available for full-blown Windows Active Directory
replacement, if you apply my published patches to activate the full
domain controller services in Scientific Linux 7. And that can provide
full-blown DNS, full-blown host registration for specific services,
full account and group management with far more sophistication than
NIS, and includes Kerberos components to support genuine
single-sign-on account authentication.

So, why are you using NIS?

On Sat, Aug 8, 2015 at 2:58 PM, Vladimir Mosgalin
<[log in to unmask]> wrote:
> Hi Nathan Moore!
>
>  On 2015.08.08 at 12:45:44 -0500, Nathan Moore wrote next:
>
>> I took the easy way out and disabled selinux.  So far so good with the NIS
>> server, however the client nodes still don't work.  See below
>
> Just for ypbind, I hope!
>
>> I'm not sure I understand the audit2allow command,
>>
>> [root@toulouse ~]# grep ypbind /var/log/audit/audit.log | audit2allow
>> unable to open (null):  Bad address
>
> If grep doesn't output any lines, you probably aren't running auditd.
> In that case you can find AVC messages in some other log file (I think).
> It's best to keep it up and running, though.
> You can always switch back ypbind policy to "enforcing" and run it as a
> service once more to generate AVC message again. And feed it to
> audit2allow.
>
> If the problem is with something else, well.. Not sure. You can just
> post grep output, there will be few long lines; it's not a problem to
> run audit2allow on these lines after that.
>
>> On the client node
>>
>> [root@toulouse ~]# rpcinfo -p localhost
>>    program vers proto   port  service
>>     100000    4   tcp    111  portmapper
>>     100000    3   tcp    111  portmapper
>>     100000    2   tcp    111  portmapper
>>     100000    4   udp    111  portmapper
>>     100000    3   udp    111  portmapper
>>     100000    2   udp    111  portmapper
>> [root@toulouse ~]# systemctl enable ypbind
>> [root@toulouse ~]# systemctl start ypbind
>> Job for ypbind.service failed. See 'systemctl status ypbind.service' and
>> 'journalctl -xn' for details.
>>
>> [root@toulouse ~]# systemctl -l status ypbind.service
>> ypbind.service - NIS/YP (Network Information Service) Clients to NIS Domain
>> Binder
>>    Loaded: loaded (/usr/lib/systemd/system/ypbind.service; enabled)
>>    Active: failed (Result: exit-code) since Sat 2015-08-08 12:25:54 CDT;
>> 1min 23s ago
>>   Process: 4531 ExecStartPost=/usr/libexec/ypbind-post-waitbind
>> (code=exited, status=1/FAILURE)
>>   Process: 4527 ExecStart=/usr/sbin/ypbind -n $OTHER_YPBIND_OPTS
>> (code=exited, status=0/SUCCESS)
>>   Process: 4524 ExecStartPre=/usr/sbin/setsebool allow_ypbind=1
>> (code=exited, status=1/FAILURE)
>>   Process: 4519 ExecStartPre=/usr/libexec/ypbind-pre-setdomain
>> (code=exited, status=0/SUCCESS)
>>  Main PID: 4527 (code=exited, status=0/SUCCESS)
>>    Status: "Processing requests..."
>>
>> Aug 08 12:25:09 toulouse setsebool[4524]: setsebool:  SELinux is disabled.
>> Aug 08 12:25:54 toulouse systemd[1]: ypbind.service: control process
>> exited, code=exited status=1
>> Aug 08 12:25:54 toulouse systemd[1]: Failed to start NIS/YP (Network
>> Information Service) Clients to NIS Domain Binder.
>> Aug 08 12:25:54 toulouse systemd[1]: Unit ypbind.service entered failed
>> state.
>>
>> [root@toulouse ~]# journalctl -xn
>> -- Logs begin at Sat 2015-08-08 10:58:14 CDT, end at Sat 2015-08-08
>> 12:25:54 CDT. --
>> Aug 08 12:25:09 toulouse systemd[1]: Starting NIS/YP (Network Information
>> Service) Clients to NIS Domain Binder...
>> -- Subject: Unit ypbind.service has begun with start-up
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> --
>> -- Unit ypbind.service has begun starting up.
>> Aug 08 12:25:09 toulouse setsebool[4524]: setsebool:  SELinux is disabled.
>> Aug 08 12:25:09 toulouse ypbind[4532]: Binding NIS service
>> Aug 08 12:25:54 toulouse ypbind[4615]: Binding took 45 seconds
>> Aug 08 12:25:54 toulouse ypbind[4617]: NIS server for domain
>> natural_philosophy is not responding.
>> Aug 08 12:25:54 toulouse ypbind[4618]: Killing ypbind with PID 4527.
>> Aug 08 12:25:54 toulouse ypbind[4619]: Try increase NISTIMEOUT in
>
> You can always run ypbind on client under strace to see what REALLY goes
> wrong, but before heavy artillery - why not just check firewall settings
> on server? Run rpcinfo -p <server hostname> on client; if it doesn't
> work, then port 111 (TCP/UDP, you need both) is closed on server. If it
> does work, check that ypbind/ypserv/etc ports that it shows are open.
>
> You probably know that securing NIS with firewall requires binding its
> ports to fixed values first, if you need to go that route.
>
> --
>
> Vladimir
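Vladimir's advice boils down to one check: run `rpcinfo -p <server>` from the client, confirm the portmapper answers on both 111/tcp and 111/udp, and then make sure every ypserv/yppasswdd/ypbind port it lists is allowed through the server's firewall. The script below is an added example, not code from anyone in this thread: it parses `rpcinfo -p` output (a constructed sample is embedded so it runs offline; the ypserv/yppasswdd/ypbind port numbers in it are made up), reports whether the portmapper is reachable on both transports, and prints the `firewall-cmd` lines that would open the listed ports. With `--live <host>` it reads real `rpcinfo` output instead.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p <server>` output from a NIS server.
# Not taken from the thread; ports other than 111 are invented for illustration.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    835  ypserv
    100004    1   udp    835  ypserv
    100004    2   tcp    836  ypserv
    100004    1   tcp    836  ypserv
    100009    1   udp    850  yppasswdd
    100007    2   udp    873  ypbind
    100007    1   udp    873  ypbind
    100007    2   tcp    876  ypbind
    100007    1   tcp    876  ypbind'

# Print the distinct port/proto pairs the firewall must allow, one per line,
# as firewalld-style tokens such as 111/tcp. Skips the header row (NR > 1)
# and anything that is not a 5-column rpcinfo entry.
rpc_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF == 5 { print $4 "/" $3 }' | sort -u
}

# Emit (do not run) the firewall-cmd invocations that would open those ports.
firewall_cmds() {
    rpc_ports "$1" | while read -r pp; do
        printf 'firewall-cmd --permanent --add-port=%s\n' "$pp"
    done
}

# Return 0 only if the portmapper is listed on BOTH 111/tcp and 111/udp;
# ypbind needs both transports, so a missing one is a firewall symptom.
portmapper_ok() {
    ports=$(rpc_ports "$1")
    echo "$ports" | grep -qx '111/tcp' && echo "$ports" | grep -qx '111/udp'
}

# Use live rpcinfo output when asked and available, else the embedded sample.
if [ "${1:-}" = "--live" ] && command -v rpcinfo >/dev/null 2>&1; then
    out=$(rpcinfo -p "${2:-localhost}")
else
    out=$SAMPLE_RPCINFO
fi

if portmapper_ok "$out"; then
    echo "portmapper reachable on 111/tcp and 111/udp"
else
    echo "portmapper NOT reachable on both transports: check port 111 on the server"
fi
firewall_cmds "$out"
```

The generated rules are only useful if the RPC ports are pinned first, as Vladimir notes: ypserv, yppasswdd and ypbind otherwise pick ports dynamically at each start, so rules written from one `rpcinfo -p` snapshot go stale after a restart.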
