I've got to ask: in this day and age, why are you using ypbind? I know it can be a lot lighter weight than a Kerberos/LDAP combination, but Samba 4.2 is available for full-blown Windows Active Directory replacement, if you apply my published patches to activate the full domain controller services in Scientific Linux 7. And that can provide full-blown DNS, full-blown host registration for specific services, full account and group management with far more sophistication than NIS, and includes Kerberos components to support genuine single-sign-on account authentication. So, why are you using NIS?

On Sat, Aug 8, 2015 at 2:58 PM, Vladimir Mosgalin <[log in to unmask]> wrote:
> Hi Nathan Moore!
>
> On 2015.08.08 at 12:45:44 -0500, Nathan Moore wrote next:
>
>> I took the easy way out and disabled selinux. So far so good with the NIS
>> server, however the client nodes still don't work. See below
>
> Just for ypbind, I hope!
>
>> I'm not sure I understand the audit2allow command,
>>
>> [root@toulouse ~]# grep ypbind /var/log/audit/audit.log | audit2allow
>> unable to open (null): Bad address
>
> If grep doesn't output any lines, you probably aren't running auditd.
> In that case you can find AVC messages in some other log file (I think).
> It's best to keep it up and running, though.
> You can always switch back ypbind policy to "enforcing" and run it as a
> service once more to generate AVC message again. And feed it to
> audit2allow.
>
> If the problem is with something else, well.. Not sure. You can just
> post grep output, there will be few long lines; it's not a problem to
> run audit2allow on these lines after that.
>
>> On the client node
>>
>> [root@toulouse ~]# rpcinfo -p localhost
>> program vers proto port service
>> 100000 4 tcp 111 portmapper
>> 100000 3 tcp 111 portmapper
>> 100000 2 tcp 111 portmapper
>> 100000 4 udp 111 portmapper
>> 100000 3 udp 111 portmapper
>> 100000 2 udp 111 portmapper
>> [root@toulouse ~]# systemctl enable ypbind
>> [root@toulouse ~]# systemctl start ypbind
>> Job for ypbind.service failed. See 'systemctl status ypbind.service' and
>> 'journalctl -xn' for details.
>>
>> [root@toulouse ~]# systemctl -l status ypbind.service
>> ypbind.service - NIS/YP (Network Information Service) Clients to NIS Domain
>> Binder
>> Loaded: loaded (/usr/lib/systemd/system/ypbind.service; enabled)
>> Active: failed (Result: exit-code) since Sat 2015-08-08 12:25:54 CDT;
>> 1min 23s ago
>> Process: 4531 ExecStartPost=/usr/libexec/ypbind-post-waitbind
>> (code=exited, status=1/FAILURE)
>> Process: 4527 ExecStart=/usr/sbin/ypbind -n $OTHER_YPBIND_OPTS
>> (code=exited, status=0/SUCCESS)
>> Process: 4524 ExecStartPre=/usr/sbin/setsebool allow_ypbind=1
>> (code=exited, status=1/FAILURE)
>> Process: 4519 ExecStartPre=/usr/libexec/ypbind-pre-setdomain
>> (code=exited, status=0/SUCCESS)
>> Main PID: 4527 (code=exited, status=0/SUCCESS)
>> Status: "Processing requests..."
>>
>> Aug 08 12:25:09 toulouse setsebool[4524]: setsebool: SELinux is disabled.
>> Aug 08 12:25:54 toulouse systemd[1]: ypbind.service: control process
>> exited, code=exited status=1
>> Aug 08 12:25:54 toulouse systemd[1]: Failed to start NIS/YP (Network
>> Information Service) Clients to NIS Domain Binder.
>> Aug 08 12:25:54 toulouse systemd[1]: Unit ypbind.service entered failed
>> state.
>>
>> [root@toulouse ~]# journalctl -xn
>> -- Logs begin at Sat 2015-08-08 10:58:14 CDT, end at Sat 2015-08-08
>> 12:25:54 CDT. --
>> Aug 08 12:25:09 toulouse systemd[1]: Starting NIS/YP (Network Information
>> Service) Clients to NIS Domain Binder...
>> -- Subject: Unit ypbind.service has begun with start-up
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> --
>> -- Unit ypbind.service has begun starting up.
>> Aug 08 12:25:09 toulouse setsebool[4524]: setsebool: SELinux is disabled.
>> Aug 08 12:25:09 toulouse ypbind[4532]: Binding NIS service
>> Aug 08 12:25:54 toulouse ypbind[4615]: Binding took 45 seconds
>> Aug 08 12:25:54 toulouse ypbind[4617]: NIS server for domain
>> natural_philosophy is not responding.
>> Aug 08 12:25:54 toulouse ypbind[4618]: Killing ypbind with PID 4527.
>> Aug 08 12:25:54 toulouse ypbind[4619]: Try increase NISTIMEOUT in
>
> You can always run ypbind on client under strace to see what REALLY goes
> wrong, but before heavy artillery - why not just check firewall settings
> on server? Run rpcinfo -p <server hostname> on client; if it doesn't
> work, then port 111 (TCP/UDP, you need both) is closed on server. If it
> does work, check that ypbind/ypserv/etc ports that it shows are open.
>
> You probably know that securing NIS with firewall requires binding its
> ports to fixed values first, if you need to go that route.
>
> --
>
> Vladimir
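
The `rpcinfo -p <server hostname>` check suggested at the end of the quoted reply, as an added example that is not part of the original thread: it reduces the listing to one line per port that the server's firewall has to allow and confirms that portmapper and ypserv are both registered. The sample listing and its ypserv/yppasswdd port numbers are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises `rpcinfo -p <server>` output
# so the ports that must be open on the server's firewall are easy to read.
# RPC program numbers are the standard /etc/rpc assignments.

# Constructed sample of a NIS server's reply; the ypserv/yppasswdd ports are
# made up. On a real client use:  rpcinfo -p <server hostname>
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100004    2   udp    834  ypserv
    100004    1   udp    834  ypserv
    100004    2   tcp    835  ypserv
    100004    1   tcp    835  ypserv
    100009    1   udp    836  yppasswdd
EOF
}

# Print one "proto/port service" line per distinct NIS-related listener
# (rpcinfo repeats a port once per protocol version, so duplicates are dropped).
nis_ports() {
    awk 'BEGIN { n[100000] = "portmapper"; n[100004] = "ypserv"
                 n[100007] = "ypbind"; n[100009] = "yppasswdd"; n[100069] = "ypxfrd" }
         ($1 in n) && !seen[$3 "/" $4]++ { print $3 "/" $4, n[$1] }' | sort
}

# Exit 0 only if portmapper is registered on both tcp and udp and ypserv is present.
nis_check() {
    awk '$1 == 100000 { pm[$3] = 1 }
         $1 == 100004 { yp = 1 }
         END {
             bad = 0
             if (!("tcp" in pm) || !("udp" in pm)) { print "portmapper is not registered on both tcp and udp"; bad = 1 }
             if (!yp) { print "ypserv is not registered with the portmapper"; bad = 1 }
             exit bad
         }'
}

sample_rpcinfo | nis_ports
sample_rpcinfo | nis_check && echo "portmapper and ypserv registered; verify each port above is open"
```

If the ports change between restarts of the NIS services, they have not been bound to fixed values, which is the prerequisite for firewalling NIS that the reply mentions.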