I'm using NIS (or have been at least) because I'm not a full-time sysadmin. The cluster (~5 machines) is only used for teaching, it's behind a firewall, and there's nothing important stored on it. NIS was the easiest thing that allowed for shared home directories & logins at the time (without spending two weeks learning LDAP...)

Is LDAP easy to configure?

On Sat, Aug 8, 2015 at 3:23 PM, Nico Kadel-Garcia <[log in to unmask]> wrote:

> I've got to ask: in this day and age, why are you using ypbind? I know
> it can be a lot lighter weight than a Kerberos/LDAP combination, but
> Samba 4.2 is available for full-blown Windows Active Directory
> replacement, if you apply my published patches to activate the full
> domain controller services in Scientific Linux 7. And that can provide
> full blown DNS, full-blown host registration for specific services,
> full account and group management with far more sophistication than
> NIS, and includes Kerberos components to support genuine
> single-sign-on account authentication.
>
> So, why are you using NIS?
>
> On Sat, Aug 8, 2015 at 2:58 PM, Vladimir Mosgalin
> <[log in to unmask]> wrote:
> > Hi Nathan Moore!
> >
> > On 2015.08.08 at 12:45:44 -0500, Nathan Moore wrote next:
> >
> >> I took the easy way out and disabled selinux. So far so good with the NIS
> >> server, however the client nodes still don't work. See below
> >
> > Just for ypbind, I hope!
> >
> >> I'm not sure I understand the audit2allow command,
> >>
> >> [root@toulouse ~]# grep ypbind /var/log/audit/audit.log | audit2allow
> >> unable to open (null): Bad address
> >
> > If grep doesn't output any lines, you probably aren't running auditd.
> > In that case you can find AVC messages in some other log file (I think).
> > It's best to keep it up and running, though.
> > You can always switch back ypbind policy to "enforcing" and run it as a
> > service once more to generate AVC message again. And feed it to
> > audit2allow.
> >
> > If the problem is with something else, well.. Not sure. You can just
> > post grep output, there will be few long lines; it's not a problem to
> > run audit2allow on these lines after that.
> >
> >> On the client node
> >>
> >> [root@toulouse ~]# rpcinfo -p localhost
> >>    program vers proto   port  service
> >>     100000    4   tcp    111  portmapper
> >>     100000    3   tcp    111  portmapper
> >>     100000    2   tcp    111  portmapper
> >>     100000    4   udp    111  portmapper
> >>     100000    3   udp    111  portmapper
> >>     100000    2   udp    111  portmapper
> >> [root@toulouse ~]# systemctl enable ypbind
> >> [root@toulouse ~]# systemctl start ypbind
> >> Job for ypbind.service failed. See 'systemctl status ypbind.service' and 'journalctl -xn' for details.
> >>
> >> [root@toulouse ~]# systemctl -l status ypbind.service
> >> ypbind.service - NIS/YP (Network Information Service) Clients to NIS Domain Binder
> >>    Loaded: loaded (/usr/lib/systemd/system/ypbind.service; enabled)
> >>    Active: failed (Result: exit-code) since Sat 2015-08-08 12:25:54 CDT; 1min 23s ago
> >>   Process: 4531 ExecStartPost=/usr/libexec/ypbind-post-waitbind (code=exited, status=1/FAILURE)
> >>   Process: 4527 ExecStart=/usr/sbin/ypbind -n $OTHER_YPBIND_OPTS (code=exited, status=0/SUCCESS)
> >>   Process: 4524 ExecStartPre=/usr/sbin/setsebool allow_ypbind=1 (code=exited, status=1/FAILURE)
> >>   Process: 4519 ExecStartPre=/usr/libexec/ypbind-pre-setdomain (code=exited, status=0/SUCCESS)
> >>  Main PID: 4527 (code=exited, status=0/SUCCESS)
> >>    Status: "Processing requests..."
> >>
> >> Aug 08 12:25:09 toulouse setsebool[4524]: setsebool: SELinux is disabled.
> >> Aug 08 12:25:54 toulouse systemd[1]: ypbind.service: control process exited, code=exited status=1
> >> Aug 08 12:25:54 toulouse systemd[1]: Failed to start NIS/YP (Network Information Service) Clients to NIS Domain Binder.
> >> Aug 08 12:25:54 toulouse systemd[1]: Unit ypbind.service entered failed state.
> >>
> >> [root@toulouse ~]# journalctl -xn
> >> -- Logs begin at Sat 2015-08-08 10:58:14 CDT, end at Sat 2015-08-08 12:25:54 CDT. --
> >> Aug 08 12:25:09 toulouse systemd[1]: Starting NIS/YP (Network Information Service) Clients to NIS Domain Binder...
> >> -- Subject: Unit ypbind.service has begun with start-up
> >> -- Defined-By: systemd
> >> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> >> --
> >> -- Unit ypbind.service has begun starting up.
> >> Aug 08 12:25:09 toulouse setsebool[4524]: setsebool: SELinux is disabled.
> >> Aug 08 12:25:09 toulouse ypbind[4532]: Binding NIS service
> >> Aug 08 12:25:54 toulouse ypbind[4615]: Binding took 45 seconds
> >> Aug 08 12:25:54 toulouse ypbind[4617]: NIS server for domain natural_philosophy is not responding.
> >> Aug 08 12:25:54 toulouse ypbind[4618]: Killing ypbind with PID 4527.
> >> Aug 08 12:25:54 toulouse ypbind[4619]: Try increase NISTIMEOUT in
> >
> > You can always run ypbind on client under strace to see what REALLY goes
> > wrong, but before heavy artillery - why not just check firewall settings
> > on server? Run rpcinfo -p <server hostname> on client; if it doesn't
> > work, then port 111 (TCP/UDP, you need both) is closed on server. If it
> > does work, check that ypbind/ypserv/etc ports that it shows are open.
> >
> > You probably know that securing NIS with firewall requires binding its
> > ports to fixed values first, if you need to go that route.
> >
> > --
> >
> > Vladimir
>

--
- - - - - - - - - - - - - - - - - - - - -
Nathan Moore
Mississippi River and 44th Parallel
- - - - - - - - - - - - - - - - - - - - -
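
The check order suggested in the quoted reply (query the server's portmapper from a client, then look at the ports the NIS programs registered), as an added example that is not part of the original thread. The sample `rpcinfo -p` output, the ports 944-946 and the host name `nis-server.example` are constructed assumptions.

```shell
# Constructed sample of `rpcinfo -p <server>` run from a client (not from the
# thread). Ports 944-946 stand for fixed values an admin has assigned.
SAMPLE_SERVER='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100004    2   udp    944  ypserv
    100004    2   tcp    944  ypserv
    100004    1   udp    944  ypserv
    100009    1   udp    946  yppasswdd
 600100069    1   tcp    945  fypxfrd'

# Constructed: portmapper answers, but no NIS program is registered with it.
SAMPLE_NO_YPSERV='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper'

# Read rpcinfo output on stdin, print unique "port/proto" pairs for the NIS
# RPC programs: 100004 ypserv, 100007 ypbind, 100009 yppasswdd,
# 100069 ypxfrd, 600100069 fypxfrd.
nis_ports() {
    awk '$1 ~ /^(100004|100007|100009|100069|600100069)$/ { print $4 "/" $3 }' |
        sort -u
}

# Classify the output by the first check that fails.
diagnose() {
    out=$1
    if ! printf '%s\n' "$out" | awk '$1 == 100000 { f = 1 } END { exit !f }'; then
        # No portmapper line at all: 111/tcp and 111/udp must be open on the server.
        echo "rpcbind-unreachable"
    elif ! printf '%s\n' "$out" | awk '$1 == 100004 { f = 1 } END { exit !f }'; then
        # Portmapper reachable, but ypserv never registered with it.
        echo "ypserv-not-registered"
    else
        # These are the ports the server firewall has to allow.
        echo "check-firewall: $(printf '%s\n' "$out" | nis_ports | paste -sd ' ' -)"
    fi
}

# On a real client (hypothetical host name):
#   diagnose "$(rpcinfo -p nis-server.example 2>/dev/null)"
diagnose "$SAMPLE_SERVER"
```

If the port list changes between server restarts, the NIS daemons are still on dynamically assigned ports and a static firewall rule will not hold until they are pinned.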