Hi everyone -

The SELinux boolean is now called nis_enabled. I think allow_ypbind is
still accepted, but not published in the getsebool -a list.
We use ypbind behind a firewall for our linux accounts on a protected
subnet (clients: SL7, server: SL6.6) without any problems. It is super easy
to set up and maintain for an environment with a thousand accounts, 30
client machines, and many account changes nightly and where we use
NFS-mounted home directories. Those qualities make automation with LDAP
much more difficult.

I know its security is poor, but here are a few suggestions to help at least
a bit with the most onerous security issues:

   - restrict the uid/gid subset you export
   - don't publish the shadow map
   - restrict who can connect using the securenets file

If anyone else has any words of wisdom to try to help tighten NIS in these
environments (other than 'why are you still using it?') I'd love to hear it.

On Sat, Aug 8, 2015 at 4:00 PM, David Sommerseth wrote:

> On 8 August 2015 15:36:24 CEST, Nathan Moore wrote:
> >Working through a SL7 migration.
> >
> >Right now, I can't get ypbind to start, or rather, it starts in a clunky
> >way.
> >
> >Using systemctl,
> >[root@pilgrim ~]# systemctl enable ypbind
> >[root@pilgrim ~]# systemctl start ypbind
> >Job for ypbind.service failed. See 'systemctl status ypbind.service'
> >and 'journalctl -xn' for details.
> >
> >but, I can get the daemon to start by running the bare command,
> >[root@pilgrim ~]# /usr/sbin/ypbind
> >[root@pilgrim ~]# rpcinfo -p localhost | grep ypbind
> >    100007    2   udp    785  ypbind
> >    100007    1   udp    785  ypbind
> >    100007    2   tcp    788  ypbind
> >    100007    1   tcp    788  ypbind
> >
> >Any ideas?  Is this a known bug?  The output below makes it seem like
> >this is a conflict with selinux?
>
> IIRC, you just need to flip a NIS/ypbind related SELinux boolean and it
> should just work.  See the output of 'semanage boolean --list | grep yp'
> for some clues.
>
> The reason ypbind starts outside of systemctl is that it most likely is
> then started unconfined, somewhat similar to disabling SELinux on the
> system.  While running ypbind via systemctl will restrict the powers of
> ypbind, confining it to a specific NIS related SELinux context.  However,
> it usually requires more privileges than most non-NIS systems require,
> hence the need to flip an SELinux boolean.  The reason this isn't the
> default these days is probably due to people preferring something more
> modern than NIS.
>
>
>
> --
> kind regards,
>
> David Sommerseth
>



-- 
-- greg
Instructor, Computer Science
http://fog.ccsf.edu/~gboyd
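As an added example (my own, not code from the thread): a small offline audit that checks the three server-side suggestions in the post above against files in /var/yp/Makefile and /var/yp/securenets format. It also flags MERGE_PASSWD=true, which the stock Red Hat-family Makefile uses to fold the /etc/shadow hashes into the passwd maps even when the separate shadow map is never built. The sample files it writes are constructed here to mirror the stock defaults and are not taken from any real host; point the functions at the real files on a server instead.

```shell
#!/bin/sh
# Added example, not from the thread: offline audit of NIS server hardening.
# Functions take a Makefile-style and a securenets-style file as arguments.

# Join make's backslash-continued lines so the "all:" target is one record,
# then drop make comments (everything from '#' on) as make itself would.
make_logical_lines() {
    awk '/\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0 " "; next }
         { print buf $0; buf = "" }' "$1" | sed 's/#.*//'
}

# make_var FILE NAME -> prints the value of "NAME = value" (empty if absent)
make_var() {
    make_logical_lines "$1" | awk -v name="$2" '
        $0 ~ "^" name "[[:space:]]*=" {
            sub("^" name "[[:space:]]*=[[:space:]]*", ""); print; exit }'
}

# map_is_published FILE MAP -> 0 when MAP appears, uncommented, in the all: target
map_is_published() {
    make_logical_lines "$1" | grep -Eq "^all:.*[[:space:]]$2([[:space:]]|\$)"
}

# securenets_is_open FILE -> 0 when the catch-all "0.0.0.0 0.0.0.0" entry
# (netmask 0.0.0.0, network 0.0.0.0: any client may bind) is present
securenets_is_open() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        awk '$1 == "0.0.0.0" && $2 == "0.0.0.0" { hit = 1 } END { exit !hit }'
}

# nis_audit MAKEFILE SECURENETS -> prints one finding per line, nothing if clean
nis_audit() {
    if map_is_published "$1" shadow; then
        echo "shadow map is built: remove 'shadow' from the all: target"
    fi
    if [ "$(make_var "$1" MERGE_PASSWD)" = "true" ]; then
        echo "MERGE_PASSWD=true: password hashes are folded into the passwd maps"
    fi
    if [ -z "$(make_var "$1" MINUID)" ] || [ -z "$(make_var "$1" MINGID)" ]; then
        echo "MINUID/MINGID not set: system accounts would be exported"
    fi
    if securenets_is_open "$2"; then
        echo "securenets allows 0.0.0.0/0: restrict it to the protected subnet"
    fi
    return 0
}

# --- constructed sample files (modelled on stock defaults, not real config) ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

cat > "$work/Makefile.weak" <<'EOF'
# constructed sample: everything exported, hashes merged, shadow map built
MERGE_PASSWD=true
MERGE_GROUP=true
all:  passwd group hosts rpc services netid protocols mail \
      netgrp shadow publickey networks
EOF

cat > "$work/Makefile.hard" <<'EOF'
# constructed sample: uid/gid floor set, no hash merge, shadow left commented
MERGE_PASSWD=false
MERGE_GROUP=false
MINUID=1000
MINGID=1000
all:  passwd group hosts rpc services netid protocols mail \
      # netgrp shadow publickey networks ethers bootparams printcap \
      # amd.home auto.master auto.home auto.local passwd.adjunct
EOF

cat > "$work/securenets.weak" <<'EOF'
# Always allow access for localhost
255.0.0.0       127.0.0.0
# This line gives access to everybody. PLEASE ADJUST!
0.0.0.0         0.0.0.0
EOF

cat > "$work/securenets.hard" <<'EOF'
255.0.0.0       127.0.0.0
255.255.255.0   10.20.30.0
EOF

echo "== weak =="
nis_audit "$work/Makefile.weak" "$work/securenets.weak"
echo "== hardened =="
nis_audit "$work/Makefile.hard" "$work/securenets.hard"
```

The weak pair produces four findings and the hardened pair none. The client-side fix the thread arrives at is not part of this script; it is the one-liner `setsebool -P nis_enabled on` on each SL7 client, after which ypbind starts confined under systemctl.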