Perlboy"/>

Seekbrain.com

Jump to content.

Home Network Setup, Part 4

This is the fourth part of a multipart series on how to setup a home/office using CentOS4. If you’ve just dropped in I’d recommend taking a squiz at parts 1, 2 & 3. Using the original requirements specified in Part 1 we can determine what we have left to achieve:

  • Reliable shared internet access with either automatic or manual failover to an alternate means of connectivity (ala iBurst Wireless or ick, !dialup!).
  • A method of handing out IP addresses to all “dynamic” clients on the network. That is to say, we’re looking for a DHCP server.
  • Optimisation of possible bottle necks associated with a home based broadband connection. DNS & HTTP caching come to mind.
  • Reliable, fast central mail storage. This will be pulled from the internet servers into which the mail comes into, stored into users mailboxes and accessed by IMAP/POP3.
  • Outbound SMTP relay setup as a smarthost relaying to the ISPs upstream SMTP server. This is mainly necessary because occasionally the upstream ISP may differ (if for instance the connection drops) and updating 1 smart host is much easier than updating numerous settings per machine.
  • Web based access to the central mail storage.
  • A large house wide storage system. This is primarily to accomodate a significant amount of “in development” stuff I work on (like PHP & MySQL RPMs for instance).
  • Local DNS zone for local hostname resolution. I find it difficult to remember IP addresses so a DNS server is fairly essential (and it looks nice).
  • Wireless internet access should be available throughout the house.
  • Centralised authentication. Ie. House wide username/password combinations.
  • Centralised home directories without risking long downtimes should a key server fail.
  • Internal Network monitoring. This is purely to keep an eye on general statistics (like for instance disk space usage etc.) to avoid any disruptions.

So in this article I hope to achieve the following:

  • Setup NIS Authentication system on Tethys
  • Setup NIS Slave on Dione using Tethys as the source
  • Modify associated clients to utilise this authentication scheme

Setting up a NIS Master System

First we need to install the yp-tools, ypserv & ypbind daemons. These are basically the client & server components of NIS.

[root@tethys ~]# yum -y install ypbind yp-tools ypserv
Setting up Install Process
Setting up repositories
update 100% |=========================| 951 B 00:00
base 100% |=========================| 1.1 kB 00:00
addons 100% |=========================| 951 B 00:00
extras 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
–> Populating transaction set with selected packages. Please wait.
—> Downloading header for yp-tools to pack into transaction set.
yp-tools-2.8-7.i386.rpm 100% |=========================| 9.6 kB 00:00
—> Package yp-tools.i386 0:2.8-7 set to be updated
—> Downloading header for ypbind to pack into transaction set.
ypbind-1.17.2-3.i386.rpm 100% |=========================| 8.3 kB 00:00
—> Package ypbind.i386 3:1.17.2-3 set to be updated
—> Package ypserv.i386 0:2.13-5 set to be updated
–> Running transaction check

Dependencies Resolved

==========================
Package Arch Version Repository Size
==========================
Installing:
yp-tools i386 2.8-7 base 63 k
ypbind i386 3:1.17.2-3 base 32 k
ypserv i386 2.13-5 base 127 k

Transaction Summary
==========================
Install 3 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 222 k
Downloading Packages:
(1/2): yp-tools-2.8-7.i38 100% |=========================| 63 kB 00:00
(2/2): ypbind-1.17.2-3.i3 100% |=========================| 32 kB 00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: ypbind ######################### [1/3]
Installing: yp-tools ######################### [2/3]
Installing: ypserv ######################### [3/3]

Installed: yp-tools.i386 0:2.8-7 ypbind.i386 3:1.17.2-3 ypserv.i386 0:2.13-5
Complete!
[root@tethys ~]#

First we need to define what “domain name” is used when doing NIS lookups. Effectively this allows us to define multiple “areas” of authentication (per departments for instance) with differing information but in our situation we’re only worried with one authentication domain. I use “nis.seekbrain.com” as the name and add the following line to /etc/sysconfig/network:

NISDOMAIN=nis.seekbrain.com

Now we need to define where the NIS client looks for answers for queries it covers.

Since I intend to setup a master/slave arrangement for NIS I specify both tethys.seekbrain.com & dione.seekbrain.com. These hostnames resolve courtesy of our master/slave DNS setup. I added the following lines to the end of /etc/yp.conf (it’s worth reading the comments in that file too):

domain nis.seekbrain.com server tethys.seekbrain.com
domain nis.seekbrain.com server dione.seekbrain.com

Next we need to tell the NIS server (ypserv) which networks can access it’s database of information. I added the following lines to /var/yp/securenets:

host 127.0.0.1
255.255.255.0 192.168.128.0
255.255.255.0 192.168.50.0

The first line lets the NIS server update itself while the next 2 give access to our local subnets. For some reason it’s also necessary to update our server list in a second location:

/var/yp/ypservers:

tethys.seekbrain.com
dione.seekbrain.com

Next we start ypserv & the ypbind daemon:

[root@tethys ~]# service yppasswdd start
Starting YP passwd service: [ OK ]
[root@tethys ~]# service ypxfrd start
Starting YP map server: [ OK ]
[root@tethys ~]# service ypserv start
Starting YP server services: [ OK ]
[root@tethys ~]# service ypbind start
Binding to the NIS domain: [ OK ]
Listening for an NIS domain server.
[root@tethys ~]# chkconfig –level 345 ypbind on
[root@tethys ~]# chkconfig –level 345 ypxfrd on
[root@tethys ~]# chkconfig –level 345 ypserv on
[root@tethys ~]# chkconfig –level 345 yppasswdd on

Now it’s necessary to create our “export” into NIS format. This is handled with a standard Makefile arrangement:

[root@tethys etc]# make -C /var/yp
make: Entering directory `/var/yp’
gmake[1]: Entering directory `/var/yp/nis.seekbrain.com’
Updating passwd.byname…
Updating passwd.byuid…
Updating group.byname…
Updating group.bygid…
Updating hosts.byname…
Updating hosts.byaddr…
Updating netid.byname…
gmake[1]: Leaving directory `/var/yp/nis.seekbrain.com’
make: Leaving directory `/var/yp’
[root@tethys etc]#

This effectively exports our passwd, group and hosts files. You can add more identities if you require but the passwd/group files should be sufficient for our automated authentication scheme. Now there’s a few changes we need to make to this Makefile. I like to have a common root password for my internal network and since all servers are CentOS4 based I don’t have UID conflicts. THINK CAREFULLY about these updates since in some scenarios they are a dangerous risk (ie. on a public network):

/var/yp/Makefile:

MINUID=0
MINGID=0

The MINUID & MINGID components control which users to export via NIS. I’ve changed this to 0 since I WANT root’s password to be exported. The alternative is to setup a common sudoers but I haven’t much experience with setting these 2 services to cooperate.

If you get errors along the lines of:

dione.seekbrain.com: RPC: Program not registered

This is because our yp* services aren’t running on our slave server. We’ll deal with them soon but the first thing to do is test that our passwd exports are working:

[root@tethys ~]# ypcat passwd
stuart:$1$j:500:500::/home/stuart:/bin/bash
[root@tethys ~]#

It’s also pertinent to make sure we rebuild our NIS databases regularly. I do this via a cronjob:

/etc/cron.hourly/updatenis:

#!/bin/bash
make -C /var/yp &> /dev/null

With the usual bits:

[root@tethys cron.hourly]# chmod 755 updatenis
[root@tethys cron.hourly]# ./updatenis

So now our database will update every hour.

Setting up a NIS slave
Right, so our NIS server is exporting everything correctly. Now it’s time to setup Dione to slave this information from Tethys.

[root@dione ~]# yum install ypserv ypbind yp-tools
Setting up Install Process
Setting up repositories
update 100% |=========================| 951 B 00:00
base 100% |=========================| 1.1 kB 00:00
addons 100% |=========================| 951 B 00:00
extras 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
–> Populating transaction set with selected packages. Please wait.
—> Downloading header for yp-tools to pack into transaction set.
yp-tools-2.8-7.i386.rpm 100% |=========================| 9.6 kB 00:00
—> Package yp-tools.i386 0:2.8-7 set to be updated
—> Downloading header for ypbind to pack into transaction set.
ypbind-1.17.2-3.i386.rpm 100% |=========================| 8.3 kB 00:00
—> Package ypbind.i386 3:1.17.2-3 set to be updated
—> Package ypserv.i386 0:2.13-5 set to be updated
–> Running transaction check

Dependencies Resolved

==========================
Package Arch Version Repository Size
==========================
Installing:
yp-tools i386 2.8-7 base 63 k
ypbind i386 3:1.17.2-3 base 32 k
ypserv i386 2.13-5 base 127 k

Transaction Summary
==========================
Install 3 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 222 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): yp-tools-2.8-7.i38 100% |=========================| 63 kB 00:01
(2/2): ypbind-1.17.2-3.i3 100% |=========================| 32 kB 00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: ypbind ######################### [1/3]
Installing: yp-tools ######################### [2/3]
Installing: ypserv ######################### [3/3]

Installed: yp-tools.i386 0:2.8-7 ypbind.i386 3:1.17.2-3 ypserv.i386 0:2.13-5
Complete!
[root@dione ~]#

I’ve then made the following Tethys similar changes to Dione plus a few extras:

/etc/yp.conf:

domain nis.seekbrain.com server tethys.seekbrain.com
domain nis.seekbrain.com server dione.seekbrain.com
/etc/sysconfig/network:

NISDOMAIN=nis.seekbrain.com

/etc/hosts

192.168.128.1 dione.seekbrain.com dione
192.168.128.4 tethys.seekbrain.com tethys

/etc/ypserv.conf

trusted_master: 192.168.128.4

Now we setup our services to start on Dione:

[root@dione ~]# service yppasswdd start
Starting YP passwd service: [ OK ]
[root@dione ~]# service ypxfrd start
Starting YP map server: [ OK ]
[root@dione ~]# service ypserv start
Starting YP server services: [ OK ]
[root@dione ~]# service ypbind start
Binding to the NIS domain: [ OK ]
Listening for an NIS domain server.
[root@dione ~]# chkconfig –level 345 ypbind on
[root@dione ~]# chkconfig –level 345 ypxfrd on
[root@dione ~]# chkconfig –level 345 ypserv on
[root@dione ~]# chkconfig –level 345 yppasswdd on

Now since we’re a slave server we init our database specifying Tethys as our master.

In /var/yp:

[root@dione yp]# /usr/lib/yp/ypinit -s tethys.seekbrain.com
We will need a few minutes to copy the data from tethys.seekbrain.com.
Transferring protocols.byname…
Trying ypxfrd … success

Transferring protocols.bynumber…
Trying ypxfrd … success

Transferring mail.aliases…
Trying ypxfrd … success

Transferring group.byname…
Trying ypxfrd … success

Transferring services.byservicename…
Trying ypxfrd … success

Transferring passwd.byname…
Trying ypxfrd … success

Transferring ypservers…
Trying ypxfrd … success

Transferring hosts.byaddr…
Trying ypxfrd … success

Transferring services.byname…
Trying ypxfrd … success

Transferring rpc.bynumber…
Trying ypxfrd … success

Transferring netid.byname…
Trying ypxfrd … success

Transferring group.bygid…
Trying ypxfrd … success

Transferring passwd.byuid…
Trying ypxfrd … success

dione.seekbrain.com’s NIS data base has been set up.
If there were warnings, please figure out what went wrong, and fix it.

At this point, make sure that /etc/passwd and /etc/group have
been edited so that when the NIS is activated, the data bases you
have just created will be used, instead of the /etc ASCII files.
[root@dione yp]#

Now we should be able to test both servers:

[stuart@laptop ~]$ ypcat -h dione.seekbrain.com -d nis.seekbrain.com passwd | grep stuart
stuart:$1$:500:500::/home/stuart:/bin/bash
[stuart@laptop ~]$ ypcat -h tethys.seekbrain.com -d nis.seekbrain.com passwd | grep stuart
stuart:$1$:500:500::/home/stuart:/bin/bash

We can even test what happens when we kill Tethys NIS server:

[stuart@laptop ~]$ ypcat -h tethys.seekbrain.com -d nis.seekbrain.com passwd | grep stuart
No such map passwd.byname. Reason: Can’t communicate with portmapper
[stuart@laptop ~]$ ypcat -h dione.seekbrain.com -d nis.seekbrain.com passwd | grep stuart
stuart:$1$:500:500::/home/stuart:/bin/bash
[stuart@laptop ~]$

Ie. Dione still answers queries for us even if Tethys is dead. 🙂

Finally, we have cron reload our passwd files once an hour. In /etc/cron.hourly/updatenis I put:

#!/bin/bash
/usr/lib/yp/ypinit -s tethys.seekbrain.com &> /dev/null

This is followed by the usual chmod 755 /etc/cron.hourly/updatenis . 🙂
Setting up NIS Clients

So now it’s time to setup our machines to use NIS authentication. This is relevent to both servers & clients alike since we want a single database sourced purely from Tethys (and slaved to Dione).

Redhat distributions come along with an easy to use authentication config utility.

Simply run “authconfig” and run through the prompts. I’ve taken two screenshots of this process which should be fairly self explanatory:

Step 1


The authconfig utility will then handle the reloading of information:

[root@dione pam.d]# authconfig
authconfig: critical error writing /etc//samba/smb.conf: No such file or directory
Stopping portmap: [ OK ]
Starting portmap: [ OK ]
setsebool: SELinux is disabled.
Shutting down NIS services: [ OK ]
Binding to the NIS domain: [ OK ]
Listening for an NIS domain server.
[root@dione pam.d]#

Now we should be right to do authentication:

[stuart@laptop ~]$ ssh stuart@dione
stuart@dione’s password:
Last login: Mon Feb 6 21:44:34 2006 from 192.168.50.100
-bash-3.00$

Cool eh? 🙂
Conclusion

Well now we have a centralised authentication system with redundant slaves. With this achieved I’ve now paved the way to setup our mail storage systems.

As always, have fun! 🙂

Stuart

Sorry, the comment form is closed at this time.


Read more

«
»