Full NIS Integration

From AstroArch

To configure NIS authentication on your VMware ESX server use the following steps.

  • Run the enabling command from the Service Console CLI. Use IP addresses where possible so that authentication does not depend on DNS; if DNS is down, NIS logins to your ESX server will fail. The following command starts the proper daemons, opens the required firewall ports, and configures the necessary files.
 esxcfg-auth --enablenis --nisdomain=DOMAIN --nisserver=IPofNISServer
  • Modify /etc/nsswitch.conf to look like the following. The main changes are to add nis to the group and shadow lines.
# Autogenerated by esxcfg-auth
aliases:         files nisplus
automount:       files nisplus nis
bootparams:      nisplus [NOTFOUND=return] files
ethers:          files
group:           files nis
hosts:           files dns nis
netgroup:        nisplus
netmasks:        files
networks:        files
passwd:          files nis
protocols:       files nis
publickey:       nisplus
rpc:             files
services:        files nis
shadow:          files nis
  • Test to be sure everything shows up as expected. The first command should list your local password file entries plus any users shared out by NIS; the second lists your local groups plus those provided by NIS.
 getent passwd
 getent group
  • Test to be sure NIS is working using the NIS commands themselves. These list only the NIS users and groups. Note that if the third command returns nothing, your NIS server does not provide a netgroup map.
 ypcat passwd.byname
 ypcat group.byname
 ypcat netgroup
  • Enable pam_access to limit logins to those groups and users who require access.
#%PAM-1.0
# Autogenerated by esxcfg-auth
account      required         /lib/security/$ISA/pam_unix.so    broken_shadow
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_access.so
auth         required         /lib/security/$ISA/pam_env.so
auth         sufficient       /lib/security/$ISA/pam_unix.so   likeauth nullok
auth         required         /lib/security/$ISA/pam_deny.so
password     required         /lib/security/$ISA/pam_cracklib.so retry=3
password     sufficient       /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow nis
password     required         /lib/security/$ISA/pam_deny.so
session      required         /lib/security/$ISA/pam_limits.so
session      required         /lib/security/$ISA/pam_unix.so
session      required         /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077
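The nsswitch.conf step and the pam_access step above are easy to get subtly wrong (a database that still reads only "files", or an account stack that never loads pam_access.so, in which case access.conf is silently never consulted). The following audit script is an added example written for this page; it is not part of esxcfg-auth or of the original article. It reads files by path, so it can be pointed at /etc/nsswitch.conf and /etc/pam.d/system-auth on the Service Console, or at the constructed sample files it writes itself.

```shell
#!/bin/sh
# Post-configuration audit for the nsswitch.conf and pam_access steps above.
# Constructed example for this page, not code from esxcfg-auth or the article.

# nss_has_nis FILE DB -> 0 if the "DB:" line in FILE lists nis as a source
# (grep -w keeps "nisplus" from being counted as "nis")
nss_has_nis() {
    grep -E "^[[:space:]]*$2:" "$1" | grep -qw nis
}

# audit_nsswitch FILE -> reports each of passwd/group/shadow that does not
# consult nis; returns 0 only when all three do
audit_nsswitch() {
    local rc=0 db
    for db in passwd group shadow; do
        if ! nss_has_nis "$1" "$db"; then
            echo "nsswitch: '$db' does not consult nis"
            rc=1
        fi
    done
    return $rc
}

# audit_pam FILE -> 0 if some "account" line loads pam_access.so; without it
# access.conf is never read and every NIS user can log in
audit_pam() {
    if grep -E '^account[[:space:]]' "$1" | grep -q 'pam_access\.so'; then
        return 0
    fi
    echo "pam: no account entry for pam_access.so in $1"
    return 1
}

# write_samples DIR -> constructed sample files: a correct nsswitch.conf, one
# that forgot the shadow line, a system-auth with pam_access and one without
write_samples() {
    printf '%s\n' 'passwd:  files nis' 'group:   files nis' 'shadow:  files nis' \
        'hosts:   files dns nis' > "$1/nsswitch.conf"
    printf '%s\n' 'passwd:  files nis' 'group:   files nis' 'shadow:  files' \
        > "$1/nsswitch.missing"
    printf '%s\n' '#%PAM-1.0' \
        'account      required   /lib/security/$ISA/pam_unix.so  broken_shadow' \
        'account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_access.so' \
        'auth         required   /lib/security/$ISA/pam_env.so' > "$1/system-auth"
    printf '%s\n' '#%PAM-1.0' \
        'account      required   /lib/security/$ISA/pam_unix.so  broken_shadow' \
        > "$1/system-auth.noaccess"
}

# Stand-alone run against the constructed samples
DIR=$(mktemp -d)
write_samples "$DIR"
audit_nsswitch "$DIR/nsswitch.conf"    && echo "nsswitch.conf: ok"
audit_nsswitch "$DIR/nsswitch.missing" || echo "nsswitch.missing: needs work"
audit_pam "$DIR/system-auth"           && echo "system-auth: ok"
audit_pam "$DIR/system-auth.noaccess"  || echo "system-auth.noaccess: needs work"
rm -rf "$DIR"
```

On a real host, run `audit_nsswitch /etc/nsswitch.conf` and `audit_pam /etc/pam.d/system-auth` after the esxcfg-auth step and again after the reboot, since that is when the edits actually take effect.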
  • The last line of the account section of the system-auth file references pam_access.so, which lets the administrator control who can log in and from which systems. An example /etc/security/access.conf follows. It allows root access from crond, the console, ttys 1-6 and the IP address 127.0.0.1, and from nowhere else. It also allows members of the vmadmins group (whether from a local group or AD) to access the system from any IP address, except that the user badadmin may log in ONLY from 192.168.1.100. All other access is denied. The manual page (man access.conf) gives many more details on how to set this up. This step is important: without it, others may be able to reach information they should not have, such as the configuration of the virtual machines.
# Access.conf
+ : root : crond console tty1 tty2 tty3 tty4 tty5 tty6
+ : root : 127.0.0.1
+ : @vmadmins EXCEPT badadmin : ALL
+ : badadmin : 192.168.1.100
- : root : ALL
- : ALL : ALL
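Because pam_access uses the first matching rule, and permits any login that matches no rule at all, it is worth predicting what a rule set will decide before relying on it. The following evaluator is an added example written for this page (it is not pam_access itself and not code from the original article); it models only the syntax used above: + and -, ALL, @group, EXCEPT, and exact tty or IP address origins. The rule set embedded in it is a constructed copy of the one above, and a second copy without the final catch-all shows why that last line matters.

```shell
#!/bin/sh
# First-match evaluation of access.conf rules, as pam_access applies them.
# Constructed example for this page; models only the syntax used above.

# The page's rule set, embedded as a constructed sample
ACCESS_CONF='# Access.conf
+ : root : crond console tty1 tty2 tty3 tty4 tty5 tty6
+ : root : 127.0.0.1
+ : @vmadmins EXCEPT badadmin : ALL
+ : badadmin : 192.168.1.100
- : root : ALL
- : ALL : ALL'

# The same rules without the final catch-all, to show its effect
ACCESS_CONF_OPEN=$(printf '%s\n' "$ACCESS_CONF" | grep -v '^- : ALL : ALL')

# list_matches_user LIST USER GROUPS -> 0 if LIST names USER, one of GROUPS, or ALL
list_matches_user() {
    local item g
    for item in $1; do
        case $item in
            ALL) return 0 ;;
            @*)  for g in $3; do [ "$g" = "${item#@}" ] && return 0; done ;;
            *)   [ "$item" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# list_matches_origin LIST ORIGIN -> 0 if LIST names ORIGIN exactly or ALL
list_matches_origin() {
    local item
    for item in $1; do
        if [ "$item" = ALL ] || [ "$item" = "$2" ]; then return 0; fi
    done
    return 1
}

# field_matches KIND FIELD ARGS... -> applies "a b EXCEPT c": the part before
# EXCEPT must match and the part after must not; KIND picks the matcher above
field_matches() {
    local kind=$1 field=$2 incl excl
    shift 2
    case " $field " in
        *" EXCEPT "*)
            incl=${field%%EXCEPT*}; excl=${field#*EXCEPT}
            list_matches_$kind "$incl" "$@" && ! list_matches_$kind "$excl" "$@"
            ;;
        *)  list_matches_$kind "$field" "$@" ;;
    esac
}

# check_access CONF USER GROUPS ORIGIN -> prints "+" or "-" from the first rule
# whose user and origin fields both match. pam_access permits a login that
# matches no rule at all, which is exactly what the trailing "- : ALL : ALL"
# line above prevents.
check_access() {
    local conf=$1 user=$2 groups=$3 origin=$4 line perm users origins
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        perm=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ')
        users=$(printf '%s' "$line" | cut -d: -f2)
        origins=$(printf '%s' "$line" | cut -d: -f3)
        if field_matches user "$users" "$user" "$groups" &&
           field_matches origin "$origins" "$origin"; then
            echo "$perm"
            return 0
        fi
    done <<EOF
$conf
EOF
    echo "+"
}

# Stand-alone run: each probe is a constructed user/group/origin combination
printf 'root from tty1:                  %s\n' "$(check_access "$ACCESS_CONF" root '' tty1)"
printf 'root from 10.0.0.5:              %s\n' "$(check_access "$ACCESS_CONF" root '' 10.0.0.5)"
printf 'alice (vmadmins) from 10.0.0.5:  %s\n' "$(check_access "$ACCESS_CONF" alice vmadmins 10.0.0.5)"
printf 'badadmin from 192.168.1.100:     %s\n' "$(check_access "$ACCESS_CONF" badadmin vmadmins 192.168.1.100)"
printf 'badadmin from 10.0.0.5:          %s\n' "$(check_access "$ACCESS_CONF" badadmin vmadmins 10.0.0.5)"
printf 'bob (users) from 10.0.0.5:       %s\n' "$(check_access "$ACCESS_CONF" bob users 10.0.0.5)"
printf 'bob, no catch-all rule:          %s\n' "$(check_access "$ACCESS_CONF_OPEN" bob users 10.0.0.5)"
```

The last probe is the one to remember: drop the `- : ALL : ALL` line and bob, who is in no permitted group, is let in, because an unmatched login is permitted rather than denied.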
  • The last line of the session section above creates home directories for the users allowed to log in. Otherwise you would have to create them all by hand. Every user SHOULD have a valid home directory; otherwise they are dropped into / as their home directory.
  • Reboot the server. For some reason, simply restarting ypbind does not apply the changes on ESX as it does on other Linux systems.