
NFS & NIS

Supervisor (GVHD): Nguyn Tn Khi

Phan Xun Phc Thnh-Phan Th Bch Thy

Preface
Topic 13
A. NFS - NETWORK FILE SYSTEM
  I. Brief introduction to NFS
  II. Setup NFS Server
    1. List of the NFS server's configuration files, services, scripts and commands
      a. /etc/exports
      b. /etc/hosts.allow and /etc/hosts.deny
    2. Starting the related services
      a. Starting the portmapper
      b. The daemons
    3. Verifying that the NFS services are running
    4. Making changes to /etc/exports take effect
  III. NFS configuration walkthrough
    1. Setup on the server
    2. Setup on the client
  IV. Security
    1. Overview
    2. The portmapper: managing connections
    3. Server security: nfsd and mountd
    4. Client security
      a. The nosuid mount option
      b. The broken_suid mount option
    5. NFS and firewalls
    6. Tunneling NFS through SSH
    7. Summary
B. NIS - NETWORK INFORMATION SERVICE
  I. Brief introduction to NIS
  II. Configuring NIS
    1. Configuring the NIS server
      a. Installing the service packages
      b. Editing /etc/sysconfig/network
      c. Editing /etc/yp.conf
      d. Starting the related NIS server services
      e. Initializing the NIS domain
      f. Starting the ypbind and ypxfrd services
      g. Checking that the services are running properly
    2. Adding NIS users
    3. Configuring the NIS client
      a. Running authconfig
      b. Starting the daemons related to the NIS client
      c. Checking domain name resolution
      d. Checking access to the NIS server
      e. Test logins to the NIS server
        i. Logging in via Telnet
        ii. Logging in via SSH
  III. NIS configuration walkthrough
  IV. Security
Appendix
  Some concepts
  References

Preface

The Linux operating system is being applied in more and more fields of science as well as in everyday life, from specialised systems in medicine and the military to education systems and office applications for end users. In recent years Linux has gradually come into use in Vietnam. Many organisations, companies and IT projects have chosen Linux as the environment in which to develop their applications. For that reason, learning about this operating system is becoming very important and necessary.

This report covers only two very small applications in the use of network administration services on Linux: Network File System (NFS) and Network Information Service (NIS). There is a great deal of documentation on Linux, but most in-depth material on any one area is still in English. Moreover, Linux now has a great many distributions (more than 30 as of April 2011), so while carrying out this project we ran into quite a few difficulties in consulting documents full of specialised terms, and with the differences in setup steps between distributions. Given this, the report certainly cannot avoid shortcomings and inaccuracies. We very much hope to receive our teacher's comments.

Our group sincerely thanks our teacher Nguyn Tn Khi for his guidance, and our friends and the members of the Linux forums who helped us complete this report.

Kontum, May 30, 2011


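Topic 13:
Study and use of the NIS and NFS network administration services on the Linux operating system:
- Introduction to their functions.
- Supporting libraries and how to compile and install from source.
- Related services/tools and configuration files.
- Deploying the services on server and client machines.
- Demonstration of concrete results.
- Safety and security mechanisms for the services.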


Network File System


A. NFS - NETWORK FILE SYSTEM

I. Brief introduction to NFS

NFS (Network File System) is the file-sharing service in common use today on Linux and Unix networks. NFS was developed to let computers mount a disk partition on a remote machine as if it were a local disk. It makes transferring files over the network faster and smoother. If you set it up incorrectly, it also gives unwanted people the potential to access your hard drive over the network (and in that way read your email, delete your files and bring down your system).

NFS uses a client/server model. The server has the physical disks holding the shared file systems and runs a number of background services (daemons) that share them with clients (a process called export). The services running on the server also provide file security and usage management (file system quota). Clients that want to use the file systems shared on the server simply use the NFS protocol to mount those file systems onto their own system.

NFS file sharing is used for many different purposes. For example, instead of every client/server system having its own /home/username partition for each user, the directory only needs to be stored on one central server (the NFS server), and the NFS protocol is then used to mount each user's /home/username directory when that user logs in.

There are some differences between NFS versions 2, 3 and 4. You will need NFS 3 for an installation on a large or specialised system, while NFS 2 and NFS 4 suit casual, small-scale users.

In short, NFS is a system developed to mount disk partitions on remote machines as if they were local, allowing fast, centralised file sharing over the network.


II. Setup NFS Server

Setting up the server is done in two steps: setting up the configuration files for NFS, and then starting the NFS services.

1. List of the NFS server's configuration files, services, scripts and commands

NFS server configuration files: /etc/exports, /var/lib/nfs/rmtab, /var/lib/nfs/xtab, /etc/hosts.allow, /etc/hosts.deny
NFS server services: rpc.portmap, rpc.mountd, rpc.nfsd, rpc.statd, rpc.rquotad
Scripts and commands: /etc/rc.d/init.d/nfs, nfsstat, showmount, rpcinfo, exportfs

There are three main configuration files you will need to edit to set up an NFS server: /etc/exports, /etc/hosts.allow and /etc/hosts.deny. Their contents are described below.

a. /etc/exports

Each line of text in /etc/exports has the following syntax:

    dir host1(options) host2(options) hostN(options)

where:

- dir: the directory or file system to be shared.
- host: one or more hosts allowed to mount dir. A host can be given as a name, as a group using the wildcard character *, or as a group using a network address/subnet mask range.
- options: one or more options applied to the mount.

The options are:

- ro: the shared directory is read-only; the client cannot write to it.
- rw: the client can read and write in the directory.
- no_root_squash: by default, any file request made by root on the client machine is treated as if it were made by the user nobody on the server (the anonymous account, which owns files created on the system without user intervention). The UID the request is mapped to depends on the UID of the user nobody on the server, not on the client. If no_root_squash is selected, root on the client has the same level of access to the files on the system as root on the server. This can have serious security implications, although it may be necessary if you want to carry out administrative work on the client that involves the shared directories. Do not specify this option without a clear reason.
- no_subtree_check: if only part of a volume is shared, a routine called subtree checking verifies that a file requested by the client lies in the shared part of the volume. If the whole volume is shared, disabling this check speeds up transfers.


- sync: concerns the point at which the client is told that a file write is complete, that is, written to stable storage. Being told so as soon as NFS has handed the write over to the file system can corrupt data if the server reboots.

An example /etc/exports file:

    /usr/local *.ipmac.vn(ro)
    /home 192.168.1.0/255.255.255.0(rw)
    /var/tmp 192.168.1.1(rw)

- First line: all hosts with a domain name of the form somehost.ipmac.vn may mount /usr/local read-only.
- Second line: any host with an IP address in the subnet 192.168.1.0/24 may mount /home with read and write access.
- Third line: only the host with IP address 192.168.1.1 may mount /var/tmp with read and write access.
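The syntax above can be checked mechanically. The following Python auditor is an added example, not part of the original report: it parses export lines and flags the options the text warns about, plus the case where a space before the parenthesis makes the options apply to every host. The function names and issue labels are assumptions of this example, and the sample reuses the three lines above followed by two constructed lines.

```python
import re

# Constructed sample: the three export lines from the text above, followed by
# two lines written for this example to trigger the checks.
SAMPLE_EXPORTS = """\
# dir        host(options) ...
/usr/local   *.ipmac.vn(ro)
/home        192.168.1.0/255.255.255.0(rw)
/var/tmp     192.168.1.1(rw)
/srv/build   192.168.1.7(rw,no_root_squash)
/data        *(rw,insecure) backup.ipmac.vn (rw)
"""

# Matches "host(options)", "host" alone, or "(options)" alone.
SPEC_RE = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Yield (lineno, directory, [(host, options), ...]) for each export line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        directory, *specs = line.split()
        clients = []
        for spec in specs:
            match = SPEC_RE.match(spec)
            if match is None:
                clients.append((spec, None))  # malformed entry
                continue
            opts = {o.strip() for o in (match.group("opts") or "").split(",")}
            clients.append((match.group("host"), opts - {""}))
        yield lineno, directory, clients


def audit_exports(text):
    """Return findings as (lineno, directory, host, issue) tuples (hypothetical labels)."""
    findings = []
    for lineno, directory, clients in parse_exports(text):
        for host, opts in clients:
            shown = host or "<any host>"
            if opts is None:
                findings.append((lineno, directory, shown, "malformed"))
                continue
            if "no_root_squash" in opts:
                # root on the client keeps UID 0 on the server
                findings.append((lineno, directory, shown, "no_root_squash"))
            if "insecure" in opts:
                # requests from unprivileged client ports are accepted
                findings.append((lineno, directory, shown, "insecure"))
            if host == "":
                # "host (rw)" with a space: the options apply to every host
                findings.append((lineno, directory, shown, "options_without_host"))
            if host in ("", "*") and "rw" in opts:
                findings.append((lineno, directory, shown, "world_rw"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("line %d: %s exported to %s: %s" % finding)
```
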
b. /etc/hosts.allow and /etc/hosts.deny

These two special files determine which computers on the network may use the services on your machine. Each line of the file holds a single entry listing one service and one group of computers. When the server receives a request from a client, it does the following:

- It checks hosts.allow. If the client matches a rule listed there, it is granted access.
- If the client does not match an entry in hosts.allow, the server goes on to check hosts.deny to see whether the client matches a rule listed there. If it does, the client is denied access.
- If the client matches no rule in either file, it is granted access.

2. Starting the related services

To use NFS, the following daemons (services running in the background on the system) are needed:

- Portmap: manages connections using the RPC (Remote Procedure Call) mechanism; runs on both server and client.
- NFS: starts the RPC processes on request to serve file sharing; runs only on the server.
- NFS lock: used by clients to lock files on the NFS server through RPC.


a. Starting the portmapper

NFS depends on the portmapper daemon (portmap or rpc.portmap), which must be started first. It should be located in /sbin, but is sometimes in /usr/sbin. Most recent Linux distributions start this service from the boot scripts (run automatically when the server boots), but you should still make sure it is running before you work with NFS (just type netstat -anp | grep portmap to check).

b. The daemons

The NFS service is supported by five daemons:

- rpc.nfsd: does most of the work.
- rpc.lockd and rpc.statd: handle file locking.
- rpc.mountd: handles the initial mount requests.
- rpc.rquotad: handles user file quotas on the exported volumes of the server.

lockd is called by nfsd on demand, so you do not need to worry much about starting it. statd needs to be started separately.

Recent Linux distributions, however, all have startup scripts for these daemons. The daemons are all part of the nfs-utils package and may be installed in /sbin or /usr/sbin. If your distribution does not include them in the startup scripts, you should add them yourself, configured to start in the following order:

    rpc.portmap
    rpc.mountd, rpc.nfsd
    rpc.statd, rpc.lockd (if necessary)
    rpc.rquotad

3. Verifying that the NFS services are running

To do this, query the portmapper with the command rpcinfo -p to find out which services it is providing. You should get output similar to the following:


       program vers proto   port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
        100011    1   udp    749  rquotad
        100011    2   udp    749  rquotad
        100005    1   udp    759  mountd
        100005    1   tcp    761  mountd
        100005    2   udp    764  mountd
        100005    2   tcp    766  mountd
        100005    3   udp    769  mountd
        100005    3   tcp    771  mountd
        100003    2   udp   2049  nfs
        100003    3   udp   2049  nfs
        300019    1   tcp    830  amd
        300019    1   udp    831  amd
        100024    1   udp    944  status
        100024    1   tcp    946  status
        100021    1   udp   1042  nlockmgr
        100021    3   udp   1042  nlockmgr
        100021    4   udp   1042  nlockmgr
        100021    1   tcp   1629  nlockmgr
        100021    3   tcp   1629  nlockmgr
        100021    4   tcp   1629  nlockmgr

4. Making changes to /etc/exports take effect

If you change /etc/exports, the changes may not take effect immediately; you must run the exportfs command to force nfsd to re-read the /etc/exports file. If you cannot find the exportfs command, you can send nfsd a HUP signal instead. If that does not work, do not forget to check hosts.allow to make sure you have not forgotten to list the client machines there. Also check the host lists on any firewall you have set up.

III. NFS configuration walkthrough

The setup uses two machines.

1. Setup on the server

The first step is to create a directory to share on the NFS server. Here it is the directory nfsdir.


Edit /etc/exports to allow this directory to be mounted over NFS with the desired access rights, using the command vi /etc/exports.

For example: (ro) = read only, (rw) = read + write.

To apply the new entry in /etc/exports, use the exportfs command.

Check whether the NFS, NFS lock and portmap daemons are all running and whether they start automatically each time the server reboots.


2. Setup on the client

Create a directory on the client (nfsdirs) to mount onto the directory on the server (nfsdir). Mount the two directories together, and the setup is finished.

IV. Security

1. Overview

With NFS, two steps are required for a client to gain access to a resource on the server.

The first step is mount access. Mount access is obtained by the client attempting to attach to the server. If the client's IP address matches one of the addresses in the allowed list, the client is allowed to mount. This is not really secure. If someone is able to spoof or take over a trusted address, they can access your mount points. A real-life example: you call a plumbing company, and afterwards someone arrives and introduces himself; you believe he really was sent by that company because he wears the company's staff badge. But what if that person is in fact an impostor? Once a machine has mounted a volume, its operating system has access to every file on the volume, and write access to those files as well if the volume was exported with the rw option.

The second step is file access. This is ordinary file access control on the client, not a special function of NFS. Once the volume is mounted, the user and group permissions on the files determine access control.

An example: on the server the user NEO is mapped to ID 9999. NEO creates a file on the server that only NEO can access (the equivalent of chmod 600). A client machine mounts the volume containing that file. On the client, the user XONE also has ID 9999. This means that XONE can access NEO's file, which was meant to be accessible only by NEO. Worse, if someone becomes superuser on the client (a special user account on UNIX with root access), they can use the command su username (to switch accounts) and become anyone. At that point NFS is no longer a wise choice.

2. The portmapper: managing connections

The portmapper keeps a list of which services are running on which ports. A connecting machine uses this list to see which ports it needs to talk to in order to reach particular services. The portmapper is not as bad as it was a few years ago, but it is still a point of worry for many system administrators. Like NIS and NFS, the portmapper should really not have connections made to it from outside a LAN. If you must expose them to the outside, be careful and keep up regular checks of the system.

Not all Linux distributions are created equal. Some distributions do not ship with a trustworthy portmapper. A simple way to check whether your portmapper is good is to run strings /sbin/portmap | grep hosts. and see whether it reads the files hosts.allow and hosts.deny. Assuming your portmapper is /sbin/portmap, you can check it with the following command, which should return output similar to this:

    # strings /sbin/portmap | grep hosts.
    /etc/hosts.allow
    /etc/hosts.deny
    @(#) hosts_ctl.c 1.4 94/12/28 17:42:27
    @(#) hosts_access.c 1.21 97/02/12 02:13:22

First, edit /etc/hosts.deny. Add the following line to the file:

    portmap: ALL

This denies access to everyone. While access is blocked, run rpcinfo -p to check that your portmap really reads and obeys this file. The command should return nothing, or possibly an error message. The files hosts.allow and hosts.deny take effect immediately after you save them. No daemon needs to be restarted.

Blocking portmap access for everyone is a bit heavy-handed, so we open access again by editing /etc/hosts.allow. But first we need to work out what to put in it. Basically, it lists all the machines that should have access to portmap. The machines that need to access services on your machine must be allowed to do so. Suppose your machine's address is 192.168.0.254, that it lives on the subnet 192.168.0.0, and that all machines on the subnet should have access to it (192.168.0.254). To do this, instead of portmap: ALL we write:

    portmap: 192.168.0.0/255.255.255.0

(If you are not sure of your network address/netmask, you can use the ifconfig or netstat command to verify it.)
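The decision order described in section II.1.b, applied to the portmap rules above, can be traced with a short Python model. This is an added example, not code from the original report or from the TCP wrappers library: the function names are hypothetical, only a subset of client patterns is handled (ALL, network/netmask, an "a.b.c." prefix and an exact IPv4 address), and the client addresses are constructed.

```python
import ipaddress

# Rule files as discussed in the text above.
HOSTS_DENY = "portmap: ALL\n"
HOSTS_ALLOW = "portmap: 192.168.0.0/255.255.255.0\n"


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, ip):
    """IPv4-only subset of client patterns (assumption of this example)."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # network/netmask form, as used in the text
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in network
    if pattern.endswith("."):  # prefix form such as "192.168.0."
        return ip.startswith(pattern)
    return pattern == ip


def any_rule_matches(rules, daemon, ip):
    """True if some rule names this daemon (or ALL) and matches the client."""
    for daemons, clients in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(c, ip) for c in clients):
                return True
    return False


def decide(daemon, ip, hosts_allow, hosts_deny):
    """Return (verdict, deciding source) in the order the text describes."""
    if any_rule_matches(parse_rules(hosts_allow), daemon, ip):
        return ("allow", "hosts.allow")
    if any_rule_matches(parse_rules(hosts_deny), daemon, ip):
        return ("deny", "hosts.deny")
    return ("allow", "default")  # no rule in either file


def walkthrough():
    """Decisions for four constructed requests."""
    return [
        # deny-all in place, hosts.allow still empty: everyone is refused
        decide("portmap", "192.168.0.45", "", HOSTS_DENY),
        # subnet opened in hosts.allow
        decide("portmap", "192.168.0.45", HOSTS_ALLOW, HOSTS_DENY),
        # host outside the subnet
        decide("portmap", "192.168.1.7", HOSTS_ALLOW, HOSTS_DENY),
        # a daemon that neither file mentions falls through to the default
        decide("mountd", "192.168.1.7", HOSTS_ALLOW, HOSTS_DENY),
    ]


if __name__ == "__main__":
    for verdict, source in walkthrough():
        print(verdict, "via", source)
```

The last case shows why rules for portmap alone do not cover the other daemons: a daemon named in neither file is allowed by default.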

3. Server security: nfsd and mountd

On the server, we do not want to trust any request made as root on the client (root has full access on the client, and that must not carry over to a server). We can prevent this with the root_squash option in /etc/exports:

    /home slave1(rw,root_squash)

(the option restricts root's rights). This setting should always be on; only for an extremely pressing reason should we turn it off, with the no_root_squash option.

Now, if a user with UID 0 (the ID of the superuser) on the client tries to access (read, write, delete) the file system, the server substitutes the UID of the anonymous account (the nobody user). This means that root on the client cannot access or change files that only root on the server can access or change. This is a good thing, and you should probably use root_squash on all the file systems you export.

The question remains whether root on the client can use the su command to impersonate any other user and try to access or change files on the server. The answer is yes, and that is really what will happen (on a system running Linux with NFS). There is one caveat here: all important files should be owned by root, because the only account that root on the client cannot impersonate is the server's root account.

TCP ports 1-1024 are reserved for root's use (which is why they are sometimes called secure ports). Other users cannot bind to these ports. Adding the secure option in /etc/exports means the server will only listen to requests coming from ports 1-1024 on the client, so that a malicious non-root user on the client cannot come along and open a spoofed dialogue on an unprivileged port. This option is set by default.

4. Client security

a. The nosuid mount option

Some notes on SUID

Sometimes you get an error when trying to run a program, saying that the program must be started with SUID rights. SUID stands for set user ID. It means that if SUID is set on an application/file, then while the program runs your user ID is set to that of the owner of the application/file instead of the current user. So if I have an application whose owner is 'root' and which has SUID set, then when I run it as a normal user it still runs as 'root'. The SUID bit tells Linux that the user ID root is set for this application, and that whenever the application is executed it must run as if it were executed by root (since root owns the file).

If you have followed the above, you may be worried: is this not a serious security hole? If a user can run an application as root, that looks like a blatant violation and a threat to system security. In practice, SUID is used as a way of increasing the safety of the system.

We can forbid SUID programs from running off the NFS file system with the nosuid option. Some programs on Linux, such as passwd, are called suid programs: they set the ID of the person running them to the ID of the file's owner. If a file is owned by root and is suid, the program executes with root rights, so it can carry out tasks that only root is allowed to do (such as writing to the password file). Using the nosuid option is a good idea, and you should consider applying it to all NFS-mounted volumes. It means that the server's root user cannot create a suid-root program on the file system, log in to the client as a normal user and then use the suid-root program to become root on the client.

One could also forbid execution of files on the mounted file system altogether with the noexec option. But this is more likely to be impractical than nosuid, because a file system is likely to contain at least some scripts or programs that need to be executed.
b. The broken_suid mount option

Some older programs (xterm, for example) used to rely on root being able to act anywhere on the file system. This breaks under newer Linux kernels on NFS mounts. The security implication is that programs doing this kind of suid action can be used to change your apparent uid on NFS servers that do uid mapping. For that reason broken_suid is disabled by default in the Linux kernel.

If you are using an old Linux distribution, some kind of old suid program or an older Unix, you may have to mount from the client with the broken_suid option. Recent Unix and Linux versions, however, have xterm and similar programs as ordinary executables, which call other programs to do their setuid work.

Explanation: a setuid process is one that can set its effective user to the super-user (root). That is, although any user can run the process, the process can then take on root privileges. One example of setuid is the ArcStorm wservice process.

5. NFS and firewalls

When a daemon starts, it requests a free port from the portmapper. The portmapper hands the daemon a port and keeps track of it. When other hosts or processes need to talk to the daemon, they ask the portmapper for the port number in order to find it. The ports therefore float continually: different ports may be free at different times, so the portmapper allocates them differently each time. This is a headache when setting up a firewall: if you never know where the daemons will be, you do not know exactly which ports to allow access to. This is not much of a problem for the many people running on a protected or isolated LAN. For users on a public network it is dreadful.

With kernel 2.4.13 and later you no longer need to worry about floating ports. All the NFS-related daemons can now be pinned to a port. Most of them do this easily with the -p option at startup. The daemons are started with a few arguments or options, described below:

- portmap always uses port 111 on tcp and udp.
- nfsd uses port 2049 (tcp/udp).
- The other daemons, statd, mountd, lockd and rquotad, normally move to the first available port assigned by the portmapper.
- To force statd to bind to a particular port, use the -p portnum option.
- To force statd to respond on a particular port, additionally use the -o portnum option when starting it.
- To force mountd to bind to a particular port, use the -p portnum option.


For example, to have statd bind to port 32765 and respond on port 32766, and mountd listen on port 32767, type:

    # statd -p 32765 -o 32766
    # mountd -p 32767

lockd is started by the kernel when it is needed. You therefore have to pass module options or kernel options to make lockd listen and respond on one particular port only. If you are using loadable modules and want to specify these options in /etc/modules.conf, add the following line:

    options lockd nlm_udpport=32768 nlm_tcpport=32768

This line sets port 32768 for lockd on both tcp and udp. If you are not using loadable modules, or if you have compiled lockd into the kernel rather than building it as a module, you will need to pass this as an option on the kernel boot line. It looks something like this:

    vmlinuz 3 root=/dev/hda1 lockd.udpport=32768 lockd.tcpport=32768

If you are using quotas and run rpc.rquotad to make them visible over NFS, you will need to take it into account as well when setting up the firewall. There are two source trees for rpc.rquotad: one in nfs-utils, the other in quota-tools. They do not behave identically: the one provided with nfs-utils supports binding the daemon to a port with the -p directive, but the one in quota-tools does not.

Let us take an example of setting up a firewall on the server:

    NFS server 192.168.0.42
    Client     192.168.0.45

From the example above we have:

- statd receives queries on port 32765 and replies on port 32766
- mountd is forced to bind to port 32767
- lockd's parameters are set to bind it to port 32768
- nfsd is on port 2049
- the portmapper is on port 111
- and we are not using quotas

Using IPCHAINS, a simple firewall would look like this:


    ipchains -A input -f -j ACCEPT -s 192.168.0.45
    ipchains -A input -s 192.168.0.45 -d 0/0 32765:32768 -p 6 -j ACCEPT
    ipchains -A input -s 192.168.0.45 -d 0/0 32765:32768 -p 17 -j ACCEPT
    ipchains -A input -s 192.168.0.45 -d 0/0 2049 -p 17 -j ACCEPT
    ipchains -A input -s 192.168.0.45 -d 0/0 2049 -p 6 -j ACCEPT
    ipchains -A input -s 192.168.0.45 -d 0/0 111 -p 17 -j ACCEPT
    ipchains -A input -s 0/0 -d 0/0 -p 6 -j DENY -y -l
    ipchains -A input -s 0/0 -d 0/0 -p 17 -j DENY -l

The first line says to accept all packet fragments (except the first fragment, which is treated as a normal packet). In theory no packet passes through until it has been reassembled. Of course there are attacks that can be mounted by overloading a machine with packet fragments. But NFS will not work correctly unless you let fragments through.

The other lines accept specific connections from any port on the client to the specific ports we have made available on the server. This means that if a client such as 192.158.0.46 tries to contact the NFS server, it will not be able to mount.

With ports that can be pinned, it is obviously much easier to control which hosts are allowed to mount your NFS shares. It is worth noting that NFS is not an encrypted protocol, and anyone on the same physical network can sniff the traffic (the packets) and reassemble the information being passed back and forth.
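Whether the daemons really sit on ports the firewall accepts can be checked by comparing rpcinfo -p output against the ACCEPT rules. The Python sketch below is an added example, not part of the original report: PAGE_RULES is transcribed from the rules above, the rpcinfo listing is constructed (daemons pinned as in the text, rquotad left floating), and the function names are hypothetical.

```python
# Transcribed from the ipchains rules printed above.
PAGE_RULES = """\
ipchains -A input -f -j ACCEPT -s 192.168.0.45
ipchains -A input -s 192.168.0.45 -d 0/0 32765:32768 -p 6 -j ACCEPT
ipchains -A input -s 192.168.0.45 -d 0/0 32765:32768 -p 17 -j ACCEPT
ipchains -A input -s 192.168.0.45 -d 0/0 2049 -p 17 -j ACCEPT
ipchains -A input -s 192.168.0.45 -d 0/0 2049 -p 6 -j ACCEPT
ipchains -A input -s 192.168.0.45 -d 0/0 111 -p 17 -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 -p 6 -j DENY -y -l
ipchains -A input -s 0/0 -d 0/0 -p 17 -j DENY -l
"""

# Constructed `rpcinfo -p` output for this example.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    749  rquotad
    100005    1   udp  32767  mountd
    100005    1   tcp  32767  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100021    1   udp  32768  nlockmgr
    100021    1   tcp  32768  nlockmgr
"""

PROTO_NAMES = {"6": "tcp", "17": "udp"}  # IP protocol numbers used by -p


def _arg(tokens, flag, offset=1):
    """Return the token `offset` places after `flag`, or None if absent."""
    if flag in tokens:
        index = tokens.index(flag) + offset
        if index < len(tokens):
            return tokens[index]
    return None


def accepted_ports(rules_text):
    """Build the set of (proto, port) pairs covered by ACCEPT rules."""
    accepted = set()
    for line in rules_text.splitlines():
        tokens = line.split()
        proto = PROTO_NAMES.get(_arg(tokens, "-p"))
        ports = _arg(tokens, "-d", 2)  # rule form: -d address port[:port]
        if _arg(tokens, "-j") != "ACCEPT" or proto is None:
            continue  # DENY rules and the protocol-less fragment rule
        if ports is None or ports.startswith("-"):
            continue  # rule carries no destination port
        low, _, high = ports.partition(":")
        accepted.update((proto, p) for p in range(int(low), int(high or low) + 1))
    return accepted


def parse_rpcinfo(text):
    """Return (service, proto, port) for each registration line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0].isdigit():
            rows.append((fields[4], fields[2], int(fields[3])))
    return rows


def uncovered_services(rpcinfo_text, rules_text):
    """Registrations whose (proto, port) no ACCEPT rule covers, sorted by port."""
    accepted = accepted_ports(rules_text)
    missing = {row for row in parse_rpcinfo(rpcinfo_text)
               if (row[1], row[2]) not in accepted}
    return sorted(missing, key=lambda row: (row[2], row[1], row[0]))


if __name__ == "__main__":
    for service, proto, port in uncovered_services(SAMPLE_RPCINFO, PAGE_RULES):
        print("no ACCEPT rule for %s on %s/%d" % (service, proto, port))
```

On this input the check reports rquotad on a floating port and, because the rules as printed carry no ACCEPT line for TCP port 111, the portmapper's TCP registration as well.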

6. Tunneling NFS through SSH

SSH basics:

SSH (Secure Shell) is a network protocol used to set up network connections securely. SSH operates at the upper layer of the TCP/IP layered model. SSH tools (such as OpenSSH) give users a way to set up encrypted network connections that form a private channel. SSH is a program for interaction between a server and a client that uses strong encryption to prevent eavesdropping and theft of information in transit. Earlier programs such as telnet and rlogin do not use encryption, so anyone can eavesdrop on, or even read the entire content of, a working session using a few simple tools. Using SSH is an effective way to protect data in transit from one system to another.

SSH works in three simple steps:

- Host identification: establish the identity of the systems taking part in the SSH session.
- Encryption: set up the encrypted working channel.
- Authentication: verify that the user is allowed to log in to the system.

One way to encrypt NFS traffic on the network is to use the port-forwarding capability of SSH. However, doing so has a serious drawback if you do not fully trust the local users on the server.


The first step is to export the files to localhost (the server itself). For example, to share the /home directory, add the following line to /etc/exports:

    /home 127.0.0.1(rw)

The next step is to use ssh to forward ports. For example, ssh can tell the server to forward to any port on any machine from a port on the client. Suppose, as in the previous section, that our server is 192.168.0.42 and that mountd is pinned to port 32767 with the argument -p 32767. On the client we type:

    # ssh root@192.168.0.42 -L 250:localhost:2049 -f sleep 60m
    # ssh root@192.168.0.42 -L 251:localhost:32767 -f sleep 60m

The first command makes ssh on the client take any request directed at port 250 on the client and forward it, first through sshd on the server and then on to port 2049 of the server. The second command does the same between requests to port 251 on the client and port 32767 on the server. Here localhost is relative to the server, which means the forwarding is done to the server itself. The port could otherwise have been forwarded to any other machine, and the requests would look to the outside world as if they came from the server (in fact they do originate on the server itself).

7. Summary

If you use hosts.allow, hosts.deny, root_squash, nosuid and the privileged port features in the portmapper/NFS software, you avoid many of the currently known bugs in NFS and can feel reasonably safe. But that is not all. After all of that, when an intruder has access to your network, they can make strange commands appear, redirect mail or read your email when /home or /var/mail is shared over NFS. For the same reason, you should never access your PGP private key (PGP being a data encryption method) over NFS, or at least you should know the risks involved. NFS and the portmapper together form a very complex subsystem, so it is not at all unlikely that new bugs will be discovered, whether in its design or in the way we use it.


Network Information Service


B. NIS - NETWORK INFORMATION SERVICE

I. Brief introduction to NIS

The Network Information Service (NIS) lets you create accounts that can be shared across every system on your network. NIS is a service for centralised user authentication:

- User accounts are created only on the NIS server.
- NIS clients download the necessary password information from the NIS server to authenticate each user login.
- One advantage is that users only have to change their password on the NIS server, instead of on every system in the network. This makes NIS popular in computer labs, distributed software development projects, or anywhere groups of people have to share many different computers.
- The user authentication process is not encrypted.

NIS does not encrypt the account and password information sent to the client at each login. Every user has access to the place where the NIS server stores the encrypted password file.

II. Configuring NIS

Some NIS commands:

- ypcat: prints values from an NIS map.
- ypwhich: finds the current server for the host in use.
- ypclnt: provides a graphical interface to YP (Yellow Pages) for the subsystem.
- yppasswd: changes the password for the NIS domain.
- ypmake: creates a new hash map.
- ypinit: configures a host as a server or a client.
- yppush: updates the version of a map.


1. Configuring the NIS server

Configuring an NIS server is not difficult, but it involves a great many steps (which are easy to overlook).

a. Installing the service packages

Download and compile the ypserv package, then install it.

b. Editing /etc/sysconfig/network

You must add the NIS domain you want to use at the end of this file. For example, for the domain NIS-SCHOOL-NETWORK:

    #/etc/sysconfig/network
    NISDOMAIN="NIS-SCHOOL-NETWORK"

c. Editing /etc/yp.conf

The NIS server must also be an NIS client, so you have to edit the NIS client configuration file /etc/yp.conf and add localhost:

    # /etc/yp.conf - ypbind configuration file
    ypserver 127.0.0.1

d. Starting the related NIS server services

Start the necessary NIS services in /etc/init.d and use the chkconfig command to make sure they start automatically with the machine.

    [root@bigboy tmp]# service portmap start
    Starting portmapper: [ OK ]
    [root@bigboy tmp]# service yppasswdd start
    Starting YP passwd service: [ OK ]
    [root@bigboy tmp]# service ypserv start
    Setting NIS domain name NIS-SCHOOL-NETWORK: [ OK ]
    Starting YP server services: [ OK ]
    [root@bigboy tmp]#
    [root@bigboy tmp]# chkconfig portmap on
    [root@bigboy tmp]# chkconfig yppasswdd on
    [root@bigboy tmp]# chkconfig ypserv on


Services required by the NIS server. To check the status of the services in the table above before moving on to the next step, you can use the rpcinfo command.

    [root@bigboy tmp]# rpcinfo -p localhost
       program vers proto   port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
        100009    1   udp    681  yppasswdd
        100004    2   udp    698  ypserv
        100004    1   udp    698  ypserv
        100004    2   tcp    701  ypserv
        100004    1   tcp    701  ypserv
    [root@bigboy tmp]#

The ypbind and ypxfrd services will not start correctly until you have initialized the NIS domain. Start them after the initialization is complete.

e. Initialize the NIS domain

Now that you have decided on the name of the NIS domain, you have to use the ypinit command to create the associated authentication files for the domain. You will be prompted for the name of the NIS server, which in this case is bigboy. With this procedure, nonprivileged accounts become automatically accessible through NIS.

    [root@bigboy tmp]# /usr/lib/yp/ypinit -m
    At this point, we have to construct a list of the hosts which will run NIS
    servers. bigboy is in the list of NIS server hosts. Please continue to add
    the names for the other hosts, one per line. When you are done with the
    list, type a <control D>.
    next host to add: bigboy
    next host to add:
    The current list of NIS servers looks like this:
    bigboy
    Is this correct? [y/n: y] y
    We need a few minutes to build the databases...
    Building /var/yp/NIS-SCHOOL-NETWORK/ypservers...
    Running /var/yp/Makefile...
    gmake[1]: Entering directory `/var/yp/NIS-SCHOOL-NETWORK'
    Updating passwd.byname...
    Updating passwd.byuid...
    Updating group.byname...
    Updating group.bygid...
    Updating hosts.byname...
    Updating hosts.byaddr...
    Updating rpc.byname...
    Updating rpc.bynumber...
    Updating services.byname...
    Updating services.byservicename...
    Updating netid.byname...
    Updating protocols.bynumber...
    Updating protocols.byname...
    Updating mail.aliases...
    gmake[1]: Leaving directory `/var/yp/NIS-SCHOOL-NETWORK'
    bigboy has been set up as a NIS master server.
    Now you can run ypinit -s bigboy on all slave server.
    [root@bigboy tmp]#

Note: make sure portmap is running before you carry out this step. Otherwise you will get an error message like this:

    failed to send 'clear' to local ypserv: RPC: Port mapper failureUpdating group.bygid...

You will then have to delete the /var/yp/NIS-SCHOOL-NETWORK directory and restart portmap, yppasswd and ypserv before trying this step again.


f. Start the ypbind and ypxfrd services

These two services can be started now that the NIS domain has been initialized.

    [root@bigboy tmp]# service ypbind start
    Binding to the NIS domain: [ OK ]
    Listening for an NIS domain server.
    [root@bigboy tmp]# service ypxfrd start
    Starting YP map server: [ OK ]
    [root@bigboy tmp]# chkconfig ypbind on
    [root@bigboy tmp]# chkconfig ypxfrd on

g. Check again that the services are running properly

    [root@bigboy tmp]# rpcinfo -p localhost
       program vers proto   port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
        100003    2   udp   2049  nfs
        100003    3   udp   2049  nfs
        100021    1   udp   1024  nlockmgr
        100021    3   udp   1024  nlockmgr
        100021    4   udp   1024  nlockmgr
        100004    2   udp    784  ypserv
        100004    1   udp    784  ypserv
        100004    2   tcp    787  ypserv
        100004    1   tcp    787  ypserv
        100009    1   udp    798  yppasswdd
     600100069    1   udp    850  fypxfrd
     600100069    1   tcp    852  fypxfrd
        100007    2   udp    924  ypbind
        100007    1   udp    924  ypbind
        100007    2   tcp    927  ypbind
        100007    1   tcp    927  ypbind
    [root@bigboy tmp]#
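The rpcinfo checks in steps d and g can be automated. The following Python code is an added example, not part of the original report: it parses `rpcinfo -p` output, reports which NIS server services are not yet registered, and lists the protocol/port pairs a firewall between client and server has to pass. The sample input is the step d listing re-typed inline; the function names are this example's own.

```python
# Listing from step d, taken before ypbind and ypxfrd are started.
SAMPLE_STEP_D = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100009    1   udp    681  yppasswdd
    100004    2   udp    698  ypserv
    100004    1   udp    698  ypserv
    100004    2   tcp    701  ypserv
    100004    1   tcp    701  ypserv
"""

# Service names exactly as rpcinfo prints them in the listings on this page.
NIS_SERVER_SERVICES = {"portmapper", "yppasswdd", "ypserv", "ypbind", "fypxfrd"}


def parse_rpcinfo(text):
    """Return one dict per registration; skip the header and malformed rows."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue
        if not all(c.isdigit() for c in (cols[0], cols[1], cols[3])):
            continue
        rows.append({"program": int(cols[0]), "version": int(cols[1]),
                     "proto": cols[2], "port": int(cols[3]), "name": cols[4]})
    return rows


def missing_services(rows, required=NIS_SERVER_SERVICES):
    """Names from `required` that have no registration in `rows`."""
    return sorted(set(required) - {r["name"] for r in rows})


def firewall_ports(rows):
    """Unique (proto, port) pairs that must be reachable from the clients."""
    return sorted({(r["proto"], r["port"]) for r in rows})


if __name__ == "__main__":
    rows = parse_rpcinfo(SAMPLE_STEP_D)
    print("not registered yet:", missing_services(rows))
    for proto, port in firewall_ports(rows):
        print(f"allow {proto}/{port}")
```

The ypserv ports differ between the two listings on this page (698/701, then 784/787), so a port list taken from one run has to be re-checked after the services restart.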


2. Adding NIS users

You can log in to the NIS server to create a new user account, and you set a password for that NIS user at the same time. When that is done, you have to run make to update the authentication files in /var/yp. This procedure makes all NIS-enabled nonprivileged accounts automatically accessible through NIS. It also shares the user characteristics stored in the /etc/passwd and /etc/group files (for example the login shell, the user's group and the home directory).

    [root@bigboy tmp]# useradd -g users nisuser
    [root@bigboy tmp]# passwd nisuser
    Changing password for user nisuser.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [root@bigboy tmp]# cd /var/yp
    [root@bigboy yp]# make
    gmake[1]: Entering directory `/var/yp/NIS-SCHOOL-NETWORK'
    Updating passwd.byname...
    Updating passwd.byuid...
    Updating netid.byname...
    gmake[1]: Leaving directory `/var/yp/NIS-SCHOOL-NETWORK'
    [root@bigboy yp]#

You can check whether the authentication information has been updated with the ypmatch command, which returns the user's encrypted password string.

    [root@bigboy yp]# ypmatch nisuser passwd
    nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/::504:100::/home/nisuser:/bin/bash
    [root@bigboy yp]#

You can also use the getent command, which has a similar syntax. Unlike ypmatch, it does not show the encrypted password string when run on the server; it shows the entry as it appears in the passwd file. On a client, the result is the same as with ypmatch.

    [root@bigboy yp]# getent passwd nisuser
    nisuser:x:504:100::/home/nisuser:/bin/bash
    [root@bigboy yp]#


3. Configuring the NIS client

a. Run authconfig

authconfig and authconfig-tui are programs that set up the NIS files automatically.

    [root@smallfry tmp]# authconfig-tui

When it finishes, it creates the /etc/yp.conf file, which defines, among other things, the IP address of the NIS server for a particular domain. It also edits the /etc/sysconfig/network file to define the NIS domain the NIS client belongs to.

    # /etc/yp.conf - ypbind configuration file
    domain NIS-SCHOOL-NETWORK server 192.168.1.100

    #/etc/sysconfig/network
    NISDOMAIN=NIS-SCHOOL-NETWORK

b. Start the daemons related to the NIS client

Start the ypbind client service and portmap from the /etc/init.d directory, and use the chkconfig command to make them start automatically every time the machine reboots.

    [root@smallfry tmp]# service portmap start
    Starting portmapper: [ OK ]
    [root@smallfry tmp]# service ypbind start
    Binding to the NIS domain:
    Listening for an NIS domain server.
    [root@smallfry tmp]#
    [root@smallfry tmp]# chkconfig ypbind on
    [root@smallfry tmp]# chkconfig portmap on

c. Check name resolution

You have to check that host names resolve to the correct IP addresses.

    # File: /etc/hosts (smallfry)
    192.168.1.100 bigboy

    # File: /etc/hosts (bigboy)
    192.168.1.102 smallfry


d. Check access to the NIS server

You can use the ypcat, ypmatch and getent commands to make sure that communication with the server works correctly.

    [root@smallfry tmp]# ypcat passwd
    nisuser:$1$Cs2GMe6r$1hohkyG7ALrDLjH1:505:100::/home/nisuser:/bin/bash
    quotauser:!!:503:100::/home/quotauser:/bin/bash
    ftpinstall:$1$8WjAVtes$SnRh9S1w07sYkFNJwpRKa.:502:100::/:/bin/bash
    www:$1$DDCi/OPI$hwiTQ.L0XqYJUk09Bw.pJ/:504:100::/home/www:/bin/bash
    smallfry:$1$qHni9dnR$iKDs7gfyt..BS9Lry3DAq.:501:100::/:/bin/bash
    [root@smallfry tmp]#

    [root@smallfry tmp]# ypmatch nisuser passwd
    nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/:504:100::/home/nisuser:/bin/bash
    [root@smallfry tmp]#

    [root@smallfry tmp]# getent passwd nisuser
    nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/:504:100::/home/nisuser:/bin/bash
    [root@smallfry tmp]#

Possible causes of errors are:

- Incorrect authconfig settings in /etc/yp.conf, /etc/sysconfig/network and /etc/nsswitch.conf.
- The ypinit command was not run on the NIS server.
- NIS is not started on the NIS server or on the client.
- Routing between the server and the client is broken, or a firewall is blocking the traffic on the network.
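The `ypcat passwd` output above shows that every NIS client can read the password field of every account. The following Python code is an added example, not part of the original report: it classifies the password field of each passwd map entry so an administrator can see which accounts expose a hash, and under which crypt scheme. The sample entries and hash strings are constructed, and the function names are this example's own.

```python
import re

# crypt(3) scheme identifiers found between the first two '$' signs.
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}
# Constructed sample in `ypcat passwd` format; the hash strings are made up.
SAMPLE = """\
alice:$1$abcdefgh$AAAAAAAAAAAAAAAAAAAAAA:501:100::/home/alice:/bin/bash
bob:!!:502:100::/home/bob:/bin/bash
carol:x:503:100::/home/carol:/bin/bash
dave:$6$saltsalt$BBBBBBBBBBBBBBBB:504:100::/home/dave:/bin/bash
erin:abCDEFGHIJKLM:505:100::/home/erin:/bin/sh
frank::506:100::/home/frank:/bin/bash
grace:$1$abcdefgh$CCCC::507:100::/home/grace:/bin/bash
"""

def classify(field):
    """Return (status, scheme) for the password field of one entry."""
    body = field.lstrip("!")  # a locked account keeps its hash after the '!'
    m = re.match(r"\$([0-9a-z]+)\$", body)
    if m:
        return "exposed-hash", SCHEMES.get(m.group(1), "unknown")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", body):
        return "exposed-hash", "des-crypt"
    if field == "":
        return "empty-password", None
    if field == "x":
        return "shadowed", None
    if body in ("", "*"):
        return "locked", None
    return "unrecognized", None

def audit(map_text):
    """Return (findings, malformed_line_numbers) for a passwd map dump."""
    findings, malformed = [], []
    for number, line in enumerate(map_text.splitlines(), 1):
        parts = line.split(":")
        if len(parts) != 7:  # a passwd entry has exactly seven fields
            malformed.append(number)
            continue
        status, scheme = classify(parts[1])
        findings.append({"user": parts[0], "status": status, "scheme": scheme})
    return findings, malformed

if __name__ == "__main__":
    findings, malformed = audit(SAMPLE)
    for f in findings:
        print(f"{f['user']:8} {f['status']:15} {f['scheme'] or '-'}")
    print("malformed lines:", malformed)
```

On a live client the same functions can be fed the output of `ypcat passwd` instead of the constructed sample.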

a. Try logging in to the NIS server

After setting up the NIS server, adding users and configuring the NIS client, try logging in to the NIS server from the client. If the login fails, there are two likely causes: a firewall is blocking access over SSH and TELNET, or these two services have not been started on the client.

i. Logging in over Telnet

    [root@bigboy tmp]# telnet 192.168.1.201
    Trying 192.168.1.201...
    Connected to 192.168.1.201.
    Escape character is '^]'.
    Red Hat Linux release 9 (Shrike)
    Kernel 2.4.20-6 on an i686
    login: nisuser
    Password:
    Last login: Sun Nov 16 22:03:51 from 192-168-1-100.simiya.com
    [nisuser@smallfry nisuser]$

ii. Logging in over SSH

    [root@bigboy tmp]# ssh -l nisuser 192.168.1.102
    nisuser@192.168.1.102's password:
    [nisuser@smallfry nisuser]$

On some Linux versions, the SSH service on the client does not pick up the changes you made to /etc/nsswitch.conf until SSH is restarted. For that reason it cannot query the NIS server unless you restart SSH on the client.

    [root@smallfry root]# service sshd restart
    Stopping sshd:[ OK ]
    Starting sshd:[ OK ]
    [root@smallfry root]#


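III. NIS Configuration Walkthrough

The configuration uses two machines running CentOS: one is the server and one is the client. On machine 1, install the package ypserv-2.19-3.rpm

Declare the NIS domain: open the following file

Add the following line to the end of the file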


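Declare the NIS domain by opening the following configuration file:

Add the following line to the end of the file, declaring that the NIS domain server is this machine itself by using the loopback IP address:

Then use the following command to view the registered ports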


Next, update the database for the NIS server with the following command:

At this point you can add a user, or you can add users later. Here we will add users later by pressing "Ctrl+D".


The machine reports that the NIS domain has been set up successfully.

To view the NIS server database that has just been updated, type the following command:


Start the NIS client:

Create a user for the client to log in to the NIS server, and import the user into the NIS domain

Import the users into the NIS domain

View and check whether the users are now in the NIS domain


Note: if you create a new user with the useradd command, that user exists only locally. For the user to belong to the NIS domain, you need to import the user as shown above.

IV. Security

The usual way to change an NIS password is to run the yppasswd command on an NIS client. This command uses the yppasswd protocol and needs the rpc.yppasswdd process to be running on the NIS server. The protocol has a drawback: the old password is sent over the network as clear text (unencrypted). This is not much of a problem if the password change succeeds, because in that case the old password is overwritten by the new one. But if the password change fails part way through, an attacker can capture the unencrypted password and use it to log in to the network. Even worse, if the system administrator changes the NIS password for someone else, the root password of the NIS server is transmitted over the network as clear text.

To avoid this, you can use the more secure rpasswd command from the pwdutils package. rpasswd changes the password of a user account on the server over a secure SSL connection. A normal user can only change their own password. Anyone who knows the system administrator's password (in this case the root password on the NIS server) can change the password of any account by calling rpasswd with the -a option.

    -a, --admin
        With this option, rpasswd connects as administrator user to the remote server. The user has to supply the administrator password and can change then every password


Appendix:
Some concepts:
loadable module: a module that can be loaded.
Network Loadable Module (Netware) (NLM): a module that can be loaded over the network.
Source tree: a term for the directory in which the source code will be compiled.
Traffic: the flow of data.
Portmapper: the port registry, holding the list of mappings between ports and the corresponding services (similar in structure to the file C:\Windows\System32\drivers\etc\services in Windows).
Daemon: a service that runs in the background on the system.
Export: sharing files (the export process).

