How-To: Linux workstation with SME server

ver 0.8

Adam Landow

Lecturing Support Officer,

Alice Springs Correctional Centre

Alice Springs N.T 0870

email: adamlandow at bonbon.net

Scope:

This how-to illustrates a scenario where Linux workstations and an e-smith SME server can entirely replace a Windows network with domain logons replaced with native NIS authentication, and roaming profiles replaced with shared home directories on the e-smith box.

The motivation for this is a) to prove that in many cases, Windows is NOT necessary at all, b) to provide a more stable computing environment in a SME environment, and c) save stacks of cash.

Example: a community organization (community corrections in my case) is donated a number of ex-military PC’s with completely blank hard drives. Funding is minimal, and accountability is high, so using a ‘wink wink’ copy of Windows is not an option if you want to stay on this side of the wire.

However, a Windows-like environment is necessary to minimise training requirements.

Software Version information:

The SME version used in this how-to is 6.0.1-01

The workstation used in this how-to is Xandros Desktop version 3, OC Edition. This was chosen due to its accurate emulation of the Windows environment and its ability to be upgraded to run Windows binaries if necessary using CrossOver Office for a modest fee. Other workstation distributions could conceivably be substituted here.

For reference, Xandros 3 OC is a variant on the Debian Sarge distribution.

Assumed knowledge:

Acquisition and installation of rpm packages on an e-smith SME server. I usually download them from a workstation, dump them into an I-bay and use Midnight Commander to navigate around from within an SSH shell before running rpm -Uvh insertpackagehere.rpm. For shell access I use PuTTY.

Editing of configuration files using your favourite editor: again, Midnight Commander is my favourite, but the ‘old-skool’ diehards will probably want to use Vi or some other obscure thing.

Using Debian’s apt-get utility to install the necessary modules on the workstation.

Files required for server:

from http://www.dungog.net/sme/files/nis-nfs/

dungog-nis-0.1-1.noarch.rpm
e-smith-nfs-1.2.1-04sjn01.noarch.rpm
nfs-utils-0.3.3-5.i386.rpm
portmap-4.0-41.i386.rpm
ypserv-2.2-9.i386.rpm
yp-tools-2.6-4.i386.rpm
ypbind-1.10-7.i386.rpm

References:

Swerts-Knudsen.dk website, page

http://sme.swerts-knudsen.dk/howtos/howto_31.htm

Stephen Noble's how-to (essentially this one)

http://www.dungog.net/sme/files/nis-nfs/README.txt

NIS generic how-to

http://www.opennet.ru/docs/HOWTO/NIS-HOWTO/

1) Server setup.

NIS

From a fresh install of SME;

NIS or Network Information Service, is a service that provides information, that has to be known throughout the network, to all machines on the network. NIS is a system that becomes very useful when you have more than one SME server in your network and you want to be able to log into all with the same username.

Install the rpms from the nis-nfs directory.

[root@sme ]# rpm -Uvh ypserv-* portmap-* dungog-nis-*

Start the portmap and ypserv services

[root@sme ]# service portmap start
[root@sme ]# service ypserv start

Now we have to make sure the NIS Server is running. The following command should return this output.

[root@sme ]# rpcinfo -u localhost ypserv

program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting

Now on the NIS Master run
[root@sme ]# /usr/lib/yp/ypinit -m

adam- nicked from Damian

create /var/yp/push and fill with:

grep "/home/e-smith/files/users" /etc/passwd | awk -F: ' {print $1":"$2":"$3":"$4":"$5":\/home\/"$1":\/bin\/bash"}' > /etc/passwd.dist
make

[root@sme ]# chmod 755 /var/yp/push

Edit /var/yp/Makefile and change the line which says:

PASSWD = $(YPPWDDIR)/passwd

to

PASSWD = $(YPPWDDIR)/passwd.dist

Also add to the Makefile where it says

all: passwd group shadow \ (about line 103)

so it says

all: passwd group shadow auto.master auto.home

(When you run /var/yp/push only the user entries from /etc/passwd are crunched into an alternative passwd file with corrected homedir paths for the client automounters to use. Also we don't want to distribute SME's root password to everyone do we ?)

Make the following the only entries in /etc/auto.master

/home auto.home

Create /etc/auto.home and add the following

* -fstype=nfs,soft,intr,rsize=8192,wsize=8192,nosuid 192.168.100.40:/home/e-smith/files/users/&/home

where 192.168.100.40 is, of course, the IP of your server

Run /var/yp/push by typing, while in the /var/yp directory

[root@sme ]# ./push

[adam- also may need to run nfslock on server and client]

[you may need ypbind and yp-tools to test your sme nis if you have problems sn]

----------------- NFS setup ----------------------------

1) rpm -Uvh e-smith-nfs-1.21-04sjn01.noarch.rpm nfs-utils-0.3.3-5.i386.rpm

2) populate /etc/exports and start NFS

[root@sme]# /sbin/e-smith/signal-event nfs-update

3) Make it run on bootup

[adam- perhaps better to use ln -s /etc/rc.d/init.d/nfs /etc/rc7.d/S99nfs?]

[root@sme]# /sbin/e-smith/db configuration set nfs service

[root@sme]# /sbin/e-smith/db configuration setprop nfs status enabled

=============== 2) Client setup =================================

--------------- NIS Setup ---------------------

1) Download Xandros 3.01 OC Edition, either using BitTorrent (faster and free) or pay the $10 US to grab it from their server.

2) Install on the client machine with standard install options.

3) Set up the NIS client:

a) open Xandros Networks application and click on the Debian unsupported site option found under edit -> Set Application Sources.

c) open terminal, logon as superuser, or su

apt-get install nis

d) edit /etc/yp.conf to contain the line

ypserver yourservername.yourdomain.com broadcast

[added broadcast sn]

e) edit /etc/hosts to contain the line edited to suit

192.168.1.1 yourservername.yourdomain.com yourservername

where IP address is that of your server

[only needed if ping servername doesn't work, it should sn]

f) restart NIS

/etc/init.d/nis restart

Check to see if NIS is working by entering into a terminal

ypcat passwd

also check to see that auto.master and .home are being exported

ypcat auto.home
ypcat auto.master

and if all's good you'll get the password hashes of all the users on your e-smith box! and other handy info!
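The push script's filtering on the server and the ypcat passwd check above both come down to what the passwd map actually hands to every client. The following is an added example, not part of the original how-to: the function names audit_nis_passwd and sample_passwd_dist, the MIN_UID default of 500 and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit passwd-format data that NIS serves to clients.
#   server:  audit_nis_passwd /etc/passwd.dist
#   client:  ypcat passwd | audit_nis_passwd -
# Prints one finding per line; returns 0 when clean, 1 otherwise.
# MIN_UID (assumed default 500) is the lowest UID treated as a real user.

audit_nis_passwd() {
    awk -F: -v min_uid="${MIN_UID:-500}" '
        NF != 7 { print "MALFORMED line " NR; bad = 1; next }
        # root or any other UID 0 account must never be in the map
        $3 + 0 == 0 { print "UID0 " $1; bad = 1 }
        # system accounts have no business on the workstations either
        $3 + 0 > 0 && $3 + 0 < min_uid + 0 { print "SYSTEM " $1 " uid=" $3; bad = 1 }
        # field 2: "x", "*" and "!..." are placeholders; empty means no password
        $2 == "" { print "EMPTYPW " $1; bad = 1 }
        $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "HASH " $1; bad = 1 }
        # push rewrites every home directory to /home/<user> for the automounter
        $6 != ("/home/" $1) { print "HOMEDIR " $1 " " $6; bad = 1 }
        END { exit bad + 0 }
    ' "$@"
}

# Constructed sample map: names, UIDs and hash strings are made up.
sample_passwd_dist() {
    cat <<'EOF'
alice:$1$EXAMPLE$constructedhashnotreal00:5001:5001:Alice Example:/home/alice:/bin/bash
bob:x:5002:5002:Bob Example:/home/bob:/bin/bash
root:$1$EXAMPLE$constructedhashnotreal01:0:0:root:/root:/bin/bash
EOF
}

# Demo run on the constructed sample.
sample_passwd_dist | audit_nis_passwd - || echo "findings listed above"
```

A HASH finding on the client means any machine that can bind to the NIS domain can read that user's password hash, which is the exposure listed under current issues below.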

----------------- NFS setup ----------------------------

automount- should work.

On RH8 the automounter should be working once installed. The auto home dir thingie is exported from the server so there should be very little intervention needed on the part of the client.

Xandros has one, but it's not clear at the moment how to get it happening.

I saw something somewhere about 99% of problems with automount being due to a non-empty /home dir. Is this true? It would explain my success with a fresh RH8 install but not a Xandros install on a machine I'm using all the time with local accounts...

reboot the workstation and try logging on as one of the users in the e-smith box!

Current issues/requests
  • some devices dependent on group membership of the local machine (audio being a major case in point) won't work.
  • NFS won't start at bootup on the server; chkconfig doesn't seem to do it properly
  • There is probably a whole bunch of security holes here, not least of which is the ability to grab password hashes. l0pht crack, anyone?