[Freeipa-users] More slapi-nis help

Brandon Young bkyoung at gmail.com
Thu Aug 20 01:21:23 UTC 2009


On Wed, Aug 19, 2009 at 5:19 PM, Nalin Dahyabhai <nalin at redhat.com> wrote:
> On Wed, Aug 19, 2009 at 04:50:44PM -0500, Brandon Young wrote:
>> I have been dinking with this a few minutes at a time since last week,
>> and am having a problem, still.  I have gone over my nis-plugin.ldif
>> file and verified that nis-domain matches everywhere (at first it
>> didn't), and that once the dirsrv successfully starts I can see with
>> 'rpcinfo -p' that ypserv is bound to some port (it changes each time I
>> reboot, but no biggie; I'm not running a firewall).  I can check from
>> a remote host (again with rpcinfo) and see the ypserv service is
>> available.  However, when I try to 'ypcat passwd', from a host that is
>> configured to use the freeipa server as its NIS server, it doesn't
>> return anything.  If I further do something like: 'ypcat -h
>> freeipakc01 -d someorg passwd', it eventually times out and says "No
>> such map passwd.byname. Reason: Can't communicate with portmapper".
>> "Aha," I think.  A clue.  Alas, I verified that the rpcbind service is
>> still running.  Both host.allow and host.deny are empty (thus allowing
>> all connections).  Rebooting doesn't help.
>>
>> Here is my ldif I uploaded to set up the nis-plugin:
>>
>> dn: cn=NIS Server, cn=plugins, cn=config
>> objectclass: top
>> objectclass: nsSlapdPlugin
>> objectclass: extensibleObject
>> cn: NIS Server
>> nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
>> nsslapd-plugininitfunc: nis_plugin_init
>> nsslapd-plugintype: object
>> nsslapd-pluginenabled: on
>> nsslapd-pluginid: nis-server
>> nsslapd-pluginversion: 0.15
>> nsslapd-pluginvendor: redhat.com
>> nsslapd-plugindescription: NIS Server Plugin
>> nis-tcp-wrappers-name: nis-server
>
> I notice you don't have a "nsslapd-pluginarg0" set here, so the plugin's
> going to use the first reserved port it can bind to ("rpcinfo -p" will
> tell you which one it settled on -- your example output showed it landed
> on 710) to receive client requests.  If you're running a firewall on the
> NIS server, is that port open?
>

I am not running a firewall.  If I probe portmapper from a remote host
(again, using 'rpcinfo -p freeipa', where freeipa is the name of the
server) I can see ypserv running on port 710.  Am I correct in
understanding that it is unnecessary to set the nsslapd-pluginarg0 to
a specific port, since I am not running a firewall on the server?

>> dn: nis-domain=someorg+nis-map=passwd.byname, cn=NIS Server, cn=plugins, cn=config
>> objectclass: top
>> objectclass: extensibleObject
>> nis-domain: someorg
>> nis-map: passwd.byname
>> nis-base: cn=users, dc=some-org, dc=org
>> nis-secure: no
>
> That looks right to me.
>
> The default settings for maps named 'passwd.byname' configure the plugin
> to expect that entries which should appear in the map will match the
> filter "(objectClass=posixAccount)" and will have a single value for at
> least these attributes:
>  uid, uidNumber, gidNumber

Every user entry in the database has a single value for each of those
three attributes.

> and it would prefer to also see these:
>  userPassword, gecos (or cn), homeDirectory, loginShell
>

All these attributes are also set (except userPassword, in some
cases).  I used ipa-adduser to add every user, and supplied all
required fields for each entry, which set all these attributes (though
did not *require* passwords.  Some entries do have passwords set,
though).

> Do the user entries meet these requirements?  If not, you'll need to
> override the default settings for the map to have it make use of what's
> there.
>
> HTH,
>

Any other ideas what I might look at?  Is there a log file I can turn
to?  Perhaps a way to put the server/plugin in debug mode to see if an
NIS request is even being serviced?  As nearly as I can tell (without
breaking out wireshark) the ypserv plugin/service is not even
acknowledging requests from a client that can otherwise ping the
server and probe it with rpcinfo.

The steps I took were:

1. Insert ldif entries defining the plugin and mappings (as described
in the previous email)
2. restart dirsrv
3. verify rpcbind has bound ypserv to some ports
4. reconfigure an existing NIS client to point at the new NIS server
5. attempt a ypcat of passwd

Sounds easy.  The getting started guide doesn't seem to detail any
additional steps.  Are there missing steps?  Did I miss a step
detailed somewhere?  Should it just work?  I feel like I must be
missing something very basic.

> Nalin
>
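
The entry requirements Nalin lists for a default passwd.byname map can be checked offline against an LDIF export of the nis-base subtree. The following Python script is an added example, not part of the original message and not slapi-nis code; the function names and the sample entries are constructed for illustration, and the minimal parser assumes plain "attr: value" lines (no base64 values or folded lines).

```python
# Added example, not slapi-nis code. Attribute rules are those stated in the reply.
REQUIRED = ("uid", "uidnumber", "gidnumber")            # exactly one value each
PREFERRED = ("userpassword", "homedirectory", "loginshell")

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, names lowercased."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def check_entry(entry):
    """Return (blocking, warnings); any blocking item keeps the entry out of the map."""
    classes = [c.lower() for c in entry.get("objectclass", [])]
    blocking = [] if "posixaccount" in classes else ["no objectClass=posixAccount"]
    for attr in REQUIRED:
        count = len(entry.get(attr, []))
        if count != 1:
            blocking.append(f"{attr}: {count} values, need exactly 1")
    warnings = [f"{attr} missing" for attr in PREFERRED if not entry.get(attr)]
    if not (entry.get("gecos") or entry.get("cn")):
        warnings.append("gecos and cn both missing")
    return blocking, warnings

def report(text):
    return {e["dn"][0]: check_entry(e) for e in parse_ldif(text)}

# Constructed sample entries under the nis-base from the thread.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=some-org,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001
cn: Alice Example
homeDirectory: /home/alice
loginShell: /bin/bash

dn: uid=bob,cn=users,dc=some-org,dc=org
objectClass: posixAccount
uid: bob
uid: robert
uidNumber: 1002
gidNumber: 1002
"""
```

Calling `report()` on a real export returns, per DN, the problems that would exclude the entry from the map and the preferred attributes it lacks.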



