Hello all,
Thanks very much to:
Craig Biggerstaff
Kristin Larson
Lars Bro
for their replies. They all relayed useful information. The bottom line
is that the prpassword file is only available on the NIS primary. If the
primary fails then no one but root can log in because C2 needs the
prpassword file. The only way around this is to run ASE and set up /tcb
as a disk service that would move between machines.
Thanks again,
Mark Jaunty
###############################################################
Craig Biggerstaff wrote:
Someone else asked about NIS and C2 on the same system last week, and
here is what I told them:
You can get C2 and NIS to work on the same system. But you might not
want to (see below). Details for setting up C2 and NIS to work together
are in the DU Security manual. Once you have it set up, users don't use
yppasswd, they use plain ol' passwd. Unlike plain ol' passwd in a
non-C2 environment, this *does* update the NIS database.
The problem with C2 is that C2 carries additional information in the
password database that causes updates with every login attempt. In an
NIS environment, this becomes a single point of failure for your
network, because every login requires an update to the NIS master
server, and if the NIS master is down, users cannot log in to NIS client
systems. Under regular security and NIS, users can log in if the NIS
master is down; they simply can't change their passwords. In addition
to the single point of failure problem, C2 causes a *major* increase in
the number of updates to the NIS master server, so it can quickly become
a performance bottleneck.
(So the answer to your question is yes: it does defeat the purpose of
having NIS slave servers.)
-- Craig Biggerstaff
Kristin Larson wrote:
C2 is set up so that if you set up a slave it cannot update the Master
databases. The slave is really not supported, to make sure that only one
machine can change the password files. This way, it is harder to corrupt
or break in to an NIS group with C2 security. That was the explanation I
received in a nutshell.
Also, when I spoke with a DEC tech, she told me straight out not to
create a slave with NIS and C2 because of this security feature.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Kristin L. Larsen aka) "Hey you!"
Lars Bro wrote:
The NIS Master is responsible for maintaining the /var/yp/src/prpasswd
file. This file contains dynamic information such as when you last
logged in, how many times you mistyped your password and so on.
When someone logs in or logs out, the following happens:

    That person                      NIS Master
    -----------                      ----------
    initiate login
    validate password
    send "he logged in"              receive "he logged in"
                                     update /var/yp/src/yppasswd
                                     update "yppasswd" map
                                     update all slave servers as
                                     registered in the "ypservers"
                                     NIS map by means of yppush
                                     command
    wait for yppasswd to
    be updated. This confirms
    that NIS has registered the
    information.
    finish login

1) If the NIS server is down, nothing will work. This is a single point
   of failure and the remedy is to run TruCluster.
2) If a NIS slave is down, the NIS master will not get an answer from
   that slave and will time out. Now, if the slave that serves you
   happens to be updated after that one, you will unfortunately
   time out before the NIS master gets to you.
Your problem is the 2) problem. I have solved it by having the NIS
master pinging all its slaves each minute and recreating the 'ypslaves'
map so that this map only contains the slaves known to be up during the
last minute. If a slave goes down just as you are logging on you may
still time out but the next time you try, things will work again.
Here is the script I wrote for that purpose:
#!/sbin/sh
#################################################################
#
# This file is the property of
#
# DSC Communications A/S
# Denmark
#
#################################################################
#
# $Id: pollservers,v 1.1 1997/11/28 14:24:20 lab Exp $
#
# $Log: pollservers,v $
# Revision 1.1 1997/11/28 14:24:20 lab
# Adding support for NIS on ase
#
#
PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin:/var/yp
SERVERFILE=/var/yp/src/ypservers     # source list of all slave servers
TIMEOUT=10                           # seconds to let the pings answer
MAPDIR=/tmp/ypservers$$              # scratch dir: one marker file per live slave
                                     # (the $$ path is predictable; mktemp is
                                     # safer where it is available)
SERVICE=tmn_nis                      # ASE service name recorded as map master

[ -f $SERVERFILE ] || exit 0
mkdir $MAPDIR || exit 0

# Ping every listed server in parallel; a server that answers gets an
# empty marker file named after it.
for Y in `cat $SERVERFILE`
do
    if ping -c 1 $Y >/dev/null 2>&1
    then
        > $MAPDIR/$Y
    fi &
done

# Give the background pings time to finish, then rebuild the ypservers
# map from the marker files (key and value are both the server name)
# and push it out to the slaves that are up.
sleep $TIMEOUT
ls $MAPDIR | awk '{print $0, $0}' | makedbm \
    -m $SERVICE - /var/yp/`domainname`/ypservers
yppush ypservers >/dev/null 2>&1
rm -rf $MAPDIR
Hope this may be of use.
Yours, Lars Bro
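The following is an added example, not code from this thread or from any of its authors: a small Python model of the login-time exchange Lars describes (client validates the password, master records the login in prpasswd, rebuilds the map and pushes it to each slave in ypservers order, client waits for its own slave's map) and of what pruning the ypservers map to reachable slaves changes. The class and function names, the slave names, and the two timing constants (per-slave yppush timeout, client wait limit) are constructed assumptions chosen to make the failure modes in the thread visible; they are not Tru64 or NIS values.

```python
# Added example (not from the thread): a model of the login-time update that
# C2 security adds to NIS, and of the effect of pruning ypservers to live
# slaves. All names, slave hosts and timing constants are constructed.
from dataclasses import dataclass, field

PUSH_TIMEOUT = 10   # assumed: seconds yppush waits on a dead slave before moving on
CLIENT_WAIT = 15    # assumed: seconds a client waits for its slave's map to update


@dataclass
class NisMaster:
    up: bool = True
    ypservers: list = field(default_factory=list)  # slaves in the ypservers map, push order
    reachable: dict = field(default_factory=dict)  # constructed: slave name -> is it up?
    prpasswd: dict = field(default_factory=dict)   # C2 extended data: user -> login count

    def push_login_record(self, user, client_slave):
        """Master side of the exchange. Records the login, then yppushes the
        map to every registered slave in order. Returns the seconds that pass
        before client_slave holds the new map (inf if it never does), or None
        when the master itself is down."""
        if not self.up:
            return None
        self.prpasswd[user] = self.prpasswd.get(user, 0) + 1
        elapsed = 0
        for slave in self.ypservers:
            if not self.reachable.get(slave, False):
                elapsed += PUSH_TIMEOUT   # dead slave: yppush times out, then continues
                continue
            if slave == client_slave:
                return elapsed            # the client's slave now has the update
        return float("inf")               # client's slave not in the map, or down


def c2_login(master, user, password_ok, client_slave):
    """Client side under C2: after the password check the login does not finish
    until the master has registered it and the client's slave has the map."""
    if not password_ok:
        return "denied"
    wait = master.push_login_record(user, client_slave)
    if wait is None:
        return "failed: NIS master down"
    if wait > CLIENT_WAIT:
        return "failed: timed out waiting for yppasswd map"
    return "ok"


def plain_nis_login(master, user, password_ok):
    """Without C2 there is no login-time write, so the master's state is irrelevant."""
    return "ok" if password_ok else "denied"


def prune_ypservers(master):
    """What the pollservers script does once a minute: rebuild the map so it
    lists only the slaves that answered a ping."""
    master.ypservers = [s for s in master.ypservers if master.reachable.get(s, False)]
    return master.ypservers


if __name__ == "__main__":
    # Constructed scenario: three slaves, the first two are down, and the
    # client is served by the third, which is pushed last.
    m = NisMaster(ypservers=["ypslave1", "ypslave2", "ypslave3"],
                  reachable={"ypslave1": False, "ypslave2": False, "ypslave3": True})
    print("two dead slaves ahead of ours:", c2_login(m, "mark", True, "ypslave3"))
    print("after pruning ypservers to", prune_ypservers(m), ":",
          c2_login(m, "mark", True, "ypslave3"))
    m.up = False
    print("master down, C2:", c2_login(m, "mark", True, "ypslave3"))
    print("master down, plain NIS:", plain_nis_login(m, "mark", True))
```

The model reproduces the two points from the thread: a dead slave earlier in push order costs the client one yppush timeout each, which is what makes an otherwise healthy login time out, and pruning the map removes that cost entirely; the master being down stops every C2 login regardless of the slaves, while the plain-NIS path does not touch the master at login time at all. It does not model the C2 master-only prpasswd file from Mark's summary.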
Received on Mon Apr 20 1998 - 18:11:27 NZST