On Wed, Aug 19, 2009 at 04:50:44PM -0500, Brandon Young wrote:
> I have been dinking with this a few minutes at a time since last week,
> and am having a problem, still.  I have gone over my nis-plugin.ldif
> file and verified that nis-domain matches everywhere (at first it
> didn't), and that once the dirsrv successfully starts I can see with
> 'rpcinfo -p' that ypserv is bound to some port (it changes each time I
> reboot, but no biggie; I'm not running a firewall).  I can check from
> a remote host (again with rpcinfo) and see the ypserv service is
> available.  However, when I try to 'ypcat passwd', from a host that is
> configured to use the freeipa server as its NIS server, it doesn't
> return anything.  If I further do something like: 'ypcat -h
> freeipakc01 -d someorg passwd', it eventually times out and says "No
> such map passwd.byname. Reason: Can't communicate with portmapper".
> "Aha," I think.  A clue.  Alas, I verified that the rpcbind service is
> still running.  Both host.allow and host.deny are empty (thus allowing
> all connections).  Rebooting doesn't help.
> Here is my ldif I uploaded to set up the nis-plugin:
> dn: cn=NIS Server, cn=plugins, cn=config
> objectclass: top
> objectclass: nsSlapdPlugin
> objectclass: extensibleObject
> cn: NIS Server
> nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
> nsslapd-plugininitfunc: nis_plugin_init
> nsslapd-plugintype: object
> nsslapd-pluginenabled: on
> nsslapd-pluginid: nis-server
> nsslapd-pluginversion: 0.15
> nsslapd-pluginvendor: redhat.com
> nsslapd-plugindescription: NIS Server Plugin
> nis-tcp-wrappers-name: nis-server

I notice you don't have a "nsslapd-pluginarg0" set here, so the plugin's
going to use the first reserved port it can bind to ("rpcinfo -p" will
tell you which one it settled on -- your example output showed it landed
on 710) to receive client requests.  If you're running a firewall on the
NIS server, is that port open?

> dn: nis-domain=someorg+nis-map=passwd.byname, cn=NIS Server, cn=plugins, cn=config
> objectclass: top
> objectclass: extensibleObject
> nis-domain: someorg
> nis-map: passwd.byname
> nis-base: cn=users, dc=some-org, dc=org
> nis-secure: no

That looks right to me.

The default settings for maps named 'passwd.byname' configure the plugin
to expect that entries which should appear in the map will match the
filter "(objectClass=posixAccount)" and will have a single value for at
least these attributes:
  uid, uidNumber, gidNumber
and it would prefer to also see these:
  userPassword, gecos (or cn), homeDirectory, loginShell

Do the user entries meet these requirements?  If not, you'll need to
override the default settings for the map to have it make use of what's
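
The entry requirements listed in the reply above can be checked mechanically against an LDIF export of the nis-base subtree. This is an added example, not part of the original message or the plugin's code; the sample entries are constructed and the function names (`parse_ldif`, `check_entry`, `audit`) are hypothetical. Base64 values are left encoded, since only presence and value count matter here.

```python
REQUIRED = ("uid", "uidnumber", "gidnumber")                  # exactly one value each
PREFERRED = ("userpassword", "homedirectory", "loginshell")   # plus gecos or cn
# Constructed sample entries (not from the thread); bob's DN is folded per LDIF rules.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=some-org,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001
cn: Alice Example
homeDirectory: /home/alice
loginShell: /bin/bash
userPassword:: e2NyeXB0fXg=

dn: uid=bob,cn=users,
 dc=some-org,dc=org
objectClass: posixAccount
uid: bob
uid: robert
uidNumber: 1002

dn: cn=admins,cn=users,dc=some-org,dc=org
objectClass: groupOfNames
"""

def parse_ldif(text):
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, split on blank lines
        attrs = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                name, _, value = line.partition(":")
                attrs.setdefault(name.strip().lower(), []).append(value.lstrip(":").strip())
        if attrs:
            entries.append(attrs)
    return entries

def check_entry(attrs):
    if "posixaccount" not in [v.lower() for v in attrs.get("objectclass", [])]:
        return ["not in map: does not match (objectClass=posixAccount)"], []
    errors = [f"{a}: expected exactly 1 value, found {len(attrs.get(a, []))}"
              for a in REQUIRED if len(attrs.get(a, [])) != 1]
    warnings = [f"{a}: missing" for a in PREFERRED if a not in attrs]
    if "gecos" not in attrs and "cn" not in attrs:
        warnings.append("gecos/cn: missing")
    return errors, warnings

def audit(text):
    return {e.get("dn", ["?"])[0]: check_entry(e) for e in parse_ldif(text)}
```

`audit()` returns a dict keyed by DN with an `(errors, warnings)` pair per entry: errors cover the filter and the single-valued attributes, warnings cover the attributes the defaults would prefer to see.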


