On Wed, Aug 19, 2009 at 5:19 PM, Nalin Dahyabhai<[email protected]> wrote:
> On Wed, Aug 19, 2009 at 04:50:44PM -0500, Brandon Young wrote:
>> I have been dinking with this a few minutes at a time since last week,
>> and am having a problem, still. I have gone over my nis-plugin.ldif
>> file and verified that nis-domain matches everywhere (at first it
>> didn't), and that once the dirsrv successfully starts I can see with
>> 'rpcinfo -p' that ypserv is bound to some port (it changes each time I
>> reboot, but no biggie; I'm not running a firewall). I can check from
>> a remote host (again with rpcinfo) and see the ypserv service is
>> available. However, when I try to 'ypcat passwd', from a host that is
>> configured to use the freeipa server as its NIS server, it doesn't
>> return anything. If I further do something like: 'ypcat -h
>> freeipakc01 -d someorg passwd', it eventually times out and says "No
>> such map passwd.byname. Reason: Can't communicate with portmapper".
>> "Aha," I think. A clue. Alas, I verified that the rpcbind service is
>> still running. Both host.allow and host.deny are empty (thus allowing
>> all connections). Rebooting doesn't help.
>>
>> Here is my ldif I uploaded to setup the nis-plugin:
>>
>> dn: cn=NIS Server, cn=plugins, cn=config
>> objectclass: top
>> objectclass: nsSlapdPlugin
>> objectclass: extensibleObject
>> cn: NIS Server
>> nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
>> nsslapd-plugininitfunc: nis_plugin_init
>> nsslapd-plugintype: object
>> nsslapd-pluginenabled: on
>> nsslapd-pluginid: nis-server
>> nsslapd-pluginversion: 0.15
>> nsslapd-pluginvendor: redhat.com
>> nsslapd-plugindescription: NIS Server Plugin
>> nis-tcp-wrappers-name: nis-server
>
> I notice you don't have a "nsslapd-pluginarg0" set here, so the plugin's
> going to use the first reserved port it can bind to ("rpcinfo -p" will
> tell you which one it settled on -- your example output showed it landed
> on 710) to receive client requests. If you're running a firewall on the
> NIS server, is that port open?
>

I am not running a firewall. If I probe portmapper from a remote host (again, using 'rpcinfo -p freeipa', where freeipa is the name of the server) I can see ypserv running on port 710. Am I correct in understanding that it is unnecessary to set the nsslapd-pluginarg0 to a specific port, since I am not running a firewall on the server?

>> dn: nis-domain=someorg+nis-map=passwd.byname, cn=NIS Server, cn=plugins,
>> cn=config
>> objectclass: top
>> objectclass: extensibleObject
>> nis-domain: someorg
>> nis-map: passwd.byname
>> nis-base: cn=users, dc=some-org, dc=org
>> nis-secure: no
>
> That looks right to me.
>
> The default settings for maps named 'passwd.byname' configure the plugin
> to expect that entries which should appear in the map will match the
> filter "(objectClass=posixAccount)" and will have a single value for at
> least these attributes:
>   uid, uidNumber, gidNumber

Every user entry in the database has a single value for each of those three attributes

> and it would prefer to also see these:
>   userPassword, gecos (or cn), homeDirectory, loginShell
>

All these attributes are also set (except userPassword, in some cases). I used ipa-adduser to add every user, and supplied all required fields for each entry, which set all these attributes (though did not *require* passwords. Some entries do have passwords set, though).

> Do the user entries meet these requirements? If not, you'll need to
> override the default settings for the map to have it make use of what's
> there.
>
> HTH,
>

Any other ideas what I might look at? Is there a log file I can turn to? Perhaps a way to put the server/plugin in debug mode to see if an NIS request is even being serviced? As nearly as I can tell (without breaking out wireshark) the ypserv plugin/service is not even acknowledging requests from a client that can otherwise ping the server and probe it with rpcinfo.

The steps I took were:

1. Insert ldif entries defining the plugin and mappings (as described in the previous email)
2. restart dirsrv
3. verify rpcbind has bound ypserv to some ports
4. reconfigure an existing NIS client to point at the new NIS server
5. attempt a ypcat of passwd

Sounds easy. The getting started guide doesn't seem to detail any additional steps. Are there missing steps? Did I miss a step detailed somewhere? Should it just work? I feel like I must be missing something very basic.

> Nalin
>
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
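
Added example, not part of the original thread and not code from FreeIPA or the NIS plugin: a check of an LDIF export against the passwd.byname defaults quoted above (filter "(objectClass=posixAccount)", a single value each for uid, uidNumber and gidNumber, and the preferred attributes). The sample entries and the names parse_ldif and audit are constructed for illustration; the parser handles only plain "attr: value" lines with folded continuations, and a clean result says nothing about RPC or portmapper reachability.

```python
# Added example: constructed sample data, hypothetical helper names.
from collections import defaultdict
REQUIRED = ("uid", "uidnumber", "gidnumber")          # exactly one value each
PREFERRED = ("userpassword", "gecos", "homedirectory", "loginshell")  # gecos falls back to cn

SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=some-org,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001
cn: Alice Example
homeDirectory: /home/alice
loginShell: /bin/sh

dn: uid=bob,cn=users,dc=some-org,dc=org
objectClass: posixAccount
uid: bob
uid: robert
uidNumber: 1002
homeDirectory: /home/
 bob

dn: cn=editors,cn=groups,dc=some-org,dc=org
objectClass: posixGroup
gidNumber: 2000
"""

def parse_ldif(text):
    """Yield (dn, {lowercased attr: [values]}) for each blank-line-separated entry."""
    for block in text.replace("\n ", "").split("\n\n"):   # unfold continuation lines
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                attrs[name.strip().lower()].append(value.strip())
        if attrs.get("dn"):
            yield attrs["dn"][0], attrs

def audit(text):
    """Map each dn to its list of problems; an empty list means nothing to report."""
    report = {}
    for dn, a in parse_ldif(text):
        a["gecos"] = a["gecos"] or a["cn"]                 # "gecos (or cn)" in the thread
        if "posixaccount" not in (v.lower() for v in a["objectclass"]):
            report[dn] = ["does not match (objectClass=posixAccount)"]
            continue
        issues = [f"{r}: {len(a[r])} values, need exactly 1" for r in REQUIRED if len(a[r]) != 1]
        report[dn] = issues + [f"{p}: missing (preferred)" for p in PREFERRED if not a[p]]
    return report
```

Calling audit() on the text of an export of the nis-base subtree returns a per-entry list; entries with an empty list satisfy everything listed in the quoted message.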
