Summary: forcing ypbind to bind to the local machine securely.

From: Gene Rackow (rackow@antares.mcs.anl.gov)
Date: Sat Oct 17 1992 - 01:46:04 CDT


My original question was...
> I'm wondering if anyone knows the tricks to force ypbind to
> bind to the ypserv running on the same host. I have several
> slave servers on the net, and would like to have them bind
> to themselves if possible.
> I know I could do a "ypbind -ypset{me}" followed by a "ypset `hostname`"
> but the manuals claim that to be a security hole. I guess what I'd
> really like on those machines is a "ypbind localhost" and not have
> it broadcast out for other hosts.

I didn't get a real solution from the net that solves the
problem in a clean way. I did some additional digging on my own and
found that a tool that I already had available will do exactly what I wanted.

Get the "securelib" package from eecs.nwu.edu in the /pub/securelib
directory. Then as part of the install, build your /etc/securelib.conf
file to look something like this. My network is A.B.X.Y and
the local interface on a machine that I have ypbind running on is
A.B.C.D. This limits all of the daemons that I start with the
securelib package to be available ONLY to the A.B addresses, and
forces ypbind to only work off of the local interface. If you have
multiple servers that have more than one interface, you can
add multiple ypbind lines that point at the non-shared subnet sides
to keep the conf file the same on all machines.

#
# Example config file for securelib.
#
# <name> <address> <mask>
#
all 127.0.0.0 0.255.255.255
# note here that ypbind will only take on the local interface
ypbind A.B.C.D 0.0.0.0
portmap A.B.0.0 0.0.255.255
ypserv A.B.0.0 0.0.255.255
ypxfrd A.B.0.0 0.0.255.255
rpc.ypupdated A.B.0.0 0.0.255.255
rpc.mountd A.B.0.0 0.0.255.255
rpc.yppasswdd A.B.0.0 0.0.255.255
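Added example (not from the original post and not part of the securelib package): a small Python script that reads a securelib.conf of the shape shown above and reports whether a given daemon would accept a given client address. The mask semantics are inferred from the example file: set bits in <mask> are "don't care" bits, so 0.0.0.0 means an exact match and 0.0.255.255 means "same first two octets". Entries named "all" are assumed to apply to every daemon, and the A.B.C.D / A.B.0.0 placeholders are replaced with a constructed 10.20.x.x network.

```python
"""Evaluate securelib.conf-style access rules (added example, not securelib's
own code). Semantics are inferred from the sample config: each line is
<name> <address> <mask>, and bits set in <mask> are ignored when comparing a
client address against <address>. Rules named "all" are assumed to apply to
every daemon."""
import ipaddress

# Constructed copy of the config from the post: 10.20 stands in for the A.B
# network and 10.20.30.40 for the local interface A.B.C.D.
SECURELIB_CONF = """\
#
# Example config file for securelib.
#
# <name> <address> <mask>
#
all 127.0.0.0 0.255.255.255
# note here that ypbind will only take on the local interface
ypbind 10.20.30.40 0.0.0.0
portmap 10.20.0.0 0.0.255.255
ypserv 10.20.0.0 0.0.255.255
ypxfrd 10.20.0.0 0.0.255.255
rpc.ypupdated 10.20.0.0 0.0.255.255
rpc.mountd 10.20.0.0 0.0.255.255
rpc.yppasswdd 10.20.0.0 0.0.255.255
"""


def parse_conf(text):
    """Return a list of (name, address_int, mask_int), skipping comments and
    blank lines. A malformed line raises ValueError so a typo in the config
    cannot silently widen access."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("line %d: expected <name> <address> <mask>" % lineno)
        name, addr, mask = parts
        rules.append((name,
                      int(ipaddress.IPv4Address(addr)),
                      int(ipaddress.IPv4Address(mask))))
    return rules


def matches(rule, client):
    """A rule matches when the client equals the rule address on every bit
    the mask does NOT cover (mask bits are 'don't care' bits)."""
    _, addr, mask = rule
    keep = 0xFFFFFFFF & ~mask
    return (int(ipaddress.IPv4Address(client)) & keep) == (addr & keep)


def accepts(rules, daemon, client):
    """True if <daemon> would accept a request from <client>: a rule for that
    daemon or an 'all' rule must match. A daemon with no rule at all is
    reported as rejected here (this helper's choice, so unlisted daemons are
    noticed rather than silently allowed)."""
    return any(matches(r, client) for r in rules if r[0] in (daemon, "all"))


if __name__ == "__main__":
    rules = parse_conf(SECURELIB_CONF)
    checks = [("ypbind", "10.20.30.40"), ("ypbind", "10.20.30.41"),
              ("ypserv", "10.20.99.1"), ("ypserv", "10.21.0.1"),
              ("rpc.mountd", "127.0.0.1")]
    for daemon, client in checks:
        verdict = "accept" if accepts(rules, daemon, client) else "reject"
        print("%-12s from %-14s -> %s" % (daemon, client, verdict))
```

Running it shows the effect the post describes: ypbind only answers on the one local interface (10.20.30.41 is rejected even though it is on the same subnet), while ypserv and friends answer anywhere in 10.20.0.0/16 and nothing outside it.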

--
Many thanks to William LeFebvre (our list maintainer) for
not only the list, but writing the securelib package.

Also thanks for taking an interest to: Ian_Reddy@sfu.ca jamieson@vitro.bms.com mharris@jpmorgan.com (Michael Harris) btm@st-andrews.ac.uk (Bruce Mitchell) Mike Raffety <miker@sbcoc.com>

Another solution suggested is below. I haven't tried it since it appears to be more work than the method I used. Harder to move hardware around, and more specialized configs per client.

> From: btm@st-andrews.ac.uk (Bruce Mitchell)
> Date: Thu, 15 Oct 92 11:49:03 BST
> Message-Id: <22600.9210151049@bruce.st-andrews.ac.uk>

You cannot rely on ypset; we tried this but had to resort to the following:

We have an NIS master and about a dozen NIS slave servers each with several clients. In order to minimise interdependence between clusters (which can give serious problems when NFS servers go down) we need to force all clients to bind to their own server and each server to bind to itself.

The key to this relies on the fact that ypserv will serve all domains which are present in /var/yp when it starts up.

Each of our NIS servers serves two domains:

+st-and.ac.uk AND server.st-and.ac.uk

All clients and servers have their default domain names set to the appropriate server.st-and.ac.uk. For every server domain there is only one server available and clients and servers alike bind consistently and correctly.

On each NIS server, the server.st-and.ac.uk entry is merely a soft link to the +st-and.ac.uk directory. The Makefile on the master must be modified to use the +st-and.ac.uk domain for propagating the maps.

We make extensive use of NFS and the automounter and in the past have had serious problems caused by 'random' bindings when NFS servers go down. The above scheme has solved these problems.

---End

Gene Rackow                      email: rackow@mcs.anl.gov
Math & Computer Science          voice: 708-252-7126
Argonne National Lab             FAX:   708-252-5986
9700 S. Cass Ave. / Argonne, IL 60439



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:51 CDT