Network Information Service (NIS)

ypserv runs on the server side and listens for remote requests for information.

In the lab you'll force it to listen on a particular port, but it is flexible about which port it uses, thanks to another service called portmap (now known as RPC).

While running (and listening on that port) it responds to queries for information from the databases (maps) it builds.

These are listed inside the Makefile:

/var/yp/Makefile

Network Information Service (NIS)

Issues with NIS: Security Concerns

Note that using NIS for much of this is not particularly secure.

It really isn't that hard to fake an IP address.

LDAP is a more secure way of doing this, but is somewhat more complicated, and not covered in this course.

It is essential to control the access to password and configuration files via the hosts.allow and hosts.deny files as well as using encryption.

Network Information Service (NIS)

Issues with NIS: RPC (port-mapping is required)

It is possible that a conflict could occur when competing services want to access the same port number.

A port-mapping service (now called RPC) is used to assign a service to a designated port (Similar concept to DHCP).

When another machine wants to connect to that service, it also asks RPC what port that service is on.

RPC uses port 111.

Network Information Service (NIS)

When editing /var/yp/Makefile:

Most of the Makefile can be left as is; however, you may wish to change which types of data it will provide.

By default, ypserv will answer requests from anyone.

This is ridiculously insecure. You should add an entry to /var/yp/securenets for each network it should answer queries from.

You'll have to run the command /var/yp/make to generate these the first time (and again if you make any changes).
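As an added example (not part of the original slides), here is a constructed /var/yp/securenets file that reuses the lab addresses from the address-list slide, together with a small POSIX shell function that reproduces the netmask/network test ypserv applies to decide whether a client is answered. The sample file, the client addresses and the helper names are constructed for this illustration.

```shell
#!/bin/sh
# Constructed /var/yp/securenets contents (not a real site's file).
# ypserv reads lines of "<netmask> <network>" or "host <address>";
# '#' starts a comment. The two lab networks reuse the slides' addresses.
SECURENETS_SAMPLE='# always answer the server itself
host 127.0.0.1
# lab networks that may query this NIS server
255.255.255.0 142.204.27.0
255.255.255.0 142.204.133.0'

# ip_to_int: dotted-quad IPv4 address -> 32-bit integer
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# securenets_allows <client_ip> [rules]: exit 0 if any rule covers the
# client, 1 otherwise. Mirrors ypserv's test (client & mask) == (net & mask).
securenets_allows() {
    client=$(ip_to_int "$1")
    rules=${2:-$SECURENETS_SAMPLE}
    while read -r mask net; do
        case $mask in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$mask" = host ] && mask=255.255.255.255
        m=$(ip_to_int "$mask")
        n=$(ip_to_int "$net")
        if [ $(( client & m )) -eq $(( n & m )) ]; then
            return 0
        fi
    done <<EOF
$rules
EOF
    return 1
}

# Demo: which of these clients would ypserv answer with the sample file?
for ip in 127.0.0.1 142.204.27.124 142.204.133.27 10.0.0.5; do
    if securenets_allows "$ip"; then
        echo "$ip: answered"
    else
        echo "$ip: refused (not in securenets)"
    fi
done
```

Without a securenets file every one of those addresses is answered, including 10.0.0.5; with it, only the loopback host and the two /24 lab networks get a reply, which is the whole point of the file.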

For the client machines to access information on the NIS server, a background process (daemon) called ypbind must be installed and running.

You can think of ypbind as allowing the client to "bind" (connect) to the NIS server.

Network Information Service (NIS)

In order to provide central authentication for different Linux servers on a computer network (for efficient OS administration), you only need to create, configure and modify objects once on an NIS server, referred to as the YP server (similar to what you do with Active Server Pages in MS Windows), and the changes then apply to ALL of your NIS clients.

Sun Microsystems originally created this system, referred to as Yellow Pages (like a telephone directory), but due to licensing issues other Unix and Linux distributions use an open-source application called NIS or NIS+.

DNS Configuration

  • In order to setup DNS, the Linux sysadmin will customize name server settings in a configuration file called:

/etc/named.conf

  • What name servers actually store are zone records (along with a few other things).

  • Each zone record links to a file that has entries describing the machines & services available in this zone, and the name servers for zones in sub-domains.

Querying a Name Server

Purpose of NIS

Installing, configuring, running and testing NIS

Using NIS

Here are just a few resource record types:

A – most commonly used to map a hostname to the IP address of the host

CNAME – alias of one name to another

MX – maps a domain name to a list of mail transfer agents for the domain

NS – delegates a DNS zone to the given authoritative name servers

PTR – commonly used for implementing reverse DNS lookups

SOA – specifies authoritative information about a DNS zone (primary name server, domain administrator's e-mail, domain serial number, etc.); the term stands for Start Of (zone) Authority record

DNS Terminology

Network Information Service (NIS)

DNS Configuration

Useful named.conf options:

  • notify {yes|master-only|explicit|no} // notify servers if data changes
  • allow-notify {list of servers} // servers allowed to pass updated data
  • also-notify {list of servers} // servers to be notified of data changes
  • recursion {yes|no} // whether this server performs recursive lookups on behalf of clients
  • allow-recursion {address list} // Limits machines that may make recursive queries
  • forwarders {address list} // DNS servers to query first instead of external queries
  • forward {only|first} // Toggle to allow to query list of server over external
  • allow-query {address list} // Limits machines that can query this name server
  • allow-query-cache {address list} // Limits machines that can query server's cache
  • blackhole {address list} // Never talk to machines (blacklist) both query & respond

Address lists can take the following format: {address;address;address};

eg. { 142.204.27.124; 142.204.133.27 };

{ 142.204.27/24; 142.204.133/24 }; // Note the slightly modified CIDR

  • To better protect the name server (load-balancing, duplication in case of server outage), the master name server holds a copy of the name server data and sends copies to its clone name servers (slaves).

  • An administrator can change data on a master name server, but cannot change data on the slave name servers.

  • Any zone must have at least one master, and should have more than one slave (preferably off-site).

Querying with nslookup


DNS Configuration

  • Anywhere you can include an address list, you can include a pre-defined Access Control List (ACL) instead.

  • This is handy if the same list of addresses shows up in several statements. You only have to type it once, and if you ever have to change it you can do that in one place.

For Example:

acl name {
    address list
};

In order to know which NIS server to consult you need to configure the following files on the clients:

/etc/yp.conf – Lists one or more NIS domains, and the servers associated with them.

An NISDOMAIN entry in /etc/sysconfig/networks tells the system what NIS domain it belongs to. This may not match the domain for DNS purposes.

/etc/nsswitch.conf – tells the client which services it should consult NIS for.

Querying DNS Servers

  • You can use (and probably have used) several commands to find out how your DNS server will answer queries:

host {machinename} – retrieves the ip of machinename.

host {ip} – retrieves the FQDN of the machine at ip.

  • These allow you to manually perform forward and reverse lookups.

  • You can add the name or ip of a server you want to query (if not your default) to the end.

Network Information Service (NIS)

Network Information Service (NIS), Wikipedia definition:

( https://en.wikipedia.org/wiki/Network_Information_Service )

The Network Information Service, or NIS ( originally called Yellow Pages or YP ) is a client–server directory service protocol for distributing system configuration data such as user and host names between computers on a computer network.

A NIS/YP system maintains and distributes a central directory of user and group information, hostnames, e-mail aliases and other text-based tables of information in a computer network.

For example, in a common UNIX environment, the list of users for identification is placed in /etc/passwd, and secret authentication hashes in /etc/shadow. NIS adds another “global” user list which is used for identifying users on any client of the NIS domain.

Saving iptables Configuration

  • Prior to saving iptables configuration, it is recommended to store iptables commands in a shell script. In this way, you can reset iptables and then run your shell script to configure your iptables settings.

  • It is important to save your iptables configuration; otherwise, it will revert to the default settings on reboot.

  • To save iptables Configuration:

iptables-save > filename

  • To restore iptables from a saved file:

iptables-restore filename

Querying with dig command

DNS Terminology

Querying with the dig command

The following diagram shows dig results by issuing the commands:

dig +short redhat.com

dig +nocomment redhat.com


Each tool (nslookup, host, dig) has its own features, so it is good to understand how all of them work.

Here are some common commands used from the clients using NIS:

ypcat (1) - print values of all keys in a NIS database

ypchfn (1) - change user's full name in NIS database

ypchsh (1) - change user's default shell in NIS database

ypmatch (1) - print the values of one or more keys from a NIS map

yppasswd (1) - change user's password in the NIS database

yppoll (8) - return version and master server of a NIS map

ypset (8) - bind ypbind to a particular NIS server

yptest (8) - test NIS configuration

ypwhich (1) - return name of NIS server or map master

You can get this list by issuing the command: man -k yp | grep ^yp

Network Information Service (NIS)

Q: Why use NIS to distribute a central directory of computer network information?

A: This would be the Linux / Unix OS solution to the Active Server Pages approach that you would use for Microsoft Windows OS.

In lab3, we saw the advantage of using DNS instead of local host-name resolution in order to resolve hostnames to IP addresses (i.e. easier to centrally manage).

Imagine having to configure each user you need on every machine in your network and having to make any changes to all of them too. Manually managing that would be terribly inefficient and prone to making errors.

A zone is the domain, without any of its sub-domains.

  • For example: on.ca, not including senecac, etc.

A domain is a "named" section of a network (e.g. on.ca) and everything inside (below) it in the hierarchy (e.g. senecac.on.ca).

Name servers are usually responsible for a zone.

  • Name servers will (or should) know about the name servers that represent zones in sub-domains; hence the hierarchical structure.

  • A zone declaration, shown below, defines the behaviour of a zone (domain name). We will discuss in a later slide how to set this up in a DNS configuration file.

zone "domain name" {
    type {master|slave|forward|stub};
    file {path to zone file};
    masters {address list}; # slave only
};
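As an added example (not from the original slides), the following POSIX shell script puts the slides' option, acl and zone syntax together: a weak named.conf that answers anyone beside a hardened one that defines two ACLs once and reuses them in every statement, plus a small text-based audit function that flags the weak settings. Zone names, file paths and the blackholed 192.0.2.0/24 range are constructed placeholders; the 142.204.x.x addresses are the ones from the address-list slide; allow-transfer is a real BIND option that the slide's list does not mention.

```shell
#!/bin/sh
# Added example: a weak named.conf beside a hardened one built from the
# slides' options, acl and zone syntax, plus a small text audit.
# Zone names, file paths and the blackholed 192.0.2.0/24 range are
# constructed placeholders; the 142.204.x.x addresses come from the slides.

# Default-like configuration: anyone may query, recursion is open.
OPEN_CONF='options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
};

zone "example.test" {
    type master;
    file "example.test.zone";
};'

# Hardened configuration: ACLs defined once and reused in every statement.
HARDENED_CONF='acl lab_nets { 142.204.27/24; 142.204.133/24; };   // note the modified CIDR
acl secondaries { 142.204.133.27; };

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { lab_nets; };       // only our own clients get recursion
    allow-query { lab_nets; };           // and only they may query at all
    allow-query-cache { lab_nets; };
    allow-transfer { secondaries; };     // zone copies go to our slaves only
    blackhole { 192.0.2.0/24; };         // never talk to this range (constructed)
    notify explicit;
    also-notify { 142.204.133.27; };
};

zone "example.test" {                    // we are the master for this zone
    type master;
    file "example.test.zone";
};

zone "27.204.142.in-addr.arpa" {         // slave copy of a reverse zone
    type slave;
    file "slaves/142.204.27.rev";
    masters { 142.204.27.124; };
};'

# named_conf_findings <conf>: print one line per weakness found.
# A plain text check, not a full named.conf parser.
named_conf_findings() {
    conf=$1
    if printf '%s\n' "$conf" | grep -Eq 'allow-query[[:space:]]*\{[[:space:]]*any;'; then
        echo "allow-query { any; }: every host on the Internet may query"
    fi
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*recursion[[:space:]]+yes;' &&
       ! printf '%s\n' "$conf" | grep -q 'allow-recursion'; then
        echo "recursion yes without allow-recursion: open resolver"
    fi
    if ! printf '%s\n' "$conf" | grep -q 'allow-transfer'; then
        echo "no allow-transfer: zone transfers are not restricted"
    fi
}

# named_conf_finding_count <conf>: number of findings (0 means clean)
named_conf_finding_count() {
    named_conf_findings "$1" | wc -l | tr -d ' '
}

echo "== open configuration: $(named_conf_finding_count "$OPEN_CONF") finding(s)"
named_conf_findings "$OPEN_CONF"
echo "== hardened configuration: $(named_conf_finding_count "$HARDENED_CONF") finding(s)"
named_conf_findings "$HARDENED_CONF"
```

Run as-is it reports three findings for the open configuration and none for the hardened one. On a real server, named-checkconf remains the authoritative syntax check; the grep-based audit only spots the handful of settings discussed on these slides.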
