On Fri, 15 Apr 2022, Ranbir via FreeIPA-users wrote:
Hello Everyone,
I'm a long time freeipa admin, but I've never used its NIS
compatibility features. I'm also not well versed with NIS in general.
Anyway, I'm testing out migrating NIS users, netgroup, etc. to freeipa
and pointing a test NIS client at the freeipa server to get the NIS
users, groups, etc. from.
It occurred to me afterwards that the old NIS domain name doesn't match
the test freeipa realm I've stood up. Do they both have to match on the
freeipa server for NIS to work or can the freeipa realm be "A" and the
NIS domain be "B"? If they can be different, how do I change the NIS
domain name in freeipa?
I tried the following (see below).
[root@freeipatest01 ~]# ipa-compat-manage --realm swamp enable
[root@freeipatest01 ~]# ipa-nis-manage --realm swamp enable
I have no idea what the --realm switch is for. The man page is no help.
I took a wild guess that I could specify a different NIS domain name
with it.
There are only two options relevant to both of these tools: -d for debug
and -y for specifying a file with the cn=Directory Manager password. The
rest of the options come from the standard set of options associated with
administrative IPA tools. They are not used and probably can be removed.
After doing the above, I created a freeipa user. I then tried to look up
the user from another server, which didn't work:
[user@another-host ~]$ ypcat -h freeipatest01 -d swamp passwd
No such map passwd.byname. Reason: No such map in server's domain
NIS lookups do work if I don't specify a different NIS domain:
[root@freeipatest01 ~]# ypcat passwd
rsandhu:*:22205:100:Ranbir Sandhu:/home/rsandhu:/bin/bash
admin:*:494800000:494800000:Administrator:/home/admin:/bin/bash
My initial thought was the freeipa realm and the NIS domain name have
to match. But, I decided to play around to see what would happen.
I'd appreciate it if anyone can clear this up for me.
Configuration for NIS maps is a part of the nis plugin (slapi-nis) and is
supplied by FreeIPA in the /usr/share/ipa/nis* files. It hardcodes the IPA
domain in the entry name and attributes:
dn: nis-domain=$DOMAIN+nis-map=passwd.byname, cn=NIS Server, cn=plugins, cn=config
default:objectclass: top
default:objectclass: extensibleObject
default:nis-domain: $DOMAIN
default:nis-map: passwd.byname
default:nis-base: cn=users, cn=accounts, $SUFFIX
default:nis-secure: no
The definition above is for the ipa-ldap-updater tool; it is not LDIF, so
you cannot apply it directly. This is one of the maps; there are many more.
The nis plugin supports multiple maps, so it is possible to create a copy of
nis.uldif and replace $DOMAIN by something different. See
https://vda.li/en/posts/2015/01/02/playing-with-freeipa-ipa-ldap-updater/
for some details on how to use ipa-ldap-updater.
I would recommend, though, migrating those NIS clients to more modern
solutions and not relying on the NIS protocol. We are getting rid of NIS
server support eventually. NIS client code has already disappeared from the
RHEL 9 beta and is going to be removed from Fedora too:
https://lwn.net/Articles/874174/
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
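An added example, not code from the thread or from FreeIPA itself: a POSIX shell helper that renders a copy of /usr/share/ipa/nis.uldif for a second NIS domain, the approach Alexander describes above. It assumes the file uses the literal $DOMAIN placeholder quoted in the reply and that ipa-ldap-updater accepts the rendered file path as its argument; the domain name is validated before it reaches sed so an unexpected character cannot corrupt the DN or the substitution.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself.
# Render a copy of FreeIPA's nis.uldif for an alternate NIS domain so that
# ipa-ldap-updater can load a second set of NIS maps next to the realm ones.
# Assumes: the file uses the literal $DOMAIN placeholder quoted above, and
# ipa-ldap-updater accepts the rendered file path as its argument.
set -eu

NIS_ULDIF_SRC=${NIS_ULDIF_SRC:-/usr/share/ipa/nis.uldif}

# Only characters safe inside a DN value and a sed replacement are accepted;
# anything else is rejected instead of being escaped.
valid_nis_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# render_nis_uldif SRC DEST DOMAIN
# Replace every literal $DOMAIN with DOMAIN. $SUFFIX is left untouched so
# ipa-ldap-updater still fills in the real base DN when the file is applied.
render_nis_uldif() {
    src=$1; dest=$2; domain=$3
    valid_nis_domain "$domain" || {
        echo "render_nis_uldif: refusing NIS domain '$domain'" >&2
        return 1
    }
    sed -e 's/\$DOMAIN/'"$domain"'/g' "$src" > "$dest"
}

# count_maps DOMAIN FILE
# Number of map entries (dn: lines) carrying DOMAIN, to confirm every map was
# rewritten before the file is applied.
count_maps() {
    grep -c '^dn: nis-domain='"$1"'+nis-map=' "$2"
}

# apply_nis_uldif FILE: load the maps on the IPA server (prompts for the
# Directory Manager password). Check afterwards with: ypcat -d DOMAIN passwd
apply_nis_uldif() {
    ipa-ldap-updater "$1"
}

# Typical run on the IPA server (not executed here):
#   render_nis_uldif "$NIS_ULDIF_SRC" /root/nis-swamp.uldif swamp
#   apply_nis_uldif /root/nis-swamp.uldif
```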