Centralized Linux Account Management Deployment

Source: Internet   Published by: 淘宝洗照片   Editor: 程序博客网   Time: 2024/05/30 23:47

Centralized Linux account management is essentially a combination of NIS, NFS and AUTOFS, so here is a brief introduction to the services involved.

NIS: can loosely be thought of as the Linux counterpart of Windows AD under a different name; both handle account management;

NFS: the network file system; its main role here is to share users' home directories;

AUTOFS: effectively an excellent add-on for NFS that mounts and unmounts NFS shares on demand;




Demo system: CentOS 6.2

Demo hosts:

Master   172.20.45.35

Slave    172.20.45.39

Client   172.20.45.38


This demo is in two parts:

1. One NIS server (Master) and one NIS client (Client);

2. Adding a second NIS server (Slave), so that the environment becomes a NIS master/slave pair plus one client for verification;


I. NIS server (Master) and NIS client (Client)


1. Add host mappings and disable the firewall and SELinux:

Log in to Master

Add host mappings

# vi /etc/hosts
Add:
172.20.45.35    Master
172.20.45.38    Client

Disable the firewall

# service iptables stop
# chkconfig iptables off

Disable SELinux

# vi /etc/selinux/config
Change SELINUX=enforcing to SELINUX=disabled

Then reboot the Master host


Log in to Client

Add host mappings

# vi /etc/hosts
Add:
172.20.45.38    Client
172.20.45.35    Master

Disable the firewall

# service iptables stop
# chkconfig iptables off

Disable SELinux

# vi /etc/selinux/config
Change SELINUX=enforcing to SELINUX=disabled

Then reboot the Client host


Log in to Master

2. Install the required packages with yum

# yum install ypserv ypbind portmap yp-tools --nogpgcheck

ypserv    : the main NIS server package

ypbind    : the package that provides the NIS client's lookup (binding) functionality

portmap   : the package that manages RPC connections and startup

yp-tools  : the package that provides the NIS client configuration tools


3. Set the NIS domain

# vi /etc/sysconfig/network
Add:
NISDOMAIN=sunnorth   (sunnorth is a custom NIS domain name and can be changed)


4. Set the NIS server entry

# vi /etc/yp.conf
Add:
ypserv   172.20.45.35


5. Set the permitted network ranges

# vi /etc/ypserv.conf
Uncomment the last line:
*                        : *       : *                : none


If a higher security level is required, write it like this instead:
127.0.0.0/255.255.255.0 : * : * : none
172.20.45.0/255.255.252.0 : * : * : none
* : * : * : deny
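An added example (my code, not from the original post): a small Python evaluator that applies ypserv.conf's first-match rule semantics to the stricter rule set above, so the effect of rule order and of the 255.255.252.0 mask can be checked before it is deployed. The shadow.byname/port rule, the sunnorth domain default and the sample client addresses are assumptions added for illustration.

```python
import ipaddress

# Constructed sample (not the post's file verbatim): the post's stricter
# rule set in "host : domain : map : security" form, plus one added rule
# that serves the password-hash map only to privileged source ports.
YPSERV_CONF = """\
dns: no
# hash map: only from source ports below 1024 (added for illustration)
*                         : * : shadow.byname : port
# loopback and the LAN may read every other map
127.0.0.0/255.255.255.0   : * : *             : none
172.20.45.0/255.255.252.0 : * : *             : none
# everyone else is refused
*                         : * : *             : deny
"""


def parse_rules(text):
    """Return (network, domain, map, security) tuples; comments, blanks and
    option lines such as "dns: no" are skipped."""
    rules = []
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split("#", 1)[0].split(":")]
        if len(fields) != 4:
            continue
        host, domain, mapname, security = fields
        # "*" means any host; ipaddress accepts the addr/netmask form ypserv uses
        net = ipaddress.ip_network("0.0.0.0/0" if host == "*" else host, strict=False)
        rules.append((net, domain, mapname, security))
    return rules


def check_access(rules, client_ip, mapname, domain="sunnorth", client_port=1023):
    """First matching rule decides: 'none' allows, 'deny' refuses, 'port' allows
    only from a privileged (< 1024) source port. None means no rule matched."""
    addr = ipaddress.ip_address(client_ip)
    for net, dom, mp, sec in rules:
        if addr in net and dom in ("*", domain) and mp in ("*", mapname):
            if sec == "port":
                return "none" if client_port < 1024 else "deny"
            return sec
    return None


def covered_ranges(rules):
    """Address ranges each 'none' rule opens, so over-broad masks stand out:
    the post's 255.255.252.0 admits 172.20.44.0-172.20.47.255, not just 172.20.45.x."""
    return [(str(net[0]), str(net[-1])) for net, _, _, sec in rules if sec == "none"]
```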

6. Start the services and enable them at boot

Start the services

# service portmap start
# service yppasswdd start
# service ypserv start

Enable at boot

# chkconfig portmap on
# chkconfig yppasswdd on
# chkconfig ypserv on

7. Edit the all: target in the Makefile to add the configuration files

# vi /var/yp/Makefile
all:  passwd group hosts rpc services netid protocols mail \
change to
all:  passwd group hosts rpc services netid protocols mail auto.master auto.home \

8. Add accounts

# useradd tom
# passwd tom
# useradd jarry
# passwd jarry

9. Initialize the NIS database

# /usr/lib/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers.  Master is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
        next host to add:  Master
        next host to add:  Ctrl + D
The current list of NIS servers looks like this:
Master
Is this correct?  [y/n: y]  y
We need a few minutes to build the databases...
Building /var/yp/sunnorth/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/sunnorth'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
Updating auto.master...
gmake[1]: *** No rule to make target `/etc/auto.home', needed by `auto.home'.  Stop.
gmake[1]: Leaving directory `/var/yp/sunnorth'
make: *** [target] Error 2
Error running Makefile.
Please try it by hand.

It reports that the file is missing; create it and run the initialization again

# touch /etc/auto.home
# /usr/lib/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers.  Master is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
        next host to add:  Master
        next host to add:  Ctrl + D
The current list of NIS servers looks like this:
Master
Is this correct?  [y/n: y]  y
We need a few minutes to build the databases...
Building /var/yp/sunnorth/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/sunnorth'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
Updating auto.master...
Updating auto.home...
gmake[1]: Leaving directory `/var/yp/sunnorth'
Master has been set up as a NIS master server.
Now you can run ypinit -s Master on all slave server.

For later maintenance, whenever new accounts are added, this step must be repeated:
# cd /var/yp
# make
10. Enable NIS support

# authconfig --update --enablenis


NIS configuration is now complete; the NFS service must next be enabled to mount users' home directories


11. Edit the NFS configuration file to share the /home directory

# vi /etc/exports
Add:
/home  *(async,rw)

12. Restart the NFS service and verify that the share succeeded

# service nfs restart
# showmount -e 172.20.45.35
Export list for 172.20.45.35:
/home *


NIS server (Master) configuration complete


Log in to Client

1. Install the required packages

# yum install ypbind yp-tools --nogpgcheck

2. Configure the NIS client with system-config-authentication

# system-config-authentication


In the dialog, select Enable NIS Support, then Configure NIS.




3. Verify that the accounts have synchronized

# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
tom:$1$ZgJVQCEM$HgfGmm02iOVh63rsewRZ90:500:500::/home/tom:/bin/bash
jarry:$1$AXGkB7WI$2jf1ShICXL1CEQP6OW9C2/:502:502::/home/jarry:/bin/bash
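An added example (not part of the post): a Python audit over getent passwd output like the listing above, flagging every account whose password hash is readable from the NIS passwd map, that is, by any host able to bind the domain, and naming the hash scheme. The sample input is constructed from the last lines of the listing; the scheme table is the standard crypt(3) id prefixes.

```python
# Constructed sample: the tail of the getent passwd output shown in the post
# (system accounts carry 'x'; the two NIS users carry their hashes).
GETENT_PASSWD = """\
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
tom:$1$ZgJVQCEM$HgfGmm02iOVh63rsewRZ90:500:500::/home/tom:/bin/bash
jarry:$1$AXGkB7WI$2jf1ShICXL1CEQP6OW9C2/:502:502::/home/jarry:/bin/bash
"""

# crypt(3) id prefixes and the scheme each denotes
HASH_SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
WEAK_SCHEMES = {"md5crypt", "descrypt"}


def classify_hash(field):
    """Name the scheme of a passwd hash field, or None when no hash is exposed
    ('x' points to shadow; '*' and anything starting with '!' is locked/passwordless)."""
    if field in ("", "x", "*") or field.startswith("!"):
        return None
    for prefix, scheme in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return scheme
    return "descrypt" if len(field) == 13 else "unknown"


def audit_passwd(text):
    """Return [(user, uid, scheme, is_weak)] for every entry whose hash is
    readable from the passwd map, i.e. exposed to every NIS client."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:          # skip anything that is not a passwd(5) record
            continue
        user, pw, uid = fields[0], fields[1], int(fields[2])
        scheme = classify_hash(pw)
        if scheme is not None:
            findings.append((user, uid, scheme, scheme in WEAK_SCHEMES))
    return findings
```

The hashes sit in the passwd map because the ypserv Makefile's MERGE_PASSWD option folds shadow entries into it; with MERGE_PASSWD=false they stay in the shadow.byname map, which the stock ypserv.conf serves only to privileged source ports.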

4. Use autofs to mount the NFS file system on demand

# vi /etc/auto.master
Comment out all existing entries and add:
/home auto.home


5. Create the autofs map file

# touch /etc/auto.home
# vi /etc/auto.home
Add:
*  -rw,soft,intr  172.20.45.35:/home/&


6. Restart the services and enable them at boot

Restart the services

# service ypbind restart
# service autofs restart


Enable at boot

# chkconfig ypbind on
# chkconfig autofs on

7. Verify on the client

# su - tom
$ pwd
/home/tom
$ mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/hdb1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
172.20.45.35:/home/tom on /home/tom type nfs (rw,soft,intr,addr=172.20.45.35)

The Master and Client NIS setup is now complete.



II. Adding a second NIS server (Slave) to build a NIS master/slave pair


Log in to Slave

1. Add host mappings and disable the firewall and SELinux

Add host mappings

# vi /etc/hosts
Add:
172.20.45.39    Slave
172.20.45.35    Master

Disable the firewall

# service iptables stop
# chkconfig iptables off

Disable SELinux

# vi /etc/selinux/config
Change SELINUX=enforcing to SELINUX=disabled

Then reboot the Slave host


2. Install the required packages

# yum install ypserv ypbind portmap yp-tools --nogpgcheck

3. Set the network range permissions

# vi /etc/ypserv.conf
Uncomment the last line:
*                        : *       : *                : none

Log in to Master

1. Enable automatic master-to-slave synchronization

# vi /var/yp/Makefile
Change NOPUSH=true to NOPUSH=false

2. Set the slave server IP address

# vi /var/yp/ypservers
Add:
172.20.45.39

3. Start the transfer daemon

# service ypxfrd start


Log in to Client

1. Set the master/slave server list

# vi /etc/yp.conf
domain sunnorth server 172.20.45.35
Add:
domain sunnorth server 172.20.45.35;172.20.45.39


Log in to Slave

1. Join the NIS domain

# vi /etc/sysconfig/network
Add:
NISDOMAIN=sunnorth   (sunnorth is a custom NIS domain name and can be changed)

2. Start the services

# service portmap start
# service ypserv start
# service yppasswdd start

3. Fetch the account data manually

# /usr/lib/yp/ypinit -s Master
We will need a few minutes to copy the data from Master.
Transferring passwd.byname...
Trying ypxfrd ... success
Transferring rpc.bynumber...
Trying ypxfrd ... success
Transferring services.byname...
Trying ypxfrd ... success
Transferring hosts.byaddr...
Trying ypxfrd ... success
Transferring hosts.byname...
Trying ypxfrd ... success
Transferring group.bygid...
Trying ypxfrd ... success
Transferring ypservers...
Trying ypxfrd ... success
Transferring rpc.byname...
Trying ypxfrd ... success
Transferring auto.home...
Trying ypxfrd ... success
Transferring protocols.byname...
Trying ypxfrd ... success
Transferring auto.master...
Trying ypxfrd ... success
Transferring group.byname...
Trying ypxfrd ... success
Transferring netid.byname...
Trying ypxfrd ... success
Transferring mail.aliases...
Trying ypxfrd ... success
Transferring passwd.byuid...
Trying ypxfrd ... success
Transferring services.byservicename...
Trying ypxfrd ... success
Transferring protocols.bynumber...
Trying ypxfrd ... success
Slave's NIS data base has been set up.
If there were warnings, please figure out what went wrong, and fix it.
At this point, make sure that /etc/passwd and /etc/group have
been edited so that when the NIS is activated, the data bases you
have just created will be used, instead of the /etc ASCII files.