The examples in this article assume:
A Type 1 network. A Type 1 network is the networking layout in which the regular nodes are on an internal network behind the head node, and only the head node optionally connects externally.
A NIS server that is outside the internal network.
The IP address of the NIS server is 10.2.185.122 and the NIS domain name is cp-domain.
A user testuser defined in the passwd map with uid 1001.
The reader knows if it is necessary to mount the home directories of the users from a different NFS server. The reader also knows how to configure it.
This procedure was tested in Bright 8.0 and Bright 7.3, but it should work for previous versions of Bright without modifications. This article applies to both RHEL 7 and RHEL 6 distributions and their derivatives.
The simplest scenario is described first. Modifications are elaborated upon later.
Scenario 1: The users authenticate only against the NIS server
Configure the head node
To configure the head node, the LDAP healthcheck should be disabled:
In Bright 7.3 and previous versions, the following command should be used:
# cmsh -c "monitoring setup healthconf headnode; use ldap; set disabled yes; commit"
In Bright 8.0, the following command should be used:
# cmsh -c "monitoring setup; use ldap; set disabled yes; commit"
The LDAP service should then be disabled:
# cmsh -c "device use master; services; use slapd; set autostart no; set monitored no; commit; stop"
The required packages should be installed:
# yum install yp-tools ypbind
The file /etc/yp.conf should be edited with the following content:
domain cp-domain server 10.2.185.122
The /etc/nsswitch.conf file should have the following entries modified:
passwd: files nis
shadow: files nis
group: files nis
The ypbind service should be added to Bright:
# cmsh -c "device use master; services; add ypbind; set monitored yes; set autostart yes; commit"
Disable PAM LDAP configuration:
# authconfig --savebackup=pamldap
# authconfig --disableldapauth --disableldap --update
Configure the software images
The required packages have to be installed (do this step once for every software image):
# yum --installroot=/cm/images/<software_image> install yp-tools ypbind
The /etc/yp.conf file in every software image should be edited to have the following content:
domain cp-domain server 10.2.185.122
The /etc/nsswitch.conf file in every software image should be modified with the following entries:
passwd: files nis
shadow: files nis
group: files nis
Disable the PAM LDAP configuration. To do this, chroot into each software image and run the following commands:
# authconfig --savebackup=pamldap
# authconfig --disableldapauth --disableldap --update
All compute nodes should then be rebooted.
The ypbind service should be added to every category:
# cmsh -c "category; foreach * (services; add ypbind; set monitored yes; set autostart yes); commit"
Test
On the head node the following command should be run and its output checked:
# id testuser
uid=1001(testuser) gid=1001(testuser) groups=1001(testuser)
A node should then be booted by the administrator with the new software image, and the following command run on it:
# id testuser
uid=1001(testuser) gid=1001(testuser) groups=1001(testuser)
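The per-image edits above are easy to miss on one image, so the following added example (not part of the original article or of Bright) checks a root directory for the yp.conf line and the nis entries in nsswitch.conf. The function name check_nis_root is hypothetical; the root is "/" for the head node or /cm/images/<software_image> for an image, and the demo uses a constructed directory.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Bright tooling).
# check_nis_root ROOT DOMAIN SERVER
#   Prints each problem found; returns 0 only if ROOT is fully configured.
check_nis_root() {
    root=${1%/} domain=$2 server=$3 rc=0
    # /etc/yp.conf must bind the expected domain to the expected server.
    if ! awk -v d="$domain" -v s="$server" '
            $1 == "domain" && $2 == d && $3 == "server" && $4 == s { ok = 1 }
            END { exit !ok }' "$root/etc/yp.conf" 2>/dev/null; then
        echo "$root/etc/yp.conf: no 'domain $domain server $server' line"
        rc=1
    fi
    # passwd, shadow and group must each list nis as a source.
    # Commented-out entries (e.g. "#shadow:") do not count.
    for db in passwd shadow group; do
        if ! awk -v db="$db:" '
                $1 == db { for (i = 2; i <= NF; i++) if ($i == "nis") ok = 1 }
                END { exit !ok }' "$root/etc/nsswitch.conf" 2>/dev/null; then
            echo "$root/etc/nsswitch.conf: '$db' does not list nis"
            rc=1
        fi
    done
    return $rc
}

# Constructed image root, standing in for /cm/images/<software_image>.
img=$(mktemp -d)
mkdir -p "$img/etc"
echo 'domain cp-domain server 10.2.185.122' > "$img/etc/yp.conf"
printf '%s\n' 'passwd: files nis' 'shadow: files' 'group: files nis' \
    > "$img/etc/nsswitch.conf"
check_nis_root "$img" cp-domain 10.2.185.122 || echo "image needs fixing"
rm -rf "$img"
```

The same check applies to Scenario 2, since it only requires that nis appears among the sources on each line.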
Scenario 2: The users authenticate against Bright LDAP and the NIS server
Having duplicate UIDs between the Bright LDAP and the NIS server leads to conflict. These should therefore be checked for, and cleaned up.
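One way to run the duplicate check, as an added example that is not part of the original article: the hypothetical function dup_uids compares two passwd-format dumps and lists every UID present in both. How the dumps are produced is an assumption noted in the comments; the sample users alice and bob are constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Bright tooling).
# Inputs are passwd-format dumps: name:passwd:uid:gid:gecos:home:shell
# Assumption: on the head node the dumps can be produced with, e.g.
#   getent -s ldap passwd > ldap_passwd.txt   (needs LDAP enumeration)
#   ypcat passwd          > nis_passwd.txt

# dup_uids LDAP_DUMP NIS_DUMP
#   Prints "<uid> ldap=<name> nis=<name>" for every UID found in both.
dup_uids() {
    awk -F: '
        NF < 3 || $3 !~ /^[0-9]+$/ { next }     # skip malformed lines
        src == "ldap" { ldap[$3] = $1; next }   # remember LDAP owners
        ($3 in ldap) {                          # NIS UID already in LDAP
            printf "%s ldap=%s nis=%s\n", $3, ldap[$3], $1
        }
    ' src=ldap "$1" src=nis "$2" | sort -n
}

# Constructed sample data (not taken from a real cluster).
tmp=$(mktemp -d)
printf '%s\n' 'cmsupport:x:1000:1000::/home/cmsupport:/bin/bash' \
              'alice:x:1002:1002::/home/alice:/bin/bash' > "$tmp/ldap"
printf '%s\n' 'testuser:x:1001:1001::/home/testuser:/bin/bash' \
              'bob:x:1002:1002::/home/bob:/bin/bash' > "$tmp/nis"
dup_uids "$tmp/ldap" "$tmp/nis"
rm -rf "$tmp"
```

An empty result means no UID is served by both sources.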
Configure the head node
The required packages must be installed:
# yum install yp-tools ypbind
The file /etc/yp.conf should be edited to have the following content:
domain cp-domain server 10.2.185.122
The /etc/nsswitch.conf file should have the entries for passwd, shadow and group modified by adding nis to their entries. For example, in CentOS 7 the entries would be like this:
passwd: files sss ldap nis
shadow: files sss ldap nis
group: files sss ldap nis
The ypbind service should be added to Bright:
# cmsh -c "device use master; services; add ypbind; set monitored yes; set autostart yes; commit"
Configure the software images
The required packages have to be installed (do this step once for every software image):
# yum --installroot=/cm/images/<software_image> install yp-tools ypbind
The /etc/yp.conf file in every software image should be edited to have the following content:
domain cp-domain server 10.2.185.122
The /etc/nsswitch.conf file in every software image should be modified with the following entries:
passwd: files nis
shadow: files nis
group: files nis
All compute nodes should then be rebooted.
The ypbind service should be added to Bright in every category:
# cmsh -c "category; foreach * (services; add ypbind; set monitored yes; set autostart yes); commit"
Test
On the head node the following commands should be run, and the output checked:
# id cmsupport
uid=1000(cmsupport) gid=1000(cmsupport) groups=1000(cmsupport)
# id testuser
uid=1001(testuser) gid=1001(testuser) groups=1001(testuser)
Boot a node with the new software image. Then run the following commands and check the output:
# id cmsupport
uid=1000(cmsupport) gid=1000(cmsupport) groups=1000(cmsupport)
# id testuser
uid=1001(testuser) gid=1001(testuser) groups=1001(testuser)
Automounter configuration
If the automounter maps are to be loaded from the NIS server, some additional steps are required.
In this example it is assumed that the automounter maps are correct and that they do not reference local maps.
Important note
Filesystems mounted dynamically, that is, with an auto-mounter, cannot have their appearance or disappearance detected reliably.
To protect the filesystem from being wiped out accidentally by any live update operation, Bright stops any live update operation, including imageupdate and updateprovisioners. If disabling this feature is desired, then “AllowImageUpdateWithAutoMount=2” must be added to the list of advanced configurations in /cm/local/apps/cmd/etc/cmd.conf on the head node, and the cmd service should then be restarted in order to activate the change.
Any filesystem that may be imported via an auto-mount operation must explicitly be excluded by the administrator, by manually adding the filesystem to the update exclude list. This is to prevent an incorrect execution of imageupdate. Neglecting to do this may wipe out the filesystem, if it happens to be automounted in the middle of an imageupdate operation. For example, if /data is automounted and an “imageupdate” is performed while /data was originally not mounted, then it will get wiped out by the imageupdate command, because the provisioning sub-system does not detect that /data is an NFS share, thus wiping out the shared storage.
Configure the head node
The required package must be installed:
# yum install autofs
The /etc/nsswitch.conf file should be edited, and the entry for automount should be modified by replacing ldap with nis at the end. For example, in CentOS 7 the entry would be like this:
automount: files nis
The autofs service should be added to Bright:
# cmsh -c "device use master; services; add autofs; set monitored yes; set autostart yes; commit"
Configure the software images
The required package must be installed in every software image:
# yum --installroot=/cm/images/<software_image> install autofs
The /etc/nsswitch.conf file should be edited in every software image, and the entry for automount modified by replacing ldap with nis at the end. For example, in CentOS 7 the entry would be like this:
automount: files nis
The autofs service should be added to Bright in every category:
# cmsh -c "category; foreach * (services; add autofs; set monitored yes; set autostart yes); commit"
Test
To check all is well, one of the directories referenced by the automounter maps should be listed. This should be checked within the head node, and within a compute node (booted with the updated software image). The mount command can be run to verify that the directory was mounted.