# NIS (ypbind) Client in a Jail



## allanjude@ (Apr 17, 2010)

I have a series of jails spread across a number of machines and I want to share a common set of users between them.

On a 'real' server (192.168.0.50), I have set up ypserv (per handbook instructions), and I've set up ypbind successfully on the jail host (192.168.0.20), but when I set it up inside the jail itself (192.168.0.22), it doesn't seem to be able to connect to the ypserv. I had to set the 'domainname' on the host, as you cannot change it in the jail, and this is fine, as I want the common uids on the host as well, so top etc show the correct usernames for processes running as those users in the jail.

/etc/nsswitch.conf

```
group: files nis
hosts: files dns
networks: files
passwd: files nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
```

I have tried rpcbind w/ and w/o the -h flag (I also tried w/ it on the host to make it not bind to *)

`ps|grep bind` in jail

```
root         6986  0.0  0.1  7676  2328  ??  SJ    4:45PM   0:00.00 /usr/sbin/ypbind
root        95169  0.0  0.0  6876  1532  ??  SsJ   4:21PM   0:00.01 /usr/sbin/rpcbind -h 192.168.0.22
root        95265  0.0  0.1  7676  2268  ??  SsJ   4:21PM   0:00.05 /usr/sbin/ypbind
```

`sockstat|grep bind` in jail

```
root     ypbind     7267  4  udp4   192.168.0.22:1011     *:*
root     ypbind     7267  5  tcp4   192.168.0.22:982      *:*
root     ypbind     7267  6  udp4   192.168.0.22:58996    *:*
root     ypbind     95265 4  udp4   192.168.0.22:1011     *:*
root     ypbind     95265 5  tcp4   192.168.0.22:982      *:*
root     rpcbind    95169 5  stream /var/run/rpcbind.sock
root     rpcbind    95169 6  udp4   192.168.0.22:111      *:*
root     rpcbind    95169 7  udp4   *:*                   *:*
root     rpcbind    95169 8  dgram  -> /var/run/logpriv
root     rpcbind    95169 9  udp4   192.168.0.22:792      *:*
root     rpcbind    95169 10 tcp4   192.168.0.22:111      *:*
root     rpcbind    95169 11 tcp4   *:*                   *:*
```

but when I do `id user` or `ypcat passwd` it just sits there.

`ps|grep bind` on the host (the processes with the J are the ones inside the jail)

```
root         7391  0.0  0.1  7676  2328  ??  SJ   12:47PM   0:00.00 /usr/sbin/ypbind
root        90870  0.0  0.0  6748  1460  ??  Ss   12:18PM   0:00.00 /usr/sbin/rpcbind -h 192.168.0.20
root        90873  0.0  0.1  9724  2964  ??  Ss   12:18PM   0:00.01 /usr/sbin/ypbind
root        95169  0.0  0.0  6876  1532  ??  SsJ  12:21PM   0:00.01 /usr/sbin/rpcbind -h 192.168.0.22
root        95265  0.0  0.1  7676  2268  ??  SsJ  12:21PM   0:00.05 /usr/sbin/ypbind
```

I have also tried `ypserver -S domain,192.168.0.50`

`ypbind` doesn't seem to have any debugging options, so it's hard to tell what it is doing, but as far as I can tell (tcpdump), it is not actually attempting to connect to the ypserv.

Any suggestions?


----------



## anomie (Apr 21, 2010)

Running any packet filtering firewall on the host?

It may or may not be helpful, but you could observe system calls for ypcat (or whatever) using truss(1).


----------



## jedwards (Sep 23, 2010)

Sorry to reply to such an old thread, but I ran into this same exact problem on FreeBSD 8.1 (and previous releases).  After googling, this was one of the first hits of many problems but no real solutions, and I hope this helps others.  

I'm assuming NIS is working on the host, and proper rpcbind and ypserv entries are in hosts.allow. The problem lies within rpcbind, as it shouldn't be run in the jail.

On the host:

```
rpcbind_enable="YES"
nisdomainname="nisdomain"
nis_server_enable="YES"
nis_yppasswdd_enable="YES"

nis_client_enable="YES"
nis_client_flags="-S nisdomain"
```

The way that I found to resolve this was to do the following in the jail:

/etc/rc.conf

```
nis_client_enable="YES"
nis_client_flags="-S nisdomain"
rpcbind_enable="NO"
```

If you attempt to run `/etc/rc.d/ypbind` in the jail, then it will check to see if rpcbind is running, and if it is not running, it is started.  I found it best to comment these lines out of /etc/rc.d/ypbind, or at least prevent it from starting rpcbind.


```
#if ! checkyesno rpcbind_enable && \
#    ! /etc/rc.d/rpcbind forcestatus 1>/dev/null 2>&1
#then
#        force_depend rpcbind || return 1
#fi
```

After starting `/etc/rc.d/ypbind` the client no longer hung when running `id username` or any query to the NIS server and it was properly displaying the uids.


----------



## rbelk (Sep 23, 2010)

Thanks jedwards, I was thinking of doing NIS for my jails. You just saved me a lot of time and couple of headaches. Are you a mind reader?


----------



## allanjude@ (Sep 23, 2010)

Sorry that I forgot to reply to this when I found the answer. If I recall, I got help from the mailing list.

I just added:

```
/etc/rc.d/rpcbind forcestop
```

to the end of /etc/rc.d/ypbind

and now I have a common set of users across all 24 of my jails across 8 physical machines, and life is good.

I highly recommend you follow the instructions in the handbook and set up a slave or two for the ypbind, or even a slave on each host machine, as things go very wrong if ypbind cannot be reached.


----------



## pattex (Aug 7, 2015)

I'm sorry for warming up this super old thread again. But I wonder how (you) people got ypbind running, in a jail, in the first place.
When I try to do this – and I do ;-) – ypbind won't start because the domain name isn't set.

`# ypbind -S mydomain`

```
ypbind: domainname not set. Aborting
```

And in fact, it isn't. But I also can't do it.

`# domainname`

`# domainname maydomain`

```
domainname: setdomainname: Operation not permitted
```

In the jail's /etc/rc.conf I set the 'nisdomainname', of course.


```
# Bring up ypbind
nisdomainname="mydomain"
nis_client_enable="YES"
nis_client_flags="-S mydomain"

# Prevent rpc
rpcbind_enable="NO"
```

I'm using ezjail, if this matters.
Does anybody know something about this and would please help me?


----------



## asomers (May 25, 2021)

Update: a lot has changed since 2010.  These days you can set the domainname in a jail separately from the host.  rpcbind works fine in a jail too.  There is still one problem, though: ypbind's broadcast traffic doesn't work in a shared IP jail, because ypbind doesn't know what netmask to use.  However, these days there are VNET jails which have their own network stack.  If you use VNET, then NIS works just fine.  No special configuration is required.


----------
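
A sketch of the VNET setup described in the last post, as an added example that is not part of the thread or any poster's own configuration. The jail name, path, epair interface and /24 netmask are assumptions; the addresses and the `mydomain` NIS domain are the ones used earlier in the thread. Pinning ypbind to a named server with `-S` is optional.

```conf
# --- /etc/jail.conf on the host (jail name, path and epair0b are assumed) ---
nisclient {
    path = "/usr/jails/nisclient";
    host.hostname = "nisclient";
    host.domainname = "mydomain";   # NIS domain, set per jail rather than inherited from the host
    vnet;                           # give the jail its own network stack
    vnet.interface = "epair0b";     # assumes epair0 already exists and epair0a is bridged on the host
    mount.devfs;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}

# --- /etc/rc.conf inside the jail ---
ifconfig_epair0b="inet 192.168.0.22/24"   # /24 is an assumed netmask; the jail now has its own
nisdomainname="mydomain"
rpcbind_enable="YES"
nis_client_enable="YES"
# Lock ypbind to the known server instead of accepting whichever host answers a broadcast
nis_client_flags="-S mydomain,192.168.0.50"
```

Inside the running jail, `domainname` should print `mydomain` and `ypwhich` should name the server ypbind is bound to.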

