From: Allan Jude
Organization: ThunderIT Consulting Inc.
Date: Wed, 19 May 2010 23:43:27 -0400
To: freebsd-jail@freebsd.org
Subject: NIS (ypbind) Client in a Jail
Message-ID: <4BF4AFDF.2040407@thunderit.com>

I have a series of jails spread across a number of machines and I want to share a common set of users between them.

On a 'real' server (192.168.0.50), I have set up ypserv (per handbook instructions), and I've set up ypbind successfully on the jail host (192.168.0.20), but when I set it up inside the jail itself (192.168.0.22), it doesn't seem to be able to connect to the ypserv.

I had to set the 'domainname' on the host, as you cannot change the sysctl in the jail, and this is fine, as I want the common uids on the host as well, so top etc. show the correct usernames for processes running as those users in the jail.

/etc/nsswitch.conf

group: files nis
hosts: files dns
networks: files
passwd: files nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

I have tried rpcbind w/ and w/o the -h flag (I also tried w/ it on the host to make it not bind to *).

ps aux|grep bind in jail

root  6986  0.0  0.1  7676  2328  ??  SJ    4:45PM   0:00.00 /usr/sbin/ypbind
root 95169  0.0  0.0  6876  1532  ??  SsJ   4:21PM   0:00.01 /usr/sbin/rpcbind -h 192.168.0.22
root 95265  0.0  0.1  7676  2268  ??  SsJ   4:21PM   0:00.05 /usr/sbin/ypbind

sockstat|grep bind in jail

root  ypbind   7267   4  udp4   192.168.0.22:1011   *:*
root  ypbind   7267   5  tcp4   192.168.0.22:982    *:*
root  ypbind   7267   6  udp4   192.168.0.22:58996  *:*
root  ypbind   95265  4  udp4   192.168.0.22:1011   *:*
root  ypbind   95265  5  tcp4   192.168.0.22:982    *:*
root  rpcbind  95169  5  stream /var/run/rpcbind.sock
root  rpcbind  95169  6  udp4   192.168.0.22:111    *:*
root  rpcbind  95169  7  udp4   *:*                 *:*
root  rpcbind  95169  8  dgram  -> /var/run/logpriv
root  rpcbind  95169  9  udp4   192.168.0.22:792    *:*
root  rpcbind  95169  10 tcp4   192.168.0.22:111    *:*
root  rpcbind  95169  11 tcp4   *:*                 *:*

but when I do

id user

or

ypcat passwd

it just sits there.

ps aux|grep bind on the host (the processes with the J are the ones inside the jail)

root  7391  0.0  0.1  7676  2328  ??  SJ   12:47PM   0:00.00 /usr/sbin/ypbind
root 90870  0.0  0.0  6748  1460  ??  Ss   12:18PM   0:00.00 /usr/sbin/rpcbind -h 192.168.0.20
root 90873  0.0  0.1  9724  2964  ??  Ss   12:18PM   0:00.01 /usr/sbin/ypbind
root 95169  0.0  0.0  6876  1532  ??  SsJ  12:21PM   0:00.01 /usr/sbin/rpcbind -h 192.168.0.22
root 95265  0.0  0.1  7676  2268  ??  SsJ  12:21PM   0:00.05 /usr/sbin/ypbind

I have also tried

ypserver -S domain,192.168.0.50

ypbind doesn't seem to have any debugging options, so it's hard to tell what it is doing, but as far as I can tell (tcpdump), it is not actually attempting to connect to the ypserv.

Any suggestions?

--
Allan Jude