
FreeBSD NIS serving linux clients.


dave
Apr 13, 2002, 5:40:52 PM
Hello,
I'm having a few problems configuring nis to interoperate between
FreeBSD which is the main nis server and rh 7.2 linux nis clients.
First of all, users can log in to the NIS master server just fine and
change their passwords. However, they cannot log in to the Linux boxes even
though the Linux boxes can display information about the NIS users. In
/var/yp/Makefile on the NIS master server I've set UNSECURE to true and
remade the NIS maps; this has not corrected the problem.
Additionally, using proftpd doesn't work. I've added the suggested lines
to /etc/pam.conf and PersistentPasswd off to proftpd.conf and restarted
proftpd; however, when a user tries to log in an error 530 occurs, and in
/var/log/messages I get a message that the password is not valid.
Any pointers appreciated.
Thanks.
Dave.

To Unsubscribe: send mail to majo...@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message

Terry Lambert
Apr 13, 2002, 8:38:38 PM
dave wrote:
> I'm having a few problems configuring nis to interoperate between
> FreeBSD which is the main nis server and rh 7.2 linux nis clients.

Verify that you have installed the non-default DES support, and
that the FreeBSD box is exporting DES passwords, instead of MD5.

-- Terry

dave
Apr 13, 2002, 8:39:04 PM
Hi,
As far as I know fbsd is exporting md5 passwords. The rh box is set up
to do md5 as well.
Dave.

Dan Nelson
Apr 13, 2002, 9:53:00 PM
In the last episode (Apr 13), dave said:
> Hi,
> As far as i know fbsd is exporting md5 passwords. The rh box is
> set up to do md5, as well.

Does "id nisuser" or "finger nisuser" work?

Do you have "passwd: files nis" in /etc/nsswitch.conf, or "passwd: compat"
plus a "+::0:0:::" record in /etc/passwd?

Blank out a user's password and see if he can log in, to verify that
DES vs MD5 is really the problem.

Try running "ypmatch nisuser passwd" and paste the output into the
Linux passwd file and see if nisuser can log in.

Also make sure you're running ypbind-1.8 or higher on the Linux box.
Earlier versions have a very hard time staying bound to a server.

--
Dan Nelson
dne...@allantgroup.com

Scott Mitchell
Apr 14, 2002, 5:42:20 AM
On Sat, Apr 13, 2002 at 05:40:52PM -0400, dave wrote:
> Hello,
> I'm having a few problems configuring nis to interoperate between
> FreeBSD which is the main nis server and rh 7.2 linux nis clients.
> First of all, users can log in to the NIS master server just fine and
> change their passwords. However, they cannot log in to the Linux boxes even
> though the Linux boxes can display information about the NIS users. In
> /var/yp/Makefile on the NIS master server I've set UNSECURE to true and
> remade the NIS maps; this has not corrected the problem.
> Additionally, using proftpd doesn't work. I've added the suggested lines
> to /etc/pam.conf and PersistentPasswd off to proftpd.conf and restarted
> proftpd; however, when a user tries to log in an error 530 occurs, and in
> /var/log/messages I get a message that the password is not valid.
> Any pointers appreciated.
> Thanks.
> Dave.

Hi Dave,

The Linux NIS implementation (at least the one that RedHat ships) is a bit
strange, to say the least :-) Here's what I had to do to get our various
RedHat 6.x/7.x clients to talk to a FreeBSD NIS master.

First of all, I assume your Linux boxen are set up to use shadow
passwords. You need to have your NIS server export a 'shadow' map in
addition to the 'master.passwd' map that FreeBSD expects to find the
encrypted passwords in. Every OS does this differently -- our Solaris
machines use yet another different map for shadow passwords.

Second (and this is the one that took me all day to figure out), the Linux
NIS client won't look in the shadow password map at all unless it sees an
'x' in the password field of the 'passwd' map. That's right: put a '*' or
any other invalid password in there, and it'll assume it's the real
password and (obviously) fail to match it against whatever the user just
typed in. I believe this is actually documented in some Linux NIS HOWTO,
but it was pretty hard to track down.

I've appended diffs between the stock 4.3-R /var/yp/Makefile and my local
one that implement these changes. It might not apply cleanly to later
versions, but should be pretty easy to replicate by hand. You'll notice
that it also moves the source for the 'group' map into /var/yp... ignore
that if it's not relevant to your situation.

Hope that is some help,

Scott

*** Makefile.dist Sat Apr 21 10:10:22 2001
--- Makefile Wed Nov 7 17:57:36 2001
***************
*** 10,15 ****
--- 10,22 ----
#
# This Makefile can be modified to support more NIS maps if desired.
#
+ # 20010830 rsm Added support for Linux-friendly shadow.byname map,
+ # generated from master.passwd. Also made sure that
+ # password field in passwd map ues 'x' not '*', so that
+ # Linux clients will recognise the invalid passwords...
+ # 20011107 rsm Moved source for 'group' maps to /var/yp/group.
+ # Clients should append this map to their own /etc/group.
+ #

# If this machine is an NIS master, comment out this next line so
# that changes to the NIS maps can be propagated to the slave servers.
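Review bot: typo in the new header comment ("ues" for "uses"), and the comment should also record that the shadow.byname map carries the real hashes copied out of master.passwd (field 2, per the shadow.byname rule further down), so that anyone maintaining this Makefile treats it as a privileged map alongside master.passwd.byname/byuid rather than as just another world-readable map.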
***************
*** 104,110 ****
PROTOCOLS = $(YPSRCDIR)/protocols
RPC = $(YPSRCDIR)/rpc
SERVICES = $(YPSRCDIR)/services
! GROUP = $(YPSRCDIR)/group
ALIASES = $(YPSRCDIR)/aliases
NETGROUP = $(YPDIR)/netgroup
PASSWD = $(YPDIR)/passwd
--- 111,118 ----
PROTOCOLS = $(YPSRCDIR)/protocols
RPC = $(YPSRCDIR)/rpc
SERVICES = $(YPSRCDIR)/services
! #GROUP = $(YPSRCDIR)/group
! GROUP = $(YPDIR)/group
ALIASES = $(YPSRCDIR)/aliases
NETGROUP = $(YPDIR)/netgroup
PASSWD = $(YPDIR)/passwd
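Review bot: this hunk is the unrelated 20011107 "move group source to /var/yp" change bundled into the same diff; splitting it out would make the Linux shadow fix easier to carry to later Makefile versions, and the commented-out `#GROUP = $(YPSRCDIR)/group` line can simply be dropped rather than kept as dead text.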
***************
*** 187,193 ****
publickey: publickey.byname
aliases: mail.aliases

! master.passwd: master.passwd.byname master.passwd.byuid

#
# This is a special target used only when doing in-place updates with
--- 195,201 ----
publickey: publickey.byname
aliases: mail.aliases

! master.passwd: master.passwd.byname master.passwd.byuid shadow.byname

#
# This is a special target used only when doing in-place updates with
***************
*** 467,473 ****
@if [ ! $(UNSECURE) ]; then \
$(RCAT) $(MASTER) | \
$(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
! print $$1":*:"$$3":"$$4":"$$8":"$$9":"$$10}' $^ \
> $(PASSWD) ; \
else $(RCAT) $(MASTER) | \
$(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
--- 475,481 ----
@if [ ! $(UNSECURE) ]; then \
$(RCAT) $(MASTER) | \
$(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
! print $$1":x:"$$3":"$$4":"$$8":"$$9":"$$10}' $^ \
> $(PASSWD) ; \
else $(RCAT) $(MASTER) | \
$(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
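Review bot: the placeholder change from `*` to `x` is safe for non-Linux clients, since neither string is a possible crypt(3) output and so neither can ever match a typed password, but it is worth a comment here that the `x` convention is Linux-specific (a non-root FreeBSD client reading this passwd map still sees a locked account either way). Note the `else` branch (UNSECURE set) is untouched and still publishes the real hash in the unprivileged passwd map, which is presumably why the Linux fix is wanted in the secure branch at all.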
***************
*** 559,564 ****
--- 567,588 ----
$(CAT) $(MASTER) | \
$(AWK) -F: '{ if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
print $$3"\t"$$0 }' $^ \
+ | $(DBLOAD) ${S} -f -i $(MASTER) -o $(YPMAPDIR)/$@ - $(TMP); \
+ $(RMV) $(TMP) $@
+ @$(DBLOAD) -c
+ @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi
+ @if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi
+ .endif
+
+
+ shadow.byname: $(MASTER)
+ @echo "Updating $@..."
+ .if ${MASTER} == "/dev/null"
+ @echo "Master.passwd source file not found -- skipping"
+ .else
+ $(CAT) $(MASTER) | \
+ $(AWK) -F: '{ if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
+ print $$1"\t"$$1":"$$2":12345:0:99999:7:::" }' $^ \
| $(DBLOAD) ${S} -f -i $(MASTER) -o $(YPMAPDIR)/$@ - $(TMP); \
$(RMV) $(TMP) $@
@$(DBLOAD) -c
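Review bot: the aging fields in the shadow.byname rule are constant (`":12345:0:99999:7:::"`), so every account reports the same last-change day and none of master.passwd's own change (field 6) or expire (field 7) information reaches the Linux side; at minimum convert field 7 to a day count for the shadow expire slot (`int($$7/86400)`) and document why 12345 was chosen, keeping in mind that a last-change value of 0 means "must change password at next login" to a Linux client. Separately, since this map exports the real hash (`$$2`), verify that ypserv applies the same reserved-port restriction to shadow.byname that it applies to master.passwd.*; if it does not, `ypcat shadow.byname` from any host that passes securenets returns every password hash in the domain.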

--
===========================================================================
Scott Mitchell | PGP Key ID | "Eagles may soar, but weasels
Cambridge, England | 0x54B171B9 | don't get sucked into jet engines"
scott.m...@mail.com | 0xAA775B8B | -- Anon
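A runnable illustration of the two map transformations in Scott's patch, added here as an example; it is not code from the thread or from FreeBSD's /var/yp/Makefile. It rebuilds the secure-mode passwd map and the Linux-style shadow map from constructed master.passwd lines with made-up hashes, and shows which string a Linux client ends up comparing the typed password against under the `*` and the `x` placeholder. It goes one step beyond the patch by deriving the shadow expire field from master.passwd's expire field and by taking the last-change day as a parameter instead of the constant 12345; the function names and the sample accounts are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's /var/yp/Makefile.
# It reproduces what the Makefile changes do to master.passwd(5) lines and
# mirrors the Linux NSS rule described above: only an 'x' in the passwd field
# makes the client consult the shadow map; anything else is taken as the hash.
#
# master.passwd fields: name:hash:uid:gid:class:change:expire:gecos:home:shell
# passwd map line:      name:<placeholder>:uid:gid:gecos:home:shell
# shadow map line:      name:hash:lastchg:min:max:warn:inactive:expire:flag
#                       (lastchg and expire are day counts since the epoch)

# Constructed sample input with fake hashes. It includes a comment line, a
# '+' line and a trailing blank line, all of which the awk filter must drop.
MASTER_SAMPLE='# comment line
root:$1$abc$def:0:0::0:0:Charlie &:/root:/bin/csh
dave:$1$saltsalt$hashhashhashhashhashhas:1001:1001::0:1015200000:Dave Example:/home/dave:/bin/sh
+:::::::::
'

# Secure-mode passwd map (what the Makefile builds when UNSECURE is unset).
# $1 is the placeholder for the password field; the patch changes it from
# '*' to 'x'. Neither is a possible crypt(3) output, so neither can match a
# typed password, but only 'x' sends a Linux client to the shadow map.
mk_passwd_map() {
    awk -F: -v ph="${1:-x}" \
        '$1 != "" && $1 !~ /^#/ && $1 != "+" {
            print $1 ":" ph ":" $3 ":" $4 ":" $8 ":" $9 ":" $10 }'
}

# Linux-style shadow map from master.passwd. $1 is the day number to record
# as "last changed"; pass $(( $(date +%s) / 86400 )) for "today". Unlike the
# patch, which hard-codes 12345, this also carries master.passwd's account
# expiry (field 7, seconds since the epoch) into the shadow expire field.
# lastchg must never be 0: shadow(5) defines 0 as "must change at next login".
mk_shadow_map() {
    [ "${1:-0}" -gt 0 ] || { echo "mk_shadow_map: lastchg must be > 0" >&2; return 1; }
    awk -F: -v lastchg="$1" \
        '$1 != "" && $1 !~ /^#/ && $1 != "+" {
            expire = ($7 > 0) ? int($7 / 86400) : ""
            print $1 ":" $2 ":" lastchg ":0:99999:7::" expire ":" }'
}

# The hash string a Linux client would compare against for user $1, given
# passwd map text $2 and shadow map text $3: 'x' means look in shadow,
# anything else is used verbatim (so '*' can never match).
effective_hash() {
    _field=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2 }')
    if [ "$_field" = "x" ]; then
        printf '%s\n' "$3" | awk -F: -v u="$1" '$1 == u { print $2 }'
    else
        printf '%s\n' "$_field"
    fi
}

# Demo: build both maps and show the two placeholder cases.
PWMAP_X=$(printf '%s' "$MASTER_SAMPLE" | mk_passwd_map x)
PWMAP_STAR=$(printf '%s' "$MASTER_SAMPLE" | mk_passwd_map '*')
SHMAP=$(printf '%s' "$MASTER_SAMPLE" | mk_shadow_map 12000)
echo "== passwd map ('x' placeholder) =="; echo "$PWMAP_X"
echo "== shadow map =="; echo "$SHMAP"
echo "hash used with 'x' placeholder: $(effective_hash dave "$PWMAP_X" "$SHMAP")"
echo "hash used with '*' placeholder: $(effective_hash dave "$PWMAP_STAR" "$SHMAP")"
```

The Makefile feeds yp_mkdb lines of the form key, tab, value; the functions here emit only the value side, i.e. what `ypmatch dave passwd` and `ypmatch dave shadow.byname` would print on a working client, so their output can be compared directly against a real server's maps.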
