Verify that you have installed the non-default DES support, and
that the FreeBSD box is exporting DES passwords, instead of MD5.
-- Terry
Does "id nisuser" or "finger nisuser" work?
Do you have "passwd: files nis" in /etc/nsswitch.conf, or "passwd: compat"
plus a "+::0:0:::" record in /etc/passwd?
Blank out a user's password and see if he can log in, to verify that
DES vs MD5 is really the problem.
Try running "ypmatch nisuser passwd" and paste the output into the
Linux passwd file and see if nisuser can log in.
Also make sure you're running ypbind-1.8 or higher on the Linux box.
Earlier versions have a very hard time staying bound to a server.
--
Dan Nelson
dne...@allantgroup.com
Hi Dave,
The Linux NIS implementation (at least the one that RedHat ships) is a bit
strange, to say the least :-) Here's what I had to do to get our various
RedHat 6.x/7.x clients to talk to a FreeBSD NIS master.
First of all, I assume your Linux boxen are set up to use shadow
passwords. You need to have your NIS server export a 'shadow' map in
addition to the 'master.passwd' map that FreeBSD expects to find the
encrypted passwords in. Every OS does this differently -- our Solaris
machines use yet another different map for shadow passwords.
Second (and this is the one that took me all day to figure out), the Linux
NIS client won't look in the shadow password map at all unless it sees an
'x' in the password field of the 'passwd' map. That's right, put a '*' or
any other invalid password in there, and it'll assume it's the real
password and (obviously) fail to match it against whatever the user just
typed in. I believe this is actually documented in some Linux NIS HOWTO,
but it was pretty hard to track down.
I've appended diffs between the stock 4.3-R /var/yp/Makefile and my local
one, that implement these changes. It might not apply cleanly to later
versions, but should be pretty easy to replicate by hand. You'll notice
that it also moves the source for the 'groups' map into /var/yp... ignore
that if it's not relevant to your situation.
Hope that is some help,
Scott
*** Makefile.dist Sat Apr 21 10:10:22 2001
--- Makefile Wed Nov 7 17:57:36 2001
***************
*** 10,15 ****
--- 10,22 ----
#
# This Makefile can be modified to support more NIS maps if desired.
#
+ # 20010830 rsm Added support for Linux-friendly shadow.byname map,
+ # generated from master.passwd. Also made sure that
+ # password field in passwd map ues 'x' not '*', so that
+ # Linux clients will recognise the invalid passwords...
+ # 20011107 rsm Moved source for 'group' maps to /var/yp/group.
+ # Clients should append this map to their own /etc/group.
+ #
# If this machine is an NIS master, comment out this next line so
# that changes to the NIS maps can be propagated to the slave servers.
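Review bot: the two changelog entries added at the top of this hunk (20010830 and 20011107) record unrelated changes, the shadow map and the move of the group source, so the patch would be easier to apply selectively if it were split in two. In the 20010830 entry, "ues" should read "uses".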
***************
*** 104,110 ****
PROTOCOLS = $(YPSRCDIR)/protocols
RPC = $(YPSRCDIR)/rpc
SERVICES = $(YPSRCDIR)/services
! GROUP = $(YPSRCDIR)/group
ALIASES = $(YPSRCDIR)/aliases
NETGROUP = $(YPDIR)/netgroup
PASSWD = $(YPDIR)/passwd
--- 111,118 ----
PROTOCOLS = $(YPSRCDIR)/protocols
RPC = $(YPSRCDIR)/rpc
SERVICES = $(YPSRCDIR)/services
! #GROUP = $(YPSRCDIR)/group
! GROUP = $(YPDIR)/group
ALIASES = $(YPSRCDIR)/aliases
NETGROUP = $(YPDIR)/netgroup
PASSWD = $(YPDIR)/passwd
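Review bot: the new "GROUP = $(YPDIR)/group" line changes where the group maps are built from, but nothing beside the variable says that $(YPDIR)/group now has to exist and be maintained separately from $(YPSRCDIR)/group. Add a comment at the assignment saying so, and mark the retained "#GROUP = $(YPSRCDIR)/group" line as the stock default so it is clear which one to restore.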
***************
*** 187,193 ****
publickey: publickey.byname
aliases: mail.aliases
! master.passwd: master.passwd.byname master.passwd.byuid
#
# This is a special target used only when doing in-place updates with
--- 195,201 ----
publickey: publickey.byname
aliases: mail.aliases
! master.passwd: master.passwd.byname master.passwd.byuid shadow.byname
#
# This is a special target used only when doing in-place updates with
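Review bot: on the changed "master.passwd:" line, shadow.byname is only reachable as a dependency of the master.passwd target, whereas the neighbouring lines give each map a short alias ("publickey: publickey.byname", "aliases: mail.aliases"). A separate "shadow: shadow.byname" alias would follow that convention and let the shadow map be rebuilt on its own.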
***************
*** 467,473 ****
@if [ ! $(UNSECURE) ]; then \
$(RCAT) $(MASTER) | \
$(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
! print $$1":*:"$$3":"$$4":"$$8":"$$9":"$$10}' $^ \
> $(PASSWD) ; \
else $(RCAT) $(MASTER) | \
$(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
--- 475,481 ----
@if [ ! $(UNSECURE) ]; then \
$(RCAT) $(MASTER) | \
$(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
! print $$1":x:"$$3":"$$4":"$$8":"$$9":"$$10}' $^ \
> $(PASSWD) ; \
else $(RCAT) $(MASTER) | \
$(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
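Review bot: the changed print line swaps ":*:" for ":x:" with no comment at the rule itself, so the only explanation is the changelog entry at the top of the file. Add a comment above the awk command saying that the "x" is what makes Linux clients consult shadow.byname. The print line of the else branch falls outside this hunk's context, so confirm that it needs no matching change.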
***************
*** 559,564 ****
--- 567,588 ----
$(CAT) $(MASTER) | \
$(AWK) -F: '{ if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
print $$3"\t"$$0 }' $^ \
+ | $(DBLOAD) ${S} -f -i $(MASTER) -o $(YPMAPDIR)/$@ - $(TMP); \
+ $(RMV) $(TMP) $@
+ @$(DBLOAD) -c
+ @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi
+ @if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi
+ .endif
+
+
+ shadow.byname: $(MASTER)
+ @echo "Updating $@..."
+ .if ${MASTER} == "/dev/null"
+ @echo "Master.passwd source file not found -- skipping"
+ .else
+ $(CAT) $(MASTER) | \
+ $(AWK) -F: '{ if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
+ print $$1"\t"$$1":"$$2":12345:0:99999:7:::" }' $^ \
| $(DBLOAD) ${S} -f -i $(MASTER) -o $(YPMAPDIR)/$@ - $(TMP); \
$(RMV) $(TMP) $@
@$(DBLOAD) -c
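Review bot: the added shadow.byname rule prints "$$2" from $(MASTER) for every entry that passes the name filter, so the password hash of every account in the source file, uid 0 included, goes into the new map. Consider also testing "$$3" in the awk condition (a minimum UID, for example) so that only the accounts Linux clients need are exported. The fixed tail "12345:0:99999:7:::" deserves a comment naming the shadow fields it fills and noting that the last-change value is a constant.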
--
===========================================================================
Scott Mitchell | PGP Key ID | "Eagles may soar, but weasels
Cambridge, England | 0x54B171B9 | don't get sucked into jet engines"
scott.m...@mail.com | 0xAA775B8B | -- Anon
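
An added example, not part of any message in this thread: a small audit of the two maps that reports accounts hitting the problems discussed above (a passwd field other than 'x', a missing shadow.byname entry, or an MD5 rather than DES hash). The function names, the dump-file layout and the sample accounts with their dummy hashes are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Audits colon-separated dumps of the
# passwd and shadow maps, e.g. saved from "ypcat passwd" / "ypcat shadow.byname".

# check_nis_maps PASSWD_DUMP SHADOW_DUMP
# Prints one line per account that a shadow-using Linux client could not
# authenticate, for the reasons given in the thread; silent when all is well.
check_nis_maps() {
    awk -F: '
        # First file (shadow dump): remember the hash stored for each user.
        FILENAME == ARGV[1] { hash[$1] = $2; have[$1] = 1; next }
        # Skip blanks, comments and "+" compat entries, as the Makefile does.
        $1 == "" || $1 ~ /^#/ || $1 ~ /^\+/ { next }
        # Anything but "x" is compared against the typed password directly.
        $2 != "x"     { print $1 ": passwd field is not x, shadow map ignored"; next }
        !($1 in have) { print $1 ": no shadow.byname entry"; next }
        # A "$1$" prefix marks an MD5 crypt hash rather than DES.
        hash[$1] ~ /^\$1\$/ { print $1 ": MD5 hash, client may need DES"; next }
    ' "$2" "$1"
}

# demo: run the audit over constructed sample maps (hashes are dummy strings).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
carol:x:1003:1003:Carol:/home/carol:/bin/sh
dave:x:1004:1004:Dave:/home/dave:/bin/sh
EOF
    cat > "$dir/shadow" <<'EOF'
alice:aaBBccDDeeFFg:12345:0:99999:7:::
bob:aaBBccDDeeFFg:12345:0:99999:7:::
dave:$1$dummysalt$0123456789abcdefghijk.:12345:0:99999:7:::
EOF
    check_nis_maps "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

demo
```

The shadow dump is passed as the second argument but read first, so every passwd entry can be checked against it in a single pass.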