Date:      Sun, 14 Apr 2002 10:42:20 +0100
From:      Scott Mitchell <scott.mitchell@mail.com>
To:        dave <dmehler@siscom.net>
Cc:        freebsd-hackers@FreeBSD.ORG
Subject:   Re: FreeBSD NIS serving linux clients.
Message-ID:  <20020414104220.B293@fishballoon.dyndns.org>
In-Reply-To: <002301c1e333$e2cdf430$0200a8c0@satellite>; from dmehler@siscom.net on Sat, Apr 13, 2002 at 05:40:52PM -0400
References:  <002301c1e333$e2cdf430$0200a8c0@satellite>

On Sat, Apr 13, 2002 at 05:40:52PM -0400, dave wrote:
> Hello,
>     I'm having a few problems configuring nis to interoperate between
> FreeBSD which is the main nis server and rh 7.2 linux nis clients.
>     First of all, users can log in to the nis master server just fine and
> change their passwords. However, they can not log in to the linux boxes even
> though the linux boxes can display information about the nis users. In
> /var/yp/Makefile on the nis master server i've set unsecure to true, and
> remade the nis maps, this has not corrected the problem.
>     Additionally, using proftpd doesn't work, I've added the suggested lines
> to /etc/pam.conf and PersistentPasswd off to proftpd.conf, restarted
> proftpd, however when a user tries to log in an error 530 occurs and in
> /var/log/messages I get a message that the password is not valid.
>     Any pointers appreciated.
> Thanks.
> Dave.

Hi Dave,

The Linux NIS implementation (at least the one that RedHat ships) is a bit
strange, to say the least :-)  Here's what I had to do to get our various
RedHat 6.x/7.x clients to talk to a FreeBSD NIS master.

First of all, I assume your Linux boxen are set up to use shadow
passwords.  You need to have your NIS server export a 'shadow' map in
addition to the 'master.passwd' map that FreeBSD expects to find the
encrypted passwords in.  Every OS does this differently -- our Solaris
machines use yet another different map for shadow passwords.

Second (and this is the one that took me all day to figure out), the Linux
NIS client won't look in the shadow password map at all unless it sees an
'x' in the password field of the 'passwd' map.  That's right, put a '*' or
any other invalid password in there, and it'll assume it's the real
password and (obviously) fail to match it against whatever the user just
typed in.  I believe this is actually documented in some Linux NIS HOWTO,
but it was pretty hard to track down.

I've appended diffs between the stock 4.3-R /var/yp/Makefile and my local
one, that implements these changes.  It might not apply cleanly to later
versions, but should be pretty easy to replicate by hand.  You'll notice
that it also moves the source for the 'groups' map into /var/yp... ignore
that if it's not relevant to your situation.

Hope that is some help,

	Scott

*** Makefile.dist	Sat Apr 21 10:10:22 2001
--- Makefile	Wed Nov  7 17:57:36 2001
***************
*** 10,15 ****
--- 10,22 ----
  #
  # This Makefile can be modified to support more NIS maps if desired.
  #
+ # 20010830 rsm Added support for Linux-friendly shadow.byname map,
+ #              generated from master.passwd.  Also made sure that
+ #              password field in passwd map ues 'x' not '*', so that
+ #              Linux clients will recognise the invalid passwords...
+ # 20011107 rsm Moved source for 'group' maps to /var/yp/group.
+ #              Clients should append this map to their own /etc/group.
+ #
  
  # If this machine is an NIS master, comment out this next line so
  # that changes to the NIS maps can be propagated to the slave servers.
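Review bot: the new header comment has a typo ("ues" for "uses") and misstates why the placeholder is 'x': glibc does not "recognise the invalid password", it treats an 'x' in the passwd field as the signal to fetch the hash from the shadow map instead of treating the field as the hash. Suggest `#              password field in passwd map uses 'x' not '*', so that` / `#              Linux clients will look in shadow.byname for the hash.` The second entry should also say that /var/yp/group has to exist before the first `make`, since the stock file expects the group source under $(YPSRCDIR).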
***************
*** 104,110 ****
  PROTOCOLS = $(YPSRCDIR)/protocols
  RPC 	  = $(YPSRCDIR)/rpc
  SERVICES  = $(YPSRCDIR)/services
! GROUP     = $(YPSRCDIR)/group
  ALIASES   = $(YPSRCDIR)/aliases
  NETGROUP  = $(YPDIR)/netgroup
  PASSWD    = $(YPDIR)/passwd
--- 111,118 ----
  PROTOCOLS = $(YPSRCDIR)/protocols
  RPC 	  = $(YPSRCDIR)/rpc
  SERVICES  = $(YPSRCDIR)/services
! #GROUP     = $(YPSRCDIR)/group
! GROUP     = $(YPDIR)/group
  ALIASES   = $(YPSRCDIR)/aliases
  NETGROUP  = $(YPDIR)/netgroup
  PASSWD    = $(YPDIR)/passwd
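Review bot: the old assignment is kept as a commented-out line, `#GROUP     = $(YPSRCDIR)/group`, while the header change log already records the move; drop it rather than leaving two GROUP assignments for someone to uncomment the wrong one later. If the intent is to let a site switch back, say so in the comment instead of leaving the dead line.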
***************
*** 187,193 ****
  publickey: publickey.byname
  aliases:   mail.aliases
  
! master.passwd:	master.passwd.byname master.passwd.byuid
  
  #
  # This is a special target used only when doing in-place updates with
--- 195,201 ----
  publickey: publickey.byname
  aliases:   mail.aliases
  
! master.passwd:	master.passwd.byname master.passwd.byuid shadow.byname
  
  #
  # This is a special target used only when doing in-place updates with
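Review bot: hanging shadow.byname off the master.passwd target is the right dependency (both are built from the same source file), but unlike `passwd:` and `master.passwd:` there is no `shadow: shadow.byname` alias, so `make shadow` fails; add one next to the other aliases. The more important point is that this map carries exactly the hashes master.passwd.byname does, so before the first push confirm that ypserv applies the same privileged-port restriction to shadow.byname that it applies to the master.passwd.* maps; if it does not, any unprivileged user on a host allowed by securenets can dump every hash with `ypcat shadow.byname`.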
***************
*** 467,473 ****
  	@if [ ! $(UNSECURE) ]; then \
  	$(RCAT) $(MASTER) | \
  	$(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
! 		print $$1":*:"$$3":"$$4":"$$8":"$$9":"$$10}' $^ \
  		> $(PASSWD) ; \
  	else $(RCAT) $(MASTER) | \
  	$(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
--- 475,481 ----
  	@if [ ! $(UNSECURE) ]; then \
  	$(RCAT) $(MASTER) | \
  	$(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
! 		print $$1":x:"$$3":"$$4":"$$8":"$$9":"$$10}' $^ \
  		> $(PASSWD) ; \
  	else $(RCAT) $(MASTER) | \
  	$(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
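Review bot: changing only the `[ ! $(UNSECURE) ]` branch is correct (the UNSECURE branch already exports the real hash), but nothing at this spot explains the placeholder, and "x" looks like a typo for "*" to anyone reading the target cold. A one-line comment above the `@if`, saying that glibc consults shadow.byname only when this field is exactly 'x', would save the next reader the day the author mentions spending on it.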
***************
*** 559,564 ****
--- 567,588 ----
  	$(CAT) $(MASTER) | \
  	$(AWK) -F: '{ if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
  		print $$3"\t"$$0 }' $^ \
+ 		| $(DBLOAD) ${S} -f -i $(MASTER) -o $(YPMAPDIR)/$@ - $(TMP); \
+ 		$(RMV) $(TMP) $@
+ 	@$(DBLOAD) -c
+ 	@if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi
+ 	@if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi
+ .endif
+ 
+ 
+ shadow.byname: $(MASTER)
+ 	@echo "Updating $@..."
+ .if ${MASTER} == "/dev/null"
+ 	@echo "Master.passwd source file not found -- skipping"
+ .else
+ 	$(CAT) $(MASTER) | \
+ 	$(AWK) -F: '{ if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
+ 		print $$1"\t"$$1":"$$2":12345:0:99999:7:::" }' $^ \
  		| $(DBLOAD) ${S} -f -i $(MASTER) -o $(YPMAPDIR)/$@ - $(TMP); \
  		$(RMV) $(TMP) $@
  	@$(DBLOAD) -c
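Review bot: the shadow entry hard-codes `12345:0:99999:7:::`, which throws away the only aging data master.passwd has and puts a made-up last-change day in every record: 12345 days after the epoch is a date in late 2003, i.e. in the future relative to the Nov 2001 date on this file, and master.passwd's change ($6) and expire ($7) fields, both in seconds since the epoch, are never consulted, so an account expiry or forced password change set on the FreeBSD master is silently not enforced on the Linux clients. Suggest using the build day for lastchg, deriving max from $6 (days from lastchg until the forced change, empty when $6 is 0) and expire from $7 (int($7/86400), empty when 0), and never emitting 0 for lastchg, which Linux reads as "must change password at next login". Also worth a warning in this target: a hash FreeBSD produced with passwd_format=blf ($2a$) will be exported as-is, and the glibc crypt() shipped with RedHat 7.x verifies DES and MD5 ($1$) only, so those users will fail to log in on the Linux side with no useful error.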

-- 
===========================================================================
Scott Mitchell          | PGP Key ID | "Eagles may soar, but weasels
Cambridge, England      | 0x54B171B9 |  don't get sucked into jet engines"
scott.mitchell@mail.com | 0xAA775B8B |      -- Anon
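
The two maps the message describes, as an added example that is not Scott's code or the FreeBSD Makefile's: a POSIX sh script with the same awk filtering as the Makefile targets, but it writes 'x' into the passwd map and derives the shadow aging fields from master.passwd's change and expire columns instead of a fixed "12345:0:99999:7:::". The master.passwd lines are constructed sample data with fake hashes; the today_days helper, the field mapping and the $2a$ warning are this example's own choices, not part of the original patch.

```sh
#!/bin/sh
# Added example, not from the original message or the FreeBSD /var/yp/Makefile.
# Field layouts:
#   master.passwd:  name:pw:uid:gid:class:change:expire:gecos:home:shell
#   passwd map:     name:x:uid:gid:gecos:home:shell
#   shadow map:     name:pw:lastchg:min:max:warn:inactive:expire:flag

# Constructed sample input (hashes are not real).  The '#' and '+' lines are
# the cases the stock Makefile filters out.  bob must change his password by
# 2002-01-01 (1009843200 s) and his account expires 2003-01-01 (1041379200 s).
SAMPLE_MASTER_PASSWD='# comment line
root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$abcdefgh$0123456789abcdefghijkl:1001:1001::0:0:Alice Example:/home/alice:/bin/sh
bob:$1$zyxwvuts$lkjihgfedcba9876543210:1002:1002::1009843200:1041379200:Bob Example:/home/bob:/bin/sh
+:::::::::'

# passwd map body.  The literal 'x' (not '*', not a hash) is what makes a glibc
# NIS client go to the shadow map for the password.
gen_passwd() {
    awk -F: '$1 != "" && $1 !~ /^#/ && $1 != "+" {
        print $1 ":x:" $3 ":" $4 ":" $8 ":" $9 ":" $10
    }'
}

# shadow.byname body as "key<TAB>value", keyed on the user name.
# $1 is "today" in days since the epoch and becomes lastchg: master.passwd
# records when a password MUST change ($6), not when it last did, so the build
# day is the honest value (0 would mean "change at next login" to pam_unix).
#   change ($6, seconds) -> max    = days from today until the forced change
#   expire ($7, seconds) -> expire = day the account stops working
# Both stay empty (no aging) when the master.passwd field is 0.
gen_shadow() {
    awk -F: -v today="$1" '$1 != "" && $1 !~ /^#/ && $1 != "+" {
        max = ""; expire = ""
        if ($6 != 0) { max = int($6 / 86400) - today; if (max < 0) max = 0 }
        if ($7 != 0) { expire = int($7 / 86400) }
        # Caveat: FreeBSD can produce Blowfish ($2a$) hashes via login.conf,
        # which the glibc crypt() of the RedHat 7.x era cannot verify.
        if (substr($2, 1, 2) == "$2")
            print "warning: " $1 ": $2 hash not verifiable by glibc crypt()" | "cat 1>&2"
        print $1 "\t" $1 ":" $2 ":" today ":0:" max ":7::" expire ":"
    }'
}

# Days since the epoch for the current day (GNU and BSD date both take +%s).
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# Demo run: both map bodies for the sample, ready for yp_mkdb.
printf '%s\n' "$SAMPLE_MASTER_PASSWD" | gen_passwd
printf '%s\n' "$SAMPLE_MASTER_PASSWD" | gen_shadow "$(today_days)"
```

Feeding the gen_shadow output to yp_mkdb in place of the awk line in the shadow.byname target gives Linux clients the same password-change and expiry dates the FreeBSD master enforces, and a root account that stays locked with '*' on both sides.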

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message



