Gentoo Forums
Networking & Security
nis and yppasswd
burzmali (Apprentice)
Joined: 18 Apr 2002, Posts: 238, Location: ca

PostPosted: Fri Dec 20, 2002 9:57 pm    Post subject: nis and yppasswd

Has anyone gotten this to work?
I have server set up as an NIS master that also exports home directories via NFS, and I have mail set up as an NIS client that mounts its /home on the server's exported NFS /home directory. Users can log in via ssh or ftp and also get mail. All that works fine. However, users cannot use yppasswd to change their password in the NIS database. I have started rpc.yppasswdd on the server with and without the -m flag. Either way, when I type 'yppasswd' as a logged-in user on the client (mail), this is what I get:
Code:

burzmali@mail burzmali $ yppasswd
Changing NIS account information for burzmali on server.burzmali.net.
Please enter old password:
Sorry.
burzmali@mail burzmali $

I entered the correct password for the old one. What do I have to do to get this working? Any help is appreciated. Thank you.
_________________
burzmali
www.burzmali.net
474 (l33t)
Joined: 19 Apr 2002, Posts: 714

PostPosted: Thu Dec 26, 2002 8:19 am    Post subject:

I have this problem too and I'm trying to deduce the cause. I noticed that I could successfully change the password of a user account if I elevated to root privileges on the client. Is this the case for you also?
burzmali (Apprentice)
Joined: 18 Apr 2002, Posts: 238, Location: ca

PostPosted: Fri Dec 27, 2002 8:40 pm    Post subject:

Yeah, that is what I get too. Any ideas on how to fix it? I am pretty new to NIS.
_________________
burzmali
www.burzmali.net
474 (l33t)
Joined: 19 Apr 2002, Posts: 714

PostPosted: Fri Dec 27, 2002 11:32 pm    Post subject:

Yeah, I'm pretty new to it also, and a few incongruities are beginning to emerge. For example, I removed my local user account on a workstation; well, I'm using NIS so I don't need the local account, right? Wrong! Things still work, but I can't su to root anymore on the workstation because it thinks I'm not part of the wheel group. I have many things to learn about NIS, it seems ...

I'm looking into this. A possible culprit could be /etc/nsswitch.conf. I still haven't found a guide that explicitly explains exactly how it works in depth, and the manpage isn't as thorough as I'd like.
philthedrill (n00b)
Joined: 10 Jan 2003, Posts: 18, Location: Moscow, ID

PostPosted: Fri Jan 10, 2003 3:59 pm    Post subject:

This thread is brief on nsswitch.conf:

https://forums.gentoo.org/viewtopic.php?t=27670

On my network, I have passwd in /etc/nsswitch.conf set to "compat".

Also, my rpc.yppasswdd is running with '-D /etc/yp/' (which is where the yp passwd and shadow files are located).

I was also experiencing some serious authentication issues for NIS users last month (most of my machines are Red Hat), where ssh would use one password, yppasswd would use another, and so forth.

It ended up that some machines didn't compile openssh with pam support, so I had to redo ssh with:

configure --with-pam

HTH.

--phil
burzmali (Apprentice)
Joined: 18 Apr 2002, Posts: 238, Location: ca

PostPosted: Tue Jan 21, 2003 6:16 pm    Post subject:

I tried what you suggested: start rpc.yppasswdd with '-D /var/yp' and have passwd be 'compat' in /etc/nsswitch.conf.
The -D flag seems to have no effect, and switching passwd to compat (on the client, right?) just caused me to not have a name on login:
Code:

burzmali@usal burzmali $ ssh mail
Last login: Tue Jan 21 10:03:02 2003 from usal.burzmali.net
/usr/bin/whoami: cannot find username for UID 1000
-bash: [: =: unary operator expected
I have no name!@mail burzmali $ logout


This is kind of a bummer.
_________________
burzmali
www.burzmali.net
philthedrill (n00b)
Joined: 10 Jan 2003, Posts: 18, Location: Moscow, ID

PostPosted: Tue Jan 21, 2003 7:57 pm    Post subject:

Quote:
I tried what you suggested: start rpc.yppasswdd with '-D /var/yp' and have passwd be 'compat' in /etc/nsswitch.conf.
The -D flag seems to have no effect, and switching passwd to compat (on the client, right?) just caused me to not have a name on login:


Yes, the client should be set to compat in /etc/nsswitch.conf.

Now, make sure you have '-D /etc/yp' (or wherever your passwd and shadow files are) instead of '-D /var/yp'.

/etc/yp should contain the passwd and shadow files.
/var/yp contains the maps.

--phil
zojas (Veteran)
Joined: 22 Apr 2002, Posts: 1138, Location: Phoenix, AZ

PostPosted: Mon Feb 10, 2003 11:43 pm    Post subject:

I'm struggling with this too. First, I've written an /etc/init.d script. Quite simple:

Code:
#!/sbin/runscript
# Gentoo init script for rpc.yppasswdd, the NIS password-change daemon.

depend() {
   # Needs the portmapper, networking and the NIS server itself.
   need portmap net ypserv
}

start() {
   ebegin "Starting NIS Password Server"
   # -e chsh -e chfn: also let users change their shell and GECOS field via NIS
   start-stop-daemon --start --quiet --exec /usr/sbin/rpc.yppasswdd -- -e chsh -e chfn
   eend $?
}

stop() {
   ebegin "Stopping NIS Password Server"
   start-stop-daemon --stop --quiet --exec /usr/sbin/rpc.yppasswdd
   eend $?
}
zojas (Veteran)
Joined: 22 Apr 2002, Posts: 1138, Location: Phoenix, AZ

PostPosted: Mon Feb 10, 2003 11:51 pm    Post subject:

I have some SuSE and Red Hat clients. On my SuSE client I've set passwd to compat in /etc/nsswitch.conf.

I intend to use my regular /etc/passwd and /etc/shadow files.

Right now I can run yppasswd successfully on the SuSE client; I can enter the old password and it lets me put in a new password. The password is then updated in /etc/shadow on the Gentoo NIS server, but the NIS client still sees the old password.

It's like the pwupdate script is not being run. I'm going to hack the script now so it outputs something to a file in /tmp so I can tell if it runs or not.
zojas (Veteran)
Joined: 22 Apr 2002, Posts: 1138, Location: Phoenix, AZ

PostPosted: Tue Feb 11, 2003 12:05 am    Post subject:

It seems that once I run yppasswd on the client, it does change the password on the server (in /etc/shadow), but then the yp system gets quite confused. The NIS client sees neither the new nor the old password. Running 'make' in /var/yp doesn't even fix it.

If I then run 'passwd' on the server and then run 'make' in /var/yp, the client is OK again.

Anyway, I'll shut up and instrument the pwupdate script like I said I was going to; that has to be the problem!
zojas (Veteran)
Joined: 22 Apr 2002, Posts: 1138, Location: Phoenix, AZ

PostPosted: Tue Feb 11, 2003 12:15 am    Post subject:

OK! At least I have some data now.

The pwupdate script creates some temporary files and, if there are errors, emails them to root. Root was getting no email, though.

So I hacked the script so it saves the files in /tmp. Here's the interesting output:

Code:
Updating shadow.byname... Ignored -> merged with passwd


This is the same output I get when I run 'make' in /var/yp.

So it looks like it succeeded. My conclusion is that I don't have my shadow.byname map set up correctly. It seems to work, but the Makefile isn't rebuilding it correctly?

All I did was use the stock Makefile in /var/yp and comment out some of the maps.
zojas (Veteran)
Joined: 22 Apr 2002, Posts: 1138, Location: Phoenix, AZ

PostPosted: Tue Feb 11, 2003 12:51 am    Post subject:

First important find: you need to have an entry like this:

Code:
+::::::


in your /etc/passwd file on the client so it will look in NIS for the name of the account. (I have the 'compat' entries in nsswitch.conf as described above.)

Also, put
Code:
+:::

in /etc/group.

Also, there is a line in the stock Makefile which says

Code:

# Should we merge the passwd file with the shadow file ?
# MERGE_PASSWD=true|false
MERGE_PASSWD=true


I tried changing it to false, and then a separate shadow map was generated, but clients didn't seem to have access to it. (With it set to false, 'ypcat passwd' would have an 'x' in the passwd field, but 'ypcat shadow' produced nothing. With it set to true, the encrypted password shows up in the output of 'ypcat passwd'.)
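The last sentence of zojas's post is the security-relevant one: with MERGE_PASSWD=true the password hashes are written into passwd.byname, and any host that ypserv answers can pull them with 'ypcat passwd'; with MERGE_PASSWD=false they move to shadow.byname, which ypserv.conf can restrict to privileged ports. The script below is an added example, not code from this thread or from the NIS tools; it audits a passwd map dump in the format 'ypcat passwd' prints and flags every entry that exposes a hash. It also flags an empty password field (passwordless login), which the thread does not discuss. SAMPLE_MAP is constructed data and the hash in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd map dump for exposed
# password hashes. SAMPLE_MAP is constructed data in `ypcat passwd` format;
# the hash string is a placeholder, not a real one.

SAMPLE_MAP='alice:$1$saltsalt$0123456789abcdefghijk:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
svc:*:1002:100:service:/nonexistent:/bin/false
guest::1003:100:Guest:/home/guest:/bin/sh'

# Classify the password field of one passwd(5) line. Prints one of:
#   shadowed  field is "x": the hash lives in a separate shadow map
#             (what MERGE_PASSWD=false produces)
#   locked    field starts with "*" or "!": no usable password
#   empty     field is empty: the account can log in with no password
#   exposed   field holds a hash readable by anyone who can ypcat the map
#             (what MERGE_PASSWD=true produces)
classify_passwd_line() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        x)         echo shadowed ;;
        '')        echo empty ;;
        \**|\!*)   echo locked ;;
        *)         echo exposed ;;
    esac
}

# Read a map dump on stdin and print "user kind" for every entry that is
# exposed or empty. Exit status is 1 if any were found, else 0.
audit_passwd_map() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        user=${line%%:*}
        kind=$(classify_passwd_line "$line")
        case "$kind" in
            exposed|empty) echo "$user $kind"; bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Number of offending entries in the dump passed as $1 (handy for a cron check).
count_bad_entries() {
    printf '%s\n' "$1" | audit_passwd_map | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample; on a real server replace
# the sample with:  ypcat passwd | audit_passwd_map
printf '%s\n' "$SAMPLE_MAP" | audit_passwd_map \
    || echo "found $(count_bad_entries "$SAMPLE_MAP") problem entries"
```

Run it as 'ypcat passwd | audit_passwd_map' from a client to see what every other client on the segment can see; if it prints anything, the fix in this thread (MERGE_PASSWD=false plus a restricted shadow.byname map) is what you want.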
474 (l33t)
Joined: 19 Apr 2002, Posts: 714

PostPosted: Wed Feb 12, 2003 2:56 pm    Post subject:

I believe I have the answer. I've learned a few things since I made my last post here (much of which zojas has kindly taken the time to discuss).

Firstly I want to post a link to a great PDF which covers NIS in a nutshell:

http://davidcoulson.net/writing/pcp/184/masterclass-linuxexpert.pdf

Now for the issue of shadow maps. The problem seems to be that the Makefile doesn't actually create a shadow.byname map.

My steps to modify the Makefile are as follows:
  • Modify the line beginning all: so that your NIS server exports whatever you want.
  • Comment out this line:
    Code:
    GSHADOW     = $(YPPWDDIR)/gshadow
  • Password/group merge settings should be as follows:
    Code:
    MERGE_PASSWD=true
    MERGE_GROUP=false
  • Here's the important part, find and comment the following lines:
    Code:
    # Don't build a shadow map!
    shadow.byname:
            @echo "Updating $@... Ignored -> merged with passwd"

    else

That deals with the inexplicable nature of the default Makefile where it refuses to create a shadow.byname map file. Re-make your NIS maps, and ensure that rpc.yppasswdd is running:
Code:
rpc.yppasswdd -e chsh -e chfn

zojas' method for adding this as a dependency is quite graceful and recommended!

Now you should find that it is possible to change your password on a client :-)
For any other information (such as how to configure your client files) consult the PDF linked to above.

EDIT: remember that the NIS server will not export groups or users with a GID/UID < 500, as they are considered to be for system services. You can change this in the Makefile with the MINUID and MINGID parameters.

EDIT #2: Spoke a little too soon. It seems to allow the password to be updated, but then you can't login using the new password on the client, until the shadow related lines are commented again, and the NIS maps regenerated. Apparently, uncommenting the lines in the fashion I mentioned causes the Makefile never to generate the passwd maps again. I think we're very close to an answer here, but the final piece of the puzzle remains frustratingly out of reach ... :-(
zojas (Veteran)
Joined: 22 Apr 2002, Posts: 1138, Location: Phoenix, AZ

PostPosted: Wed Feb 12, 2003 11:37 pm    Post subject:

No luck for me. passwd or yppasswd, either one on the client, results in the password being changed on the server, but the client continues to see the old password. Not even running 'make' by hand in /var/yp on the server fixes it (I verified that pwupdate still runs make at the time yppasswd is run).

Here's the output of 'make' by pwupdate:

Code:
../Makefile:309: warning: overriding commands for target `passwd.byname'
../Makefile:285: warning: ignoring old commands for target `passwd.byname'
../Makefile:317: warning: overriding commands for target `passwd.byuid'
../Makefile:294: warning: ignoring old commands for target `passwd.byuid'
Updating shadow.byname...


It apparently tries to update the map, but the client doesn't see it.
zojas (Veteran)
Joined: 22 Apr 2002, Posts: 1138, Location: Phoenix, AZ

PostPosted: Wed Feb 12, 2003 11:41 pm    Post subject:

OK, a slight correction is in order. My NIS server is Gentoo, but my clients are Red Hat 8 and SuSE 8.1. It turns out this new setup works for Red Hat but not for SuSE! So next I'll be looking into config differences between the two clients.

Thanks kerframil for the new info about creating the shadow map.
useofweapons (n00b)
Joined: 09 Jan 2003, Posts: 26

PostPosted: Fri Mar 21, 2003 1:04 pm    Post subject:

My fix is as follows...

Change the Makefile on the server to

Code:
# Should we merge the passwd file with the shadow file ?
# MERGE_PASSWD=true|false
MERGE_PASSWD=false

# Should we merge the group file with the gshadow file ?
# MERGE_GROUP=true|false
MERGE_GROUP=false


On the client, change /var/yp/nicknames to add
Code:
shadow   shadow.byname


Also change /etc/init.d/ypserv to
Code:
#!/sbin/runscript
# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or later
# $Header: /home/cvsroot/gentoo-x86/net-nds/ypserv/files/ypserv.rc6,v 1.3 2003/02/14 23:09:08 vapier Exp $

depend() {
        need net
}

start() {
        ebegin "Starting NIS Server"
        start-stop-daemon --start --quiet --exec /usr/sbin/ypserv
        eend $?
        ebegin "Starting NIS Password Server"
        # -s /etc/shadow: tell rpc.yppasswdd where the shadow file lives
        start-stop-daemon --start --quiet --exec /usr/sbin/rpc.yppasswdd -- -s /etc/shadow
        eend $?
}

stop() {
        ebegin "Stopping NIS Server"
        start-stop-daemon --stop --quiet --exec /usr/sbin/ypserv
        eend $?
        ebegin "Stopping NIS Password Server"
        start-stop-daemon --stop --quiet --exec /usr/sbin/rpc.yppasswdd
        eend $?
}

yppasswd now works on the client.

HTH
useofweapons (n00b)
Joined: 09 Jan 2003, Posts: 26

PostPosted: Fri Mar 21, 2003 1:35 pm    Post subject:

Also need to add
Code:
+::::::::
to the end of /etc/shadow on the client

HTH
useofweapons (n00b)
Joined: 09 Jan 2003, Posts: 26

PostPosted: Fri Mar 21, 2003 2:29 pm    Post subject:

OK, I can confirm the exact steps required to get it all to work. For the server, see my post above (changes to ypserv and /var/yp/Makefile).

For each client:

/etc/passwd add
Code:
+::::::

/etc/shadow add
Code:
+::::::::

/etc/group add
Code:
+:::

/var/yp/nicknames add
Code:
shadow      shadow.byname


Make no changes to nsswitch.conf.

Make sure the user does not exist in the client's /etc/passwd, otherwise yppasswd won't work.

It should all now work. I can change the password on one machine and log into another with the new password immediately. :D
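The client side of useofweapons' recipe is easy to get subtly wrong: a '+' line with the wrong number of fields is not a valid compat entry for that file, and a local account with the same name as the NIS user breaks yppasswd. The POSIX shell script below is an added example, not code from this thread or from the NIS tools; it checks both conditions for a directory of passwd, shadow and group files. The sample files it writes and the user name 'burzmali' it looks up are constructed test data, so it never touches the real /etc.

```shell
#!/bin/sh
# Added example (not from the thread): verify a client's compat (+) entries.
# make_sample_client_files writes constructed data into a temp dir; point
# audit_client_dir at /etc to check a real client.

# Field count a "+" line must have, i.e. the file's own field count:
#   passwd  name:pw:uid:gid:gecos:home:shell               -> 7  "+::::::"
#   shadow  name:pw:last:min:max:warn:inact:expire:flag    -> 9  "+::::::::"
#   group   name:pw:gid:members                            -> 4  "+:::"
expected_fields() {
    case "$1" in
        passwd) echo 7 ;;
        shadow) echo 9 ;;
        group)  echo 4 ;;
        *)      echo 0 ;;
    esac
}

# Field count of one line (awk counts empty colon-separated fields too).
field_count() {
    printf '%s\n' "$1" | awk -F: '{ print NF }'
}

# Check that file $1 of kind $2 (passwd|shadow|group) carries a "+" compat
# entry with the right number of fields. Prints a one-line verdict and
# returns nonzero on failure.
check_compat_entry() {
    file=$1 kind=$2
    want=$(expected_fields "$kind")
    plus=$(grep '^+' "$file" | tail -n 1)
    if [ -z "$plus" ]; then
        echo "$kind: no + entry"; return 1
    fi
    got=$(field_count "$plus")
    if [ "$got" -ne "$want" ]; then
        echo "$kind: + entry has $got fields, expected $want"; return 1
    fi
    echo "$kind: ok"
}

# True (exit 0) if $2 is defined as an ordinary local account in passwd file $1.
# useofweapons notes that yppasswd fails when the NIS user also exists locally.
local_account_exists() {
    grep -q "^$2:" "$1"
}

# Write constructed sample client files (root only, plus the compat lines)
# into directory $1.
make_sample_client_files() {
    dir=$1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' '+::::::'  > "$dir/passwd"
    printf '%s\n' 'root:*:12000:0:99999:7:::'      '+::::::::' > "$dir/shadow"
    printf '%s\n' 'root:x:0:' 'wheel:x:10:root'    '+:::'      > "$dir/group"
}

# Run every check against directory $1 for NIS user $2; exit 0 only if all pass.
audit_client_dir() {
    dir=$1 user=$2 rc=0
    for kind in passwd shadow group; do
        check_compat_entry "$dir/$kind" "$kind" || rc=1
    done
    if local_account_exists "$dir/passwd" "$user"; then
        echo "passwd: $user is also defined locally; yppasswd will not work"; rc=1
    fi
    return $rc
}

# Stand-alone run on the constructed sample (touches only a temp dir).
tmp=$(mktemp -d)
make_sample_client_files "$tmp"
audit_client_dir "$tmp" burzmali
rm -rf "$tmp"
```

On a real client, 'audit_client_dir /etc someuser' gives you the same verdict for the files useofweapons lists; the shadow check needs root, since /etc/shadow is not world-readable.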
burzmali (Apprentice)
Joined: 18 Apr 2002, Posts: 238, Location: ca

PostPosted: Sat Mar 29, 2003 7:13 pm    Post subject:

Thanks a lot useofweapons, your steps worked perfectly for me!!!

Way to go!
_________________
burzmali
www.burzmali.net
All times are GMT