From owner-freebsd-hackers Sun Apr 14 2:42:20 2002
Date: Sun, 14 Apr 2002 10:42:20 +0100
From: Scott Mitchell
To: dave
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: FreeBSD NIS serving linux clients.
Message-ID: <20020414104220.B293@fishballoon.dyndns.org>
References: <002301c1e333$e2cdf430$0200a8c0@satellite>
In-Reply-To: <002301c1e333$e2cdf430$0200a8c0@satellite>; from dmehler@siscom.net on Sat, Apr 13, 2002 at 05:40:52PM -0400
User-Agent: Mutt/1.2.5i
X-Operating-System: FreeBSD 4.5-STABLE i386

On Sat, Apr 13, 2002 at 05:40:52PM -0400, dave wrote:
> Hello,
> I'm having a few problems configuring NIS to interoperate between
> FreeBSD, which is the main NIS server, and RH 7.2 Linux NIS clients.
> First of all, users can log in to the NIS master server just fine and
> change their passwords. However, they can not log in to the Linux boxes even
> though the Linux boxes can display information about the NIS users. In
> /var/yp/Makefile on the NIS master server I've set UNSECURE to true, and
> remade the NIS maps; this has not corrected the problem.
> Additionally, using proftpd doesn't work. I've added the suggested lines
> to /etc/pam.conf and PersistentPasswd off to proftpd.conf, and restarted
> proftpd; however, when a user tries to log in an error 530 occurs and in
> /var/log/messages I get a message that the password is not valid.
> Any pointers appreciated.
> Thanks.
> Dave.

Hi Dave,

The Linux NIS implementation (at least the one that RedHat ships) is a bit
strange, to say the least :-) Here's what I had to do to get our various
RedHat 6.x/7.x clients to talk to a FreeBSD NIS master.

First of all, I assume your Linux boxen are set up to use shadow passwords.
You need to have your NIS server export a 'shadow' map in addition to the
'master.passwd' map that FreeBSD expects to find the encrypted passwords in.
Every OS does this differently -- our Solaris machines use yet another
different map for shadow passwords.

Second (and this is the one that took me all day to figure out), the Linux
NIS client won't look in the shadow password map at all unless it sees an
'x' in the password field of the 'passwd' map. That's right: put a '*' or
any other invalid password in there, and it'll assume it's the real password
and (obviously) fail to match it against whatever the user just typed in. I
believe this is actually documented in some Linux NIS HOWTO, but it was
pretty hard to track down.

I've appended diffs between the stock 4.3-R /var/yp/Makefile and my local
one that implement these changes. It might not apply cleanly to later
versions, but should be pretty easy to replicate by hand. You'll notice that
it also moves the source for the 'group' map into /var/yp... ignore that if
it's not relevant to your situation.
Hope that is some help,

Scott

*** Makefile.dist Sat Apr 21 10:10:22 2001 --- Makefile Wed Nov 7 17:57:36 2001 *************** *** 10,15 **** --- 10,22 ---- # # This Makefile can be modified to support more NIS maps if desired. # + # 20010830 rsm Added support for Linux-friendly shadow.byname map, + # generated from master.passwd. Also made sure that + # password field in passwd map ues 'x' not '*', so that + # Linux clients will recognise the invalid passwords... + # 20011107 rsm Moved source for 'group' maps to /var/yp/group. + # Clients should append this map to their own /etc/group. + # # If this machine is an NIS master, comment out this next line so # that changes to the NIS maps can be propagated to the slave servers. *************** *** 104,110 **** PROTOCOLS = $(YPSRCDIR)/protocols RPC = $(YPSRCDIR)/rpc SERVICES = $(YPSRCDIR)/services ! GROUP = $(YPSRCDIR)/group ALIASES = $(YPSRCDIR)/aliases NETGROUP = $(YPDIR)/netgroup PASSWD = $(YPDIR)/passwd --- 111,118 ---- PROTOCOLS = $(YPSRCDIR)/protocols RPC = $(YPSRCDIR)/rpc SERVICES = $(YPSRCDIR)/services ! #GROUP = $(YPSRCDIR)/group ! GROUP = $(YPDIR)/group ALIASES = $(YPSRCDIR)/aliases NETGROUP = $(YPDIR)/netgroup PASSWD = $(YPDIR)/passwd *************** *** 187,193 **** publickey: publickey.byname aliases: mail.aliases ! master.passwd: master.passwd.byname master.passwd.byuid # # This is a special target used only when doing in-place updates with --- 195,201 ---- publickey: publickey.byname aliases: mail.aliases ! master.passwd: master.passwd.byname master.passwd.byuid shadow.byname # # This is a special target used only when doing in-place updates with *************** *** 467,473 **** @if [ ! $(UNSECURE) ]; then \ $(RCAT) $(MASTER) | \ $(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \ ! print $$1":*:"$$3":"$$4":"$$8":"$$9":"$$10}' $^ \ > $(PASSWD) ; \ else $(RCAT) $(MASTER) | \ $(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \ --- 475,481 ---- @if [ !
$(UNSECURE) ]; then \ $(RCAT) $(MASTER) | \ $(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \ ! print $$1":x:"$$3":"$$4":"$$8":"$$9":"$$10}' $^ \ > $(PASSWD) ; \ else $(RCAT) $(MASTER) | \ $(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \ *************** *** 559,564 **** --- 567,588 ---- $(CAT) $(MASTER) | \ $(AWK) -F: '{ if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \ print $$3"\t"$$0 }' $^ \ + | $(DBLOAD) ${S} -f -i $(MASTER) -o $(YPMAPDIR)/$@ - $(TMP); \ + $(RMV) $(TMP) $@ + @$(DBLOAD) -c + @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi + @if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi + .endif + + + shadow.byname: $(MASTER) + @echo "Updating $@..." + .if ${MASTER} == "/dev/null" + @echo "Master.passwd source file not found -- skipping" + .else + $(CAT) $(MASTER) | \ + $(AWK) -F: '{ if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \ + print $$1"\t"$$1":"$$2":12345:0:99999:7:::" }' $^ \ | $(DBLOAD) ${S} -f -i $(MASTER) -o $(YPMAPDIR)/$@ - $(TMP); \ $(RMV) $(TMP) $@ @$(DBLOAD) -c

-- 
===========================================================================
Scott Mitchell          | PGP Key ID | "Eagles may soar, but weasels
Cambridge, England      | 0x54B171B9 |  don't get sucked into jet engines"
scott.mitchell@mail.com | 0xAA775B8B |                         -- Anon
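Review bot: typo in the new header comment block (hunk at lines 10,15 / 10,22): "password field in passwd map ues 'x'" should read "uses 'x'". While editing that comment, it is worth stating there that shadow.byname carries the same password hashes as master.passwd.byname and has to be protected the same way, so nobody later loosens it thinking it is just another Linux convenience map.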
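Review bot: the GROUP hunk (lines 104,110 / 111,118) leaves the old definition behind as a commented-out `#GROUP = $(YPSRCDIR)/group` line next to the new `GROUP = $(YPDIR)/group`. Drop the dead line; the 20011107 entry in the header comment already records where the source moved and why.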
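Review bot: in the `master.passwd:` target hunk (lines 187,193 / 195,201), hanging shadow.byname off the same aggregate target as master.passwd.byname and master.passwd.byuid is the right place, since all three are derived from $(MASTER) and the new map then gets rebuilt and pushed on the same `$(YPPUSH)` step the other targets use. A one-line comment next to the target saying the extra map is for shadow-aware (Linux) clients would save the next reader a trip to the header comment.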
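Review bot: the passwd hunk (lines 467,473 / 475,481) changes '*' to 'x' only in the `[ ! $(UNSECURE) ]` branch, which is the correct one: that branch is the one that withholds the hash from the world-readable passwd map, and 'x' is the marker a shadow-aware Linux client takes as "look in the shadow map" instead of trying to match '*' as a hash. The else branch (UNSECURE set, only partly shown) is untouched. Worth a comment in the awk line that 'x' is a Linux convention; for any other client reading passwd.byname, 'x' is as invalid a hash as '*', so logins against that map still fail closed.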
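Review bot: in the new shadow.byname target (hunk at lines 559,564 / 567,588) the shadow aging fields are hardcoded as `12345:0:99999:7:::`, so every account reports the same last-change day, no minimum age and no expiry, and master.passwd's own change and expire fields ($$6 and $$7, seconds since the epoch) are thrown away. Either say in a comment that this is a deliberate placeholder or derive at least the shadow expire field from $$7 (divided down to days). Keeping `${S}` on the `$(DBLOAD)` line exactly as the master.passwd.* targets do is important and correct, because this map carries the same hashes as master.passwd.byname; the `$$1"\t"...` key/value layout also matches the other targets.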
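As an added illustration (my code, not Scott's Makefile and not anything from the FreeBSD tree): the same master.passwd to passwd-map / shadow-map split that the patched Makefile does with awk, written out in Python so the two records a Linux client sees can be inspected side by side. The mapping of master.passwd's expire field onto the shadow account-expiry day is my extension; the patch hardcodes all the aging fields.

```python
from typing import List, Optional, Tuple

SECONDS_PER_DAY = 86400

def split_master_passwd(line: str) -> Optional[List[str]]:
    """Return the 10 master.passwd(5) fields, or None for lines the
    Makefile's awk filter skips: blank, '#' comments, the '+' marker."""
    line = line.rstrip("\n")
    if not line or line.startswith("#") or line.split(":")[0] == "+":
        return None
    fields = line.split(":")
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    return fields

def passwd_map_entry(fields: List[str]) -> Tuple[str, str]:
    """passwd.byname key/value with 'x' in the password slot, so a Linux
    client consults shadow.byname instead of treating '*' as the hash."""
    name, _, uid, gid, _, _, _, gecos, home, shell = fields
    return name, f"{name}:x:{uid}:{gid}:{gecos}:{home}:{shell}"

def shadow_map_entry(fields: List[str], now: int) -> Tuple[str, str]:
    """shadow.byname key/value: name:hash:lastchg:min:max:warn:inactive:expire:
    lastchg = 'now' in days since the epoch; master.passwd expire (seconds,
    0 = never) -> account-expiry day (my assumed mapping); min/max/warn keep
    the patch's 0/99999/7."""
    name, pw_hash, _, _, _, _, expire, _, _, _ = fields
    lastchg = now // SECONDS_PER_DAY
    expire_day = "" if int(expire) == 0 else str(int(expire) // SECONDS_PER_DAY)
    return name, f"{name}:{pw_hash}:{lastchg}:0:99999:7::{expire_day}:"

def build_maps(master_passwd: str, now: int) -> Tuple[dict, dict]:
    # Walk the file once and emit both maps, skipping what the awk skips.
    passwd, shadow = {}, {}
    for line in master_passwd.splitlines():
        fields = split_master_passwd(line)
        if fields is None:
            continue
        key, value = passwd_map_entry(fields)
        passwd[key] = value
        key, value = shadow_map_entry(fields, now)
        shadow[key] = value
    return passwd, shadow

# Constructed sample, not a real file; the hash is a placeholder string.
SAMPLE_MASTER_PASSWD = """# comment line
dave:$1$PLACEHOLDERHASH:1001:1001::0:0:Dave Example:/home/dave:/bin/sh
bob:*:1002:1002::0:1040000000:Bob Example:/home/bob:/bin/sh
+:::::::::
"""
```

The shadow values are what the map serves to every client that can read it, so the same access rule that applies to master.passwd.byname applies here.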