Date: Sat, 13 Dec 1997 20:02:05 -0800 (PST)
From: Tom
To: Toby Swanson
cc: freebsd-questions@freebsd.org
Subject: Re: NIS login problem

On Sat, 13 Dec 1997, Toby Swanson wrote:

> I have set up an NIS master server and a client, both running 2.1.7.

  2.1.7 is old. ypserv has been much improved in 2.2

> Ypserv is running on the master, ypbind on both (server bound to itself),
> yppasswdd on both. Running ypwhich on both shows both bound to the

  You shouldn't run yppasswdd on clients. It should only run on the
master NIS server.

> master. Running ypcat passwd.byname on both shows the passwd file. The
> client is mapping user names on the master to uids on the server. Changes
> to the group file on the master affect the client. Fingering a user on
> the client retrieves correct info from the server. Running yppasswd on
> the client changes the master.passwd file on the server. Everything seems
> to work except logging in. The des and kerberos libraries have been

  You don't need kerberos, unless you use kerberos on your network.

> installed. /var/yp/ypupdate.log says nothing other than the maps have
> been updated. If I run ypserv in debug mode I see the query for a user
> name and a successful answer (I think). It seems the client is not
> authenticating or decrypting the password properly. I installed a 2.1.7
> client in a Solaris 2.5.1 domain and everything went smoothly. The only
> error I see on either system is when su'ing to root I get the message
> "su: kerberos: not in root's ACL." If anyone has any ideas about what
> may be wrong or what else to check I would appreciate your feedback.

  Do you have "+:::::::::" in master.passwd on the client?

  Are you using FreeBSD-style NIS with master.passwd.byname and
master.passwd.byname maps too? If so, you should make sure you are
building them, and that the client can ypcat them, because they contain
the password. Note that FreeBSD-style is the default unless you modified
the nis makefile. Perhaps you modified the client to be insecure to work
with your prior Solaris system, but your FreeBSD master is running in
secure mode.

> Thanks in advance.
>
> Toby
>
> home: toby@milkyway.org
> work: tjswanson@tva.gov
>
>

Tom
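
The two checks the reply asks for (the "+" entry in the client's master.passwd, and whether the password-bearing map is actually visible from the client) can be run offline against saved copies. This is an added example, not part of the original message; the function names, verdict strings and sample data are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: offline checks for the two things the reply asks about.
# Function names and verdict strings are assumptions of this sketch.

# Succeeds if FILE (copy of the client's /etc/master.passwd) has a "+" NIS
# entry with the 10 colon-separated master.passwd fields, e.g. "+:::::::::".
has_nis_plus_entry() {
    awk -F: '/^[+]/ && NF == 10 { ok = 1 } END { exit !ok }' "$1"
}

# Prints how many entries in FILE (saved ypcat output) carry a usable
# password field: not empty and not starting with "*".
count_usable_hashes() {
    awk -F: 'NF >= 7 && $2 != "" && $2 !~ /^[*]/ { n++ } END { print n + 0 }' "$1"
}

# diagnose CLIENT_MASTER_PASSWD PASSWD_BYNAME_DUMP MASTER_PASSWD_BYNAME_DUMP
# The third file should be collected as root on the client.
diagnose() {
    if ! has_nis_plus_entry "$1"; then
        echo "missing-plus-entry"        # no "+" line for NIS passwd lookups
    elif [ "$(count_usable_hashes "$3")" -gt 0 ]; then
        echo "ok-secure-maps"            # hashes reachable via master.passwd.byname
    elif [ "$(count_usable_hashes "$2")" -gt 0 ]; then
        echo "hashes-in-passwd-map"      # insecure build: hashes in passwd.byname
    else
        echo "no-hashes-visible"         # names resolve, but logins cannot succeed
    fi
}

# Constructed sample data (not from the original thread).
demo_dir=$(mktemp -d)
printf '%s\n' 'root:$1$constructed:0:0::0:0:Charlie &:/root:/bin/csh' \
    '+:::::::::' > "$demo_dir/client_master.passwd"
printf '%s\n' 'toby:*:1001:1001:Toby:/home/toby:/bin/sh' > "$demo_dir/passwd.byname"
: > "$demo_dir/master.passwd.byname"     # empty: map not built or not readable
printf '%s\n' 'toby:$1$constructed:1001:1001::0:0:Toby:/home/toby:/bin/sh' \
    > "$demo_dir/master.passwd.byname.fixed"

# Same symptom as in the thread: lookups work, no hash is available.
diagnose "$demo_dir/client_master.passwd" "$demo_dir/passwd.byname" \
    "$demo_dir/master.passwd.byname"
```

A "hashes-in-passwd-map" verdict means the password hashes are being published in the ordinary passwd map, which is the insecure mode the reply contrasts with the FreeBSD default.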