Date:      Wed, 11 Jan 1995 00:50:39 -0500 (EST)
From:      Wankle Rotary Engine <wpaul@skynet.ctr.columbia.edu>
To:        freebsd-hackers@FreeBSD.org
Subject:   First cut of NIS server code
Message-ID:  <199501110550.AAA00346@skynet.ctr.columbia.edu>

Okay boys & girls: I've uploaded the first cut of the ypserv stuff I've
been working on to freefall:/incoming/ypserv-2.0-current.tar.gz. (Hope 
that's the right place.) Here come some notes:

The archive includes sources for ypserv, ypxfr, yppush, yppasswdd, yp_mkdb
and a modified /usr/bin/passwd that has yppasswd rolled into it. There are
binaries supplied too. The Makefiles were shamelessly stolen and adapted
from other parts of the FreeBSD source tree.

There is a getpwent.c.diff patch which needs to be applied to getpwent.c
in libc in order to properly allow a FreeBSD NIS client to properly
handle password maps in the master.passwd format. This patch, in concert
with some security checking features in ypserv, helps protect the
master.passwd maps from non-privileged users.

This patch changes the way YP lookups are done for the passwd maps: if
the user doing the lookup is the superuser, an attempt will be made to
do a yp_first on the master.passwd map. If this succeeds, the master.passwd
map will be transferred instead of the standard passwd map. If it fails,
the master.passwd transfer is aborted and the standard passwd map is
transferred instead. This allows FreeBSD client machines to continue to
work with standard NIS servers. There's a bit of a speed hit involved
in doing this, but only for the superuser: for normal users, lookups
should be about as fast as usual. In any event, you will need to rebuild
libc, and any statically-linked binaries that use the getpwent routines
for password authentication.

A YP Makefile, an mknetid script and a pwupdate script (for use with
yppasswdd) are provided. These may need to be edited before being
committed. I'm not sure how you guys want to swing this, so I'll
leave it to you to make the necessary mods.

Here are the changes/features for each program:

YPSERV:

- Modified to use db database format instead of GNU dbm
- All maps are read/write by root only.
- Implemented ypxfr capability
- With the -dns flag, the server will do DNS lookups for hosts not in the
  hosts.* maps -- changed to use actual resolver routines to avoid
  a possible looping condition (server queries itself)
- Put in checks for each map transfer function to check the port from
  which YP requests originate --  only the superuser will be allowed to
  transfer the master.passwd maps and do ypxfrs.
- Changed to background itself properly. If invoked with -debug, server
  remains in the foreground and prints copious status messages.

YPXFR:

- Converted to use db database format instead of GNU dbm
- Took out a lot of grungy debugging code.
- Changed certain function names to avoid conflicts with RPC xdr_*
  functions already in libc.

YPPUSH:

- Mostly the same as ypxfr

YP_MKDB:

- Converted to use db format

YPPASSWD:

- Merged with /usr/bin/passwd -- passwd now has -y -s and -f flags:

  passwd -y user    change YP password instead of local
  passwd -f user    change full name (gecos) in passwd map
  passwd -s user    change shell in passwd map
  yppasswd -> symlink to passwd  (same as passwd -y)
  ypchfn -> symlink to passwd (same as passwd -f)
  ypchsh -> symlink to passwd (same as passwd -s)

YPPASSWDD:

- Hacked to support master.passwd format. If you invoke yppasswdd with
  no arguments, it will assume that /etc/master.passwd and /etc/passwd
  are the raw password files to use. The preferred invocation would be:

  yppasswdd -m /path/to/master.passwd -o /path/to/passwd -f -s

  The -s flag allows changes to the shell field in the password database.
  The -f flag allows changes to the gecos field. If you don't specify
  these flags, users will only be able to change their password.

  /path/to/master.passwd should be read/write by root only.

  If you plan to use FreeBSD to serve a standard NIS client (like a SunOS
  box), you'll also need to use the -u (unsecure) flag. yppasswdd normally
  strips passwords out of the standard /path/to/passwd file. This would
  break non-FreeBSD clients. Note that the /path/to/master.passwd file
  must exist even if you won't be serving FreeBSD clients. You do not need
  to create a map for it though. So, if you want to set up a FreeBSD
  machine to serve SunOS clients, do this:

  1) yppasswdd -m /path/to/master.passwd -o /path/to/passwd -f -s -u
  2) edit /var/yp/Makefile so that it doesn't rebuild master.passwd.byname
     and master.passwd.byuid by default

- If you do use /etc/master.passwd as your raw password file, yppasswdd will
  rebuild the standard databases for you as pwd_mkdb does.

- Runs /usr/libexec/pwupdate after a user changes a password, which is a 
  script that contains the commands needed to update and push the 
  password maps.

/var/yp/Makefile:

- Should rebuild all the necessary files -- will probably have to be
  edited for each system. Unfortunately, setting up NIS is not for
  the squeamish.

There are a couple of man pages here and there, but somebody will have
to worry about providing complete documentation: I don't do man pages.

Jordan: I hope you can try this stuff on freefall/thud/whatever to give it 
a shakedown. If there are any really nasty problems, I'll try my best
to stomp them out.

Share and enjoy!

-Bill

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Bill Paul                             System Manager
wpaul@ctr.columbia.edu                 Center for Telecommunications Research
(212) 854-6020                         Columbia University, New York City
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Møøse Illuminati: ignore it and be confused, or join it and be confusing!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
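
The source-port check described in the YPSERV notes above, sketched as an added example; this is not code from the ypserv archive. The function, enum and helper names are hypothetical, the caller addresses are constructed, and the only assumption beyond the message is the usual UNIX convention that ports below 1024 can be bound by root alone.

```c
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define RESERVED_PORT_LIMIT 1024  /* ports below this need root to bind */

/* Hypothetical request kinds; not ypserv's own identifiers. */
enum yp_req { REQ_MATCH, REQ_FIRST, REQ_NEXT, REQ_ALL, REQ_XFR };

/* Maps the message names as readable by the superuser only. */
static const char *restricted_maps[] = {
    "master.passwd.byname", "master.passwd.byuid", NULL
};

static int map_is_restricted(const char *map)
{
    for (size_t i = 0; restricted_maps[i] != NULL; i++)
        if (strcmp(map, restricted_maps[i]) == 0)
            return 1;
    return 0;
}

/* Return 1 to serve the request, 0 to refuse it. */
int yp_request_allowed(enum yp_req req, const char *map,
                       const struct sockaddr_in *from)
{
    uint16_t port = ntohs(from->sin_port);  /* sin_port is network order */
    /* Port 0 is never a valid source port, so it is not privileged. */
    int privileged = port != 0 && port < RESERVED_PORT_LIMIT;

    if (req == REQ_XFR)            /* ypxfr requests: superuser only */
        return privileged;
    if (map == NULL)
        return 0;
    if (map_is_restricted(map))    /* master.passwd.*: superuser only */
        return privileged;
    return 1;                      /* ordinary maps stay open */
}

/* Build a constructed caller address for demonstration. */
struct sockaddr_in sample_caller(const char *ip, uint16_t port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return sa;
}
```

A check of this kind proves only that the sending process could bind a reserved port on its own host, so it protects master.passwd only where every host able to reach the server enforces that rule.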