Date: Wed, 22 Nov 2006 22:44:55 +0800 (WST)
From: David Adam
To: Mark Hennessy
Cc: freebsd-stable@freebsd.org
Subject: Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf

On Wed, 22 Nov 2006, Mark Hennessy wrote:
> David Adam [zanchey@ucc.gu.uwa.edu.au] wrote:
> >On Tue, 21 Nov 2006, Mark Hennessy wrote:
> >> I have a new system that has FreeBSD 6.1 on it to replace a system with
> >> FreeBSD 4.11 being put out of service.
> >>
> >> I want to keep to using local root passwords only, but export other users'
> >> logins over NIS. It acts presently as an NIS slave server.
> >>
> >> The NIS master server was upgraded a few months ago to FreeBSD 6.0 and
> >> then 6.1.
> >>
> >> All other machines are running FreeBSD 4.11.
> >>
> >> A weird thing started to happen with the new machine. Only on this new
> >> machine, the local root password doesn't work and only the root password
> >> of the NIS master server will work to attain root. Perhaps something
> >> needs to be changed somewhere to make the local root password work again?
> >>
> >> I tried changing group and passwd to include 'files', I also tried
> >> changing group_compat and passwd_compat to include 'files', but no
> >> positive change.
> >
> >Mark,
> >
> >Careful here.
> >
> >The line needs to read 'files nis', not 'nis files' - if you used the
> >latter, try switching it around so that the local /etc/passwd is checked
> >for root logins before NIS is consulted.
> >
> >As I understand the man page, you want to change the {group,passwd}_compat
> >lines, not the {group,passwd} lines themselves.
> >
> >> I couldn't find nsswitch.conf on any of the FreeBSD 4.11 servers. They
> >> are served by NIS as clients and all of their local root passwords work
> >> fine.
> >
> >From nsswitch.conf(5):
> >
> >"The nsswitch.conf file format first appeared in FreeBSD 5.0. It was
> >imported from the NetBSD Project, where it appeared first in NetBSD 1.4."
> >
> >The NIS section of the handbook contains no mention of nsswitch.conf(5),
> >so I'm not actually sure that it's required for system authentication.
> >
>
> I'm a bit unsure about it myself.
> I tried exactly what you suggested, putting files on the compat line and
> before nis for both passwd and groups on the NIS slave server only, and no
> go. Perhaps it is the master server that actually controls this? I don't
> know. Any further advice would be greatly appreciated.

Just to clarify - you're running a single NIS master, and you're having
this problem on a new NIS client? Or is it a NIS slave server as well? I
don't think that this should affect things, but I just wanted to clear up
the nomenclature.

Hmm, odd. I don't know if you have to restart any services to pick up
changes in nsswitch.conf, but I doubt it.

However, re-reading the manpage reminded me that nsswitch doesn't actually
control authentication in many cases - PAM handles this, on Linux at any
rate. Someone (quite possibly me) has kicked the cable out of my FreeBSD
box, so I can't check this at the moment, but you may well need to edit
something in /etc/pam.d. In particular, if you have NIS as sufficient,
it'll take precedence over pam_unix (i.e., files).

Cheers,

David Adam
zanchey@ucc.gu.uwa.edu.au
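
The source-order point raised in the thread above ('files nis', not 'nis files') can be checked mechanically. The script below is an added example, not part of the original messages; the function names and the sample file are constructed for illustration, and it reports only the order in an nsswitch.conf-style file, not anything under /etc/pam.d.

```sh
# Added example: list the lookup order for the account databases in an
# nsswitch.conf-style file and flag entries that read 'nis files'.

# nss_order FILE DB: print DB's sources in order; skips comments and [criteria].
nss_order() {
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # drop comments, split "db:src"
        $1 == (db ":") {
            out = ""; skip = 0
            for (i = 2; i <= NF; i++) {
                if (skip) { if (index($i, "]")) skip = 0; continue }
                if (substr($i, 1, 1) == "[") { if (!index($i, "]")) skip = 1; continue }
                out = out (out == "" ? "" : " ") $i
            }
            print out; exit
        }' "$1"
}

# nis_before_files FILE DB: succeed only when both are listed and nis is first.
nis_before_files() {
    pos=0; nis_at=0; files_at=0
    for src in $(nss_order "$1" "$2"); do
        pos=$((pos + 1))
        if [ "$src" = files ] && [ "$files_at" -eq 0 ]; then files_at=$pos; fi
        if [ "$src" = nis ] && [ "$nis_at" -eq 0 ]; then nis_at=$pos; fi
    done
    [ "$nis_at" -gt 0 ] && [ "$files_at" -gt 0 ] && [ "$nis_at" -lt "$files_at" ]
}

# audit_nsswitch FILE: report each account database; non-zero if any flagged.
audit_nsswitch() {
    rc=0
    for db in passwd group passwd_compat group_compat; do
        order=$(nss_order "$1" "$db")
        if nis_before_files "$1" "$db"; then
            echo "$db: $order  <- nis is consulted before files"; rc=1
        else
            echo "$db: ${order:-(not set)}"
        fi
    done
    return "$rc"
}

# Constructed sample input, not taken from the thread.
SAMPLE=$(mktemp)
printf '%s\n' 'group: files nis' 'group_compat: nis' \
    'passwd: nis [notfound=return] files  # order under test' \
    'passwd_compat: nis' 'hosts: files dns' > "$SAMPLE"
audit_nsswitch "$SAMPLE" || echo "review the flagged entries"
```

On a real host, point `audit_nsswitch` at /etc/nsswitch.conf instead of the sample file.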