From: Greg Byshenk
To: freebsd-stable@freebsd.org
Date: Wed, 22 Nov 2006 16:04:29 +0100
Subject: Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf
Message-ID: <20061122150428.GA1636@core.byshenk.net>

On Wed, Nov 22, 2006 at 10:49:01PM +0800, David Adam wrote:
> On Wed, 22 Nov 2006, Gerrit Kühn wrote:
> > On Wed, 22 Nov 2006 09:07:34 -0500 (EST) Mark Hennessy
> > wrote about Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf:

> > MH> I'm a bit unsure about it myself.
> > MH> I tried exactly what you suggested, putting files on the compat line
> > MH> and before nis for both passwd and groups on the NIS slave server
> > MH> only, and no go. Perhaps it is the master server that actually
> > MH> controls this? I don't know. Any further advice would be greatly
> > MH> appreciated.

> > Sorry to disturb, but I don't understand why you distribute the server's
> > root pw via NIS at all. Is it really shown by "ypcat passwd" on the
> > client? If so, how about removing it from the list of exported accounts?

> That's a really good point. When you consider the inherent insecurity of
> NIS, having a root password in the maps is a pretty bad plan anyway.

> Given my vague handwaving at PAM, and the fact that the OP probably has
> NIS as sufficient above pam_unix, the obvious solution if my unverified
> assertions are correct is to remove the root password from the NIS maps.

I could be mistaken, but isn't the 'compat' entry to cover the case
with the old format passwd/group files, in which one used '+:...' or
similar to include NIS (or other authentication)?

As such, 'compat' means "use the file, plus whatever is added under
'compat'", further meaning that you can have only one entry under
'compat'.

So, if you want "old style" behavior, what you want is something like:

    passwd: compat
    passwd_compat: nis

Alternatively, you can use something like:

    passwd: files nis
    # passwd_compat: nis

or even:

    passwd: winbind nis files
    # passwd_compat: nis

[Corrections welcome if I have this wrong....]

-- 
greg byshenk  -  gbyshenk@byshenk.net  -  Leiden, NL
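
Added example, not part of the original message and not FreeBSD's own code: a Python check for the two points raised in this thread, that `compat` has to stand alone on its line with the '+' entries resolved through `passwd_compat`, and that UID 0 accounts should not show up in the exported NIS passwd map. The function names are hypothetical, and the nsswitch.conf text and `ypcat passwd` output are constructed samples.

```python
import re

# Constructed samples, not taken from any real host.
SAMPLE_CONF = """\
passwd: files compat nis      # compat mixed with other sources
passwd_compat: nis
group: files nis
group_compat: nis             # never consulted: group does not use compat
hosts: files dns
"""
SAMPLE_YPCAT = """\
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
toor:*:0:0::/root:
"""

def parse_nsswitch(text):
    """Return {database: [sources]}, ignoring comments and [criteria]."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # drop e.g. [NOTFOUND=return]
        table[db.strip()] = rest.split()
    return table

def lint_nsswitch(text):
    """Flag 'compat' lines that name other sources, and unused *_compat lines."""
    table, findings = parse_nsswitch(text), []
    for db, sources in table.items():
        if "compat" in sources and len(sources) > 1:
            findings.append(f"{db}: 'compat' must be the only source, got {sources}")
    for db in ("passwd", "group"):
        if f"{db}_compat" in table and "compat" not in table.get(db, []):
            findings.append(f"{db}_compat is set but {db} does not use 'compat'")
    return findings

def uid0_in_map(ypcat_output):
    """Names of UID 0 accounts in a 'ypcat passwd' dump (uid is field 3)."""
    rows = (line.split(":") for line in ypcat_output.splitlines())
    return [f[0] for f in rows if len(f) >= 3 and f[2] == "0"]

if __name__ == "__main__":
    for finding in lint_nsswitch(SAMPLE_CONF):
        print("nsswitch:", finding)
    for name in uid0_in_map(SAMPLE_YPCAT):
        print("NIS map exports UID 0 account:", name)
```
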