Date:      Wed, 22 Nov 2006 16:04:29 +0100
From:      Greg Byshenk <freebsd@byshenk.net>
To:        freebsd-stable@freebsd.org
Subject:   Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf
Message-ID:  <20061122150428.GA1636@core.byshenk.net>
In-Reply-To: <Pine.LNX.4.58.0611222244580.14631@mussel.ucc.gu.uwa.edu.au>
References:  <Pine.BSF.4.64.0611220857001.23875@earl-grey.cloud9.net> <20061122154006.1ff46918.gerrit@pmp.uni-hannover.de> <Pine.LNX.4.58.0611222244580.14631@mussel.ucc.gu.uwa.edu.au>

On Wed, Nov 22, 2006 at 10:49:01PM +0800, David Adam wrote:
> On Wed, 22 Nov 2006, Gerrit Kühn wrote:
> > On Wed, 22 Nov 2006 09:07:34 -0500 (EST) Mark Hennessy <mark@cloud9.net>
> > wrote about Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf:

> > MH> I'm a bit unsure about it myself.
> > MH> I tried exactly what you suggested, putting files on the compat line
> > MH> and before nis for both passwd and groups on the NIS slave server
> > MH> only, and no go.  Perhaps it is the master server that actually
> > MH> controls this? I don't know.  Any further advice would be greatly
> > MH> appreciated.

> > Sorry to disturb, but I don't understand why you distribute the server's
> > root pw via NIS at all. Is it really shown by "ypcat passwd" on the
> > client? If so, how about removing it from the list of exported accounts?
 
> That's a really good point. When you consider the inherent insecurity of
> NIS, having a root password in the maps is a pretty bad plan anyway.
 
> Given my vague handwaving at PAM, and the fact that the OP probably has
> NIS as sufficient above pam_unix, the obvious solution if my unverified
> assertions are correct is to remove the root password from the NIS maps.

I could be mistaken, but isn't the 'compat' entry to cover the case with
the old format passwd/group files, in which one used '+:...' or similar to
include NIS (or other authentication).  As such, 'compat' means "use the
file, plus whatever is added under 'compat'", further meaning that you 
can have only one entry under 'compat'.

So, if you want "old style" behavior, what you want is something like:

   passwd: compat
   passwd_compat: nis

Alternatively, you can use something like:

   passwd: files nis
   # passwd_compat: nis

or even:

   passwd: winbind nis files
   # passwd_compat: nis


[Corrections welcome if I have this wrong....]


-- 
greg byshenk  -  gbyshenk@byshenk.net  -  Leiden, NL
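As an added example (not code from the post above or from FreeBSD itself), the script below parses an nsswitch.conf fragment and applies the reading of 'compat' given in the message: a 'compat' source is expanded to the local file followed by whatever the passwd_compat line lists, whereas a plain 'files nis' line is used in the order written. It then reports whether the local passwd entry for root would be consulted before NIS, and checks a 'ypcat passwd' dump for an exported root entry, which is the point Gerrit raised earlier in the thread. The sample configurations and the NIS map contents are constructed, and the set of source names treated as "non-local" is an assumption.

```python
"""Check the passwd lookup order in a FreeBSD-style nsswitch.conf.

Added example; not code from the original post or from FreeBSD.  It
applies the thread's reading of 'compat' (local file first, then the
passwd_compat sources) and also checks a 'ypcat passwd' dump for a root
entry, since a root password that NIS hands to every client is the
underlying problem.
"""

import re
from typing import Dict, List

# Assumption: these source names are served over the network, so a root
# entry obtained from one of them before 'files' means the local
# master.passwd entry is not the one that wins.
NON_LOCAL_SOURCES = {"nis", "ldap", "winbind", "dns"}


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Return {database: [source, ...]} for each active line of text.

    Comments and blank lines are skipped.  [status=action] criteria such
    as [notfound=return] are dropped: only the source order matters here.
    """
    dbs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        dbs[name.strip()] = rest.split()
    return dbs


def effective_order(dbs: Dict[str, List[str]], db: str = "passwd") -> List[str]:
    """Expand 'compat' into 'files' followed by the <db>_compat sources.

    With 'passwd: compat' and 'passwd_compat: nis' the local file is read
    first and NIS is merged in through its +/- lines.  A database with no
    line at all yields [] so the caller can see nothing was configured.
    """
    order: List[str] = []
    for src in dbs.get(db, []):
        if src == "compat":
            order.append("files")
            order.extend(dbs.get(f"{db}_compat", []))
        else:
            order.append(src)
    return order


def root_served_locally_first(dbs: Dict[str, List[str]], db: str = "passwd") -> bool:
    """True when 'files' is consulted before any network source for db."""
    for src in effective_order(dbs, db):
        if src == "files":
            return True
        if src in NON_LOCAL_SOURCES:
            return False
    return False


def nis_exports_root(ypcat_passwd: str) -> List[str]:
    """Return the entries of a 'ypcat passwd' dump with uid 0 or the name root.

    Each line has the passwd(5) layout name:passwd:uid:gid:gecos:dir:shell.
    """
    hits: List[str] = []
    for line in ypcat_passwd.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue
        if fields[0] == "root" or fields[2] == "0":
            hits.append(line)
    return hits


# Constructed sample inputs, not taken from the thread or from any host.
COMPAT_CONF = """\
# local file first, NIS merged in via +/- lines in master.passwd
passwd: compat
passwd_compat: nis
group: compat
group_compat: nis
"""

NIS_FIRST_CONF = """\
passwd: nis [notfound=continue] files
group: nis files
"""

NIS_MAP = """\
alice:*:1001:1001:Alice Example:/home/alice:/bin/sh
root:$1$constructed$notarealhash:0:0:Charlie &:/root:/bin/csh
"""


if __name__ == "__main__":
    for label, conf in (("compat", COMPAT_CONF), ("nis first", NIS_FIRST_CONF)):
        dbs = parse_nsswitch(conf)
        print(f"{label}: passwd order {effective_order(dbs)}, "
              f"local root wins: {root_served_locally_first(dbs)}")
    for entry in nis_exports_root(NIS_MAP):
        print("root exported by NIS:", entry.split(":")[0])
```

On a real host, feed it the contents of /etc/nsswitch.conf and the output of `ypcat passwd` run on a client; an exported root entry in the map is worth fixing regardless of what the lookup order says, because every NIS client (and anyone who can talk to the NIS server) can read it.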



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061122150428.GA1636>