Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf

2006-11-22 Thread David Adam
On Tue, 21 Nov 2006, Mark Hennessy wrote:
 I have a new system that has FreeBSD 6.1 on it to replace a system with
 FreeBSD 4.11 being put out of service.

 I want to keep to using local root passwords only, but export other users'
 logins over NIS.  It acts presently as an NIS slave server.

 The NIS master server was upgraded a few months ago to FreeBSD 6.0 and
 then 6.1.

 All other machines are running FreeBSD 4.11.

 A weird thing started to happen with the new machine.  Only on this new
 machine, the local root password doesn't work and only the root password
 of the NIS master server will work to attain root.  Perhaps something
 needs to be changed somewhere to make the local root password work again?

 Here's the /etc/nsswitch.conf from the master server:
 group: compat
 group_compat: nis
 hosts: files dns
 networks: files
 passwd: compat
 passwd_compat: nis
 shells: files

 Here's the /etc/nsswitch.conf from the slave server:
 group: compat
 group_compat: nis
 hosts: files dns
 networks: files
 passwd: compat
 passwd_compat: nis
 shells: files

 They both appear to be set to defaults.

 I tried changing group and passwd to include 'files', I also tried
 changing group_compat and passwd_compat to include 'files', but no
 positive change.

Mark,

Careful here.

The line needs to read 'files nis', not 'nis files' - if you used the
latter, try switching it around so that the local /etc/passwd is checked
for root logins before NIS is consulted.

As I understand the man page, you want to change the {group,passwd}_compat
lines, not the {group,passwd} lines themselves.

 I couldn't find nsswitch.conf on any of the FreeBSD 4.11 servers.  They
 are served by NIS as clients and all of their local root passwords work
 fine.

From nsswitch.conf(5):

The nsswitch.conf file format first appeared in FreeBSD 5.0.  It was
imported from the NetBSD Project, where it appeared first in NetBSD 1.4.

The NIS section of the handbook contains no mention of nsswitch.conf(5),
so I'm not actually sure that it's required for system authentication.

David Adam
[EMAIL PROTECTED]
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf

2006-11-22 Thread Mark Hennessy

David Adam [EMAIL PROTECTED] wrote:

On Tue, 21 Nov 2006, Mark Hennessy wrote:

I have a new system that has FreeBSD 6.1 on it to replace a system with
FreeBSD 4.11 being put out of service.

I want to keep to using local root passwords only, but export other users'
logins over NIS.  It acts presently as an NIS slave server.

The NIS master server was upgraded a few months ago to FreeBSD 6.0 and
then 6.1.

All other machines are running FreeBSD 4.11.

A weird thing started to happen with the new machine.  Only on this new
machine, the local root password doesn't work and only the root password
of the NIS master server will work to attain root.  Perhaps something
needs to be changed somewhere to make the local root password work again?

Here's the /etc/nsswitch.conf from the master server:
group: compat
group_compat: nis
hosts: files dns
networks: files
passwd: compat
passwd_compat: nis
shells: files

Here's the /etc/nsswitch.conf from the slave server:
group: compat
group_compat: nis
hosts: files dns
networks: files
passwd: compat
passwd_compat: nis
shells: files

They both appear to be set to defaults.

I tried changing group and passwd to include 'files', I also tried
changing group_compat and passwd_compat to include 'files', but no
positive change.


Mark,

Careful here.

The line needs to read 'files nis', not 'nis files' - if you used the
latter, try switching it around so that the local /etc/passwd is checked
for root logins before NIS is consulted.

As I understand the man page, you want to change the {group,passwd}_compat
lines, not the {group,passwd} lines themselves.


I couldn't find nsswitch.conf on any of the FreeBSD 4.11 servers.  They
are served by NIS as clients and all of their local root passwords work
fine.



From nsswitch.conf(5):


The nsswitch.conf file format first appeared in FreeBSD 5.0.  It was
imported from the NetBSD Project, where it appeared first in NetBSD 1.4.

The NIS section of the handbook contains no mention of nsswitch.conf(5),
so I'm not actually sure that it's required for system authentication.

David Adam
[EMAIL PROTECTED]


I'm a bit unsure about it myself.
I tried exactly what you suggested, putting files on the compat line and 
before nis for both passwd and groups on the NIS slave server only, and no 
go.  Perhaps it is the master server that actually controls this? I don't 
know.  Any further advice would be greatly appreciated.


--
Mark P. Hennessy





Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf

2006-11-22 Thread Gerrit Kühn
On Wed, 22 Nov 2006 09:07:34 -0500 (EST) Mark Hennessy [EMAIL PROTECTED]
wrote about Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf:


MH I'm a bit unsure about it myself.
MH I tried exactly what you suggested, putting files on the compat line
MH and before nis for both passwd and groups on the NIS slave server
MH only, and no go.  Perhaps it is the master server that actually
MH controls this? I don't know.  Any further advice would be greatly
MH appreciated.

Sorry to disturb, but I don't understand why you distribute the server's
root pw via NIS at all. Is it really shown by ypcat passwd on the
client? If so, how about removing it from the list of exported accounts?

The nsswitch.conf I'm using here looks like this:

group:  nis files
hosts:  files nis dns
passwd: nis files



cu
  Gerrit


Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf

2006-11-22 Thread David Adam
On Wed, 22 Nov 2006, Mark Hennessy wrote:
 David Adam [EMAIL PROTECTED] wrote:
 On Tue, 21 Nov 2006, Mark Hennessy wrote:
  I have a new system that has FreeBSD 6.1 on it to replace a system with
  FreeBSD 4.11 being put out of service.
 
  I want to keep to using local root passwords only, but export other users'
  logins over NIS.  It acts presently as an NIS slave server.
 
  The NIS master server was upgraded a few months ago to FreeBSD 6.0 and
  then 6.1.
 
  All other machines are running FreeBSD 4.11.
 
  A weird thing started to happen with the new machine.  Only on this new
  machine, the local root password doesn't work and only the root password
  of the NIS master server will work to attain root.  Perhaps something
  needs to be changed somewhere to make the local root password work again?
snip
 
  I tried changing group and passwd to include 'files', I also tried
  changing group_compat and passwd_compat to include 'files', but no
  positive change.
 
 Mark,
 
 Careful here.
 
 The line needs to read 'files nis', not 'nis files' - if you used the
 latter, try switching it around so that the local /etc/passwd is checked
 for root logins before NIS is consulted.
 
 As I understand the man page, you want to change the {group,passwd}_compat
 lines, not the {group,passwd} lines themselves.
 
  I couldn't find nsswitch.conf on any of the FreeBSD 4.11 servers.  They
  are served by NIS as clients and all of their local root passwords work
  fine.
 
 From nsswitch.conf(5):
 
 The nsswitch.conf file format first appeared in FreeBSD 5.0.  It was
 imported from the NetBSD Project, where it appeared first in NetBSD 1.4.
 
 The NIS section of the handbook contains no mention of nsswitch.conf(5),
 so I'm not actually sure that it's required for system authentication.
 

 I'm a bit unsure about it myself.
 I tried exactly what you suggested, putting files on the compat line and
 before nis for both passwd and groups on the NIS slave server only, and no
 go.  Perhaps it is the master server that actually controls this? I don't
 know.  Any further advice would be greatly appreciated.

Just to clarify - you're running a single NIS master, and you're having
this problem on a new NIS client? Or is it a NIS slave server as well? I
don't think that this should affect things, but I just wanted to clear up
the nomenclature.

Hmm, odd. I don't know if you have to restart any services to pick up
changes in nsswitch.conf, but I doubt it.

However, re-reading the manpage reminded me that nsswitch doesn't actually
control authentication in many cases - PAM handles this, on Linux at any
rate.

Someone (quite possibly me) has kicked the cable out of my FreeBSD box, so
I can't check this at the moment, but you may well need to edit something
in /etc/pam.d. In particular, if you have NIS as sufficient, it'll take
precedence over pam_unix (i.e., files).

Cheers,

David Adam
[EMAIL PROTECTED]


Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf

2006-11-22 Thread Greg Byshenk
On Wed, Nov 22, 2006 at 10:49:01PM +0800, David Adam wrote:
 On Wed, 22 Nov 2006, Gerrit Kühn wrote:
  On Wed, 22 Nov 2006 09:07:34 -0500 (EST) Mark Hennessy [EMAIL PROTECTED]
  wrote about Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf:

  MH I'm a bit unsure about it myself.
  MH I tried exactly what you suggested, putting files on the compat line
  MH and before nis for both passwd and groups on the NIS slave server
  MH only, and no go.  Perhaps it is the master server that actually
  MH controls this? I don't know.  Any further advice would be greatly
  MH appreciated.

  Sorry to disturb, but I don't understand why you distribute the server's
  root pw via NIS at all. Is it really shown by ypcat passwd on the
  client? If so, how about removing it from the list of exported accounts?
 
 That's a really good point. When you consider the inherent insecurity of
 NIS, having a root password in the maps is a pretty bad plan anyway.
 
 Given my vague handwaving at PAM, and the fact that the OP probably has
 NIS as sufficient above pam_unix, the obvious solution if my unverified
 assertions are correct is to remove the root password from the NIS maps.

I could be mistaken, but isn't the 'compat' entry to cover the case with
the old format passwd/group files, in which one used '+:...' or similar to
include NIS (or other authentication).  As such, 'compat' means use the
file, plus whatever is added under 'compat', further meaning that you 
can have only one entry under 'compat'.

So, if you want old style behavior, what you want is something like:

   passwd: compat
   passwd_compat: nis

Alternatively, you can use something like:

   passwd: files nis
   # passwd_compat: nis

or even:

   passwd: winbind nis files
   # passwd_compat: nis


[Corrections welcome if I have this wrong]


-- 
greg byshenk  -  [EMAIL PROTECTED]  -  Leiden, NL


Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf

2006-11-22 Thread Artyom Viklenko

Mark Hennessy wrote:
 David Adam [EMAIL PROTECTED] wrote:
On Tue, 21 Nov 2006, Mark Hennessy wrote:
 I have a new system that has FreeBSD 6.1 on it to replace a system with
 FreeBSD 4.11 being put out of service.

 I want to keep to using local root passwords only, but export other users'
 logins over NIS.  It acts presently as an NIS slave server.

 The NIS master server was upgraded a few months ago to FreeBSD 6.0 and
 then 6.1.

 All other machines are running FreeBSD 4.11.

 A weird thing started to happen with the new machine.  Only on this new
 machine, the local root password doesn't work and only the root password
 of the NIS master server will work to attain root.  Perhaps something
 needs to be changed somewhere to make the local root password work again?

 Here's the /etc/nsswitch.conf from the master server:
 group: compat
 group_compat: nis
 hosts: files dns
 networks: files
 passwd: compat
 passwd_compat: nis
 shells: files

 Here's the /etc/nsswitch.conf from the slave server:
 group: compat
 group_compat: nis
 hosts: files dns
 networks: files
 passwd: compat
 passwd_compat: nis
 shells: files

 They both appear to be set to defaults.

 I tried changing group and passwd to include 'files', I also tried
 changing group_compat and passwd_compat to include 'files', but no
 positive change.

Mark,

Careful here.

The line needs to read 'files nis', not 'nis files' - if you used the
latter, try switching it around so that the local /etc/passwd is checked
for root logins before NIS is consulted.

As I understand the man page, you want to change the {group,passwd}_compat
lines, not the {group,passwd} lines themselves.

 I couldn't find nsswitch.conf on any of the FreeBSD 4.11 servers.  They
 are served by NIS as clients and all of their local root passwords work
 fine.

From nsswitch.conf(5):

The nsswitch.conf file format first appeared in FreeBSD 5.0.  It was
imported from the NetBSD Project, where it appeared first in NetBSD 1.4.

The NIS section of the handbook contains no mention of nsswitch.conf(5),
so I'm not actually sure that it's required for system authentication.

David Adam
[EMAIL PROTECTED]

 I'm a bit unsure about it myself.
 I tried exactly what you suggested, putting files on the compat line and
 before nis for both passwd and groups on the NIS slave server only, and no
 go.  Perhaps it is the master server that actually controls this? I don't
 know.  Any further advice would be greatly appreciated.


You can try this config:

group: files nis
hosts: files dns
networks: files dns
passwd: files nis
shells: files

just removes *compat* stuff

works for me. :)

-- 
   Sincerely yours,
Artyom Viklenko.
---
[EMAIL PROTECTED] | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve   -  http://www.freebsd.org




Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf

2006-11-22 Thread Mark Hennessy

David Adam [EMAIL PROTECTED] wrote:

On Wed, 22 Nov 2006, Mark Hennessy wrote:

David Adam [EMAIL PROTECTED] wrote:
On Tue, 21 Nov 2006, Mark Hennessy wrote:
 I have a new system that has FreeBSD 6.1 on it to replace a system with
 FreeBSD 4.11 being put out of service.

 I want to keep to using local root passwords only, but export other users'
 logins over NIS.  It acts presently as an NIS slave server.

 The NIS master server was upgraded a few months ago to FreeBSD 6.0 and
 then 6.1.

 All other machines are running FreeBSD 4.11.

 A weird thing started to happen with the new machine.  Only on this new
 machine, the local root password doesn't work and only the root password
 of the NIS master server will work to attain root.  Perhaps something
 needs to be changed somewhere to make the local root password work again?
snip

 I tried changing group and passwd to include 'files', I also tried
 changing group_compat and passwd_compat to include 'files', but no
 positive change.

Mark,

Careful here.

The line needs to read 'files nis', not 'nis files' - if you used the
latter, try switching it around so that the local /etc/passwd is checked
for root logins before NIS is consulted.

As I understand the man page, you want to change the {group,passwd}_compat
lines, not the {group,passwd} lines themselves.

 I couldn't find nsswitch.conf on any of the FreeBSD 4.11 servers.  They
 are served by NIS as clients and all of their local root passwords work
 fine.

From nsswitch.conf(5):

The nsswitch.conf file format first appeared in FreeBSD 5.0.  It was
imported from the NetBSD Project, where it appeared first in NetBSD 1.4.

The NIS section of the handbook contains no mention of nsswitch.conf(5),
so I'm not actually sure that it's required for system authentication.

I'm a bit unsure about it myself.
I tried exactly what you suggested, putting files on the compat line and
before nis for both passwd and groups on the NIS slave server only, and no
go.  Perhaps it is the master server that actually controls this? I don't
know.  Any further advice would be greatly appreciated.


Just to clarify - you're running a single NIS master, and you're having
this problem on a new NIS client? Or is it a NIS slave server as well? I
don't think that this should affect things, but I just wanted to clear up
the nomenclature.

Hmm, odd. I don't know if you have to restart any services to pick up
changes in nsswitch.conf, but I doubt it.

However, re-reading the manpage reminded me that nsswitch doesn't actually
control authentication in many cases - PAM handles this, on Linux at any
rate.

Someone (quite possibly me) has kicked the cable out of my FreeBSD box, so
I can't check this at the moment, but you may well need to edit something
in /etc/pam.d. In particular, if you have NIS as sufficient, it'll take
precedence over pam_unix (i.e., files).

Cheers,

David Adam
[EMAIL PROTECTED]


The machine in question having the problem with its root password being 
clobbered by NIS is an NIS Slave Server running FreeBSD 6.1, the other 
machines that aren't having this problem are clients running FreeBSD 4.11, 
and the NIS Master Server is running FreeBSD 6.1.


The pam config for login and su don't appear to be pointing specifically 
to NIS for anything, just system.


--
Mark P. Hennessy


Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf

2006-11-22 Thread Michael Proto
Mark Hennessy wrote:
 The machine in question having the problem with its root password being
 clobbered by NIS is an NIS Slave Server running FreeBSD 6.1, the other
 machines that aren't having this problem are clients running FreeBSD
 4.11, and the NIS Master Server is running FreeBSD 6.1.
 
 The pam config for login and su don't appear to be pointing specifically
 to NIS for anything, just system.
 

What does /etc/passwd look like? I've seen this happen in our
environment when a +entry in /etc/passwd is above the equivalent user
account. Like if +root... or [EMAIL PROTECTED] were above the default root
account.

Incidentally, my /etc/nsswitch.conf looks like this and does work
appropriately with NIS:

group: compat
group_compat: nis
hosts: files dns
networks: files
passwd: compat
passwd_compat: nis


-Proto
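
An added example, not part of the original thread or of FreeBSD: a small Python audit for the conditions raised in the replies above, namely more than one source on a `*_compat` line (Greg Byshenk), `nis` consulted before `files` (David Adam), and a `+` entry placed above the local root account (Michael Proto). The function names, finding codes, and the sample nsswitch.conf and passwd text are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from any real host).
NSSWITCH_COMPAT = """\
group: compat
group_compat: nis
hosts: files dns
passwd: compat
passwd_compat: nis
"""
PASSWD_PLUS_FIRST = """\
+:::::::::
root:*:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
"""
PASSWD_PLUS_LAST = """\
root:*:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
+:::::::::
"""

def parse_nsswitch(text):
    """Return {database: [sources]}; comments and [criteria] are dropped."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        dbs[name.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return dbs

def plus_entries_before_root(passwd_text):
    """Line numbers of NIS include entries that precede the local root line.

    Only '+', '+root' and '+@netgroup' are counted, since those are the
    forms that can supply a root entry. If no local root line exists,
    every such entry is reported.
    """
    hits = []
    for lineno, raw in enumerate(passwd_text.splitlines(), 1):
        name = raw.strip().split(":", 1)[0]
        if name == "root":
            break
        if name in ("+", "+root") or name.startswith("+@"):
            hits.append(lineno)
    return hits

def audit(nsswitch_text, passwd_text):
    """Return a list of (code, detail) findings for passwd and group lookups."""
    findings = []
    dbs = parse_nsswitch(nsswitch_text)
    for db in ("passwd", "group"):
        srcs = dbs.get(db, [])
        compat = dbs.get(db + "_compat", [])
        if "compat" in srcs and len(compat) > 1:
            findings.append(("COMPAT_MULTI", db + "_compat: " + " ".join(compat)))
        if "nis" in srcs and ("files" not in srcs
                              or srcs.index("nis") < srcs.index("files")):
            findings.append(("NIS_BEFORE_FILES", db + ": " + " ".join(srcs)))
    # '+' entries are only interpreted when passwd is in compat mode.
    if "compat" in dbs.get("passwd", []):
        for lineno in plus_entries_before_root(passwd_text):
            findings.append(("PLUS_BEFORE_ROOT", "passwd line %d" % lineno))
    return findings

if __name__ == "__main__":
    for code, detail in audit(NSSWITCH_COMPAT, PASSWD_PLUS_FIRST):
        print(code, detail)
```

On a real host the two arguments would be the contents of /etc/nsswitch.conf and of the password file that carries the `+` entries.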


Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf

2006-11-22 Thread Artyom Viklenko

David Adam wrote:
 On Wed, 22 Nov 2006, Gerrit Kühn wrote:

 On Wed, 22 Nov 2006 09:07:34 -0500 (EST) Mark Hennessy [EMAIL PROTECTED]
 wrote about Re: FreeBSD 6.x, NIS, local root password, and
 nsswitch.conf:


 MH I'm a bit unsure about it myself.
 MH I tried exactly what you suggested, putting files on the compat line
 MH and before nis for both passwd and groups on the NIS slave server
 MH only, and no go.  Perhaps it is the master server that actually
 MH controls this? I don't know.  Any further advice would be greatly
 MH appreciated.

 Sorry to disturb, but I don't understand why you distribute the server's
 root pw via NIS at all. Is it really shown by ypcat passwd on the
 client? If so, how about removing it from the list of exported accounts?

 That's a really good point. When you consider the inherent insecurity of
 NIS, having a root password in the maps is a pretty bad plan anyway.

 Given my vague handwaving at PAM, and the fact that the OP probably has
 NIS as sufficient above pam_unix, the obvious solution if my unverified
 assertions are correct is to remove the root password from the NIS maps.

Sure. In my case, there are separate master.passwd and group files in
the /var/yp directory. All regular user accounts (typically with uid=1000)
reside here. Same for groups. In the local /etc/master.passwd reside only
system accounts and some accounts for applications.
This works for 4.x, 5.x, 6.x without problems. I even have Linux
clients authorising against FreeBSD NIS servers.
(Some modifications to /var/yp/Makefile needed).
So, from interoperability and security points of view, it is
much better to separate system accounts and keep them locally.


-- 
   Sincerely yours,
Artyom Viklenko.
---
[EMAIL PROTECTED] | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve   -  http://www.freebsd.org

