Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf
On Tue, 21 Nov 2006, Mark Hennessy wrote:

> I have a new system that has FreeBSD 6.1 on it to replace a system with
> FreeBSD 4.11 being put out of service. I want to keep to using local root
> passwords only, but export other users' logins over NIS. It acts presently
> as an NIS slave server. The NIS master server was upgraded a few months
> ago to FreeBSD 6.0 and then 6.1. All other machines are running FreeBSD
> 4.11.
>
> A weird thing started to happen with the new machine. Only on this new
> machine, the local root password doesn't work and only the root password
> of the NIS master server will work to attain root. Perhaps something
> needs to be changed somewhere to make the local root password work again?
>
> Here's the /etc/nsswitch.conf from the master server:
>
>   group: compat
>   group_compat: nis
>   hosts: files dns
>   networks: files
>   passwd: compat
>   passwd_compat: nis
>   shells: files
>
> Here's the /etc/nsswitch.conf from the slave server:
>
>   group: compat
>   group_compat: nis
>   hosts: files dns
>   networks: files
>   passwd: compat
>   passwd_compat: nis
>   shells: files
>
> They both appear to be set to defaults.
>
> I tried changing group and passwd to include 'files', I also tried
> changing group_compat and passwd_compat to include 'files', but no
> positive change.

Mark,

Careful here. The line needs to read 'files nis', not 'nis files' - if you
used the latter, try switching it around so that the local /etc/passwd is
checked for root logins before NIS is consulted.

As I understand the man page, you want to change the {group,passwd}_compat
lines, not the {group,passwd} lines themselves.

> I couldn't find nsswitch.conf on any of the FreeBSD 4.11 servers. They
> are served by NIS as clients and all of their local root passwords work
> fine.

From nsswitch.conf(5):

  The nsswitch.conf file format first appeared in FreeBSD 5.0. It was
  imported from the NetBSD Project, where it appeared first in NetBSD 1.4.

The NIS section of the handbook contains no mention of nsswitch.conf(5), so
I'm not actually sure that it's required for system authentication.

David Adam
[EMAIL PROTECTED]

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf
David Adam [EMAIL PROTECTED] wrote:

> On Tue, 21 Nov 2006, Mark Hennessy wrote:
>
> > I have a new system that has FreeBSD 6.1 on it to replace a system
> > with FreeBSD 4.11 being put out of service. I want to keep to using
> > local root passwords only, but export other users' logins over NIS. It
> > acts presently as an NIS slave server. The NIS master server was
> > upgraded a few months ago to FreeBSD 6.0 and then 6.1. All other
> > machines are running FreeBSD 4.11.
> >
> > A weird thing started to happen with the new machine. Only on this new
> > machine, the local root password doesn't work and only the root
> > password of the NIS master server will work to attain root. Perhaps
> > something needs to be changed somewhere to make the local root
> > password work again?
> >
> > Here's the /etc/nsswitch.conf from the master server:
> >
> >   group: compat
> >   group_compat: nis
> >   hosts: files dns
> >   networks: files
> >   passwd: compat
> >   passwd_compat: nis
> >   shells: files
> >
> > Here's the /etc/nsswitch.conf from the slave server:
> >
> >   group: compat
> >   group_compat: nis
> >   hosts: files dns
> >   networks: files
> >   passwd: compat
> >   passwd_compat: nis
> >   shells: files
> >
> > They both appear to be set to defaults.
> >
> > I tried changing group and passwd to include 'files', I also tried
> > changing group_compat and passwd_compat to include 'files', but no
> > positive change.
>
> Mark,
>
> Careful here. The line needs to read 'files nis', not 'nis files' - if
> you used the latter, try switching it around so that the local
> /etc/passwd is checked for root logins before NIS is consulted.
>
> As I understand the man page, you want to change the
> {group,passwd}_compat lines, not the {group,passwd} lines themselves.
>
> > I couldn't find nsswitch.conf on any of the FreeBSD 4.11 servers. They
> > are served by NIS as clients and all of their local root passwords
> > work fine.
>
> From nsswitch.conf(5):
>
>   The nsswitch.conf file format first appeared in FreeBSD 5.0. It was
>   imported from the NetBSD Project, where it appeared first in NetBSD
>   1.4.
>
> The NIS section of the handbook contains no mention of nsswitch.conf(5),
> so I'm not actually sure that it's required for system authentication.
>
> David Adam
> [EMAIL PROTECTED]

I'm a bit unsure about it myself.

I tried exactly what you suggested, putting files on the compat line and
before nis for both passwd and groups on the NIS slave server only, and no
go. Perhaps it is the master server that actually controls this? I don't
know. Any further advice would be greatly appreciated.

--
Mark P. Hennessy
Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf
On Wed, 22 Nov 2006 09:07:34 -0500 (EST) Mark Hennessy [EMAIL PROTECTED]
wrote about Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf:

MH> I'm a bit unsure about it myself.
MH> I tried exactly what you suggested, putting files on the compat line
MH> and before nis for both passwd and groups on the NIS slave server
MH> only, and no go. Perhaps it is the master server that actually
MH> controls this? I don't know. Any further advice would be greatly
MH> appreciated.

Sorry to disturb, but I don't understand why you distribute the server's
root pw via NIS at all. Is it really shown by ypcat passwd on the client?
If so, how about removing it from the list of exported accounts?

The nsswitch.conf I'm using here looks like this:

  group: nis files
  hosts: files nis dns
  passwd: nis files

cu
  Gerrit
Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf
On Wed, 22 Nov 2006, Mark Hennessy wrote:

> David Adam [EMAIL PROTECTED] wrote:
>
> > On Tue, 21 Nov 2006, Mark Hennessy wrote:
> >
> > > I have a new system that has FreeBSD 6.1 on it to replace a system
> > > with FreeBSD 4.11 being put out of service. I want to keep to using
> > > local root passwords only, but export other users' logins over NIS.
> > > It acts presently as an NIS slave server. The NIS master server was
> > > upgraded a few months ago to FreeBSD 6.0 and then 6.1. All other
> > > machines are running FreeBSD 4.11.
> > >
> > > A weird thing started to happen with the new machine. Only on this
> > > new machine, the local root password doesn't work and only the root
> > > password of the NIS master server will work to attain root. Perhaps
> > > something needs to be changed somewhere to make the local root
> > > password work again?
> > >
> > > <snip>
> > >
> > > I tried changing group and passwd to include 'files', I also tried
> > > changing group_compat and passwd_compat to include 'files', but no
> > > positive change.
> >
> > Mark,
> >
> > Careful here. The line needs to read 'files nis', not 'nis files' - if
> > you used the latter, try switching it around so that the local
> > /etc/passwd is checked for root logins before NIS is consulted.
> >
> > As I understand the man page, you want to change the
> > {group,passwd}_compat lines, not the {group,passwd} lines themselves.
> >
> > > I couldn't find nsswitch.conf on any of the FreeBSD 4.11 servers.
> > > They are served by NIS as clients and all of their local root
> > > passwords work fine.
> >
> > From nsswitch.conf(5):
> >
> >   The nsswitch.conf file format first appeared in FreeBSD 5.0. It was
> >   imported from the NetBSD Project, where it appeared first in NetBSD
> >   1.4.
> >
> > The NIS section of the handbook contains no mention of
> > nsswitch.conf(5), so I'm not actually sure that it's required for
> > system authentication.
>
> I'm a bit unsure about it myself.
>
> I tried exactly what you suggested, putting files on the compat line and
> before nis for both passwd and groups on the NIS slave server only, and
> no go. Perhaps it is the master server that actually controls this? I
> don't know.
>
> Any further advice would be greatly appreciated.

Just to clarify - you're running a single NIS master, and you're having
this problem on a new NIS client? Or is it a NIS slave server as well? I
don't think that this should affect things, but I just wanted to clear up
the nomenclature.

Hmm, odd. I don't know if you have to restart any services to pick up
changes in nsswitch.conf, but I doubt it.

However, re-reading the manpage reminded me that nsswitch doesn't actually
control authentication in many cases - PAM handles this, on Linux at any
rate. Someone (quite possibly me) has kicked the cable out of my FreeBSD
box, so I can't check this at the moment, but you may well need to edit
something in /etc/pam.d. In particular, if you have NIS as sufficient,
it'll take precedence over pam_unix (i.e., files).

Cheers,

David Adam
[EMAIL PROTECTED]
Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf
On Wed, Nov 22, 2006 at 10:49:01PM +0800, David Adam wrote:

> On Wed, 22 Nov 2006, Gerrit Kühn wrote:
>
> > On Wed, 22 Nov 2006 09:07:34 -0500 (EST) Mark Hennessy
> > [EMAIL PROTECTED] wrote about Re: FreeBSD 6.x, NIS, local root
> > password, and nsswitch.conf:
> >
> > MH> I'm a bit unsure about it myself.
> > MH> I tried exactly what you suggested, putting files on the compat
> > MH> line and before nis for both passwd and groups on the NIS slave
> > MH> server only, and no go. Perhaps it is the master server that
> > MH> actually controls this? I don't know. Any further advice would be
> > MH> greatly appreciated.
> >
> > Sorry to disturb, but I don't understand why you distribute the
> > server's root pw via NIS at all. Is it really shown by ypcat passwd on
> > the client? If so, how about removing it from the list of exported
> > accounts?
>
> That's a really good point. When you consider the inherent insecurity of
> NIS, having a root password in the maps is a pretty bad plan anyway.
>
> Given my vague handwaving at PAM, and the fact that the OP probably has
> NIS as sufficient above pam_unix, the obvious solution if my unverified
> assertions are correct is to remove the root password from the NIS maps.

I could be mistaken, but isn't the 'compat' entry to cover the case with
the old format passwd/group files, in which one used '+:...' or similar to
include NIS (or other authentication). As such, 'compat' means use the
file, plus whatever is added under 'compat', further meaning that you can
have only one entry under 'compat'.

So, if you want old style behavior, what you want is something like:

  passwd: compat
  passwd_compat: nis

Alternatively, you can use something like:

  passwd: files nis
  # passwd_compat: nis

or even:

  passwd: winbind nis files
  # passwd_compat: nis

[Corrections welcome if I have this wrong]

--
greg byshenk - [EMAIL PROTECTED] - Leiden, NL
Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf
Mark Hennessy wrote:

> David Adam [EMAIL PROTECTED] wrote:
>
> > On Tue, 21 Nov 2006, Mark Hennessy wrote:
> >
> > > I have a new system that has FreeBSD 6.1 on it to replace a system
> > > with FreeBSD 4.11 being put out of service. I want to keep to using
> > > local root passwords only, but export other users' logins over NIS.
> > > It acts presently as an NIS slave server. The NIS master server was
> > > upgraded a few months ago to FreeBSD 6.0 and then 6.1. All other
> > > machines are running FreeBSD 4.11.
> > >
> > > A weird thing started to happen with the new machine. Only on this
> > > new machine, the local root password doesn't work and only the root
> > > password of the NIS master server will work to attain root. Perhaps
> > > something needs to be changed somewhere to make the local root
> > > password work again?
> > >
> > > Here's the /etc/nsswitch.conf from the master server:
> > >
> > >   group: compat
> > >   group_compat: nis
> > >   hosts: files dns
> > >   networks: files
> > >   passwd: compat
> > >   passwd_compat: nis
> > >   shells: files
> > >
> > > Here's the /etc/nsswitch.conf from the slave server:
> > >
> > >   group: compat
> > >   group_compat: nis
> > >   hosts: files dns
> > >   networks: files
> > >   passwd: compat
> > >   passwd_compat: nis
> > >   shells: files
> > >
> > > They both appear to be set to defaults.
> > >
> > > I tried changing group and passwd to include 'files', I also tried
> > > changing group_compat and passwd_compat to include 'files', but no
> > > positive change.
> >
> > Mark,
> >
> > Careful here. The line needs to read 'files nis', not 'nis files' - if
> > you used the latter, try switching it around so that the local
> > /etc/passwd is checked for root logins before NIS is consulted.
> >
> > As I understand the man page, you want to change the
> > {group,passwd}_compat lines, not the {group,passwd} lines themselves.
> >
> > > I couldn't find nsswitch.conf on any of the FreeBSD 4.11 servers.
> > > They are served by NIS as clients and all of their local root
> > > passwords work fine.
> >
> > From nsswitch.conf(5):
> >
> >   The nsswitch.conf file format first appeared in FreeBSD 5.0. It was
> >   imported from the NetBSD Project, where it appeared first in NetBSD
> >   1.4.
> >
> > The NIS section of the handbook contains no mention of
> > nsswitch.conf(5), so I'm not actually sure that it's required for
> > system authentication.
> >
> > David Adam
> > [EMAIL PROTECTED]
>
> I'm a bit unsure about it myself.
>
> I tried exactly what you suggested, putting files on the compat line and
> before nis for both passwd and groups on the NIS slave server only, and
> no go. Perhaps it is the master server that actually controls this? I
> don't know. Any further advice would be greatly appreciated.

You can try this config:

  group: files nis
  hosts: files dns
  networks: files dns
  passwd: files nis
  shells: files

just removes *compat* stuff

works for me. :)

--
Sincerely yours,
Artyom Viklenko.
---
[EMAIL PROTECTED] | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve - http://www.freebsd.org
Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf
David Adam [EMAIL PROTECTED] wrote:

> On Wed, 22 Nov 2006, Mark Hennessy wrote:
>
> > David Adam [EMAIL PROTECTED] wrote:
> >
> > > On Tue, 21 Nov 2006, Mark Hennessy wrote:
> > >
> > > > I have a new system that has FreeBSD 6.1 on it to replace a system
> > > > with FreeBSD 4.11 being put out of service. I want to keep to
> > > > using local root passwords only, but export other users' logins
> > > > over NIS. It acts presently as an NIS slave server. The NIS master
> > > > server was upgraded a few months ago to FreeBSD 6.0 and then 6.1.
> > > > All other machines are running FreeBSD 4.11.
> > > >
> > > > A weird thing started to happen with the new machine. Only on this
> > > > new machine, the local root password doesn't work and only the
> > > > root password of the NIS master server will work to attain root.
> > > > Perhaps something needs to be changed somewhere to make the local
> > > > root password work again?
> > > >
> > > > <snip>
> > > >
> > > > I tried changing group and passwd to include 'files', I also tried
> > > > changing group_compat and passwd_compat to include 'files', but no
> > > > positive change.
> > >
> > > Mark,
> > >
> > > Careful here. The line needs to read 'files nis', not 'nis files' -
> > > if you used the latter, try switching it around so that the local
> > > /etc/passwd is checked for root logins before NIS is consulted.
> > >
> > > As I understand the man page, you want to change the
> > > {group,passwd}_compat lines, not the {group,passwd} lines
> > > themselves.
> > >
> > > > I couldn't find nsswitch.conf on any of the FreeBSD 4.11 servers.
> > > > They are served by NIS as clients and all of their local root
> > > > passwords work fine.
> > >
> > > From nsswitch.conf(5):
> > >
> > >   The nsswitch.conf file format first appeared in FreeBSD 5.0. It
> > >   was imported from the NetBSD Project, where it appeared first in
> > >   NetBSD 1.4.
> > >
> > > The NIS section of the handbook contains no mention of
> > > nsswitch.conf(5), so I'm not actually sure that it's required for
> > > system authentication.
> >
> > I'm a bit unsure about it myself.
> >
> > I tried exactly what you suggested, putting files on the compat line
> > and before nis for both passwd and groups on the NIS slave server
> > only, and no go.
> >
> > Perhaps it is the master server that actually controls this? I don't
> > know. Any further advice would be greatly appreciated.
>
> Just to clarify - you're running a single NIS master, and you're having
> this problem on a new NIS client? Or is it a NIS slave server as well? I
> don't think that this should affect things, but I just wanted to clear
> up the nomenclature.
>
> Hmm, odd. I don't know if you have to restart any services to pick up
> changes in nsswitch.conf, but I doubt it.
>
> However, re-reading the manpage reminded me that nsswitch doesn't
> actually control authentication in many cases - PAM handles this, on
> Linux at any rate. Someone (quite possibly me) has kicked the cable out
> of my FreeBSD box, so I can't check this at the moment, but you may well
> need to edit something in /etc/pam.d. In particular, if you have NIS as
> sufficient, it'll take precedence over pam_unix (i.e., files).
>
> Cheers,
>
> David Adam
> [EMAIL PROTECTED]

The machine in question having the problem with its root password being
clobbered by NIS is an NIS Slave Server running FreeBSD 6.1, the other
machines that aren't having this problem are clients running FreeBSD 4.11,
and the NIS Master Server is running FreeBSD 6.1.

The pam config for login and su don't appear to be pointing specifically
to NIS for anything, just system.

--
Mark P. Hennessy
Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf
Mark Hennessy wrote:

> The machine in question having the problem with its root password being
> clobbered by NIS is an NIS Slave Server running FreeBSD 6.1, the other
> machines that aren't having this problem are clients running FreeBSD
> 4.11, and the NIS Master Server is running FreeBSD 6.1.
>
> The pam config for login and su don't appear to be pointing specifically
> to NIS for anything, just system.

What does /etc/passwd look like? I've seen this happen in our environment
when a + entry in /etc/password is above the equivalent user account. Like
if +root... or [EMAIL PROTECTED] were above the default root account.

Incidentally, my /etc/nsswitch.conf looks like this and does work
appropriately with NIS:

  group: compat
  group_compat: nis
  hosts: files dns
  networks: files
  passwd: compat
  passwd_compat: nis

-Proto
Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf
David Adam wrote:

> On Wed, 22 Nov 2006, Gerrit Kühn wrote:
>
> > On Wed, 22 Nov 2006 09:07:34 -0500 (EST) Mark Hennessy
> > [EMAIL PROTECTED] wrote about Re: FreeBSD 6.x, NIS, local root
> > password, and nsswitch.conf:
> >
> > MH> I'm a bit unsure about it myself.
> > MH> I tried exactly what you suggested, putting files on the compat
> > MH> line and before nis for both passwd and groups on the NIS slave
> > MH> server only, and no go. Perhaps it is the master server that
> > MH> actually controls this? I don't know. Any further advice would be
> > MH> greatly appreciated.
> >
> > Sorry to disturb, but I don't understand why you distribute the
> > server's root pw via NIS at all. Is it really shown by ypcat passwd on
> > the client? If so, how about removing it from the list of exported
> > accounts?
>
> That's a really good point. When you consider the inherent insecurity of
> NIS, having a root password in the maps is a pretty bad plan anyway.
>
> Given my vague handwaving at PAM, and the fact that the OP probably has
> NIS as sufficient above pam_unix, the obvious solution if my unverified
> assertions are correct is to remove the root password from the NIS maps.

Sure. In my case, there are separate master.passwd and group files in the
/var/yp directory. All regular user accounts (typically with uid=1000)
reside here. Same for groups. In the local /etc/master.passwd reside only
system accounts and some accounts for applications.

This works for 4.x, 5.x, 6.x without problems. I even have Linux clients
authorising against FreeBSD NIS servers. (Some modifications to
/var/yp/Makefile needed).

So, from interoperability and security points of view, it is much better
to separate system accounts and keep them locally.

--
Sincerely yours,
Artyom Viklenko.
---
[EMAIL PROTECTED] | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve - http://www.freebsd.org
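Two points in the thread are easy to misread without seeing the lookup order spelled out: Proto's observation that a '+' line placed above the local root entry lets the NIS copy of root win under 'passwd: compat', and Gerrit's check of whether root is exported in the NIS passwd map at all. The following is an added example, not code from the thread; it is a small model of how passwd lookups are resolved under the two nsswitch.conf styles discussed ('compat' with 'passwd_compat: nis', and a plain 'files nis' source list), run against constructed master.passwd lines and a constructed NIS map. The hash strings and account names are placeholders.

```python
# Added example: a model of nsswitch.conf passwd lookup order, not FreeBSD's
# libc. Demonstrates why a '+' line above root hands root to NIS in compat
# mode, and how to check whether root is exported in the NIS map at all.

# Constructed local /etc/master.passwd with the '+' line ABOVE root.
LOCAL_PLUS_FIRST = [
    "+:*:::::::::",  # compat: splice in every NIS account at this point
    "root:$6$LOCALHASH:0:0::0:0:Charlie &:/root:/bin/sh",  # placeholder hash
]
# Same file with the '+' line at the end, the usual placement.
LOCAL_PLUS_LAST = list(reversed(LOCAL_PLUS_FIRST))

# Constructed NIS passwd map as 'ypcat passwd' would show it; root is exported.
NIS_MAP = [
    "root:$6$MASTERHASH:0:0::0:0:Charlie &:/root:/bin/sh",  # placeholder hash
    "mark:$6$MARKHASH:1001:1001::0:0:Mark:/home/mark:/bin/sh",
]


def parse(lines):
    """Split passwd-style lines into (name, fields) pairs."""
    return [(line.split(":")[0], line.split(":")) for line in lines]


def lookup_compat(user, local, nis):
    """'passwd: compat' with 'passwd_compat: nis': walk the local file in
    order; a '+' line splices the whole NIS map in at that position and a
    '+name' line splices one account. First match wins."""
    for name, fields in parse(local):
        if name == "+" or name == "+" + user:
            for nis_name, nis_fields in parse(nis):
                if nis_name == user:
                    return "nis", nis_fields
        elif name == user:
            return "files", fields
    return None, None


def lookup_sources(user, local, nis, order):
    """'passwd: files nis' style: consult each source in the listed order;
    '+' lines in the local file are not special here."""
    for source in order:
        entries = parse(local if source == "files" else nis)
        for name, fields in entries:
            if name == user and not name.startswith("+"):
                return source, fields
    return None, None


def root_exported(nis):
    """Gerrit's check: does the NIS passwd map carry a root entry?"""
    return any(name == "root" for name, _ in parse(nis))


if __name__ == "__main__":
    for label, local in (("+ first", LOCAL_PLUS_FIRST), ("+ last", LOCAL_PLUS_LAST)):
        src, fields = lookup_compat("root", local, NIS_MAP)
        print(f"compat, {label}: root comes from {src}, hash {fields[1]}")
    src, _ = lookup_sources("root", LOCAL_PLUS_FIRST, NIS_MAP, ["files", "nis"])
    print(f"files nis: root comes from {src}")
    print("root exported in NIS map:", root_exported(NIS_MAP))
```

Removing root from the exported map, as Gerrit suggested, makes the lookup order irrelevant for root: `lookup_compat` then falls through the '+' line and finds only the local entry.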