Very Computer

Help!

I'm a sys admin (6 years) with Sun OS 4.1.x just migrating to Solaris 2.5
and trying to usr NIS+.  The problem is that I'm not clear on adding
users to the NIS+ system and changing passwords seems not to work
correctly.  I've read the documentation, but have yet to come across
anything that explains the procedure adequately.  I get error about the
new password not decoding, secret keys not decrypting, etc.

I'd also like to know, when replicating the NIS+ server, do I want to do
a root replica? or what?  Root replica seems to only copy the root files.
 I expected the root replica to copy the whole NIS+ database.

Basically the system seems to work otherwise, machines are talking to
each other, etc.

I've not been able to get any help from our support provider.
Exasperating!

Thanks in advance.

Garrett Curtis
Lehr Precision Inc.
513-489-9800 x109

You need two things:

        All About Administering NIS+ by Ramsey
and
        NIS+ FAQ:
        http://www.eng.auburn.edu/users/rayh/solaris/NIS+_FAQ.html

If you have other questions let me know and I will try to help.

        -- Ray

Yep,

Your problem is that the local passwd file is still the default. However,
if you remove the acocunts from it (or presumably stick as the second
source), then you must reset all the user passwords (and then synch with
the network password). However, after this it works. Note, though that
this might*up your email for a while, and you have to unsecure your
system until all the users change their new passwords.

  It sucks - I must have spent $100 on related books, and the whole user
management idea is appalling badly documented.

o  For example, root & daemon accounts must stay on the passwd file...
  But nowhere is the default config described.

o  Also there is no way to deny a user access to a machine in a particular
domain.

o Oh and also there is little discussion of how to manage a NIS+ island in
an existing DNS based organisation.

  Sun is next to useless for support as well.

   My 5 cents worth...

   Winton

Quote:>Your problem is that the local passwd file is still the default.

Quote:>However, if you remove the acocunts from it

Quote:> (or presumably stick as the second source),

Quote:> then you must reset all the user passwords (and then synch with
>the network password).

Quote:>However, after this it works. Note, though that
>this might*up your email for a while, and you have to unsecure your
>system until all the users change their new passwords.

Quote:>  It sucks - I must have spent $100 on related books, and the whole user
>management idea is appalling badly documented.

Quote:>o  For example, root & daemon accounts must stay on the passwd file...
>  But nowhere is the default config described.

Quote:>o  Also there is no way to deny a user access to a machine in a particular
>domain.

Quote:>o Oh and also there is little discussion of how to manage a NIS+ island in
>an existing DNS based organisation.

Quote:>  Sun is next to useless for support as well.

Willi

I> >Your problem is that the local passwd file is still the default.

Quote:

> It's easy to change. Just edit /etc/nsswitch.conf. But why is this
> default a problem?

Quote:> >However, if you remove the acocunts from it
>> a client /etc/passwd only holds system accounts. The are necessary
during system
> startup. NEVER remove them.

Quote:> > then you must reset all the user passwords (and then synch with
> >the network password).

> Why? User login information should only be in NIS+ databases.

Quote:> >However, after this it works. Note, though that
> >this might*up your email for a while, and you have to unsecure your
> >system until all the users change their new passwords.

Quote:> >  It sucks - I must have spent $100 on related books, and the whole user
> >management idea is appalling badly documented.
> Did you really read the manuals?

Quote:> >o  Also there is no way to deny a user access to a machine in a particular
> >domain.

> Try reading the man page of nsswitch.conf. Look for 'Interaction with

 One has to switch back to NIS compat mode - which seems a bit retrograde
- not too mention perhaps unlikely on 2.5 systems that require the
installation of a seperate NIS Tranistion kit.

Quote:> >o Oh and also there is little discussion of how to manage a NIS+ island in
> >an existing DNS based organisation.

> NIS+ works without problems in DNS based organisation. NIS+ domains don't have
> to match DNS domains.

Cheers,
  Winton

Quote:>I> >Your problem is that the local passwd file is still the default.

>> It's easy to change. Just edit /etc/nsswitch.conf. But why is this
>> default a problem?
>Because existing users get their passwords out of synch. I tried, and
>found that changing password by the user didnot get reflected centrally,
>and the synched passwords were unsynched.

[...]

Quote:>I wasnt suggesting removing them, just the users accounts. The point is I
>couldnt find anywhere to say EXPLICITLY which accounts (other than root)
>should be left local.

Quote:>> > then you must reset all the user passwords (and then synch with
>> >the network password).

>> Why? User login information should only be in NIS+ databases.
>Not if you have passwd: files nisplus.

Quote:>> >However, after this it works. Note, though that
>> >this might*up your email for a while, and you have to unsecure your
>> >system until all the users change their new passwords.
>Of course one can change every account to have a hard to crack passwd...

[...]

Quote:>> >o  Also there is no way to deny a user access to a machine in a particular
>> >domain.

>> Try reading the man page of nsswitch.conf. Look for 'Interaction with
>+/- syntax'
> One has to switch back to NIS compat mode - which seems a bit retrograde
>- not too mention perhaps unlikely on 2.5 systems that require the
>installation of a seperate NIS Tranistion kit.

Here what I'm using for some machines:

/etc/nsswitch.conf:

...
passwd:         compat
passwd_compat:  nisplus
group:          files nisplus
...

/etc/passwd

root:x:0:1:root:/:/sbin/sh
[all this mysterious accounts]
wib:x:90:14:Willi Burmeister:/home/wib:/bin/ksh
+:x:60002:60002:::/bin/false

This gives me access and looked out all other

[...]

Quote:>The point is, that it is *NOT DOCUMENTED* explicitly. I'm sure if you take
>a bunch of machines out of their boxes, or maybe even an existing set of
>NIS machines, then the transition works. My experience, is that it less
>well documented for a bunch of workstations with pre-existing users using
>DNS.

Willi

If a passwd entry is not in /etc/passwd, how can it get out of synch?

73, Mario
--

Institut fuer Robotik und Prozessinformatik der TU Braunschweig
Hamburger Strasse 267, 38114 Braunschweig, Germany

Hi !

  Thanks both of you for replying again!

   Yes, I am a novice at Unix Sys Admin (not a career I hope to pursue :))
Perhaps NIS+ is not something a Novice admin should play with :)

  I think you both correctly identified the source of the problem:

*  Dealing with existing _user_ entries in the passwd file.

   It does seem (according to Mario) that the expectation of the documentation
  is a * machine.

   Perhaps someone could provide a walkthrough of dealing with existing users.

This was my sorry attempt:

 (i)   I populated the org_dir from passwd.
 (ii)  I then found (with security at 0), that it was awkward to
       get the user password and secure-RPC/nispasswd to synch.
 (iii) I then deleted a test case from the passwd file, but then
       I had to mess around (I forget what I did) (using chkey, nispasswd)
       to get things set up for this user. It was so yucky that I had to
        back off from doing this from all accounts.

  Thanks,
   Winton

Quote:> (ii)  I then found (with security at 0), that it was awkward to
>       get the user password and secure-RPC/nispasswd to synch.
> (iii) I then deleted a test case from the passwd file, but then
>       I had to mess around (I forget what I did) (using chkey, nispasswd)
>       to get things set up for this user. It was so yucky that I had to
>        back off from doing this from all accounts.

I see no other sollution to this problem and they both require some
help from the users.

For all new users, I create a passwd entry and the cred entries at the
same time. Once the passwd and the RPC passwd are in sync, nispasswd
keeps them in sync (when called by a normal user).

73, Mario
--

Institut fuer Robotik und Prozessinformatik der TU Braunschweig
Hamburger Strasse 267, 38114 Braunschweig, Germany

It allows Users to change their password based upon them knowing their old
passwords.  A DES key is generated on the fly (to encrypt the password across
the wire) and even yppasswd is supported (if the Master server is running
in NIS(YP) compat mode, rpc.nispasswdd automatically registers as yppasswdd).

Then the users do not need a Secure RPC credential.

=wpm    William P. Malloy       SunSoft         Networking