Need help with NIS+, adding users, changing passwds, etc.


Post by garrett curti » Sun, 27 Oct 1996 04:00:00



Help!

I'm a sys admin (6 years) with Sun OS 4.1.x just migrating to Solaris 2.5
and trying to use NIS+.  The problem is that I'm not clear on adding
users to the NIS+ system and changing passwords seems not to work
correctly.  I've read the documentation, but have yet to come across
anything that explains the procedure adequately.  I get errors about the
new password not decoding, secret keys not decrypting, etc.

I'd also like to know, when replicating the NIS+ server, do I want to do
a root replica? or what?  Root replica seems to only copy the root files.
 I expected the root replica to copy the whole NIS+ database.

Basically the system seems to work otherwise, machines are talking to
each other, etc.

I've not been able to get any help from our support provider.
Exasperating!

Thanks in advance.

Garrett Curtis
Lehr Precision Inc.
513-489-9800 x109

 
 
 


Post by Ray W. Hiltbran » Tue, 29 Oct 1996 04:00:00


You need two things:

        All About Administering NIS+ by Ramsey
and
        NIS+ FAQ:
        http://www.eng.auburn.edu/users/rayh/solaris/NIS+_FAQ.html

If you have other questions let me know and I will try to help.

        -- Ray


> Help!

> I'm a sys admin (6 years) with Sun OS 4.1.x just migrating to Solaris 2.5
> and trying to use NIS+.

--

Engineering Network Services
Auburn University     http://www.eng.auburn.edu/~rayh/rayh.html
   If it doesn't do what you want, subclass and override.

 
 
 


Post by Winton Davi » Tue, 29 Oct 1996 04:00:00


Yep,

Your problem is that the local passwd file is still the default. However,
if you remove the accounts from it (or presumably stick as the second
source), then you must reset all the user passwords (and then synch with
the network password). However, after this it works. Note, though that
this might*up your email for a while, and you have to unsecure your
system until all the users change their new passwords.

  It sucks - I must have spent $100 on related books, and the whole user
management idea is appallingly badly documented.

o  For example, root & daemon accounts must stay on the passwd file...
  But nowhere is the default config described.

o  Also there is no way to deny a user access to a machine in a particular
domain.

o Oh and also there is little discussion of how to manage a NIS+ island in
an existing DNS based organisation.

  Sun is next to useless for support as well.

   My 5 cents worth...

   Winton

 
 
 


Post by Willi Burmeist » Wed, 30 Oct 1996 04:00:00



> Your problem is that the local passwd file is still the default.

It's easy to change. Just edit /etc/nsswitch.conf. But why is this
default a problem?

> However, if you remove the accounts from it

A client /etc/passwd only holds system accounts. They are necessary during system
startup. NEVER remove them.

> (or presumably stick as the second source),

Why that?

> then you must reset all the user passwords (and then synch with
> the network password).

Why? User login information should only be in NIS+ databases.

> However, after this it works. Note, though that
> this might*up your email for a while, and you have to unsecure your
> system until all the users change their new passwords.

Nonsense.

> It sucks - I must have spent $100 on related books, and the whole user
> management idea is appallingly badly documented.

Did you really read the manuals?

> o  For example, root & daemon accounts must stay on the passwd file...
>   But nowhere is the default config described.

NIS+ is not working during startup. A minimum of system users have to
be there, so everything can be started.

> o  Also there is no way to deny a user access to a machine in a particular
> domain.

Try reading the man page of nsswitch.conf. Look for 'Interaction with +/- syntax'

> o Oh and also there is little discussion of how to manage a NIS+ island in
> an existing DNS based organisation.

NIS+ works without problems in a DNS based organisation. NIS+ domains don't have
to match DNS domains.

> Sun is next to useless for support as well.

That's simply not true. I've been using NIS+ since Solaris 2.2. In those old (NIS+)
days, we had problems with NIS+, and Sun's help was really good.

Willi

 
 
 


Post by Winton Davi » Thu, 31 Oct 1996 04:00:00


> > Your problem is that the local passwd file is still the default.

> It's easy to change. Just edit /etc/nsswitch.conf. But why is this
> default a problem?

Because existing users get their passwords out of synch. I tried, and
found that changing password by the user did not get reflected centrally,
and the synched passwords were unsynched.

> > However, if you remove the accounts from it
> A client /etc/passwd only holds system accounts. They are necessary
> during system startup. NEVER remove them.

I wasn't suggesting removing them, just the users accounts. The point is I
couldn't find anywhere to say EXPLICITLY which accounts (other than root)
should be left local.

> > then you must reset all the user passwords (and then synch with
> > the network password).

> Why? User login information should only be in NIS+ databases.

Not if you have passwd: files nisplus.

> > However, after this it works. Note, though that
> > this might*up your email for a while, and you have to unsecure your
> > system until all the users change their new passwords.

Of course one can change every account to have a hard to crack passwd...

> > It sucks - I must have spent $100 on related books, and the whole user
> > management idea is appallingly badly documented.
> Did you really read the manuals?

  Yes...

> > o  Also there is no way to deny a user access to a machine in a particular
> > domain.

> Try reading the man page of nsswitch.conf. Look for 'Interaction with
> +/- syntax'

 One has to switch back to NIS compat mode - which seems a bit retrograde
- not to mention perhaps unlikely on 2.5 systems that require the
installation of a separate NIS Transition kit.

> > o Oh and also there is little discussion of how to manage a NIS+ island in
> > an existing DNS based organisation.

> NIS+ works without problems in DNS based organisation. NIS+ domains don't have
> to match DNS domains.

The point is, that it is *NOT DOCUMENTED* explicitly. I'm sure if you take
a bunch of machines out of their boxes, or maybe even an existing set of
NIS machines, then the transition works. My experience is that it is less
well documented for a bunch of workstations with pre-existing users using
DNS.

Cheers,
  Winton

 
 
 


Post by Willi Burmeist » Thu, 31 Oct 1996 04:00:00



>> > Your problem is that the local passwd file is still the default.

>> It's easy to change. Just edit /etc/nsswitch.conf. But why is this
>> default a problem?
> Because existing users get their passwords out of synch. I tried, and
> found that changing password by the user did not get reflected centrally,
> and the synched passwords were unsynched.

This never happens here. Maybe your setup (permissions of NIS+
tables) is not correct.

[...]

> I wasn't suggesting removing them, just the users accounts. The point is I
> couldn't find anywhere to say EXPLICITLY which accounts (other than root)
> should be left local.

Install one machine, and just look in the standard /etc/passwd.
But you are right, documentation could be better here. I never
found any hint why 'smtp' has to be there.

>> > then you must reset all the user passwords (and then synch with
>> > the network password).

>> Why? User login information should only be in NIS+ databases.
> Not if you have passwd: files nisplus.

No. I use this on most of our machines, and ALL users are found
ONLY inside NIS+. 'files' are only used for standard system
accounts. This entry means: first check /etc/passwd and if you
don't find the searched name there, look in NIS+ database.

>> > However, after this it works. Note, though that
>> > this might*up your email for a while, and you have to unsecure your
>> > system until all the users change their new passwords.
> Of course one can change every account to have a hard to crack passwd...

I have some problems understanding why you get 'out of sync' with
the users' passwords. We never had such a problem here. Could you
please explain your problem with some more details?

[...]

>> > o  Also there is no way to deny a user access to a machine in a particular
>> > domain.

>> Try reading the man page of nsswitch.conf. Look for 'Interaction with
>> +/- syntax'
> One has to switch back to NIS compat mode - which seems a bit retrograde
> - not to mention perhaps unlikely on 2.5 systems that require the
> installation of a separate NIS Transition kit.

No, no. You don't have to switch to NIS compat mode. You just use
the old NIS syntax for your /etc/passwd. You don't have to install
NIS Transition kit.

Here is what I'm using for some machines:

/etc/nsswitch.conf:

...
passwd:         compat
passwd_compat:  nisplus
group:          files nisplus
...

/etc/passwd

root:x:0:1:root:/:/sbin/sh
[all this mysterious accounts]
wib:x:90:14:Willi Burmeister:/home/wib:/bin/ksh
+:x:60002:60002:::/bin/false

This gives me access and locked out all other

[...]

> The point is, that it is *NOT DOCUMENTED* explicitly. I'm sure if you take
> a bunch of machines out of their boxes, or maybe even an existing set of
> NIS machines, then the transition works. My experience is that it is less
> well documented for a bunch of workstations with pre-existing users using
> DNS.

Ok, you are right. The documentation is not the best in all points.
Maybe a professional is not the best to check a book's usefulness
for beginners :-)

Willi

 
 
 


Post by Mario Klebs » Fri, 01 Nov 1996 04:00:00



>Because existing users get their passwords out of synch. I tried, and
>found that changing password by the user didnot get reflected centrally,
>and the synched passwords were unsynched.

So, you have the password entries of your users doubled, one entry in
/etc/passwd and the other one in org_dir/passwd? I do have almost no
users (except root &co) in /etc/passwd. All our users are stored in
passwd.org_dir.

If a passwd entry is not in /etc/passwd, how can it get out of synch?

73, Mario
--

Institut fuer Robotik und Prozessinformatik der TU Braunschweig
Hamburger Strasse 267, 38114 Braunschweig, Germany

 
 
 


Post by Winton Davi » Sat, 02 Nov 1996 04:00:00


Hi !

  Thanks both of you for replying again!

   Yes, I am a novice at Unix Sys Admin (not a career I hope to pursue :))
Perhaps NIS+ is not something a Novice admin should play with :)

  I think you both correctly identified the source of the problem:

*  Dealing with existing _user_ entries in the passwd file.

   It does seem (according to Mario) that the expectation of the documentation
  is a * machine.

   Perhaps someone could provide a walkthrough of dealing with existing users.

This was my sorry attempt:

 (i)   I populated the org_dir from passwd.
 (ii)  I then found (with security at 0), that it was awkward to
       get the user password and secure-RPC/nispasswd to synch.
 (iii) I then deleted a test case from the passwd file, but then
       I had to mess around (I forget what I did) (using chkey, nispasswd)
       to get things set up for this user. It was so yucky that I had to
        back off from doing this from all accounts.

  Thanks,
   Winton

 
 
 


Post by Mario Klebs » Tue, 05 Nov 1996 04:00:00



>   Perhaps someone could provide a walkthrough of dealing with existing users.

>This was my sorry attempt:
> (i)   I populated the org_dir from passwd.

Yes, this is what to do. But this does not populate
cred.org_dir. :-(. When I switched to NIS+, I did only create
credentials for myself and my fellow sysop and for all our
machines. This worked fine for everyone; the only exception was that
no one was able to change his password. When they came to me, I added
their credentials and then they were able to use nispasswd and changed
their passwd and their RPC passwd to a new one.

> (ii)  I then found (with security at 0), that it was awkward to
>       get the user password and secure-RPC/nispasswd to synch.
> (iii) I then deleted a test case from the passwd file, but then
>       I had to mess around (I forget what I did) (using chkey, nispasswd)
>       to get things set up for this user. It was so yucky that I had to
>        back off from doing this from all accounts.

Another solution may be to give every user a "default RPC password"
and the instructions to do a keylogin and a chkey (or nispasswd).

I see no other solution to this problem and they both require some
help from the users.

For all new users, I create a passwd entry and the cred entries at the
same time. Once the passwd and the RPC passwd are in sync, nispasswd
keeps them in sync (when called by a normal user).

73, Mario
--

Institut fuer Robotik und Prozessinformatik der TU Braunschweig
Hamburger Strasse 267, 38114 Braunschweig, Germany
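
Added example, not part of the original posts: the post above notes that populating passwd.org_dir does not populate cred.org_dir, and that users without credentials could not change their passwords. This script lists such users from text dumps of the two tables; the column layouts, the MIN_UID cutoff and the example.com sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list passwd-table users with no DES (Secure RPC) credential.
# Assumed dump layouts (colon-separated, as from niscat on each table):
#   passwd.org_dir  name:passwd:uid:gid:gecos:home:shell:shadow
#   cred.org_dir    cname:auth_type:auth_name:public_data:private_data

# users_missing_des PASSWD_DUMP CRED_DUMP [MIN_UID]
# Prints login names (sorted) whose UID has no DES row. MIN_UID (default 100,
# an assumption) skips the system accounts that live in local /etc/passwd.
users_missing_des() {
    awk -F: -v min="${3:-100}" '
        pass == 1 {
            # User DES rows use the netname unix.<uid>@<domain>; host rows
            # use unix.<hostname>@<domain> and are skipped by the digit test.
            if ($2 == "DES" && $3 ~ /^unix\.[0-9]+@/ && $4 != "") {
                uid = $3; sub(/^unix\./, "", uid); sub(/@.*$/, "", uid)
                des[uid] = 1
            }
            next
        }
        $3 ~ /^[0-9]+$/ && $3 + 0 >= min && !($3 in des) { print $1 }
    ' pass=1 "$2" pass=2 "$1" | sort
}

# Constructed sample dumps (not real data; key fields are placeholders).
write_samples() {
    cat > "$1/passwd.dump" <<'EOF'
root:*NP*:0:1:Super-User:/:/sbin/sh:
alice:*NP*:1001:10:Alice:/home/alice:/bin/ksh:9800::::::
bob:*NP*:1002:10:Bob:/home/bob:/bin/ksh:9800::::::
carol:*NP*:1003:10:Carol:/home/carol:/bin/ksh:9800::::::
EOF
    cat > "$1/cred.dump" <<'EOF'
alice.example.com.:LOCAL:1001:10:
alice.example.com.:DES:unix.1001@example.com:PUBLIC-KEY-PLACEHOLDER:PRIVATE-KEY-PLACEHOLDER
bob.example.com.:LOCAL:1002:10:
host1.example.com.:DES:unix.host1@example.com:PUBLIC-KEY-PLACEHOLDER:PRIVATE-KEY-PLACEHOLDER
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
users_missing_des "$tmp/passwd.dump" "$tmp/cred.dump"   # bob and carol
rm -rf "$tmp"
```

An empty cred dump is handled as "nobody has credentials", which is the state right after populating only the passwd table.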

 
 
 


Post by William Mall » Thu, 07 Nov 1996 04:00:00





>>   Perhaps someone could provide a walkthrough of dealing with existing users.

>>This was my sorry attempt:

>> (i)   I populated the org_dir from passwd.

>Yes, this is what to do. But this does not populate
>cred.org_dir. :-(. When I switched to NIS+, I did only create
>credentials for myself and my fellow sysop and for all our
>machines. This worked fine for everyone; the only exception was that
>no one was able to change his password. When they came to me, I added
>their credentials and then they were able to use nispasswd and changed
>their passwd and their RPC passwd to a new one.

>> (ii)  I then found (with security at 0), that it was awkward to
>>       get the user password and secure-RPC/nispasswd to synch.
>> (iii) I then deleted a test case from the passwd file, but then
>>       I had to mess around (I forget what I did) (using chkey, nispasswd)
>>       to get things set up for this user. It was so yucky that I had to
>>        back off from doing this from all accounts.

>Another solution may be to give every user a "default RPC password"
>and the instructions to do a keylogin and a chkey (or nispasswd).

>I see no other solution to this problem and they both require some
>help from the users.

>For all new users, I create a passwd entry and the cred entries at the
>same time. Once the passwd and the RPC passwd are in sync, nispasswd
>keeps them in sync (when called by a normal user).

Another solution (so long as the Master server and all the clients are running
Solaris 2.5 and later) is the NIS+ Password Daemon /usr/sbin/rpc.nispasswdd.

It allows Users to change their password based upon them knowing their old
passwords.  A DES key is generated on the fly (to encrypt the password across
the wire) and even yppasswd is supported (if the Master server is running
in NIS(YP) compat mode, rpc.nispasswdd automatically registers as yppasswdd).

Then the users do not need a Secure RPC credential.

=wpm    William P. Malloy       SunSoft         Networking

 
 
 
