solaris 9, NIS, passwd.adjunct break passwd cmd

Post by Martin Pau » Sat, 20 Jul 2002 22:05:34



I'm running a NIS server under Solaris 9, using the passwd.adjunct
map (c2secure). When logged in on a client running Solaris 9 which
uses this NIS server, it's not possible to change the user's password:

  % passwd
  passwd: Changing password for tst
  Enter existing login password: <Enter correct password here>
  passwd: Sorry, wrong passwd
  Permission denied

When changing the server to use passwd/shadow for the passwd map
instead, it works.

The same setup works when the client is running Solaris 8.

Here's some snoop output for both the Solaris 8 and Solaris 9 client.
The traffic occurs before the user even types his old password:

sol8:
        clnt -> srv          NIS C MATCH tst in passwd.byname
         srv -> clnt         NIS R MATCH OK
        clnt -> srv          NIS C MATCH tst in passwd.adjunct.byname
         srv -> clnt         NIS R MATCH OK
sol9:
        clnt -> srv          NIS C MASTER map passwd.byname in par.test
         srv -> clnt         NIS R MASTER OK peer=srv
        clnt -> srv          NIS C MATCH tst in passwd.byname
         srv -> clnt         NIS R MATCH OK

The Solaris 9 client doesn't ever request the passwd.adjunct map.

This leads to two bug reports on sunsolve, which describe a similar
behaviour (for login, not for passwd):

  4703750 "Login incorrect" in a nis C2security env on Solaris 9 client
  4670947 logins failing when NIS is backend for authentication

They propose a change to /etc/pam.conf to fix the problem. A similar
change for the passwd service in pam.conf fixed my problem, too:

Change:
    passwd auth required           pam_passwd_auth.so.1
to
    passwd auth required           pam_unix.so.1

I'm reluctant to keep this change in production without really
knowing about the impact this could have on other things. Ideas,
anyone?

The real problem is probably hidden in the pam modules themselves,
anyway. If anybody has information/experiences/etc. with this
problem, I'd be happy to hear about it.

mp.
--
                         Martin Paul | Systems Administrator

       University of Vienna, Austria | http://www.par.univie.ac.at/
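
The comparison of the two snoop traces above, as an added example that is not part of the original posts: it lists every key a client matched in passwd.byname without also requesting it from passwd.adjunct.byname. The helper name adjunct_gaps and the variable names are made up for the example; the embedded traces are the lines quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread. adjunct_gaps is a made-up helper name.
# Reads snoop summary lines on stdin and prints every key that a client
# matched in passwd.byname but never requested from passwd.adjunct.byname.
adjunct_gaps() {
    awk '
    {
        # Find "NIS C MATCH <key> in <map>"; replies ("NIS R ...") and
        # other calls such as MASTER carry no key and are skipped.
        for (i = 1; i <= NF - 5; i++) {
            if ($i != "NIS" || $(i+1) != "C" || $(i+2) != "MATCH") continue
            if ($(i+4) != "in") continue
            key = $(i+3); map = $(i+5)
            if (map == "passwd.byname" && !(key in seen)) {
                seen[key] = 1
                order[++n] = key
            }
            if (map == "passwd.adjunct.byname") adjunct[key] = 1
        }
    }
    END {
        for (j = 1; j <= n; j++)
            if (!(order[j] in adjunct)) print order[j]
    }'
}

# The two traces quoted in the post, embedded so the check runs offline.
SOL8_TRACE='clnt -> srv          NIS C MATCH tst in passwd.byname
 srv -> clnt         NIS R MATCH OK
clnt -> srv          NIS C MATCH tst in passwd.adjunct.byname
 srv -> clnt         NIS R MATCH OK'

SOL9_TRACE='clnt -> srv          NIS C MASTER map passwd.byname in par.test
 srv -> clnt         NIS R MASTER OK peer=srv
clnt -> srv          NIS C MATCH tst in passwd.byname
 srv -> clnt         NIS R MATCH OK'

for name in SOL8_TRACE SOL9_TRACE; do
    eval "trace=\$$name"
    missing=$(printf '%s\n' "$trace" | adjunct_gaps)
    echo "$name: ${missing:-no keys} missing a passwd.adjunct.byname lookup"
done
```
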

 
 
 

Post by Casper H.S. Di » Sat, 20 Jul 2002 22:36:56



>The Solaris 9 client doesn't ever request the passwd.adjunct map.

It's a known regression in Solaris 9; we're fixing it.

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

 
 
 

1. NIS passwd.adjunct and Solaris

We are running a network of some 50 Sun workstations. Almost all of these
are running SunOS 4.1.3. We have a very small number running Solaris 2.3.
As such we are using NIS rather than NIS+. We are considering installing C2
security on the 4.x machines. This would mean all login passwords would
now be in passwd.adjunct, as opposed to the shadow file of NIS+. We have
not been able to find anywhere in the documentation if the Solaris machines
can cope with this. Can anybody out there tell us?
--
Pat Macdonald, Computer Services, University of Manitoba
Phone: (204) 474-9870                FAX: (204) 275-5420
