Linux nis client with solaris nis server in C2 security mode

Post by Carlton Roy DAVI » Fri, 16 Apr 1999 04:00:00



Hello,

I have a solaris nis server running in C2 security mode: we need the C2
security mode in order to prevent ypcat and ypmatch from showing
the encrypted passwords. I set up a linux machine with shadow enabled as a
nis client. Ypcat and ypmatch do not show the encrypted passwords;
however, the problem is that the linux client hasn't been able to
authenticate users using the password map on the nis server. I tried

and "+" at the end of the shadow and group files: This works when the C2
security mode on the nis server is disabled but it doesn't work when the
C2 mode is enabled.

Does anyone out there know what I need to do to allow the shadowed linux
nis client to authenticate users using the password map on the solaris nis
server running in C2 security mode? Any feedback will be much appreciated.


Thanks,

-Carlton

 
 
 

Post by Peter Ben » Fri, 16 Apr 1999 04:00:00




Quote:

>I set up a linux machine with shadow enabled as a nis client. Ypcat
>and ypmatch do not show the encrypted passwords; however, the problem
>is that the linux client hasn't been able to authenticate users
>using the password map on the nis server.

If you are running a RedHat system, the chances are that you are using
libpwdb. While some of the ideas and the motivation behind pwdb are
good, the design is poor and the implementation is hopeless. When I
made our Linux and Solaris machines work together, I chose to try and
debug pwdb. I regret that decision; there are parts of the code that
could not have ever worked and so have never been tested, and the code
isn't finished anyway. The following should explain why you can't log in.

    strings /lib/libpwdb.so | grep '\(shadow\.byname\|passwd\.adjunct\)' | wc -l
          0

Edit /etc/pam.d/* and use pam_unix rather than pam_pwdb. You should
then be using the password functions in glibc which understand
passwd.adjunct and shadow.byname. passwd.adjunct is handled by
fiddling the result of getpw*, whereas shadow.byname is handled by
getspnam. Pick whichever takes your fancy. If you believe in password
aging, you might have a slight preference for shadow.byname, but don't
rely on it for expiring accounts unless you use pam on _all_ methods
by which users start new sessions. (Compare 'ldd /usr/sbin/crond' on a
RedHat machine and a Solaris machine and spot the missing library.)

I replaced the password program with 'ssh -t master_host passwd'. (You
don't want to use yppasswdd if you care about password file locking.)

Finally, I patched my libc to use netid.byname for initgroups(),
rather than reading the entire group.byname map - one line at a time.
That was for libc5 - glibc2 is still broken in this respect but the
code is _much_ cleaner so it should be easy to fix. If you have
few entries in the groups map and you don't start atrun from cron, you
might not care to fix this.

If you have any choice in the matter, don't touch nis with a barge-pole.

Peter
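
Added example, not part of Peter's post: a small C check of what glibc's getpwnam() and getspnam() return for one login, which is what pam_unix works from, classifying each password field without printing it. It assumes the C2-mode server leaves a "##login" placeholder in passwd.byname; the function and enum names are this example's own.

```c
/* Added diagnostic, not from the thread; names below are hypothetical. */
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>

enum pw_kind { PW_EMPTY, PW_ADJUNCT_MARKER, PW_SHADOW_MARKER, PW_LOCKED, PW_HASH };

static const char *const pw_kind_name[] = {
    "empty", "## marker (hash is in passwd.adjunct)",
    "x marker (hash is in shadow)", "locked or unavailable", "hash present" };

/* Classify a password field from getpwnam()/getspnam() without printing it. */
enum pw_kind classify_pw_field(const char *field)
{
    if (field == NULL || field[0] == '\0')
        return PW_EMPTY;
    if (strncmp(field, "##", 2) == 0)   /* assumed C2 placeholder in passwd.byname */
        return PW_ADJUNCT_MARKER;
    if (strcmp(field, "x") == 0)        /* local shadow placeholder */
        return PW_SHADOW_MARKER;
    if (field[0] == '*' || field[0] == '!')
        return PW_LOCKED;
    return PW_HASH;
}

/* Authentication can work only if one of the two lookups yields a hash. */
int hash_reachable(const char *pw_field, const char *sp_field)
{
    return classify_pw_field(pw_field) == PW_HASH ||
           classify_pw_field(sp_field) == PW_HASH;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s login   (run as root)\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    struct spwd *sp = getspnam(argv[1]);   /* NULL unless caller may read shadow */
    if (pw == NULL) {
        fprintf(stderr, "%s: no passwd entry via NSS\n", argv[1]);
        return 1;
    }
    printf("getpwnam: %s\n", pw_kind_name[classify_pw_field(pw->pw_passwd)]);
    printf("getspnam: %s\n", sp ? pw_kind_name[classify_pw_field(sp->sp_pwdp)] : "no entry");
    return hash_reachable(pw->pw_passwd, sp ? sp->sp_pwdp : NULL) ? 0 : 1;
}
```

If getpwnam still reports the ## marker and getspnam has no entry when run as root, neither passwd.adjunct nor shadow.byname is being resolved for that login.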

 
 
 

1. (DU4.0 C2 + NIS Server) + (Solaris 2.5.1 NIS client) How do they work ?

  Hello

  I want to set up an AS1200 running Digital Unix 4.0B as a NIS
server with enhanced security (C2) option and a Solaris 2.5.1(2.6)
as a NIS client member.

   In a usual setting of C2 and NIS on Digital Unix 4.0B, the NIS
passwd map does not contain the valid encrypted password in a
second field, while the encrypted password is stored in the
prpasswd (ndbm protected password) map.  In this situation, the
Solaris 2.5.1  NIS client does not recognize the NIS passwd &
prpasswd maps correctly (although "ypcat passwd" and "ypcat
prpasswd"  seem to work correctly on Solaris 2.5.1) and login to
Solaris 2.5.1 using NIS account of Digital Unix is unavailable.

   Is there any way to configure the NIS server of Digital Unix
4.0B with enhanced security (C2) option, where the Solaris 2.5.1
works as NIS client member ?

   Thank you in advance for your suggestions.


        (please remove ".nspm" from my From: field)
