*BSD News Article 58089


Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!nntp.coast.net!chi-news.cic.net!newsfeed.internetmci.com!news.msfc.nasa.gov!sol.ctr.columbia.edu!startide.ctr.columbia.edu!wpaul
From: wpaul@ctr.columbia.edu (Bill Paul)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: NIS like SUNOS ?
Date: 25 Dec 1995 17:35:56 GMT
Organization: Columbia University Center for Telecommunications Research
Lines: 106
Message-ID: <4bmnds$ini@sol.ctr.columbia.edu>
References: <4bfi0f$955@calweb.calweb.com> <4bkp47$kg@sol.ctr.columbia.edu> <4bmk6e$6l@downbelow.pell.chi.il.us>
NNTP-Posting-Host: startide.ctr.columbia.edu
X-Newsreader: TIN [version 1.2 PL2]

Daring to challenge the will of the almighty Leviam00se,
Orc (orc@pell.chi.il.us) had the courage to say:

: In article <4bkp47$kg@sol.ctr.columbia.edu>,
: Bill Paul <wpaul@ctr.columbia.edu> wrote:
: >Daring to challenge the will of the almighty Leviam00se, Chris Hancock
: >(ochanco@calweb.com) had the courage to say:
: >
: >:  I'm looking to get NIS working on a group of FreeBSD PC's.

: >FreeBSD's NIS client facilities are very similar to what you get with
: >SunOS, with one exception: FreeBSD tries to use master.passwd.byname
: >and master.passwd.byuid maps for a limited form of shadow password
: >support through NIS. It works best when used in conjunction with a
: >FreeBSD NIS server. If your server doesn't have these maps, FreeBSD will
: >use the standard passwd.byname and passwd.byuid maps instead. (You
: >don't have to configure anything for this: it selects the right maps
: >automagically.)


:    Hmm.  Are there any special hoops that have to be leapt through
: to convince the system to use passwd.by* for normal name lookups?

No, you just have to avoid one of the silly configuration errors
that I'm going to tell you about below. :) The getpwent(3) routines
will attempt to do a yp_first() on the master.passwd.byname map (in
2.0.5 it was yp_order() -- this turned out to be a mistake because
Solaris 2.x in NIS compat mode doesn't support YPPROC_ORDER). If
the yp_first() fails, it defaults over to using passwd.byname and
passwd.byuid instead.

: I'm trying to integrate 2.0.5 into my network, which uses a Linux
: box for the server, and I can get ypbind to talk to my yp domain,
: I can get ypcat to spit out passwd.by* (I don't have shadow
: passwords here), but I can't for the life of me get getpwby*() to
: actually get at the yellow pages when I try to log in.

The 2.0.5 man pages don't really contain the secret, but the 2.1.0
ones do. The basic steps are:

1) set up your domain name and have ypbind run at startup -- you've
   already done this.

2) Add +::::::::: to the end of /etc/master.passwd using the vipw
   program. Important points:

   - I said edit /etc/master.passwd, not /etc/passwd.

   - You _MUST_ use vipw to do this. If you use another editor
     (emacs, joe, pico, whatever...), you must understand what
     pwd_mkdb does and remember to RUN IT AFTER YOU EDIT THE
     PASSWORD DATABASE. If you don't use pwd_mkdb (vipw runs it for
     you automatically) then your changes will not be propagated
     to /etc/spwd.db and /etc/pwd.db, which is where the getpwent(3)
     functions really go to look up password information.

   - I said +:::::::::. Not +:*::::::::, not +::0:0::::::, and
     not +:*:0:0::::::. FreeBSD allows you to remap _all_ of the
     fields in an NIS password entry. So if you put a * in the
     password field in the magic '+' entry, you'll make everybody's
     password a '*' and thereby prevent everybody from logging in.
     Putting '0' in the UID field makes everybody root, which will
     prevent them from logging in over the network since root logins
     are only allowed from the console.

   - Note the nine colons. The /etc/master.passwd file has ten total
     fields, and pwd_mkdb enforces this: if you try to use less than
     nine colons, it'll complain that the entry is invalid.

3) Add a + to the end of /etc/group. Avoid using +::: -- there was a
   bug in 2.0.5 that caused NULL pointer dereferences inside getgrent.c
   if you had three colons. This is fixed in 2.1.0.

That's it. The most common mistake people make is to use +:*::::::::
instead of +::::::::: in /etc/master.passwd. (BTW: I think people may
be doing this because of a bug in one of the Linux distributions (which
I'm sure has been fixed by now) that allowed people to log in as user
'+' with no password; apparently the +:::::: entry was being interpreted
as a real password entry. The workaround for this was to put a '*'
in the password field (+:*:::::) so that logins for user '+' would be
denied. FreeBSD parses the magic '+' entries differently and never
suffered from this bug, so it's safe to leave the password field empty.)

:                  ____
:    david parsons \bi/ unfortunately, the manpages haven't been helpful, and
:                   \/ from looking at the sources to libc, I think I'm doing
: 		      everything right, so I'm officially lost and confused.

The best thing to do in this case is to write a small program that
actually calls getpwent() (or getpwnam() or getpwuid()) and see
what it returns as a result. When you finally see what it's doing,
it makes configuration errors a bit easier to spot.

Hope this helps.

-Bill

--
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
License error: The license for this .sig file has expired. You must obtain
a new license key before any more witty phrases will appear in this space.
=============================================================================
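
The following is an added example, not part of the original post or of FreeBSD: a small C lint for the magic '+' line described in step 2, which flags the wrong colon count and the password/UID/GID overrides the post warns about. The function name check_plus_entry and the flag names are hypothetical, and the sample lines are constructed from the cases listed in the post; when given a user name argument it also prints what getpwnam() returns, as the post suggests.

```c
/* Added example: lint for the magic '+' line in /etc/master.passwd. */
#include <pwd.h>
#include <stdio.h>

enum {                       /* hypothetical flag names */
    PLUS_NOT_PLUS  = 1 << 0, /* line does not start with '+' */
    PLUS_BAD_COUNT = 1 << 1, /* not nine colons (ten fields) */
    PLUS_PW_SET    = 1 << 2, /* password overridden, e.g. '*' locks everyone out */
    PLUS_UID_SET   = 1 << 3, /* UID overridden, e.g. 0 makes everybody root */
    PLUS_GID_SET   = 1 << 4  /* GID overridden */
};

/* Returns 0 for a clean '+' entry, otherwise a mask of the flags above. */
int check_plus_entry(const char *line)
{
    int flags = 0, field = 0;
    size_t len = 0; /* length of the field being scanned */
    const char *p;

    if (line[0] != '+')
        return PLUS_NOT_PLUS;
    for (p = line; ; p++) {
        if (*p != ':' && *p != '\0' && *p != '\n') {
            len++;
            continue;
        }
        /* End of a field: fields 1, 2, 3 are password, UID, GID. */
        if (len > 0 && field == 1) flags |= PLUS_PW_SET;
        if (len > 0 && field == 2) flags |= PLUS_UID_SET;
        if (len > 0 && field == 3) flags |= PLUS_GID_SET;
        if (*p != ':')
            break;
        field++;
        len = 0;
    }
    return field == 9 ? flags : flags | PLUS_BAD_COUNT;
}

int main(int argc, char **argv)
{
    /* Constructed sample lines, taken from the cases the post lists. */
    const char *samples[] = { "+:::::::::", "+:*::::::::", "+::0:0::::::", "+::::::" };
    struct passwd *pw;
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-14s flags=0x%02x\n", samples[i], (unsigned)check_plus_entry(samples[i]));
    /* With a user name argument, show what getpwnam() actually returns. */
    if (argc > 1 && (pw = getpwnam(argv[1])) != NULL)
        printf("%s uid=%ld gid=%ld shell=%s\n", pw->pw_name,
               (long)pw->pw_uid, (long)pw->pw_gid, pw->pw_shell);
    return 0;
}
```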