Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!nntp.coast.net!chi-news.cic.net!newsfeed.internetmci.com!news.msfc.nasa.gov!sol.ctr.columbia.edu!startide.ctr.columbia.edu!wpaul
From: wpaul@ctr.columbia.edu (Bill Paul)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: NIS like SUNOS ?
Date: 25 Dec 1995 17:35:56 GMT
Organization: Columbia University Center for Telecommunications Research
Lines: 106
Message-ID: <4bmnds$ini@sol.ctr.columbia.edu>
References: <4bfi0f$955@calweb.calweb.com> <4bkp47$kg@sol.ctr.columbia.edu> <4bmk6e$6l@downbelow.pell.chi.il.us>
NNTP-Posting-Host: startide.ctr.columbia.edu
X-Newsreader: TIN [version 1.2 PL2]

Daring to challenge the will of the almighty Leviam00se, Orc
(orc@pell.chi.il.us) had the courage to say:
: In article <4bkp47$kg@sol.ctr.columbia.edu>,
: Bill Paul <wpaul@ctr.columbia.edu> wrote:
: >Daring to challenge the will of the almighty Leviam00se, Chris Hancock
: >(ochanco@calweb.com) had the courage to say:
: >
: >: I'm looking to get NIS working on a group of FreeBSD PC's.

: >FreeBSD's NIS client facilities are very similar to what you get with
: >SunOS, with one exception: FreeBSD tries to use master.passwd.byname
: >and master.passwd.byuid maps for a limited form of shadow password
: >support through NIS. It works best when used in conjunction with a
: >FreeBSD NIS server. If your server doesn't have these maps, FreeBSD will
: >use the standard passwd.byname and passwd.byuid maps instead. (You
: >don't have to configure anything for this: it selects the right maps
: >automagically.)

: Hmm. Are there any special hoops that have to be leapt through
: to convince the system to use passwd.by* for normal name lookups?

No, you just have to avoid one of the silly configuration errors that
I'm going to tell you about below. :)

The getpwent(3) routines will attempt to do a yp_first() on the
master.passwd.byname map (in 2.0.5 it was yp_order() -- this turned
out to be a mistake because Solaris 2.x in NIS compat mode doesn't
support YPPROC_ORDER). If the yp_first() fails, it defaults over to
using passwd.byname and passwd.byuid instead.

: I'm trying to integrate 2.0.5 into my network, which uses a Linux
: box for the server, and I can get ypbind to talk to my yp domain,
: I can get ypcat to spit out passwd.by* (I don't have shadow
: passwords here), but I can't for the life of me get getpwby*() to
: actually get at the yellow pages when I try to log in.

The 2.0.5 man pages don't really contain the secret, but the 2.1.0
ones do. The basic steps are:

1) set up your domain name and have ypbind run at startup -- you've
   already done this.

2) Add +::::::::: to the end of /etc/master.passwd using the vipw
   program. Important points:

   - I said edit /etc/master.passwd, not /etc/passwd.

   - You _MUST_ use vipw to do this. If you use another editor (emacs,
     joe, pico, whatever...), you must understand what pwd_mkdb does
     and remember to RUN IT AFTER YOU EDIT THE PASSWORD DATABASE. If
     you don't use pwd_mkdb (vipw runs it for you automatically) then
     your changes will not be propagated to /etc/spwd.db and
     /etc/pwd.db, which is where the getpwent(3) functions really go
     to look up password information.

   - I said +:::::::::. Not +:*::::::::, not +::0:0::::::, and not
     +:*:0:0::::::. FreeBSD allows you to remap _all_ of the fields in
     an NIS password entry. So if you put a * in the password field in
     the magic '+' entry, you'll make everybody's password a '*' and
     thereby prevent everybody from logging in. Putting '0' in the UID
     field makes everybody root, which will prevent them from logging
     in over the network since root logins are only allowed from the
     console.

   - Note the nine colons. The /etc/master.passwd file has ten total
     fields, and pwd_mkdb enforces this: if you try to use less than
     nine colons, it'll complain that the entry is invalid.

3) Add a + to the end of /etc/group. Avoid using +::: -- there was a
   bug in 2.0.5 that caused NULL pointer dereferences inside
   getgrent.c if you had three colons. This is fixed in 2.1.0.

That's it. The most common mistake people make is to use +:*::::::::
instead of +::::::::: in /etc/master.passwd. (BTW: I think people may
be doing this because of a bug in one of the Linux distributions
(which I'm sure has been fixed by now) that allowed people to log in
as user '+' with no password; apparently the +:::::: entry was being
interpreted as a real password entry. The workaround for this was to
put a '*' in the password field (+:*:::::) so that logins for user '+'
would be denied. FreeBSD parses the magic '+' entries differently and
never suffered from this bug, so it's safe to leave the password field
empty.)

:   ____
:   david parsons \bi/ unfortunately, the manpages haven't been helpful, and
:                  \/  from looking at the sources to libc, I think I'm doing
:                      everything right, so I'm officially lost and confused.

The best thing to do in this case is to write a small program that
actually calls getpwent() (or getpwnam() or getpwuid()) and see what
it returns as a result. When you finally see what it's doing, it makes
configuration errors a bit easier to spot.

Hope this helps.

-Bill

--
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
License error: The license for this .sig file has expired. You must obtain
a new license key before any more witty phrases will appear in this space.
=============================================================================
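
Added example (not part of the post above and not FreeBSD code): a small C
lint for the wildcard '+' line in /etc/master.passwd that flags the mistakes
listed under step 2 before pwd_mkdb is run. The name check_plus_entry and the
status names are hypothetical, the sample lines are constructed, and only the
bare '+' entry discussed in the post is handled.

```c
/* Added example: lint the wildcard '+' line of a FreeBSD master.passwd. */
#include <stdio.h>
#include <string.h>

enum plus_status {
    NOT_PLUS,          /* ordinary line; name field is not exactly "+" */
    PLUS_OK,           /* ten fields, password and UID left empty */
    PLUS_BAD_FIELDS,   /* not ten fields: pwd_mkdb would reject it */
    PLUS_PW_OVERRIDE,  /* password set: overrides every NIS user's password */
    PLUS_UID_OVERRIDE  /* UID set: overrides every NIS user's UID */
};

/* Hypothetical helper: classify one line (trailing newline optional). */
enum plus_status check_plus_entry(const char *line)
{
    size_t len[10] = {0};
    const char *p = line;
    int n = 0;

    for (;;) {                       /* split on ':' and record field lengths */
        size_t l = strcspn(p, ":\n");
        if (n < 10)
            len[n] = l;
        n++;
        if (p[l] != ':')
            break;
        p += l + 1;
    }
    if (len[0] != 1 || line[0] != '+')
        return NOT_PLUS;
    if (n != 10)
        return PLUS_BAD_FIELDS;
    if (len[1] != 0)
        return PLUS_PW_OVERRIDE;
    if (len[2] != 0)
        return PLUS_UID_OVERRIDE;
    return PLUS_OK;
}

int main(void)
{
    /* Constructed sample lines, not taken from a real system. */
    static const char *samples[] = {
        "root:*:0:0::0:0:Charlie &:/root:/bin/csh",
        "+:::::::::", "+:*::::::::", "+::0:0::::::", "+::::::"
    };
    static const char *msg[] = { "not a '+' entry", "ok", "wrong field count",
                                 "password field set", "UID field set" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-42s %s\n", samples[i], msg[check_plus_entry(samples[i])]);
    return 0;
}
```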