Bug#36584: nss' compat does not work with shadow nis



Package: libc6
Version: 2.0.7.19981211-6
Severity: important

Our setup is as follows:
- Machine C: . runs Debian Linux
             . package libc6 is at version 2.0.7.19981211-6
             . package nis is at 3.3.1-1
             . is set up as nis client

- Machine S: . runs Solaris 2.5 + NSkit-2.1
             . is the nis (not nis+) server.  Runs in C2 secure
               mode, i.e. serves a passwd file with mangled
               passwords, and a passwd.adjunct.byname file to
               requests that come from a privileged port.
               (mangled passwords are of the form: ##<login>)

On machine C, a ypcat passwd works for both privileged and non-priv.
users, whereas the ypcat passwd.adjunct.byname only works for priv.
users.  So I know that the server is behaving the way I want it to.

When nsswitch.conf on C is set to the following:
> passwd:         files nis
> group:          files nis
> shadow:         files nis
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis

...and when the '+' syntax is not used in either passwd, shadow or
group files, everything works fine.  All users from the NIS passwd
file are seen and can be authenticated.  Unfortunately, no
user-level or netgroup restrictions can be set.

However, when I use 'compat' for passwd, group and shadow like this:
> passwd:         compat                  
> group:          compat
> shadow:         compat
>                        
> (the rest is the same)

... even though I add '+mylogin::::::' and '+mylogin::::::::' at the
end of /etc/passwd and /etc/shadow respectively, the uid <-> login
mapping still occurs, but authentication does not.  For example,
su'ing from mylogin to mylogin does not work, and neither does
telnetting or rlogging into the machine.

I suspect that there might be a problem with the libnss_compat
library.  It might not be pulling the shadow password correctly from
the Solaris server.  Also, since I have not seen anyone else
complain about this problem, maybe it is because others are using
Debian Linux systems as both server and client.

I don't know if this can help, but I have run tcpdump and noticed
that when 'files nis' is used, and I su from myself to myself, 5
packets are sent to the server; whereas when 'compat' is used, only
3 are sent.  (output of tcpdump has been stripped of irrelevant
information: <t> is timestamp, C is linux box, S is solaris nis
server)

Using 'files nis' and su'ing from myself to myself:
<t>.478458 C.809 > S.895: udp 84
<t>.488458 S.895 > C.809: udp 108 (DF)
<t>.488458 C.810 > S.895: udp 92
<t>.488458 S.895 > C.810: udp 116 (DF)
<t>.488458 C.811 > S.895: udp 84
<t>.488458 S.895 > C.811: udp 32 (DF)
<t>.488458 C.812 > S.895: udp 84
<t>.498458 S.895 > C.812: udp 108 (DF)
<t>.498458 C.814 > S.895: udp 92
<t>.498458 S.895 > C.814: udp 116 (DF)

Using 'compat' and su'ing from myself to myself:
<t>.898594 C.810 > S.895: udp 84
<t>.898594 S.895 > C.810: udp 108 (DF)
<t>.908594 C.811 > S.895: udp 84
<t>.908594 S.895 > C.811: udp 32 (DF)
<t>.908594 C.812 > S.895: udp 84
<t>.908594 S.895 > C.812: udp 108 (DF)

Thank you in advance for looking into this.

--
					-Jacques
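
An added triage example, not part of the original report and not libc or nis code: before suspecting libnss_compat, it checks offline that the '+' entries have the field counts passwd(5) and shadow(5) expect, that each '+' selector in passwd has a counterpart in shadow, and whether the resolved passwd entry carries the C2 '##<login>' placeholder. The function names and sample data are constructed for illustration.

```python
PASSWD_FIELDS, SHADOW_FIELDS = 7, 9  # colon-separated fields in passwd(5) and shadow(5)

def compat_selectors(text, nfields):
    """Map each +/- compat selector in a passwd- or shadow-style file to a problem or None."""
    found = {}
    for line in text.splitlines():
        if line[:1] not in ("+", "-"):
            continue  # ordinary local entry or blank line
        fields = line.split(":")
        # Assumption: a bare selector with no colons (e.g. "+") is accepted as-is.
        ok = len(fields) in (1, nfields)
        found[fields[0]] = None if ok else f"{len(fields)} fields, expected {nfields}"
    return found

def is_c2_placeholder(passwd_line):
    """True if the password field is the mangled '##<login>' form served in C2 secure mode."""
    login, pw = passwd_line.split(":")[:2]
    return pw == "##" + login

def triage(passwd_text, shadow_text, resolved_passwd_line):
    """Return a list of findings for a compat setup like the one in the report."""
    findings = []
    pw = compat_selectors(passwd_text, PASSWD_FIELDS)
    sh = compat_selectors(shadow_text, SHADOW_FIELDS)
    for name, sels in (("passwd", pw), ("shadow", sh)):
        findings += [f"{name}: {s}: {p}" for s, p in sels.items() if p]
    for sel in pw:
        # A bare "+" in shadow covers every user; netgroup membership is not resolved here.
        if sel.startswith("+") and sel not in sh and "+" not in sh:
            findings.append(f"shadow: no compat entry matching {sel}")
    if is_c2_placeholder(resolved_passwd_line):
        findings.append("passwd map returns ##<login>; hash must come from passwd.adjunct.byname")
    return findings

# Constructed sample input mirroring the entries quoted in the report.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\n+mylogin::::::\n"
SAMPLE_SHADOW = "root:*:10000:0:99999:7:::\n+mylogin::::::::\n"
SAMPLE_RESOLVED = "mylogin:##mylogin:1001:100:Constructed User:/home/mylogin:/bin/sh"

if __name__ == "__main__":
    for finding in triage(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_RESOLVED):
        print(finding)
```

With the entries as quoted in the report, the only finding is the placeholder note, so the '+' lines themselves are well-formed.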

