Re: shadow and nis
Behan Webster wrote:
>
> Adriano Nagelschmidt Rodrigues wrote:
> >
> > Yes, apparently the clients don't bother to look up the shadow map (or maybe
> > there's a protocol error), the error messages are something like "user foo
> > doesn't have a password".
>
> It sure seems that way to me too.
>
> > What I did was install shadow in _all_ machines. In the server, I put the
> > NIS source password & group files in /var/etc (remember to turn off rx
> > permission for others in that dir and adjust /var/yp/Makefile).
>
> Ouch. But I thought there was a way to get nis to work _with_ shadow.
> I mean, the yp Makefile has support for distributing the shadow map.
> There's got to be a way to do it.
>
> > * 'finger' appears not to like getting an 'x' instead of the encrypted
> > password ('finger -m foo' works, 'finger foo' only works if you're root).
> >
> > * yppasswdd wasn't compiled with shadow support, so you can't use yppasswd to
> > change a user's password from your root shell (unless you recompile).
>
> Perhaps these should be reported as bugs? My impression was that all
> Debian packages were to be compiled or patched to work with shadow
> passwords.
>
My guess is that the libc function getpwent isn't supporting yp
passwords correctly. I have a 1.3.1 machine which uses YP which is
coming from a *Sun* server. I put the usual:

    +::::::

as the last line of /etc/passwd. Now, the Sun also has shadow passwords,
and its NIS (NIS+ actually) is set up to handle this. To get it to
work I had to build the maps *with* passwd info included, like this
on the Sun:

    /usr/lib/nis/nisaddent -p -f /etc/passwd.net passwd

with the '-p' telling it to go ahead and include the password
field. I tried to use shadow in the maps, but no luck. NOTE: this
matters little anyway since NIS (as opposed to NIS+) will give up
*any* map to *anyone* who asks for it. Thus NIS exposes you to
the same problems as non-shadow passwords. Ooops, I didn't mention
it before but I *am* using shadow passwords on the Debian box too.
I guess we'll just have to wait for the NIS+ support coming with glibc.
Doh.
--
Jens B. Jorgensen
jjorgens@bdsinc.com
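
An added example, not part of the original message: a small Python check that reads passwd-format lines, such as a saved dump of the NIS passwd map, and reports which accounts carry a real password hash in the second field instead of the shadow placeholder. The sample lines, the hash value and the status names are constructed for illustration.

```python
import sys

# Constructed sample in passwd(5) format; the hash value is a made-up placeholder.
SAMPLE_MAP = """\
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:ab01FAKEHASHx:1002:100:Bob:/home/bob:/bin/sh
carol:*:1003:100:Carol:/home/carol:/bin/sh
dave::1004:100:Dave:/home/dave:/bin/sh
+::::::
"""

def classify(line):
    """Return (name, status) for one passwd-format line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return (fields[0], "malformed")
    name, pw = fields[0], fields[1]
    if name.startswith(("+", "-")):
        return (name, "nis-compat")    # inclusion/exclusion entry such as "+::::::"
    if pw == "x":
        return (name, "shadowed")      # hash lives in the shadow file, not here
    if pw == "":
        return (name, "empty")         # no password set at all
    if pw[0] in "*!":
        return (name, "locked")        # cannot match any hash
    return (name, "hash-exposed")      # anything else is treated as a hash

def audit(text):
    """Group account names by status for a whole passwd-format dump."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, status = classify(line)
        report.setdefault(status, []).append(name)
    return report

if __name__ == "__main__":
    # Pipe a saved map dump on stdin, or run with no input to use the sample.
    data = SAMPLE_MAP if sys.stdin.isatty() else sys.stdin.read()
    for status, names in sorted(audit(data).items()):
        print(f"{status}: {', '.join(names)}")
```

Any name listed under hash-exposed is readable by every client that can fetch the map, which is the exposure the message describes for maps built with the password field included.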