Subject: Re: Console login fails with NIS
To: Aaron J. Grier <>
From: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
List: current-users
Date: 06/14/2005 22:13:03
At 15:09 Uhr -0700 13.6.2005, Aaron J. Grier wrote:
>as greywolf made obvious to me, /etc/group has mappings of group names
>to users, and not the other way around.  hitting the NIS copy of group
>is necessary to find all the groups a user is in, even if they aren't a
>member of any NIS groups.
>I guess this makes logging in as root impossible if NIS is bound to a
>remote server and the network dissapears.  possible workarounds would be
>distributed local files or running ypserv on every machine.  both
>solutions seem like horrid hacks.

OTOH, per /var/yp/Makefile.yp

# Only include UID's >= ${MINUID} in the maps. Setting this to ~1000
# and using uid's > 1000 for users allows heterogeneous system support
# where low numbered uids and gids may have different meanings.
MINUID?=        99
MINGID?=        99

you can (and should) exclude system accounts from YP distribution.

If I do that, YP has no business locking out root from the console.

(Communicating the Makefile variable to /sbin/login is a different issue ;)