Subject: Re: Trouble serving NIS to Solaris 8.0 from NetBSD 1.5
To: NetBSD Users Mailing List <netbsd-users@netbsd.org>
From: Brian Chase <bdc@world.std.com>
List: netbsd-users
Date: 01/25/2001 18:42:37
Well... persistence pays. I haven't gotten a reply yet, but I figured out
my problem after some digging. It's not readily documented anywhere, but
buried within the /var/yp/Makefile.yp is the following comment:

# Password maps in standard YP are insecure, because the pw_passwd
# field is accessable by any user. FreeBSD, NetBSD and OpenBSD have
# a common solution: a secure map (generated with makedbm -s) can
# only be accessed by a client bound to a privileged port.
#
# Uncomment out the following if you need compatibility with
# sites that don't support this feature.
#
#INSECURE?= yes

Voila!

After editing the copy of this Makefile which lived in my /var/yp/domain.com
directory on the master server.

-brian.

On Thu, 25 Jan 2001, Brian Chase wrote:
> The setup is fairly simple. I've got a NetBSD/i386 1.5 box running as an
> NIS server. It's serving (or supposed to be) several Solaris x86 8.0
> boxes. As a test case, I took a NetBSD/arm32 1.4.2 system of mine and got
> it to operate properly as an NIS client of the aforementioned server. The
> Solaris 8.0 boxes aren't quite as happy. They do recognise the NIS
> server. I can `ypcat' the maps, and the uid/gid to user name and group
> mappings are working properly. Also, as root I can 'su -' to any of the
> NIS served users, and it works without fault. However, I can log into the
> Solaris boxes as an NIS served user.
>
> All I can eke out from the Solaris syslog is the following terse error:
>
> Jan 25 16:03:26 combat.ind.iproperty.com login: [ID 427203 auth.debug]
> pam_authenticate: error Authentication failed
>
> On the NetBSD side of things, when I run ypserv with the '-l -d' options,
> I get the following:
>
> Jan 25 16:00:00 ypserver newsyslog[4875]: logfile turned over
> Jan 25 16:00:00 ypserver syslogd: restart
> Jan 25 16:00:07 ypserver ypserv[4866]: domain_nonack_2: request from
> ypserver.domain.com, domain domain.com, served TRUE
> Jan 25 16:01:08 ypserver ypserv[4866]: domain_nonack_2: request from
> ypserver.domain.com, domain domain.com, served TRUE
> Jan 25 16:01:33 ypserver ypserv[4866]: all_2: request from
> ypserver.domain.com, secure FALSE, domain domain.com, map
> passwd.byname
> Jan 25 16:01:42 ypserver ypserv[4866]: all_2: request from
> client.domain.com, secure FALSE, domain domain.com, map passwd.byname
> Jan 25 16:02:09 ypserver ypserv[4866]: domain_nonack_2: request from
> ypserver.domain.com, domain domain.com, served TRUE
> Jan 25 16:03:10 ypserver ypserv[4866]: domain_nonack_2: request from
> ypserver.domain.com, domain domain.com, served TRUE
> Jan 25 16:03:10 ypserver ypserv[4866]: domain_2: request from
> client.domain.com, domain domain.com, served TRUE
> Jan 25 16:03:15 ypserver ypserv[4866]: match_2: request from
> client.domain.com, secure FALSE, domain domain.com, map
> passwd.byname, key bdc
> Jan 25 16:03:15 ypserver ypserv[4866]: match_2: request from
> client.domain.com, secure FALSE, domain domain.com, map
> passwd.byname, key bdc
> Jan 25 16:04:12 ypserver ypserv[4866]: domain_nonack_2: request from
> ypserver.domain.com, domain domain.com, served TRUE
>
> There appears to be some sort of authentication problem, but I don't know
> what precisely it is.
>
> BTW, ypcat on both the NetBSD and Solaris clients returns the passwd
> map with '*' in the encrypted password field. It just seems to do the
> right thing and somehow gets the passwords under NetBSD. I'm not sure how
> to convince Solaris to do the same.
>
> -brian.
>
>
>
--- Brian Chase | bdc@world.std.com | http://world.std.com/~bdc/ -----
It is good that the world has Internet, for the world can see living math
done from the pouring of the concrete foundation all the way up to where
the beautiful pictures are hung on the wall and the microwave is warming
up cheese burritos. -- Archimedes Plutonium, 1995