NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: nis client and shadow passwords ("theo borm") writes:

>Linux NIS clients *appear* (I could be wrong) to deal with shadow
>passwords natively by querying two separate databases (passwd.byid and
>shadow.byid), and I expected the NetBSD NIS client to do this too,

It does, the database is just not called 'shadow' but follows SunOS

The client looks wether the server provides a master.passwd.*
or a passwd.adjunct.* map.

The master.passwd maps have full passwd entries that are just
used instead of the passwd entry.

The passwd.adjunct maps contain the crypted password (and some other
account data) and augment the data from passwd _if_ the password
field in passwd contains "##".

Teaching the client Linux compatibility is surely possible, if you
would want this. The next problem is then compatibility with the
specific crypt function for the password.

All this is done only when root queries the password database,
unprivileged users just query passwd. The NIS server then only
allows queries to the map from a privileged port unless you
had something like SecureRPC implemented (basically: NIS+).

At that point, people tend to ignore shadow maps for NIS and
migrate to LDAP and Kerberos...

                                Michael van Elst
                                "A potential Snark may lurk in every tree."

Home | Main Index | Thread Index | Old Index