NetBSD-Users archive


Re: nis client and shadow passwords



theo_nbusr%borm.org@localhost ("theo borm") writes:

>Linux NIS clients *appear* (I could be wrong) to deal with shadow
>passwords natively by querying two separate databases (passwd.byid and
>shadow.byid), and I expected the NetBSD NIS client to do this too,

It does, the database is just not called 'shadow' but follows SunOS
conventions.

The client looks whether the server provides a master.passwd.*
or a passwd.adjunct.* map.

The master.passwd maps have full passwd entries that are just
used instead of the passwd entry.

The passwd.adjunct maps contain the crypted password (and some other
account data) and augment the data from passwd _if_ the password
field in passwd contains "##".

Teaching the client Linux compatibility is surely possible, if you
would want this. The next problem is then compatibility with the
specific crypt function for the password.

All this is done only when root queries the password database,
unprivileged users just query passwd. The NIS server then only
allows queries to the map from a privileged port unless you
had something like SecureRPC implemented (basically: NIS+).

At that point, people tend to ignore shadow maps for NIS and
migrate to LDAP and Kerberos...

-- 
                                Michael van Elst
Internet: mlelstv%serpens.de@localhost
                                "A potential Snark may lurk in every tree."

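The lookup order described in the message above, sketched as an added example (not part of the original message and not NetBSD's libc code). It assumes the SunOS-style adjunct layout with the crypted password in the second colon-separated field and treats "##" as a prefix of the passwd field; `effective_passwd`, `field` and the sample entries are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Copy colon-separated field n (0-based) of line into out; NULL on error. */
static char *field(const char *line, int n, char *out, size_t outlen)
{
    size_t len;
    while (n-- > 0) {
        line = strchr(line, ':');
        if (line == NULL)
            return NULL;            /* too few fields */
        line++;
    }
    len = strcspn(line, ":\n");
    if (len >= outlen)
        return NULL;                /* would not fit */
    memcpy(out, line, len);
    out[len] = '\0';
    return out;
}

/*
 * Password field a caller ends up with: non-root callers only see passwd;
 * root gets the master.passwd entry if that map exists, else a "##" passwd
 * field is replaced by the password field of the passwd.adjunct entry
 * (assumed to be field 1). master/adjunct are NULL if the map is absent.
 */
char *effective_passwd(const char *passwd, const char *master,
                       const char *adjunct, int is_root,
                       char *out, size_t outlen)
{
    if (is_root && master != NULL)
        return field(master, 1, out, outlen);
    if (field(passwd, 1, out, outlen) == NULL)
        return NULL;
    if (is_root && adjunct != NULL && strncmp(out, "##", 2) == 0)
        return field(adjunct, 1, out, outlen);
    return out;
}

int main(void)
{
    /* Constructed entries; the hash is a placeholder, not a real crypt. */
    const char *pw = "alice:##alice:1001:100:Alice:/home/alice:/bin/sh";
    const char *adj = "alice:PLACEHOLDER_HASH:::::";
    char buf[64];
    printf("root: %s\n", effective_passwd(pw, NULL, adj, 1, buf, sizeof buf));
    printf("user: %s\n", effective_passwd(pw, NULL, adj, 0, buf, sizeof buf));
    return 0;
}
```
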
