Subject: Re: Console login fails with NIS
To: Aaron J. Grier <agrier@poofygoof.com>
From: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
List: current-users
Date: 06/14/2005 22:13:03

At 15:09 -0700 13.6.2005, Aaron J. Grier wrote:
>as greywolf made obvious to me, /etc/group has mappings of group names
>to users, and not the other way around. hitting the NIS copy of group
>is necessary to find all the groups a user is in, even if they aren't a
>member of any NIS groups.
>
>I guess this makes logging in as root impossible if NIS is bound to a
>remote server and the network disappears. possible workarounds would be
>distributed local files or running ypserv on every machine. both
>solutions seem like horrid hacks.

OTOH, per /var/yp/Makefile.yp

# Only include UID's >= ${MINUID} in the maps. Setting this to ~1000
# and using uid's > 1000 for users allows heterogeneous system support
# where low numbered uids and gids may have different meanings.
MINUID?= 99
MINGID?= 99

you can (and should) exclude system accounts from YP distribution.
If I do that, YP has no business locking out root from the console.

(Communicating the Makefile variable to /sbin/login is a different issue ;)
hauke
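
An added example, not part of the message above and not code from NetBSD's Makefile.yp: it applies the uid/gid cutoff described in the quoted Makefile comment to constructed passwd and group data. The `leaky_groups` check and all function names are assumptions of this example; it lists groups that pass the gid cutoff but still name a below-cutoff account such as root as a member.

```shell
#!/bin/sh
# Constructed sample data, standing in for the master passwd and group files.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/sh
daemon:*:1:1:The devil himself:/:/sbin/nologin
operator:*:2:5:System &:/usr/guest/operator:/sbin/nologin
alice:*:1001:100:Alice:/home/alice:/bin/sh
bob:*:1002:100:Bob:/home/bob:/bin/sh'

SAMPLE_GROUP='wheel:*:0:root,alice
operator:*:5:root
users:*:100:alice,bob
staff:*:200:root,bob'

# Names of passwd entries with uid >= $1 (the entries the map would carry).
exported_users() {
    printf '%s\n' "$SAMPLE_PASSWD" |
        awk -F: -v min="$1" '$3 + 0 >= min + 0 { print $1 }'
}

# Names of group entries with gid >= $1.
exported_groups() {
    printf '%s\n' "$SAMPLE_GROUP" |
        awk -F: -v min="$1" '$3 + 0 >= min + 0 { print $1 }'
}

# Hypothetical audit: groups with gid >= $2 that list a member whose
# uid is below $1. Output is one "group:member" pair per line.
leaky_groups() {
    { printf '%s\n' "$SAMPLE_PASSWD"; echo '--'; printf '%s\n' "$SAMPLE_GROUP"; } |
        awk -F: -v minuid="$1" -v mingid="$2" '
            $0 == "--" { ingroup = 1; next }          # switch from passwd to group
            !ingroup { if ($3 + 0 < minuid + 0) low[$1] = 1; next }
            $3 + 0 >= mingid + 0 {
                n = split($4, m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] in low) print $1 ":" m[i]
            }'
}

# Stand-alone run with the defaults quoted from Makefile.yp.
echo "users in map:  $(exported_users 99 | tr '\n' ' ')"
echo "groups in map: $(exported_groups 99 | tr '\n' ' ')"
echo "groups naming excluded accounts: $(leaky_groups 99 99 | tr '\n' ' ')"
```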