FreeBSD + Solaris NIS setup: authentication problems

Post by wbp » Wed, 21 Sep 2005 02:12:02


I am trying to set up a FreeBSD (5.4-RELEASE) machine as an NIS server with
a machine running Solaris 8 as a client. Following the handbook, I added
nisdomain=..., nis_client_enable="YES", nis_server_enable="YES", and
nis_yppassword_enable="YES" to rc.conf, created a /var/yp/master.passwd and
ran ypinit -m <domainname>. The handbook states that since I have a
Solaris NIS client, I need to use DES password encryption, so (following
the handbook) I changed /etc/login.conf to have passwd_format=des and
/etc/auth.conf to have crypt_default = des md5. I reset the password for
one of the users, and see that the new password is showing up in
/var/yp/master.passwd in a DES-encrypted form. Nevertheless, an attempt to
log in as the user fails with a "Login incorrect" error when done from the
Solaris machine. (I can log in as the user from the FreeBSD machine
without a problem.)

As far as I can tell, the Solaris machine is set up correctly as the NIS
client. (At least, ypwhich shows the FreeBSD server, and ypcat passwd
shows the users I have configured.)

Any hints on what might be wrong?

- Will

Post by jpd » Thu, 22 Sep 2005 02:56:26


nsswitch.conf? This might be better asked in a solaris related group. If
your claim that ypcat passwd on the sun box works *and* provides correct
output (passwd entries with des encrypted passwords) is true, it would
be a configuration issue on the solaris box.


--
j p d (at) d s b (dot) t u d e l f t (dot) n l .


Post by wbp » Fri, 23 Sep 2005 00:44:12


Thanks for the hint - nsswitch.conf was indeed not set up correctly on the
Solaris side. Unfortunately, I corrected (I think) nsswitch.conf and still
cannot authenticate. On Solaris, the output of "ypcat passwd" shows
asterisks instead of encrypted passwords, so I cannot prove that the
DES-encrypted password is being seen on the client. For the time being,
however, I am assuming that it is indeed a Solaris configuration issue, and
will pursue it from there.

- Will

Post by G. Paul Zi » Fri, 23 Sep 2005 01:25:00


Perhaps you need to set UNSECURE = "True" in /var/yp/Makefile on the
FreeBSD NIS server? (See comments therein)


--
G. Paul Ziemba
FreeBSD unix:
9:21AM up 59 days, 22:43, 10 users, load averages: 0.28, 0.19, 0.12

Post by wbp » Fri, 23 Sep 2005 02:10:17


I did that, and typed "make", and got a message that NIS Map update
complete, but still no success. "ypcat passwd" shows asterisks for
passwords on both the FreeBSD machine and the Solaris machine. Is this to
be expected, or should I see actual encrypted passwords?

- Will

Post by jpd » Fri, 23 Sep 2005 03:04:37


With `old' nis you do need to see the actual passwords in ypcat passwd
output. This is of course one of the very reasons why it is insecure and
obsolete, but there you go.


--
j p d (at) d s b (dot) t u d e l f t (dot) n l .

Post by G. Paul Zi » Fri, 23 Sep 2005 06:25:00


It's possible that this step did not actually rebuild the passwd map
if you did not also "touch" the source file (master.passwd).

--
G. Paul Ziemba
FreeBSD unix:
1:46PM up 1:15, 3 users, load averages: 0.05, 0.07, 0.05
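
The check discussed in the posts above (does `ypcat passwd` show real hashes or asterisks?), as an added example that is not part of the original thread: it classifies the password field of each passwd-format line so a masked or MD5 entry stands out before a DES-only client tries to authenticate against it. The function names and sample entries are hypothetical; it assumes seven colon-separated fields per entry and that withheld hashes appear as `*`, as described in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the password field of
# passwd-format lines such as those printed by `ypcat passwd`.

# Print "<user> <class>" per entry; class is masked, des, md5 or other.
classify_nis_passwd() {
    awk -F: '
    NF < 7 { next }    # skip anything that is not a 7-field passwd entry
    {
        pw = $2
        # "*" means the hash was withheld when the map was built
        if (pw == "*") cls = "masked"
        # MD5 crypt hashes start with the "$1$" prefix
        else if (substr(pw, 1, 3) == "$1$") cls = "md5"
        # traditional DES crypt: exactly 13 characters from [./0-9A-Za-z]
        else if (length(pw) == 13 && pw ~ "^[./0-9A-Za-z]+$") cls = "des"
        else cls = "other"
        print $1, cls
    }'
}

# Return 0 only if every entry carries a DES hash; otherwise print the
# entries a DES-only client could not authenticate and return 1.
nis_map_usable_by_des_client() {
    bad=$(classify_nis_passwd | awk '$2 != "des"')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample data; the hashes are placeholders, not real crypt output.
sample_map() {
    cat <<'EOF'
will:AAbbCCddEEff1:1001:1001:Will:/home/will:/bin/sh
alice:*:1002:1002:Alice:/home/alice:/bin/sh
bob:$1$constrct$0123456789abcdefghijkl:1003:1003:Bob:/home/bob:/bin/sh
EOF
}

# On a live client: ypcat passwd | nis_map_usable_by_des_client
sample_map | classify_nis_passwd
```

Run it once on the server and once on the client after each map rebuild; if both sides still report `masked`, the passwd map was not regenerated.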

Post by wbp » Fri, 23 Sep 2005 19:55:16


Thank you! That was indeed the problem.

Another responder stated that the "old" NIS was "insecure" and "obsolete".
I can appreciate "insecure", since the encrypted passwords are visible with
"ypcat passwd", but I would think that "obsolete" doesn't apply if it is
the only way to have FreeBSD and Solaris in a NIS domain. Is this a matter
of Solaris and FreeBSD having gone their own separate ways with NIS, or no
one having gotten around to implementing NIS+ for FreeBSD? (Or are there
other solutions which I am not aware of?)

- Will