Mark Hennessy
2006-Nov-21 17:37 UTC
FreeBSD 6.x, NIS, local root password, and nsswitch.conf
I have a new system that has FreeBSD 6.1 on it to replace a system with FreeBSD 4.11 being put out of service.

I want to keep to using local root passwords only, but export other users' logins over NIS. It acts presently as an NIS slave server.

The NIS master server was upgraded a few months ago to FreeBSD 6.0 and then 6.1.

All other machines are running FreeBSD 4.11.

A weird thing started to happen with the new machine. Only on this new machine, the local root password doesn't work and only the root password of the NIS master server will work to attain root. Perhaps something needs to be changed somewhere to make the local root password work again?

Here's the /etc/nsswitch.conf from the master server:
group: compat
group_compat: nis
hosts: files dns
networks: files
passwd: compat
passwd_compat: nis
shells: files

Here's the /etc/nsswitch.conf from the slave server:
group: compat
group_compat: nis
hosts: files dns
networks: files
passwd: compat
passwd_compat: nis
shells: files

They both appear to be set to defaults.

I tried changing group and passwd to include 'files', I also tried changing group_compat and passwd_compat to include 'files', but no positive change.

I couldn't find nsswitch.conf on any of the FreeBSD 4.11 servers. They are served by NIS as clients and all of their local root passwords work fine.

Where should I look next?

Thanks!

--
Mark P. Hennessy
freebsd-stable-archive@cloud9.net
2006-Nov-21 17:39 UTC
FreeBSD 6.x, NIS, local root password, and nsswitch.conf
On Tue, 21 Nov 2006, Mark Hennessy wrote:
> I have a new system that has FreeBSD 6.1 on it to replace a system with
> FreeBSD 4.11 being put out of service.
>
> I want to keep to using local root passwords only, but export other users'
> logins over NIS. It acts presently as an NIS slave server.
>
> The NIS master server was upgraded a few months ago to FreeBSD 6.0 and
> then 6.1.
>
> All other machines are running FreeBSD 4.11.
>
> A weird thing started to happen with the new machine. Only on this new
> machine, the local root password doesn't work and only the root password
> of the NIS master server will work to attain root. Perhaps something
> needs to be changed somewhere to make the local root password work again?
>
> Here's the /etc/nsswitch.conf from the master server:
> group: compat
> group_compat: nis
> hosts: files dns
> networks: files
> passwd: compat
> passwd_compat: nis
> shells: files
>
> Here's the /etc/nsswitch.conf from the slave server:
> group: compat
> group_compat: nis
> hosts: files dns
> networks: files
> passwd: compat
> passwd_compat: nis
> shells: files
>
> They both appear to be set to defaults.
>
> I tried changing group and passwd to include 'files', I also tried
> changing group_compat and passwd_compat to include 'files', but no
> positive change.

Mark,

Careful here.

The line needs to read 'files nis', not 'nis files' - if you used the latter, try switching it around so that the local /etc/passwd is checked for root logins before NIS is consulted.

As I understand the man page, you want to change the {group,passwd}_compat lines, not the {group,passwd} lines themselves.

> I couldn't find nsswitch.conf on any of the FreeBSD 4.11 servers. They
> are served by NIS as clients and all of their local root passwords work
> fine.

From nsswitch.conf(5):

"The nsswitch.conf file format first appeared in FreeBSD 5.0. It was imported from the NetBSD Project, where it appeared first in NetBSD 1.4."

The NIS section of the handbook contains no mention of nsswitch.conf(5), so I'm not actually sure that it's required for system authentication.

David Adam
zanchey@ucc.gu.uwa.edu.au
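
Added example, not part of the original messages: a simplified Python model of which source returns a user's passwd entry first under the `compat` setup posted above versus a plain `files nis` order. The passwd sample lines, the NIS user set and the helper names are constructed for illustration, and the model assumes first-match-wins lookup without status criteria or netgroups.

```python
# Simplified model of passwd lookups (added example). It ignores status
# criteria such as [notfound=return], netgroups and '+' field overrides.

# nsswitch.conf as posted in the thread.
THREAD_CONF = """\
group: compat
group_compat: nis
hosts: files dns
networks: files
passwd: compat
passwd_compat: nis
shells: files
"""
# Constructed sample data, not taken from any real host.
PLUS_LAST = "root:*:0:0::0:0:Charlie &:/root:/bin/csh\n+:::::::::\n"
PLUS_FIRST = "+:::::::::\nroot:*:0:0::0:0:Charlie &:/root:/bin/csh\n"
NIS_USERS = {"root", "alice"}

def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf text."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            conf[db.strip()] = sources.split()
    return conf

def who_answers(user, conf, local_passwd, nis_users):
    """Name the source whose entry for `user` is found first, or None."""
    names = [l.split(":", 1)[0] for l in local_passwd.splitlines() if l.strip()]
    for src in conf.get("passwd", ["compat"]):
        if src == "files" and user in names:
            return "files"            # '+'/'-' lines are not interpreted here
        if src == "nis" and user in nis_users:
            return "nis"
        if src == "compat":
            excluded = set()          # names removed by earlier '-name' lines
            for name in names:        # the local file is walked in order
                if name.startswith("-"):
                    excluded.add(name[1:])
                elif name.startswith("+"):
                    hit = name[1:] in ("", user) and user in nis_users
                    if hit and user not in excluded:
                        return conf.get("passwd_compat", ["nis"])[0]
                elif name == user:
                    return "files"
    return None
```

In this model the local root entry is masked only when a '+' line precedes it in the local file, so the position of the '+' entry is worth checking alongside nsswitch.conf.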
Mark Hennessy
2006-Nov-22 14:07 UTC
FreeBSD 6.x, NIS, local root password, and nsswitch.conf
David Adam [zanchey@ucc.gu.uwa.edu.au] wrote:
>On Tue, 21 Nov 2006, Mark Hennessy wrote:
>> I have a new system that has FreeBSD 6.1 on it to replace a system with
>> FreeBSD 4.11 being put out of service.
>>
>> I want to keep to using local root passwords only, but export other users'
>> logins over NIS. It acts presently as an NIS slave server.
>>
>> The NIS master server was upgraded a few months ago to FreeBSD 6.0 and
>> then 6.1.
>>
>> All other machines are running FreeBSD 4.11.
>>
>> A weird thing started to happen with the new machine. Only on this new
>> machine, the local root password doesn't work and only the root password
>> of the NIS master server will work to attain root. Perhaps something
>> needs to be changed somewhere to make the local root password work again?
>>
>> Here's the /etc/nsswitch.conf from the master server:
>> group: compat
>> group_compat: nis
>> hosts: files dns
>> networks: files
>> passwd: compat
>> passwd_compat: nis
>> shells: files
>>
>> Here's the /etc/nsswitch.conf from the slave server:
>> group: compat
>> group_compat: nis
>> hosts: files dns
>> networks: files
>> passwd: compat
>> passwd_compat: nis
>> shells: files
>>
>> They both appear to be set to defaults.
>>
>> I tried changing group and passwd to include 'files', I also tried
>> changing group_compat and passwd_compat to include 'files', but no
>> positive change.
>
>Mark,
>
>Careful here.
>
>The line needs to read 'files nis', not 'nis files' - if you used the
>latter, try switching it around so that the local /etc/passwd is checked
>for root logins before NIS is consulted.
>
>As I understand the man page, you want to change the {group,passwd}_compat
>lines, not the {group,passwd} lines themselves.
>
>> I couldn't find nsswitch.conf on any of the FreeBSD 4.11 servers. They
>> are served by NIS as clients and all of their local root passwords work
>> fine.
>
>From nsswitch.conf(5):
>
>"The nsswitch.conf file format first appeared in FreeBSD 5.0. It was
>imported from the NetBSD Project, where it appeared first in NetBSD 1.4."
>
>The NIS section of the handbook contains no mention of nsswitch.conf(5),
>so I'm not actually sure that it's required for system authentication.
>
>David Adam
>zanchey@ucc.gu.uwa.edu.au
>_______________________________________________
>freebsd-stable@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

I'm a bit unsure about it myself.
I tried exactly what you suggested, putting files on the compat line and before nis for both passwd and groups on the NIS slave server only, and no go. Perhaps it is the master server that actually controls this? I don't know. Any further advice would be greatly appreciated.

--
Mark P. Hennessy
Mark Hennessy
2006-Nov-22 15:50 UTC
FreeBSD 6.x, NIS, local root password, and nsswitch.conf
David Adam [zanchey@ucc.gu.uwa.edu.au] wrote:
>On Wed, 22 Nov 2006, Mark Hennessy wrote:
>> David Adam [zanchey@ucc.gu.uwa.edu.au] wrote:
>> >On Tue, 21 Nov 2006, Mark Hennessy wrote:
>> >> I have a new system that has FreeBSD 6.1 on it to replace a system with
>> >> FreeBSD 4.11 being put out of service.
>> >>
>> >> I want to keep to using local root passwords only, but export other users'
>> >> logins over NIS. It acts presently as an NIS slave server.
>> >>
>> >> The NIS master server was upgraded a few months ago to FreeBSD 6.0 and
>> >> then 6.1.
>> >>
>> >> All other machines are running FreeBSD 4.11.
>> >>
>> >> A weird thing started to happen with the new machine. Only on this new
>> >> machine, the local root password doesn't work and only the root password
>> >> of the NIS master server will work to attain root. Perhaps something
>> >> needs to be changed somewhere to make the local root password work again?
><snip>
>> >>
>> >> I tried changing group and passwd to include 'files', I also tried
>> >> changing group_compat and passwd_compat to include 'files', but no
>> >> positive change.
>> >
>> >Mark,
>> >
>> >Careful here.
>> >
>> >The line needs to read 'files nis', not 'nis files' - if you used the
>> >latter, try switching it around so that the local /etc/passwd is checked
>> >for root logins before NIS is consulted.
>> >
>> >As I understand the man page, you want to change the {group,passwd}_compat
>> >lines, not the {group,passwd} lines themselves.
>> >
>> >> I couldn't find nsswitch.conf on any of the FreeBSD 4.11 servers. They
>> >> are served by NIS as clients and all of their local root passwords work
>> >> fine.
>> >
>> >From nsswitch.conf(5):
>> >
>> >"The nsswitch.conf file format first appeared in FreeBSD 5.0. It was
>> >imported from the NetBSD Project, where it appeared first in NetBSD 1.4."
>> >
>> >The NIS section of the handbook contains no mention of nsswitch.conf(5),
>> >so I'm not actually sure that it's required for system authentication.
>> >
>>
>> I'm a bit unsure about it myself.
>> I tried exactly what you suggested, putting files on the compat line and
>> before nis for both passwd and groups on the NIS slave server only, and no
>> go. Perhaps it is the master server that actually controls this? I don't
>> know. Any further advice would be greatly appreciated.
>
>Just to clarify - you're running a single NIS master, and you're having
>this problem on a new NIS client? Or is it a NIS slave server as well? I
>don't think that this should affect things, but I just wanted to clear up
>the nomenclature.
>
>Hmm, odd. I don't know if you have to restart any services to pick up
>changes in nsswitch.conf, but I doubt it.
>
>However, re-reading the manpage reminded me that nsswitch doesn't actually
>control authentication in many cases - PAM handles this, on Linux at any
>rate.
>
>Someone (quite possibly me) has kicked the cable out of my FreeBSD box, so
>I can't check this at the moment, but you may well need to edit something
>in /etc/pam.d. In particular, if you have NIS as sufficient, it'll take
>precedence over pam_unix (i.e., files).
>
>Cheers,
>
>David Adam
>zanchey@ucc.gu.uwa.edu.au

The machine in question having the problem with its root password being clobbered by NIS is an NIS Slave Server running FreeBSD 6.1, the other machines that aren't having this problem are clients running FreeBSD 4.11, and the NIS Master Server is running FreeBSD 6.1.

The pam config for login and su don't appear to be pointing specifically to NIS for anything, just system.

--
Mark P. Hennessy