[Solaris 10] NIS works only from "su"

Hi,
I'm trying to set up NIS in my Solaris 10 but it works only if I first log in as root to my server and then "su - myuser". When I try to log in (via console or ssh) directly as "myuser" the authentication fails.

Here is what I've done:

client ~$ echo "mydomain.loc" > /etc/defaultdomain
client ~$ domainname mydomain.loc
client ~$ domainname
mydomain.loc

client ~$ echo "192.168.0.1   nis.mydomain.loc" >> /etc/hosts

client ~$ ypinit -c
## add nis.mydomain.loc

# added "nis" in /etc/nsswitch.conf on the following lines
passwd:     files nis
group:      files nis


client ~$ svcadm enable nis/client
client ~$ ypwhich
nis.mydomain.loc

~$ ypcat passwd
## displays the passwd entries

client ~$ su - myuser
myuser@client ~$ 

What am I doing wrong ?

Thanks for your help.

Tex

If your "ypcat passwd" does not include displaying the users' encrypted passwords then:

I'm rusty in this now but you need to copy your /etc/passwd, /etc/shadow and /etc/group files to a separate directory into which you have also copied the NIS Makefile and then run make to populate the NIS database with your users (from passwd) and their passwords (from shadow). If your users have NFS mounted home directories from a central NFS file server you may want to put the auto_home map file into NIS as well.

NIS is no longer in favour because someone may run:

$ ypcat passwd > textfile.txt

and then run a cracker against the text file to determine the users' passwords, because NIS makes the users' encrypted passwords world readable.

I hope this gives you some helpful pointers...

No it doesn't. I think that I now understand the problem: I can access the uids but not the hashed passwords. When I'm root I can su to anybody without any password verification. When I connect as a user, the credentials have to be checked and I do not have the NIS passwords.

If I understand, this should be done on the NIS server but I don't have admin access to the server and even if I had I do not want to "unshadow" the passwords for the security reasons you mention later.

Yes I've already set up this and it works ok.

So any idea how I can fix the password problem ?

Thanks,
Tex

You cannot unshadow NIS except by moving to NIS+, which is complicated, and Sun have dropped or are in the process of dropping support for NIS+. I believe an LDAP server (e.g. Sun ONE Directory Service, see: http://docs.sun.com/source/816-6698-10/useracct.html ) is the way to go now.

On getting the users' passwords included in NIS, it does have to be done on the NIS server, so if you do not have root on the NIS server then you will need to ask those who do have root on the NIS server to remake the NIS maps to include a copy of /etc/shadow.

It is supposed to be included. From a Linux machine it works fine. I think that the problem comes from the fact that the NIS server is a Linux OS which doesn't seem to be compatible with the Sun NIS client.

Thanks anyway,
Tex

Hi Tex

The password display issue in NIS can be resolved by creating a passwd.adjunct file on the NIS server.

You can get a lot of help on the passwd.adjunct file from the net. I recently configured an NIS environment in my lab (of around 10 machines) and they are running pretty fine.

HG
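
An added example, not part of any post in this thread: a shell function that reads `ypcat passwd` output and reports, per entry, whether the password field carries a readable hash, an "x" placeholder (no hash in the map, the symptom described above), or a `##user` passwd.adjunct reference. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the password field of a NIS passwd map.
# Real use on a client:  ypcat passwd | classify_passwd_map

classify_passwd_map() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }                   # skip blanks and comments
        NF < 7 { printf "%s malformed\n", $1; next }  # passwd entries have 7 fields
        {
            pw = $2
            if (pw == "")                      status = "empty"
            else if (pw == "x")                status = "placeholder"   # hash kept in shadow only
            else if (pw == ("##" $1))          status = "adjunct"       # passwd.adjunct reference
            else if (pw ~ /^[*!]/ || pw == "NP") status = "nologin"     # locked or no-password account
            else                               status = "hash-exposed"  # readable by any ypcat user
            printf "%s %s\n", $1, status
        }'
}

# Count the entries with a given status (argument 1) in a map read from stdin.
count_status() {
    classify_passwd_map | awk -v want="$1" '$2 == want { n++ } END { print n + 0 }'
}

# Constructed sample map; the hash value is a placeholder string, not a real hash.
sample_map() {
    cat <<'EOF'
alice:XXconstructed1:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
carol:##carol:1003:100:Carol:/home/carol:/bin/sh
dave:*LK*:1004:100:Dave:/home/dave:/bin/sh
EOF
}

sample_map | classify_passwd_map
echo "entries with a readable hash: $(sample_map | count_status hash-exposed)"
```

Entries reported as "placeholder" explain a client that resolves uids but cannot verify a password; entries reported as "hash-exposed" are the ones the `ypcat passwd > textfile.txt` concern applies to.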

ok. Do you also have a Linux server with Solaris clients ?

regards,
Tex

No, Tex.
My NIS farm is (unfortunately) a Solaris-only farm.

HG

ok. So I consider that a Linux NIS server is just not 100% compatible with Solaris clients and I'll stick with my current configuration :wink:

regards,
Tex