Package: nis
Version: 3.17-31
Severity: normal
Tags: patch
Hi

I was experimenting with the following setup:
- Debian NIS master (squeeze/amd64)
- separate passwd and shadow maps
- passwd and shadow files distinct from master's /etc/{passwd,shadow}
- passwd.adjunct for Solaris clients, generated from shadow

To make the Solaris clients check passwd.adjunct.byname I needed to have
the special '##username' string in field 2 of the passwd map, instead
of the usual 'x' that tells Debian clients to check the shadow.byname map.
But I found that to get password changes to work from Debian hosts I had to
have 'x' in field 2 of the master file for the NIS passwd map; just
mangling the map with ypserv.conf was insufficient.

When I looked at the code to see why '##username' would not work,
I found that yppasswd and rpc.yppasswdd do the check-for-shadow differently:

yppasswd.c:

  hashpass = alloca (strlen (pwd->pw_name) + 3);
  cp = stpcpy (hashpass, "##");
  strcpy (cp, pwd->pw_name);

  if (strncmp(pwd->pw_passwd, "$1$", 3) == 0)
    has_md5_passwd = 1;

  /* We can't check the password with shadow passwords enabled. We
   * leave the checking to yppasswdd */
  if (uid != 0 && strcmp (pwd->pw_passwd, "x") != 0 &&
      strcmp (pwd->pw_passwd, hashpass ) != 0)

rpc.yppasswdd, update.c:

  /* Check the password. At first check for a shadow password. */
  if (oldsf != NULL &&
      pw->pw_passwd[0] == 'x' && pw->pw_passwd[1] == '\0')
    {
#ifdef HAVE_GETSPNAM /* shadow password */
      /* Search for the shadow entry of this user */

The patch below changes the rpc.yppasswdd check regarding shadow passwords
to be consistent with yppasswd. I've tested changing passwords from a client
machine using yppasswd and passwd (the latter with the pam_unix2 module)
and it seems to work ok.

It has another nice side effect - when I run yppasswd on the NIS master,
it now updates the entry in the master file for the _shadow_ map, not the
entry in the master file for the _passwd_ map.

Please consider applying this patch.

Kind regards
Vince

--- nis-3.17/ypserv-2.19/rpc.yppasswdd/update.c.orig 2013-04-17
01:19:31.0000 00000 +0000
+++ nis-3.17/ypserv-2.19/rpc.yppasswdd/update.c 2013-04-17 02:20:12.000000000
+0000
@@ -365,6 +365,8 @@
FILE *oldpf = NULL, *newpf = NULL, *oldsf = NULL, *newsf = NULL;
struct stat passwd_stat, shadow_stat;
char *rootpass = "x";
+ char *hashpass, *cp;
+
#if CHECKROOT
if ((pw = getpwnam ("root")) != NULL)
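Review bot: `hashpass` and `cp` are declared uninitialised at function scope, next to declarations that are all initialised (`= NULL`, `rootpass = "x"`), although they are only needed for the one comparison added further down. Either declare them in the block that uses them or initialise them to NULL here; `cp` exists only to carry the return value of `stpcpy` into one `strcpy` and can go entirely if the marker is compared in place.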
@@ -473,9 +475,16 @@
{
++gotit;
+ /* We will also check for passwd.adjunct-style shadow passwords */
+ hashpass = alloca (strlen (pw->pw_name) + 3);
+ cp = stpcpy (hashpass, "##");
+ strcpy (cp, pw->pw_name);
+
/* Check the password. At first check for a shadow password. */
+ /* This check should match the semantics of the one yppasswd makes. */
if (oldsf != NULL &&
- pw->pw_passwd[0] == 'x' && pw->pw_passwd[1] == '\0')
+ (strcmp (pw->pw_passwd, "x") == 0 ||
+ strcmp (pw->pw_passwd, hashpass ) == 0))
{
#ifdef HAVE_GETSPNAM /* shadow password */
/* Search for the shadow entry of this user */
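Review bot: The `alloca (strlen (pw->pw_name) + 3)` added ahead of the shadow check sizes a stack allocation from the name field of the entry being processed, with no upper bound and no way to detect failure, and the buffer is built even when `oldsf` is NULL and the comparison against it is never evaluated. The same test needs no buffer: check that `pw->pw_passwd` starts with `##` and that `strcmp (pw->pw_passwd + 2, pw->pw_name) == 0`, which also removes the dependency on `stpcpy`. Since the new comment says the check should match yppasswd, it would help to document that a `##username` entry takes the shadow branch only when a shadow file is open (`oldsf != NULL`), so the behaviour for such entries without one can be confirmed.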
-- Package-specific info:
-- System Information:
Debian Release: 6.0.7
APT prefers stable
APT policy: (990, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages nis depends on:
ii debconf [debconf-2.0] 1.5.36.1 Debian configuration management sy
ii hostname 3.04 utility to set/show the host name
ii libc6 2.11.3-4 Embedded GNU C Library: Shared lib
ii libdbus-1-3 1.2.24-4+squeeze2 simple interprocess messaging syst
ii libdbus-glib-1-2 0.88-2.1+squeeze1 simple interprocess messaging syst
ii libgdbm3 1.8.3-9 GNU dbm database routines (runtime
ii libglib2.0-0 2.24.2-1 The GLib library of C routines
ii libslp1 1.2.1-7.8 OpenSLP libraries
ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii make 3.81-8 An utility for Directing compilati
ii netbase 4.45 Basic TCP/IP networking system
ii portmap 6.0.0-2 RPC port mapper
nis recommends no packages.
Versions of packages nis suggests:
pn nscd <none> (no description available)
-- Configuration Files:
/etc/ypserv.conf changed [not included]
/var/yp/Makefile changed [not included]
-- debconf information excluded
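
The mismatch between the two checks described in the report, as an added example (not part of the original report and not code from the nis package). The function names and sample entries are hypothetical; it assumes a non-root caller and an open shadow file, and compares the '##username' marker in place instead of building it with alloca.

```c
#include <stdio.h>
#include <string.h>

/* yppasswd.c semantics (and the patched update.c): field 2 points at a
 * shadow-style map when it is "x" or "##" followed by the login name.
 * Compared in place, so no alloca/stpcpy is needed (example's choice). */
static int defers_shadow_style(const char *name, const char *field2)
{
    return strcmp(field2, "x") == 0 ||
           (strncmp(field2, "##", 2) == 0 && strcmp(field2 + 2, name) == 0);
}

/* Unpatched update.c semantics: only a bare "x" counts. */
static int server_defers_orig(const char *field2)
{
    return field2[0] == 'x' && field2[1] == '\0';
}

/* Count sample entries on which client and server take different paths. */
static int count_mismatches(int patched)
{
    /* Constructed sample entries: login name, passwd field 2. */
    static const char *rows[][2] = {
        { "alice", "x" },
        { "bob",   "##bob" },
        { "carol", "##bob" },        /* marker names a different user */
        { "dave",  "$1$salt$hash" }, /* hash stored in the passwd map */
        { "erin",  "" },
    };
    int n = 0;
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++) {
        int c = defers_shadow_style(rows[i][0], rows[i][1]);
        int s = patched ? defers_shadow_style(rows[i][0], rows[i][1])
                        : server_defers_orig(rows[i][1]);
        printf("%-6s %-13s client=%d server=%d\n",
               rows[i][0], rows[i][1], c, s);
        n += (c != s);
    }
    return n;
}

int main(void)
{
    printf("original check: %d mismatch(es)\n", count_mismatches(0));
    printf("patched check:  %d mismatch(es)\n", count_mismatches(1));
    return 0;
}
```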