Re: NIS broken in debian 2.2?

2001-12-18 Thread Miquel van Smoorenburg
According to Brent Kearney:
 Thanks to your reply though, I realized I forgot to take the +:: 
 entries out of /etc/passwd and /etc/group.  Now that I've done
 so, ldap is working for authentication, and I don't need NIS :).

OK.

 However, as far as I can tell, NIS is indeed broken in this 
 distro.

Then you are wrong. NIS is working perfectly. I'm running it on
multiple networks, each with 2-4 NIS servers, total about 40 clients,
some mixed potato/woody setup, some pure woody.

Mike.
-- 
Deadlock, n.:
Deceased rastaman.



Re: NIS broken in debian 2.2?

2001-12-17 Thread Brent Kearney
On Fri, Dec 14, 2001 at 10:09:03AM +, Miquel van Smoorenburg wrote:
 In article [EMAIL PROTECTED],
 Brent Kearney  [EMAIL PROTECTED] wrote:
 I'm running the 'woody' distro on a PC with Linux 2.4.12-ac6. I 
 installed the 'nis' debian package, and followed the nis.debian.howto 
 that comes with that package.  The setup went smoothly, and ypbind was 
 able to contact the NIS server.  ypcat works.  However, NIS users are 
 unable to authenticate to the system using SSH.  
 
 Did you set up /etc/nsswitch.conf and /etc/passwd correctly?


My /etc/nsswitch.conf says:

passwd: files ldap 
group:  files ldap
shadow: files ldap

My /etc/passwd ends in:
+::0:0:::


 It appears that Redhat had a similar problem, but has a solution.  I
 tried copying the pam_pwdb modules from a redhat box (with the libs),
 and substituting it for pam_unix in /etc/pam.d/ssh and login, but no
 luck.
 
 Do NOT use pam_pwdb. It's evil and must die.
 
 Mike.

I know nothing about it.  Why is pam_pwdb evil?  Since it didn't 
work anyways, I removed it.  Now, my /etc/pam.d/ssh looks like this:

auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so use_first_pass
session    required     /lib/security/pam_unix_session.so


Thanks for your help,

Brent





Re: NIS broken in debian 2.2?

2001-12-17 Thread Miquel van Smoorenburg
In article [EMAIL PROTECTED],
Brent Kearney  [EMAIL PROTECTED] wrote:
On Fri, Dec 14, 2001 at 10:09:03AM +, Miquel van Smoorenburg wrote:
 In article [EMAIL PROTECTED],
 Brent Kearney  [EMAIL PROTECTED] wrote:
 I'm running the 'woody' distro on a PC with Linux 2.4.12-ac6. I 
 installed the 'nis' debian package, and followed the nis.debian.howto 
 that comes with that package.  The setup went smoothly, and ypbind was 
 able to contact the NIS server.  ypcat works.  However, NIS users are 
 unable to authenticate to the system using SSH.  
 
 Did you set up /etc/nsswitch.conf and /etc/passwd correctly?


My /etc/nsswitch.conf says:

passwd: files ldap 
group:  files ldap
shadow: files ldap

Right, that's the problem. You didn't read /usr/share/doc/nis/
nis.debian.howto.gz did you, it's all spelled out in there.

In particular, /etc/nsswitch.conf needs to read:

passwd: compat
group:  compat
shadow: compat
netgroup:   nis

Mike.
-- 
Deadlock, n.:
Deceased rastaman.



Re: NIS broken in debian 2.2?

2001-12-17 Thread Brent Kearney
On Mon, Dec 17, 2001 at 08:44:49PM +, Miquel van Smoorenburg wrote:
 In article [EMAIL PROTECTED],
 Brent Kearney  [EMAIL PROTECTED] wrote:
 On Fri, Dec 14, 2001 at 10:09:03AM +, Miquel van Smoorenburg wrote:
  In article [EMAIL PROTECTED],
  Brent Kearney  [EMAIL PROTECTED] wrote:
  I'm running the 'woody' distro on a PC with Linux 2.4.12-ac6. I 
  installed the 'nis' debian package, and followed the nis.debian.howto 
  that comes with that package.  The setup went smoothly, and ypbind was 
  able to contact the NIS server.  ypcat works.  However, NIS users are 
  unable to authenticate to the system using SSH.  
  
  Did you set up /etc/nsswitch.conf and /etc/passwd correctly?
 
 My /etc/nsswitch.conf says:
 
 passwd: files ldap 
 group:  files ldap
 shadow: files ldap
 
 Right, that's the problem. You didn't read /usr/share/doc/nis/
 nis.debian.howto.gz did you, it's all spelled out in there.
 
 In particular, /etc/nsswitch.conf needs to read:
 
 passwd:   compat
 group:    compat
 shadow:   compat
 netgroup: nis
 

Oops; yes, in fact I did read the howto.  I had since changed
it to files ldap from compat.  At the time of my original
post, nsswitch.conf was set up as per the howto.

I originally wanted to set up NIS as a temporary solution to give 
the users access while I worked on setting up ldap.  In the 
meantime, I did get ldap set up; however, the same thing happened with 
ldap as happened with NIS. 

Thanks to your reply though, I realized I forgot to take the +:: 
entries out of /etc/passwd and /etc/group.  Now that I've done
so, ldap is working for authentication, and I don't need NIS :).

However, as far as I can tell, NIS is indeed broken in this 
distro.

Cheers,

Brent
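
The mismatch this exchange turns on, `+` entries left in /etc/passwd and /etc/group while nsswitch.conf names `files ldap` rather than `compat`, can be checked mechanically. The following is an added example, not code from the thread or from the Debian nis package; the function names and finding labels are hypothetical and the sample file contents are constructed to mirror what is quoted above.

```python
# Added example (not from the thread): cross-check nsswitch.conf against
# compat-style '+'/'-' entries in the account files.

def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        # Keep source names only; drop action items such as [NOTFOUND=return].
        dbs[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs

def compat_entries(text):
    """Lines that only mean something to the compat source ('+...' or '-...')."""
    return [l for l in text.splitlines() if l.startswith(("+", "-"))]

def audit(nsswitch_text, files):
    """files maps a database name to that file's contents; returns findings."""
    dbs, findings = parse_nsswitch(nsswitch_text), []
    for db, content in files.items():
        sources, entries = dbs.get(db, []), compat_entries(content)
        if entries and "compat" not in sources:
            # The situation in the thread: '+' lines present, compat not in use.
            findings.append((db, "stray-compat-entry", entries))
        elif "compat" in sources and not any(e.startswith("+") for e in entries):
            # compat only reaches NIS through a '+' line, so NIS is never asked.
            findings.append((db, "compat-without-plus", []))
    return findings

# Constructed sample input modelled on the configuration quoted in the thread.
NSSWITCH_LDAP = "passwd: files ldap\ngroup:  files ldap\nshadow: files ldap\n"
NSSWITCH_COMPAT = "passwd: compat\ngroup:  compat\nshadow: compat\nnetgroup: nis\n"
PASSWD = "root:x:0:0:root:/root:/bin/bash\n+::0:0:::\n"
GROUP = "root:x:0:\n+:::\n"
PASSWD_CLEAN = "root:x:0:0:root:/root:/bin/bash\n"

if __name__ == "__main__":
    for nss in (NSSWITCH_LDAP, NSSWITCH_COMPAT):
        print(audit(nss, {"passwd": PASSWD, "group": GROUP}))
```
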




Re: NIS broken in debian 2.2?

2001-12-14 Thread Miquel van Smoorenburg
In article [EMAIL PROTECTED],
Brent Kearney  [EMAIL PROTECTED] wrote:
I'm running the 'woody' distro on a PC with Linux 2.4.12-ac6. I 
installed the 'nis' debian package, and followed the nis.debian.howto 
that comes with that package.  The setup went smoothly, and ypbind was 
able to contact the NIS server.  ypcat works.  However, NIS users are 
unable to authenticate to the system using SSH.  

Did you set up /etc/nsswitch.conf and /etc/passwd correctly?

   hostname:/var/log# tail -f auth.log
   Dec 13 17:25:52 hostname sshd[1204]: input_userauth_request: illegal user brent

In other words, the system doesn't use NIS yet.

   hostname:/var/log# ypcat passwd | grep brent
   brent:CrYpT3DP4ss:1059:200::/home/foo/brent:/usr/local/bin/tcsh

Okay, so ypbind works, and your NIS server is up. That doesn't mean the
system is actually using it. What does 'id brent' say?

It appears that Redhat had a similar problem, but has a solution.  I
tried copying the pam_pwdb modules from a redhat box (with the libs),
and substituting it for pam_unix in /etc/pam.d/ssh and login, but no
luck.

Do NOT use pam_pwdb. It's evil and must die.

Mike.
-- 
Deadlock, n.:
Deceased rastaman.



NIS broken in debian 2.2?

2001-12-13 Thread Brent Kearney
Greetings,

I'm running the 'woody' distro on a PC with Linux 2.4.12-ac6. I 
installed the 'nis' debian package, and followed the nis.debian.howto 
that comes with that package.  The setup went smoothly, and ypbind was 
able to contact the NIS server.  ypcat works.  However, NIS users are 
unable to authenticate to the system using SSH.  

Here's what it looks like from the outside:

{myhost}(~)$ ssh hostname
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
[EMAIL PROTECTED]'s password:
Permission denied (publickey,password,keyboard-interactive).

Here's what it looks like from the inside:

hostname:/var/log# tail -f auth.log
Dec 13 17:25:52 hostname sshd[1204]: input_userauth_request: illegal user brent
Dec 13 17:25:52 hostname sshd[1204]: Failed none for illegal user brent from 123.45.67.89 port 53110 ssh2
Dec 13 17:25:53 hostname sshd[1204]: Failed password for illegal user brent from 123.45.67.89 port 53110 ssh2
Dec 13 17:26:20 hostname last message repeated 2 times
Dec 13 17:26:20 hostname sshd[1204]: Failed keyboard-interactive for illegal user brent from 123.45.67.89 port 53110 ssh2
Dec 13 17:26:20 hostname last message repeated 2 times
Dec 13 17:26:20 hostname sshd[1204]: Connection closed by 123.45.67.89

hostname:/var/log# ypcat passwd | grep brent
brent:CrYpT3DP4ss:1059:200::/home/foo/brent:/usr/local/bin/tcsh


My first thought was that it was a PAM issue.  Some websearches turned
up this: 

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=55011

It appears that Redhat had a similar problem, but has a solution.  I
tried copying the pam_pwdb modules from a redhat box (with the libs),
and substituting it for pam_unix in /etc/pam.d/ssh and login, but no
luck.

Any suggestions?

Thanks,

Brent
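
The symptom in this message, sshd logging "illegal user" for a name that `ypcat passwd` does return, can be separated from failures for names that exist nowhere by comparing the two outputs. The following is an added example, not part of the original post; the function names and cause labels are hypothetical, the brent lines are the thread's own excerpt with mail wrapping undone, and the `oracle` line and its address are constructed.

```python
import re

# sshd failure lines as shown in the thread; later OpenSSH releases say
# "invalid user" instead of "illegal user", so both spellings are accepted.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (\S+) for (?:illegal|invalid) user (\S+) from (\S+) port \d+")
REPEAT = re.compile(r"last message repeated (\d+) times?")

def directory_users(ypcat_passwd):
    """Login names present in the NIS passwd map (output of `ypcat passwd`)."""
    return {l.split(":", 1)[0] for l in ypcat_passwd.splitlines() if ":" in l}

def triage(auth_log, ypcat_passwd):
    """Return {(user, source): {"attempts": n, "cause": label}}."""
    known, counts, last = directory_users(ypcat_passwd), {}, None
    for line in auth_log.splitlines():
        m, r = FAILED.search(line), REPEAT.search(line)
        if m:
            last = (m.group(2), m.group(3))
            counts[last] = counts.get(last, 0) + 1
        elif r and last:
            counts[last] += int(r.group(1))  # syslog collapsed identical lines
        else:
            last = None
    return {k: {"attempts": n,
                "cause": ("in-directory-but-unresolved" if k[0] in known
                          else "unknown-account")}
            for k, n in counts.items()}

# Sample input: the thread's excerpt unwrapped, plus one constructed line.
YPCAT = "brent:CrYpT3DP4ss:1059:200::/home/foo/brent:/usr/local/bin/tcsh\n"
AUTH_LOG = """\
Dec 13 17:25:52 hostname sshd[1204]: input_userauth_request: illegal user brent
Dec 13 17:25:52 hostname sshd[1204]: Failed none for illegal user brent from 123.45.67.89 port 53110 ssh2
Dec 13 17:25:53 hostname sshd[1204]: Failed password for illegal user brent from 123.45.67.89 port 53110 ssh2
Dec 13 17:26:20 hostname last message repeated 2 times
Dec 13 17:26:20 hostname sshd[1204]: Failed keyboard-interactive for illegal user brent from 123.45.67.89 port 53110 ssh2
Dec 13 17:26:20 hostname last message repeated 2 times
Dec 13 17:26:20 hostname sshd[1204]: Connection closed by 123.45.67.89
Dec 13 17:30:01 hostname sshd[1310]: Failed password for illegal user oracle from 198.51.100.7 port 40022 ssh2
"""

if __name__ == "__main__":
    for key, info in triage(AUTH_LOG, YPCAT).items():
        print(key, info)
```

An `in-directory-but-unresolved` result points at name-service configuration on the host rather than at the password, which is the same question `id brent` answers interactively.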