Re: NIS oops

2010-01-21 Thread Olivier Nicole
 and that's the one error I made in setting it up likely... (I saw that 
 note after rebooting in the handbook)

I have been there, I have done that.

Luckily my server is next door :)

Olivier

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: NIS oops

2010-01-20 Thread Olivier Nicole
 is there any way to use another machine on the net to kick start it

Unless you have an account on that master server that is not depending
on NIS, I see no way.

Bests,

Olivier


Re: NIS oops

2010-01-20 Thread Aryeh M. Friedman

Olivier Nicole wrote:

is there any way to use another machine on the net to kick start it



Unless you have an account on that master server that is not depending
on NIS, I see no way.

Bests,

Olivier

  
and that's the one error I made in setting it up likely... (I saw that 
note after rebooting in the handbook)



Re: NIS users can't login with FTPD

2009-10-30 Thread Markiyan Kushnir

what's in /etc/nsswitch.conf ?

Markiyan.

Frank Bonnet wrote:

Hello

I've installed a new machine ( 7.2 / 64 bits ) which runs like a charm
EXCEPT for the FTP service for NIS users ...

Local users ( which are present in /etc/passwd file ) have no problem
BUT NIS users cannot log in

when using telnet NIS users have no problem to log in ...

Thanks for any help


the /etc/pam.d/ftpd looks like the following

#
# $FreeBSD: src/etc/pam.d/ftpd,v 1.19.8.1 2009/04/15 03:14:26 kensmith
#
# PAM configuration for the ftpd service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_unix.so

# session
session         required        pam_permit.so
mail#


Re: NIS Linux - Ubuntu

2007-12-27 Thread Chad Perrin
On Wed, Dec 26, 2007 at 09:10:00PM -0500, Lowell Gilbert wrote:
 Chad Perrin [EMAIL PROTECTED] writes:
 
  The behavior with an asterisk instead of an X is pretty worrisome,
  however, and is not strictly Ubuntu's fault.  Security of a server should
  not rely on the good will and competence of the client developers.
 
 I agree with the latter sentence, but not the former.  
 When using NFS (without Kerberos), it is built into the protocol that
 the server trusts the client on the UID/GID.  
 That is a good reason not to use NFS in an untrusted environment, but
 there really isn't anything FreeBSD can do about it.

I'm not clear on how that makes it Ubuntu's fault -- which seems to be
what you're saying, since you disagreed with the sentence in which I
stated it is not strictly Ubuntu's fault.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
John Kenneth Galbraith: If all else fails, immortality can always be
assured through spectacular error.


Re: NIS Linux - Ubuntu

2007-12-26 Thread Lowell Gilbert
Chad Perrin [EMAIL PROTECTED] writes:

 On Thu, Dec 20, 2007 at 09:32:50AM -0500, Lowell Gilbert wrote:
 RA Cohen [EMAIL PROTECTED] writes:
 
  I am sorry, here is an addendum to my previous post:
 
 Somehow Ubuntu was given root user
   permissions
 
  Actually, upon rereading my notes, Ubuntu was only given permissions of 
  the user doing the login - not root - but we could login with any valid 
  user apparently FreeBSD thought it was presented with a wildcard password.
 
  And I can also verify that FreeBSD clients are able to use the password 
  map when x is used instead of * in the map to represent the password. So I 
  can secure the system using the x but still cannot get Ubuntu clients to 
  authenticate.
 
 Sounds like Ubuntu is using the wrong map, probably one where it's
 getting a different and empty field where it expects to find a password.

 The behavior with an asterisk instead of an X is pretty worrisome,
 however, and is not strictly Ubuntu's fault.  Security of a server should
 not rely on the good will and competence of the client developers.

I agree with the latter sentence, but not the former.  
When using NFS (without Kerberos), it is built into the protocol that
the server trusts the client on the UID/GID.  
That is a good reason not to use NFS in an untrusted environment, but
there really isn't anything FreeBSD can do about it.


Re: NIS Linux - Ubuntu

2007-12-20 Thread Lowell Gilbert
RA Cohen [EMAIL PROTECTED] writes:

 I am sorry, here is an addendum to my previous post:

Somehow Ubuntu was given root user
  permissions

 Actually, upon rereading my notes, Ubuntu was only given permissions of the 
 user doing the login - not root - but we could login with any valid user 
 apparently FreeBSD thought it was presented with a wildcard password.

 And I can also verify that FreeBSD clients are able to use the password map 
 when x is used instead of * in the map to represent the password. So I can 
 secure the system using the x but still cannot get Ubuntu clients to 
 authenticate.

Sounds like Ubuntu is using the wrong map, probably one where it's
getting a different and empty field where it expects to find a password.


Re: NIS Linux - Ubuntu

2007-12-20 Thread Chad Perrin
On Thu, Dec 20, 2007 at 09:32:50AM -0500, Lowell Gilbert wrote:
 RA Cohen [EMAIL PROTECTED] writes:
 
  I am sorry, here is an addendum to my previous post:
 
 Somehow Ubuntu was given root user
   permissions
 
  Actually, upon rereading my notes, Ubuntu was only given permissions of the 
  user doing the login - not root - but we could login with any valid user 
  apparently FreeBSD thought it was presented with a wildcard password.
 
  And I can also verify that FreeBSD clients are able to use the password map 
  when x is used instead of * in the map to represent the password. So I can 
  secure the system using the x but still cannot get Ubuntu clients to 
  authenticate.
 
 Sounds like Ubuntu is using the wrong map, probably one where it's
 getting a different and empty field where it expects to find a password.

The behavior with an asterisk instead of an X is pretty worrisome,
however, and is not strictly Ubuntu's fault.  Security of a server should
not rely on the good will and competence of the client developers.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Baltasar Gracian: A wise man gets more from his enemies than a fool from
his friends.


Re: NIS group mQuestion

2007-10-18 Thread Enrique Ayesta Perojo

 Hello,

 I'm trying to setup a NIS Server under FreeBSD 6.2 to serve Linux Clients
 (CentOS4). The main problem I have is with the group map. When FreeBSD
 generates the maps it gets the info for this from /etc/group, which gets
 imported from the Linux clients.

 My question is: Is there any way to avoid this? I would like to use a
 different group file, not the one in /etc in the same way it's done with
 master.passwd

 Best regards

Hi again, I'll answer to myself. To change the way NIS works in FreeBSD I have 
just to edit /var/yp/Makefile and change the place where NIS takes the source 
files. I just had to read the Makefile first to send the question to the 
list!

Thanks again


Re: NIS interoperability with Linux, was Re: Following directions doesn't seem to work: Adding users in NIS

2007-10-18 Thread Lowell Gilbert
Manolis Kiagias [EMAIL PROTECTED] writes:

 Lowell Gilbert wrote:
 Manolis Kiagias [EMAIL PROTECTED] writes:

   
 I've read this the first time I tried and decided not to go with it.
 The manual says:
 If you plan to use a FreeBSD system to serve non-FreeBSD
 clients that have no support for password shadowing (which is
 most of them), you will have to disable the password shadowing
 entirely by uncommenting the UNSECURE=True entry in
  /var/yp/Makefile.

 Linux certainly uses password shadowing, and I can see in my debian
 server maps passwd.byname and shadow.byname files
 If I perform ypcat passwd.byname from a client I get the standard passwd
 file with no passwords (exactly like /etc/passwd)
 The encrypted passwords are in the shadow.byname map.

 Now, if I understand correctly, the above solution would put the
 passwords in the passwd.byname map, thus making the system less secure,
 where in fact I should be able to make FreeBSD export a shadow.byname
 map that would be compatible with Linux.
 Am I missing something here / are my assumptions wrong?
 

 I think you are assuming that Linux uses password shadowing over NIS.
 This is not possible, and no system does it.

 The FreeBSD security method in question just forces requests for the
 password maps to come from privileged ports.  This is a very minor
 security method, and other systems don't support it.

 Fundamentally, NIS assumes that you trust the machines you are
 serving.  Or at least are willing to let them have the encrypted
 passwords.  No OS can change this; it's not a Linux/FreeBSD issue.  


   
 I have experimented a bit further with my debian NIS server, and this is
 what I found:

From a NIS client, I can do with my standard user account:

 [EMAIL PROTECTED]:~$ ypcat passwd.byname
 user1:x:1010:1010:Joe User,,,:/home/user1:/bin/bash

 and I get the standard, world-readable password file (the one without
 the passwords)
 However, the standard user cannot run:

 This is the answer:
 [EMAIL PROTECTED]:~$ ypcat shadow.byname
 No such map shadow.byname. Reason: No such map in server's domain

 As root, however:
 [EMAIL PROTECTED]:~# ypcat shadow.byname
 user1:$1$1233245435435345543545345sfsdfsfdf:13577:0:9:7:::
 ...

 This seems to be consistent with the FreeBSD NIS Server behaviour
 described in nis(8) manual page:

  To help prevent this, FreeBSD's NIS server handles the shadow password
  maps (master.passwd.byname and master.passwd.byuid) in a special way: the
  server will only provide access to these maps in response to requests
  that originate on privileged ports.  Since only the super-user is allowed
  to bind to a privileged port, the server assumes that all such requests
  come from privileged users.  All other requests are denied: requests from
  non-privileged ports will receive only an error code from the server.

 So, it seems linux handles this the same way. Difference is linux has a
 shadow.byname map while FreeBSD has a master.passwd.byname map
 (possibly  also internal differences in the files)

 Now, if I understand correctly, if I were to add the UNSECURE feature
 in the FreeBSD server, I expect the shadow passwords would be inserted
 in the passwd.byname map which is world readable and hence a security
 issue. (Perhaps I will do this experiment next and let you know of the
 outcome)
 This is hardly important for my home server scenario, but it would be, 
 should I decide to implement a FreeBSD NIS server somewhere else.
 Hence,  the best possible solution would be to get a Makefile for the
 FreeBSD NIS server that would produce completely Linux compatible maps.

Hmm.  What you're saying makes sense; unfortunately, I haven't had a
network configured this way in a while, so I'm rather rusty on the
details.  It sounds as though this is just a matter of the map names.
Perhaps you could handle that with nicknames?

I believe that the master.passwd.byname map is in the same FreeBSD-
specific format as master.passwd, but that on all systems
passwd.byname is the standard old format that YP always used.

In most (not all, but most) cases, I don't think it's worth worrying
about the secure modes available, whether you're taking the FreeBSD
or the Linux map names and formats.  It's based on the assumption that
someone untrusted can be on your network but can't use low-numbered
TCP ports.  This is unusual in my experience.

Good luck.


Re: NIS interoperability with Linux, was Re: Following directions doesn't seem to work: Adding users in NIS

2007-10-18 Thread Manolis Kiagias
Lowell Gilbert wrote:
 Manolis Kiagias [EMAIL PROTECTED] writes:

   
 I have experimented a bit further with my debian NIS server, and this is
 what I found:

 From a NIS client, I can do with my standard user account:

 [EMAIL PROTECTED]:~$ ypcat passwd.byname
 user1:x:1010:1010:Joe User,,,:/home/user1:/bin/bash

 and I get the standard, world-readable password file (the one without
 the passwords)
 However, the standard user cannot run:

 This is the answer:
 [EMAIL PROTECTED]:~$ ypcat shadow.byname
 No such map shadow.byname. Reason: No such map in server's domain

 As root, however:
 [EMAIL PROTECTED]:~# ypcat shadow.byname
 user1:$1$1233245435435345543545345sfsdfsfdf:13577:0:9:7:::
 ...

 This seems to be consistent with the FreeBSD NIS Server behaviour
 described in nis(8) manual page:

  To help prevent this, FreeBSD's NIS server handles the shadow password
  maps (master.passwd.byname and master.passwd.byuid) in a special way: the
  server will only provide access to these maps in response to requests
  that originate on privileged ports.  Since only the super-user is allowed
  to bind to a privileged port, the server assumes that all such requests
  come from privileged users.  All other requests are denied: requests from
  non-privileged ports will receive only an error code from the server.

 So, it seems linux handles this the same way. Difference is linux has a
 shadow.byname map while FreeBSD has a master.passwd.byname map
 (possibly  also internal differences in the files)

 Now, if I understand correctly, if I were to add the UNSECURE feature
 in the FreeBSD server, I expect the shadow passwords would be inserted
 in the passwd.byname map which is world readable and hence a security
 issue. (Perhaps I will do this experiment next and let you know of the
 outcome)
 This is hardly important for my home server scenario, but it would be, 
 should I decide to implement a FreeBSD NIS server somewhere else.
 Hence,  the best possible solution would be to get a Makefile for the
 FreeBSD NIS server that would produce completely Linux compatible maps.
 

 Hmm.  What you're saying makes sense; unfortunately, I haven't had a
 network configured this way in a while, so I'm rather rusty on the
 details.  It sounds as though this is just a matter of the map names.
 Perhaps you could handle that with nicknames?

   
It is a matter of names, but also there are changes internally in the
file. All can be handled by a modified Makefile, which I hope to be able
to patch.
I have a few more urgent experiments with the test machine, so this
will have to wait for a while.

 I believe that the master.passwd.byname map is in the same FreeBSD-
 specific format as master.passwd, but that on all systems
 passwd.byname is the standard old format that YP always used.

In fact, in Linux, shadow.byname is the exact same format as
/etc/shadow, so I believe your assumption about master.passwd.byname is
true.

 In most (not all, but most) cases, I don't think it's worth worrying
 about the secure modes available, whether you're taking the FreeBSD
 or the Linux map names and formats.  It's based on the assumption that
 someone untrusted can be on your network but can't use low-numbered
 TCP ports.  This is unusual in my experience.

True, and as I said for my home network this is more of an academic
exercise.
However considering the (probable) outcome of the UNSECURE line in
Makefile, it would reduce the security of a host to pre-shadow days. The
hashes would be available to anyone, and then someone could discover
John the Ripper and give brute force a try.  This is probably something
to keep in mind for more security-conscious environments. Combine it
with the fact it would affect all NIS clients and not a single machine,
and you may get a serious security incident.

 Good luck.

   

Thanks, should I decide to wrestle with the Makefile, I will need it :)



Re: NIS interoperability with Linux, was Re: Following directions doesn't seem to work: Adding users in NIS

2007-10-17 Thread Lowell Gilbert
Manolis Kiagias [EMAIL PROTECTED] writes:

 I've read this the first time I tried and decided not to go with it.
 The manual says:
 If you plan to use a FreeBSD system to serve non-FreeBSD
 clients that have no support for password shadowing (which is
 most of them), you will have to disable the password shadowing
 entirely by uncommenting the UNSECURE=True entry in
  /var/yp/Makefile.

 Linux certainly uses password shadowing, and I can see in my debian
 server maps passwd.byname and shadow.byname files
 If I perform ypcat passwd.byname from a client I get the standard passwd
 file with no passwords (exactly like /etc/passwd)
 The encrypted passwords are in the shadow.byname map.

 Now, if I understand correctly, the above solution would put the
 passwords in the passwd.byname map, thus making the system less secure,
 where in fact I should be able to make FreeBSD export a shadow.byname
 map that would be compatible with Linux.
 Am I missing something here / are my assumptions wrong?

I think you are assuming that Linux uses password shadowing over NIS.
This is not possible, and no system does it.

The FreeBSD security method in question just forces requests for the
password maps to come from privileged ports.  This is a very minor
security method, and other systems don't support it.

Fundamentally, NIS assumes that you trust the machines you are
serving.  Or at least are willing to let them have the encrypted
passwords.  No OS can change this; it's not a Linux/FreeBSD issue.  


Re: NIS interoperability with Linux, was Re: Following directions doesn't seem to work: Adding users in NIS

2007-10-17 Thread Manolis Kiagias
Lowell Gilbert wrote:
 Manolis Kiagias [EMAIL PROTECTED] writes:

   
 I've read this the first time I tried and decided not to go with it.
 The manual says:
 If you plan to use a FreeBSD system to serve non-FreeBSD
 clients that have no support for password shadowing (which is
 most of them), you will have to disable the password shadowing
 entirely by uncommenting the UNSECURE=True entry in
  /var/yp/Makefile.

 Linux certainly uses password shadowing, and I can see in my debian
 server maps passwd.byname and shadow.byname files
 If I perform ypcat passwd.byname from a client I get the standard passwd
 file with no passwords (exactly like /etc/passwd)
 The encrypted passwords are in the shadow.byname map.

 Now, if I understand correctly, the above solution would put the
 passwords in the passwd.byname map, thus making the system less secure,
 where in fact I should be able to make FreeBSD export a shadow.byname
 map that would be compatible with Linux.
 Am I missing something here / are my assumptions wrong?
 

 I think you are assuming that Linux uses password shadowing over NIS.
 This is not possible, and no system does it.

 The FreeBSD security method in question just forces requests for the
 password maps to come from privileged ports.  This is a very minor
 security method, and other systems don't support it.

 Fundamentally, NIS assumes that you trust the machines you are
 serving.  Or at least are willing to let them have the encrypted
 passwords.  No OS can change this; it's not a Linux/FreeBSD issue.  


   
I have experimented a bit further with my debian NIS server, and this is
what I found:

From a NIS client, I can do with my standard user account:

[EMAIL PROTECTED]:~$ ypcat passwd.byname
user1:x:1010:1010:Joe User,,,:/home/user1:/bin/bash

and I get the standard, world-readable password file (the one without
the passwords)
However, the standard user cannot run:

This is the answer:
[EMAIL PROTECTED]:~$ ypcat shadow.byname
No such map shadow.byname. Reason: No such map in server's domain

As root, however:
[EMAIL PROTECTED]:~# ypcat shadow.byname
user1:$1$1233245435435345543545345sfsdfsfdf:13577:0:9:7:::
...

This seems to be consistent with the FreeBSD NIS Server behaviour
described in nis(8) manual page:

 To help prevent this, FreeBSD's NIS server handles the shadow password
 maps (master.passwd.byname and master.passwd.byuid) in a special way: the
 server will only provide access to these maps in response to requests
 that originate on privileged ports.  Since only the super-user is allowed
 to bind to a privileged port, the server assumes that all such requests
 come from privileged users.  All other requests are denied: requests from
 non-privileged ports will receive only an error code from the server.

So, it seems linux handles this the same way. Difference is linux has a
shadow.byname map while FreeBSD has a master.passwd.byname map
(possibly  also internal differences in the files)

Now, if I understand correctly, if I were to add the UNSECURE feature
in the FreeBSD server, I expect the shadow passwords would be inserted
in the passwd.byname map which is world readable and hence a security
issue. (Perhaps I will do this experiment next and let you know of the
outcome)
This is hardly important for my home server scenario, but it would be, 
should I decide to implement a FreeBSD NIS server somewhere else.
Hence,  the best possible solution would be to get a Makefile for the
FreeBSD NIS server that would produce completely Linux compatible maps.



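
Added example (not part of any message in this thread): a check for the two exposures discussed here, real hashes appearing in the world-readable passwd.byname map (the UNSECURE case) and an empty password field (the Ubuntu report). It reads passwd-format lines such as the output of `ypcat passwd.byname` run as an unprivileged user; the function names, verdict labels and all sample entries except the `user1` line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies the password field
# (field 2) of passwd-format NIS map lines read on stdin.
#
# Typical use on a client, as an unprivileged user:
#   ypcat passwd.byname | audit_passwd_map

# audit_passwd_map: prints "<user> <verdict>" for every entry.
# Exit status is 1 if any entry is EMPTY, HASH-EXPOSED or malformed,
# otherwise 0.
audit_passwd_map() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }      # skip blank lines and comments
        NF < 7 {                         # passwd format has 7 fields
            printf "%s malformed\n", $1; bad = 1; next
        }
        {
            pw = $2
            if (pw == "") {
                # Empty field: the account needs no password at all.
                verdict = "EMPTY"; bad = 1
            } else if (pw == "x" || pw == "*") {
                # The two placeholders mentioned in the thread.
                verdict = "placeholder"
            } else if (pw ~ /^[*!]/) {
                # Not a usable hash; the account is locked.
                verdict = "locked"
            } else {
                # Anything else is a hash any client user can read.
                verdict = "HASH-EXPOSED"; bad = 1
            }
            printf "%s %s\n", $1, verdict
        }
        END { exit (bad ? 1 : 0) }
    '
}

# sample_map: constructed input. The user1 line is the ypcat output
# quoted in the thread; the rest are made-up entries, and the user4
# hash is a placeholder string, not a real hash.
sample_map() {
    cat <<'EOF'
user1:x:1010:1010:Joe User,,,:/home/user1:/bin/bash
user2:*:1011:1011:Constructed User:/home/user2:/bin/sh
user3::1012:1012:Constructed User:/home/user3:/bin/sh
user4:$1$constructed$NotARealHashJustAPlaceholder:1013:1013:Constructed User:/home/user4:/bin/sh
user5:*LOCKED*:1014:1014:Constructed User:/home/user5:/bin/sh
EOF
}

# Demonstration run on the constructed sample.
sample_map | audit_passwd_map || true
```

A non-zero exit status makes the check usable from cron or a monitoring job after each map rebuild.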


Re: NIS interoperability with Linux, was Re: Following directions doesn't seem to work: Adding users in NIS

2007-10-16 Thread Lowell Gilbert
Manolis Kiagias [EMAIL PROTECTED] writes:

 Olivier Nicole wrote:
 Linux doesn't normally use master.passwd.  If I recall correctly, it
 uses /etc/shadow instead (but I don't have such a box at hand right now
 to check).  And yes, the internal format is different (and, again, I don't
 remember details).
 

 If I am not wrong, NIS does not know anything about master.passwd or
 shadow, it has only passwd.byname passwd.byuid as password maps, both
 maps including password in them.

 Olivier

 You are probably right, I don't remember the exact files right now, the
 thing is the maps are not linux compatible, so if anyone has a NIS
 Makefile for this, I'd be glad to get a copy. I already tried a patch I
 found but was not successful.

Don't patch anything.  Just edit /var/yp/Makefile to remove the
comment character from the UNSECURE line, rebuild, and you're done.  

This is fully explained inline in that file, as well as in the manual
for ypserv(8).


Re: NIS interoperability with Linux, was Re: Following directions doesn't seem to work: Adding users in NIS

2007-10-16 Thread Manolis Kiagias
Lowell Gilbert wrote:
 Manolis Kiagias [EMAIL PROTECTED] writes:

   
 Olivier Nicole wrote:
 
 Linux doesn't normally use master.passwd.  If I recall correctly, it
 uses /etc/shadow instead (but I don't have such a box at hand right now
 to check).  And yes, the internal format is different (and, again, I don't
 remember details).
 
 
 If I am not wrong, NIS does not know anything about master.passwd or
 shadow, it has only passwd.byname passwd.byuid as password maps, both
 maps including password in them.

 Olivier
   

   
 You are probably right, I don't remember the exact files right now, the
 thing is the maps are not linux compatible, so if anyone has a NIS
 Makefile for this, I'd be glad to get a copy. I already tried a patch I
 found but was not successful.
 

 Don't patch anything.  Just edit /var/yp/Makefile to remove the
 comment character from the UNSECURE line, rebuild, and you're done.  

 This is fully explained inline in that file, as well as in the manual
 for ypserv(8).


   
I've read this the first time I tried and decided not to go with it.
The manual says:
If you plan to use a FreeBSD system to serve non-FreeBSD
clients that have no support for password shadowing (which is
most of them), you will have to disable the password shadowing
entirely by uncommenting the UNSECURE=True entry in
 /var/yp/Makefile.

Linux certainly uses password shadowing, and I can see in my debian
server maps passwd.byname and shadow.byname files
If I perform ypcat passwd.byname from a client I get the standard passwd
file with no passwords (exactly like /etc/passwd)
The encrypted passwords are in the shadow.byname map.

Now, if I understand correctly, the above solution would put the
passwords in the passwd.byname map, thus making the system less secure,
where in fact I should be able to make FreeBSD export a shadow.byname
map that would be compatible with Linux.
Am I missing something here / are my assumptions wrong?


Re: NIS interoperability with Linux, was Re: Following directions doesn't seem to work: Adding users in NIS

2007-10-15 Thread Olivier Nicole
 Linux doesn't normally use master.passwd.  If I recall correctly, it
 uses /etc/shadow instead (but I don't have such a box at hand right now
 to check).  And yes, the internal format is different (and, again, I don't
 remember details).

If I am not wrong, NIS does not know anything about master.passwd or
shadow, it has only passwd.byname passwd.byuid as password maps, both
maps including password in them.

Olivier


Re: NIS interoperability with Linux, was Re: Following directions doesn't seem to work: Adding users in NIS

2007-10-15 Thread Manolis Kiagias


Olivier Nicole wrote:
 Linux doesn't normally use master.passwd.  If I recall correctly, it
 uses /etc/shadow instead (but I don't have such a box at hand right now
 to check).  And yes, the internal format is different (and, again, I don't
 remember details).
 

 If I am not wrong, NIS does not know anything about master.passwd or
 shadow, it has only passwd.byname passwd.byuid as password maps, both
 maps including password in them.

 Olivier


   
You are probably right, I don't remember the exact files right now, the
thing is the maps are not linux compatible, so if anyone has a NIS
Makefile for this, I'd be glad to get a copy. I already tried a patch I
found but was not successful.


Re: NIS server over IPv6

2007-08-31 Thread Mel
On Friday 31 August 2007 11:15:51 Prabhu Harihar wrote:

 I wish to know whether FreeBSD supports NIS server running over IPv6
 protocol?

 I'm clueless in getting information about NIS server over IPv6
 configuration and availability in any Unix flavors including *BSDs, Solaris
 or Linux distros.

Except from configuring IPv6 and host resolving correctly, I don't think 
there's anything different with respect to NIS. It's all based on host and 
domainnames, so if a domain has one or more hosts with only IPv6 address, 
then it'll use IPv6.

-- 
Mel


Re: NIS server over IPv6

2007-08-31 Thread Prabhu Harihar
I think, the underlying RPC portmapper needs to be ipv6-aware.  Whether
this is supported in FreeBSD?  Do you think no other configuration changes
needed for NIS server / client running natively over IPv6 network?

Thanks!

On 8/31/07, Mel [EMAIL PROTECTED] wrote:

 On Friday 31 August 2007 11:15:51 Prabhu Harihar wrote:

  I wish to know whether FreeBSD supports NIS server running over IPv6
  protocol?
 
  I'm clueless in getting information about NIS server over IPv6
  configuration and availability in any Unix flavors including *BSDs,
 Solaris
  or Linux distros.

 Except from configuring IPv6 and host resolving correctly, I don't think
 there's anything different with respect to NIS. It's all based on host and
 domainnames, so if a domain has one or more hosts with only IPv6 address,
 then it'll use IPv6.

 --
 Mel


Re: NIS server over IPv6

2007-08-31 Thread Mel
On Friday 31 August 2007 15:23:23 Prabhu Harihar wrote:

reformatted for clarity(tm)

 On 8/31/07, Mel [EMAIL PROTECTED] wrote:
  On Friday 31 August 2007 11:15:51 Prabhu Harihar wrote:
   I wish to know whether FreeBSD supports NIS server running over IPv6
   protocol?
  
   I'm clueless in getting information about NIS server over IPv6
   configuration and availability in any Unix flavors including *BSDs,
 
  Solaris
 
   or Linux distros.
 
  Except from configuring IPv6 and host resolving correctly, I don't think
  there's anything different with respect to NIS. It's all based on host
  and domainnames, so if a domain has one or more hosts with only IPv6
  address, then it'll use IPv6.
 
 I think, the underlying RPC portmapper needs to be ipv6-aware.  Whether
 this is supported in FreeBSD?  Do you think no other configuration changes
 needed for NIS server / client running natively over IPv6 network?

man rpcbind shows a -6 option, giving it the ability to only bind to IPv6 
addresses, so I assume it's IPv6 ready. I can't think of a network 
utility/daemon in stock FreeBSD that isn't actually.

-- 
Mel


Re: NIS and Kerberos 5 : is it possible / smart?

2006-08-10 Thread Garrett Cooper

Scott Peshak wrote:
 On 8/4/06, Garrett Cooper [EMAIL PROTECTED] wrote:
 Hi all,
 Just wondering if it's possible for NIS and Kerberos 5 to work in
 tandem with one another, such that NIS would handle groups and
 configuration file management and Kerberos would handle authentication
 only. Also, is this sort of overkill perhaps, where NIS is not really
 needed?
 I basically have 3+ machines (2 desktops, 1 laptop, currently), and
 I want to keep my credentials and information uniform across the
 machines as much as possible. The network I would be implementing this
 on is a low-traffic, private network.
 
 On my low-traffic, private network I use a combination of krb5 and
 hesiod.  If you're already running a dns server I would suggest at
 least a look at hesiod, you wouldn't need to add any new services.
 
 Scott

H... the only problem with this is that it doesn't look like it's
easily enabled out of the box for OSX authentication (assuming that I
actually did filesharing via hesiod).
-Garrett


Re: NIS and Kerberos 5 : is it possible / smart?

2006-08-10 Thread Tillman Hodgson
  On 8/4/06, Garrett Cooper [EMAIL PROTECTED] wrote:
  Hi all,
  Just wondering if it's possible for NIS and Kerberos 5 to work in
  tandem with one another, such that NIS would handle groups and
  configuration file management and Kerberos would handle authentication
  only. Also, is this sort of overkill perhaps, where NIS is not really
  needed?
  I basically have 3+ machines (2 desktops, 1 laptop, currently), and
  I want to keep my credentials and information uniform across the
  machines as much as possible. The network I would be implementing this
  on is a low-traffic, private network.

(sorry for hijacking another person's reply, but I didn't have the
 original post available to reply to)

Kerberos works fine with NIS. It's more secure if you run both over
IPsec (host-to-host transport mode for the local network) because that
ensures that the NIS maps themselves maintain integrity (secrecy isn't
needed with them, integrity is), though it's not necessary for many
environments.

This has come up on these lists a few times in the past. Here's some
links to the threads in the archives:

http://lists.freebsd.org/pipermail/freebsd-questions/2003-September/018487.html
http://lists.freebsd.org/pipermail/freebsd-questions/2003-September/018838.html
http://archives.neohapsis.com/archives/freebsd/2003-09/0224.html

-T


-- 
Who would have suspected that life was all going to turn out well?
-- Robert Allen


Re: NIS

2006-04-08 Thread Derek Ragona
Normally you add the account to the master then do a yppush to push the new 
maps out right away.


-Derek


At 09:15 PM 4/7/2006, [EMAIL PROTECTED] wrote:

I have nis setup and working great. I made a copy of master.passwd in
/var/yp and removed the system accounts. The manual says that when I add a
user to the primary server and issue make nisdomainname (in /var/yp) the
new user should be added to the nis maps. Am I missing something, as I
have to copy over master.passwd and remove all system accounts every time I
add an account. I know there has to be an easier way.

I am running FreeBSD 6.1(Current Branch)

Thanks for your time,

Freesbie



Re: NIS

2006-04-07 Thread Vulpes Velox
On Fri, 7 Apr 2006 20:15:15 -0600 (MDT)
[EMAIL PROTECTED] wrote:

 I have nis setup and working great. I made a copy of master.passwd
 in /var/yp and removed the system accounts. The manual says that
 when I add a user to the primary server and issue make
 nisdomainname (in /var/yp) the new user should be added to the nis
 maps. Am I missing something, as I have to copy over master.passwd
 and remove all system accounts every time I add an account. I know
 there has to be an easier way.
 
 I am running FreeBSD 6.1(Current Branch)

pw can be pointed at where you are storing the files for NIS. Look at
the man page for it.


Re: NIS versus LDAP authentication

2005-12-26 Thread Erik Norgaard

Brent wrote:

We are getting ready to migrate from a single super server solution to a group
of FreeBSD servers doing separate tasks... I was wondering what everyone's
opinions are on NIS versus LDAP for authentication... and if anyone can point me
at any good howtos for both NIS or LDAP in a multi server environment on
FreeBSD?


I think that unless you have a legacy NIS server to support, LDAP is the
way to go. LDAP system administration from O'Reilly is a good book
that tells you how to migrate your users and groups to LDAP and even how
to migrate NIS to LDAP.


  http://www.oreilly.com/catalog/ldapsa/index.html

The book is more a practical guide on how to instead of getting lost in 
technicalities and history.


Cheers, Erik

--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9


Re: NIS on FreeBSD 5.4/4.11

2005-10-14 Thread Lowell Gilbert
Michael Jeung [EMAIL PROTECTED] writes:

 Good evening all,
 
 I am desperately trying to get NIS working in my FreeBSD 5.4 and 4.11
 environment - specifically, I'm trying to get NIS set up such that a
 NIS client is able to change the password for an account.
 
 Like a good little rabbit, I have followed, step-by-step the NIS
 guide in the handbook:
 http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-nis.html
 
 In my test environment, I have two servers set up: BoxA and BoxB.
 BoxA is the NIS Master running 5.4, BoxB is the NIS client running
 4.11.   I have created a NIS user named charlie on BoxA.   I am
 able to log into BoxB as charlie.  Great so far, right?  ypcat
 demonstrates that the correct user on BoxB is coming down and ypwhich
 passwd shows that BoxA is BoxB's daddy.
 
 Now, I want to be able to change charlie's NIS password while I'm
 logged into BoxB.  Here's where I run into problems.  Whenever I run
 yppasswd or passwd as charlie, I get Permission Denied.  I know
 I've run into this error before (without ever being able to fix it)
 and after googling for quite some time, I've been unable to find
 anyone else who seems to be running into this problem -- but I know
 other people must have encountered this before, because I'm not doing
 anything fancy.  This is the most vanilla install of NIS I can create.
 
 If anyone has any hints on where I should look from here, I would
 very much appreciate it!

I just set it up yesterday with no problem, working from the same doc.
Have you got yppasswdd running?


Re: NIS problems on FreeBSD 5.4

2005-08-09 Thread Jeremy Utley
On 8/8/05, Dan Nelson [EMAIL PROTECTED] wrote:
 In the last episode (Aug 08), Jeremy Utley said:
  I'm trying to use FreeBSD 5.4 as an NIS client, and am encountering
  problems.  I've followed the instructions given in the FreeBSD docs
  (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-nis.html)
  successfully, but the system does not recognize my NIS users.
 
  Running ypcat passwd shows expected output:
 
  freebsd5# ypcat passwd
  Administrator:omitted:0:0::/root:/bin/bash
  jeremy:omitted:500:100::/home/jeremy:/bin/bash
  test:omitted:501:100::/home/test:/bin/bash
 
 You might want to change these passwords now that everyone knows the
 hash :)

No worries - this is a reserved network with no direct connectivity to
the net at large, otherwise I would have done so.  I suppose I should
also mention that the NIS master server is a W2K3 AD controller with
Services for Unix, but that doesn't seem to be involved, since a linux
system on the same NIS domain appears to work properly.

 
  However, when I try to login as any of these 3 users, it rejects the
  login - even using the id command fails:
 
  freebsd5# id jeremy
  id: jeremy: no such user
 
 You need either a plus line in your master.passwd file (best way to add
 it is to use the vipw command):
 
 +:

This part has already been done - it was part of the docs I followed
from the FreeBSD site.

 
 Or you need this in /etc/nsswitch.conf:
 
 passwd: files nis

Haven't done this...the passwd section of my current nsswitch.conf is:

passwd: compat
passwd_compat: nis

Adding this to nsswitch.conf seems to have resolved the problem -
perhaps doing so should be added to the docs.

Jeremy


Re: NIS problems on FreeBSD 5.4

2005-08-09 Thread Dan Nelson
In the last episode (Aug 09), Jeremy Utley said:
 On 8/8/05, Dan Nelson [EMAIL PROTECTED] wrote:
  In the last episode (Aug 08), Jeremy Utley said:
   I'm trying to use FreeBSD 5.4 as an NIS client, and am
   encountering problems.  I've followed the instructions given in
   the FreeBSD docs (
   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-nis.html
   ) successfully, but the system does not recognize my NIS users.
  
  You need either a plus line in your master.passwd file (best way to add
  it is to use the vipw command):
  
  +:
 
 This part has already been done - it was part of the docs I followed
 from the FreeBSD site.
 
  Or you need this in /etc/nsswitch.conf:
  
  passwd: files nis
 
 Haven't done this...the passwd section of my current nsswitch.conf is:
 
 passwd: compat
 passwd_compat: nis
 
 Adding this to nsswitch.conf seems to have resolved the problem -
 perhaps doing so should be added to the docs.

Only one is necessary.  You can remove the plus line from master.passwd
if you're using the passwd: files nis line.  With passwd: compat,
the NIS tables are consulted whenever there's a + or - line in
master.passwd and netgroups are used. With passwd: files nis, nis is
checked if the user isn't in the local passwd file, and you can't use
netgroups.  Also remember to change the group: line in nsswitch.conf
to match, and remove the + line from /etc/groups.

-- 
Dan Nelson
[EMAIL PROTECTED]
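
The two lookup styles described in the message above can be cross-checked mechanically. The following is an added example, not code from the thread or from FreeBSD: the function names are hypothetical, the file paths are passed as arguments, and the sample files in `demo_sample` are constructed.

```shell
#!/bin/sh
# Added example: cross-check nsswitch.conf against +/- entries in the
# local passwd and group files, following the compat vs. "files nis"
# explanation in the message above. All function names are hypothetical.

# Print the source list configured for database $2 in nsswitch file $1.
db_sources() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }                       # drop comments
        $1 == db { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Classify a source list: compat, nis, or local (neither is listed).
lookup_mode() {
    case " $1 " in
        *" compat "*) echo compat ;;
        *" nis "*)    echo nis ;;
        *)            echo local ;;
    esac
}

# True when file $1 contains a line starting with + or -.
has_plus_entry() {
    grep -q '^[+-]' "$1"
}

# Check one database. $1 = database name, $2 = mode, $3 = flat file.
check_db() {
    case "$2" in
        compat)
            if ! has_plus_entry "$3"; then
                echo "$1: compat is set but $3 has no +/- line, so NIS is not consulted"
                return 1
            fi ;;
        nis)
            if has_plus_entry "$3"; then
                echo "$1: nis is listed as a source, the +/- line in $3 is redundant"
                return 1
            fi ;;
        local)
            echo "$1: neither compat nor nis is configured"
            return 1 ;;
    esac
    return 0
}

# $1 = nsswitch.conf, $2 = master.passwd, $3 = group file.
# Prints one finding per line; returns 0 only when there are no findings.
nis_lookup_check() {
    rc=0
    pmode=$(lookup_mode "$(db_sources "$1" passwd)")
    gmode=$(lookup_mode "$(db_sources "$1" group)")
    check_db passwd "$pmode" "$2" || rc=1
    check_db group  "$gmode" "$3" || rc=1
    if [ "$pmode" != "$gmode" ]; then
        echo "passwd ($pmode) and group ($gmode) lookup modes differ"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: passwd was switched to "files nis" while group is
# still compat and the + line (9 colons) was left in master.passwd.
demo_sample() {
    d=$(mktemp -d) || return 1
    printf 'passwd: files nis\ngroup: compat\ngroup_compat: nis\n' > "$d/nsswitch.conf"
    printf 'root:*:0:0::0:0:Charlie &:/root:/bin/csh\n+:::::::::\n' > "$d/master.passwd"
    printf 'wheel:*:0:root\n+:*::\n' > "$d/group"
    findings=$(nis_lookup_check "$d/nsswitch.conf" "$d/master.passwd" "$d/group") || true
    rm -rf "$d"
    printf '%s\n' "$findings"
}

# With three paths, check real files; with no arguments, run the sample.
if [ "$#" -eq 3 ]; then
    nis_lookup_check "$@"
else
    demo_sample
fi
```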


Re: NIS problems on FreeBSD 5.4

2005-08-08 Thread Dan Nelson
In the last episode (Aug 08), Jeremy Utley said:
 I'm trying to use FreeBSD 5.4 as an NIS client, and am encountering
 problems.  I've followed the instructions given in the FreeBSD docs
 (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-nis.html)
 successfully, but the system does not recognize my NIS users.
 
 Running ypcat passwd shows expected output:
 
 freebsd5# ypcat passwd
 Administrator:omitted:0:0::/root:/bin/bash
 jeremy:omitted:500:100::/home/jeremy:/bin/bash
 test:omitted:501:100::/home/test:/bin/bash

You might want to change these passwords now that everyone knows the
hash :)
 
 However, when I try to login as any of these 3 users, it rejects the
 login - even using the id command fails:
 
 freebsd5# id jeremy
 id: jeremy: no such user

You need either a plus line in your master.passwd file (best way to add
it is to use the vipw command):

+:

Or you need this in /etc/nsswitch.conf:

passwd: files nis


-- 
Dan Nelson
[EMAIL PROTECTED]


Re: NIS login - argh!

2005-02-27 Thread Tom Huppi

Follow-up Follow-up (for google'rs):

On Thu, 17 Feb 2005, Tom Huppi wrote:

 *NOTE* to those fighting these issues (and seeing this via google
 or some such...):  There seems to be some sort of a bug which is
 tickled by this kind of fooling around.  It manifests itself by
 setting the user's account expire time to 1969!  This kept me
 occupied for _hours_ when I couldn't even get that user's account
 to let me log in when I made things completely local and unplugged
 the stupid machine from the network!

 Try:  # chpass {user}  to see what I mean.

This wasn't a bug per-se.  More it was a result of my entering the
wrong items in the wrong fields when using 'vipw'.  man(5) passwd
is what I should have done rather than relying on my faulty
memory.

At any rate, chpass(1) is a good utility to keep in mind if
you struggle with logins that don't work.

Thanks,

 - Tom


Re: NIS login - argh!

2005-02-17 Thread Tom Huppi

Follow-up:

No clear resolution.  I believe that _perhaps_ the problem is, in
part, that the NIS server is not serving master.passwd even though
it claims to be (i.e., 'ypwhich -x' shows it.)  Anyone know if
that map needs to be distributed in order for 5.3-ish NIS clients
to work?

*NOTE* to those fighting these issues (and seeing this via google
or some such...):  There seems to be some sort of a bug which is
tickled by this kind of fooling around.  It manifests itself by
setting the user's account expire time to 1969!  This kept me
occupied for _hours_ when I couldn't even get that user's account
to let me log in when I made things completely local and unplugged
the stupid machine from the network!

Try:  # chpass {user}  to see what I mean.

I'm functional now only by turning off NIS in /etc/nsswitch.conf
and maintaining a local password entry :( It is worth note,
however, that the $1$xxx style (md5) password hash from the Linux
side _does_ work and is _not_ a problem.

Thanks,

 - Tom


On Thu, 17 Feb 2005, Tom Huppi wrote:


 I've never had much trouble getting NIS to work before.  Can
 anyone make any debugging suggestions? ...

 My machine: 5.3-STABLE (makeworld update from 5.1 orig circa early
 Jan 05.)

 NIS actually seems to be working fine...

 gila# ypcat -k passwd | grep tomh
 tomh tomh:$1$hZ...UK/:1012:500:Tom Huppi:/home/tomh:/bin/tcsh

 Also:

  - /etc/shells exists and has /bin/tcsh
  - /bin/tcsh exists
  - no other 'tomh' user or 1012 uid in local passwd file
  - home dir automounts fine when I cd to it.

 I've tried various things with /etc/nsswitch.conf, and the latest
 is:

  ...
  group: compat
  group_compat: nis
  ...
  passwd: compat
  passwd_compat: nis
  ...

 while I adjust my passwd file with 'vipw' making the last line:
   +:
 which generates an /etc/password tail of:
   +:*:
 (I've tried this w/ and w/o the '*')
 with /etc/groups similar.

 I also tried
   passwd: files nis
   passwd_compat:
 with and without the trailing +::... to no avail.

 Always I get a 'login incorrect' message and nothing of any real
 interest in the /var/log/messages.  Is there somewhere else to
 look for debug?  I tried fooling with /etc/pam.d/passwd (to turn
 on debugging) but it had no effect which I could see.  I'm really
 not sure if I'm even using pam or what?

 It is interesting to note that I can generate another hash for
 another user locally with the same password and I get a different
 hash (which also starts out $1$ meaning MD5 I guess.)  In fact, I
 never get the same hash even when I use the same password it
 seems?!

 The NIS server is a FreeBSD box, but I don't have access to see
 what exactly (though I know it to be 5.x)  It serves many
 Fedora-II boxes just fine, and they have 'files nis' in their
 nsswitch.conf.

 I've also tried adding an entry in my local passwd file which is
 identical to what is served out with no joy.

 I'm at my wits end here.  I've x-checked all of the problems I
 could find referenced in google searches.  I see some references
 about a 'gradual migration' to pam (specifically in the
 /etc/auth.conf file), but I don't know what stage that is in, and
 what it entails.  If any one has any tips, ideas, or suggestions,
 I'd love to hear them.

 Thanks,

  - Tom






Re: NIS

2005-01-05 Thread Brian McCann
Nope...just tried that with no luck.  Thanks though.  Any other ideas anyone?

--Brian


On Tue, 04 Jan 2005 15:43:40 -0800, Bob Van Zant [EMAIL PROTECTED] wrote:
 Are your dates screwed up? By that I mean is master.passwd newer than
 your NIS file? Try touch(1)ing your NIS file and then running make.
 
 I've never actually setup NIS before. My comment is just based on my
 experiences with make.
 
 -Bob
 
 On Tue, 2005-01-04 at 17:29 -0500, Brian McCann wrote:
  HI all...I'm having a NIS problem I can't figure out.  I've done this
  before on 4.7, and countless other times on RedHat...but this is
  evading me.  I'm trying to re-make my databases since I've added a
  user, I go into /var/yp and run make mynis and get `mynis' is up to
  date., which I know can't be right.  I've got to be missing something
  somewhere.
   I've added the line to the Makefile MASTER_PASSWD =
  /etc/master.passwd so that YP uses the file in /etc...or at
  least...that's all I recall having to do on 4.7, and doctored up the
  sections that involve the passwd files changed it to only look at UIDs
  greater than 3.
   Can someone point out my probably obvious mistake?
 
  Thanks,
  --Brian
 



Re: NIS

2005-01-05 Thread Micheal Patterson

- Original Message - 
From: Brian McCann [EMAIL PROTECTED]
To: FreeBSD mailinglist freebsd-questions@freebsd.org
Cc: Bob Van Zant [EMAIL PROTECTED]
Sent: Wednesday, January 05, 2005 7:36 AM
Subject: Re: NIS


Nope...just tried that with no luck.  Thanks though.  Any other ideas anyone?

--Brian
On Tue, 04 Jan 2005 15:43:40 -0800, Bob Van Zant [EMAIL PROTECTED] wrote:
Are your dates screwed up? By that I mean is master.passwd newer than
your NIS file? Try touch(1)ing your NIS file and then running make.
I've never actually setup NIS before. My comment is just based on my
experiences with make.
-Bob
On Tue, 2005-01-04 at 17:29 -0500, Brian McCann wrote:
 HI all...I'm having a NIS problem I can't figure out.  I've done this
 before on 4.7, and countless other times on RedHat...but this is
 evading me.  I'm trying to re-make my databases since I've added a
 user, I go into /var/yp and run make mynis and get `mynis' is up to
 date., which I know can't be right.  I've got to be missing something
 somewhere.
  I've added the line to the Makefile MASTER_PASSWD =
 /etc/master.passwd so that YP uses the file in /etc...or at
 least...that's all I recall having to do on 4.7, and doctored up the
 sections that involve the passwd files changed it to only look at UIDs
 greater than 3.
  Can someone point out my probably obvious mistake?

 Thanks,
 --Brian

If you've added a user with adduser and need to update your nis maps, cd 
/var/yp and type make.

--
Micheal Patterson
TSG Network Administration
405-917-0600



Re: NIS

2005-01-04 Thread Bob Van Zant
Are your dates screwed up? By that I mean is master.passwd newer than
your NIS file? Try touch(1)ing your NIS file and then running make.

I've never actually setup NIS before. My comment is just based on my
experiences with make.

-Bob

On Tue, 2005-01-04 at 17:29 -0500, Brian McCann wrote:
 HI all...I'm having a NIS problem I can't figure out.  I've done this
 before on 4.7, and countless other times on RedHat...but this is
 evading me.  I'm trying to re-make my databases since I've added a
 user, I go into /var/yp and run make mynis and get `mynis' is up to
 date., which I know can't be right.  I've got to be missing something
 somewhere.
  I've added the line to the Makefile MASTER_PASSWD =
 /etc/master.passwd so that YP uses the file in /etc...or at
 least...that's all I recall having to do on 4.7, and doctored up the
 sections that involve the passwd files changed it to only look at UIDs
 greater than 3.
  Can someone point out my probably obvious mistake?
 
 Thanks,
 --Brian


Re: NIS and non-NIS question

2004-12-11 Thread Vulpes Velox
On Sat, 11 Dec 2004 01:33:43 -0500
Chuck Swiger [EMAIL PROTECTED] wrote:

 Vulpes Velox wrote:
  I have a box I want to rework to allow it to operate outside a NIS
  environment when outside my LAN and use NIS and NFS when it is not.
  Any suggestions on how to go about this?
 
 Set up a cron job to invoke a shell script which rsync's your YP
 master's password file (and /etc/group, and anything else you might
 care about) when you are on your LAN, and not if you are not, every
 X minutes.  Have it run pwd_mkdb too.  Maybe add a little awk or
 perl magic spice to add or screen out a range of userid's.  Then
 disable NIS and rely on plain old flatfiles.
 
 If you use rsync-via-ssh (which is now the default behavior), the
 process above will transmit sensitive password data with
 considerably more security than you get when using plain NIS.  On
 the other hand, if you are running NFS, your risk profile against
 someone who can sniff your local subnet isn't significantly altered,
 so don't worry too much about this, but the issue of security is
 worth considering at least a little.
 
 For NFS, you might give the automounter (see man amd) a try.  So
 long as you don't descend into a mount point deliberately (or
 accidentally via recursion using find, grep, etc), the machine will
 not actually attempt to NFS-mount the remote filesystem.
 
 For that matter, you might even consider switching models of
 operation to using CIFS/samba instead of NFS.  Oddly enough, even
 though NFS is a stateless remote filesharing system by design, it's
 pretty easy to wedge a lot of important processes if an NFS share
 becomes not available.  MacOS X seems to tolerate CIFS shares going
 away better than it handles NFS going away, and FreeBSD might well
 be similar.  (I haven't exhaustively tested either problem case
 *deliberately*, mind you...! :-)

Not using fstab because of that :)

What I am doing is I run a small program to fingerprint my server and
then dump it all to a file. I then hash that file. When it starts up
it reruns that trying to grab info for that IP and then it is hashed
and compared to what the hash is supposed to be. If they don't match
it mounts 127.0.0.1:/usr/localhome to /usr/home. If it does match, it
runs a different script that mounts the stuff that should be mounted
for being on the LAN.



Anyway, got my big problem with it sorted out... was forgetting to
rebuild the password database.


BTW anyone know of any way to change the timeout time for getting a
NIS password?
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: NIS and non-NIS question

2004-12-10 Thread Chuck Swiger
Vulpes Velox wrote:
 I have a box I want to rework to allow it to operate outside a NIS
 environment when outside my LAN and use NIS and NFS when it is not. Any
 suggestions on how to go about this?

Set up a cron job to invoke a shell script which rsync's your YP master's 
password file (and /etc/group, and anything else you might care about) when 
you are on your LAN, and not if you are not, every X minutes.  Have it run 
pwd_mkdb too.  Maybe add a little awk or perl magic spice to add or screen out 
a range of userid's.  Then disable NIS and rely on plain old flatfiles.

If you use rsync-via-ssh (which is now the default behavior), the process 
above will transmit sensitive password data with considerably more security 
than you get when using plain NIS.  On the other hand, if you are running NFS, 
your risk profile against someone who can sniff your local subnet isn't 
significantly altered, so don't worry too much about this, but the issue of 
security is worth considering at least a little.

For NFS, you might give the automounter (see man amd) a try.  So long as you 
don't descend into a mount point deliberately (or accidentally via recursion 
using find, grep, etc), the machine will not actually attempt to NFS-mount the 
remote filesystem.

For that matter, you might even consider switching models of operation to 
using CIFS/samba instead of NFS.  Oddly enough, even though NFS is a stateless 
remote filesharing system by design, it's pretty easy to wedge a lot of 
important processes if an NFS share becomes not available.  MacOS X seems to 
tolerate CIFS shares going away better than it handles NFS going away, and 
FreeBSD might well be similar.  (I haven't exhaustively tested either problem 
case *deliberately*, mind you...! :-)

--
-Chuck
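
The "screen out a range of userid's" step from the message above, as an added example that is not code from the thread: the function names, the 1000-1999 UID range and the sample entries in `demo_merge` are assumptions made for illustration. It keeps local accounts outside the synced range, drops the NIS `+` line, and refuses fetched entries that are malformed, out of range (including UID 0) or that would shadow a local account name.

```shell
#!/bin/sh
# Added example: merge a password file fetched from the YP master into a
# local master.passwd, admitting only UIDs inside a chosen range.
# Function names, the UID range and the sample data are hypothetical.

# merge_accounts LOCAL FETCHED MIN_UID MAX_UID
# Writes the merged file to stdout and one "skipped" note per rejected
# fetched line to stderr.
merge_accounts() {
    awk -F: -v min="$3" -v max="$4" '
        function skip(why) {
            printf "skipped line %d of fetched file: %s\n", FNR, why > "/dev/stderr"
        }
        # Local file: keep everything outside the synced range and
        # remember the names so a fetched entry cannot shadow them.
        FILENAME == ARGV[1] {
            if ($0 ~ /^[+-]/) next               # NIS is being disabled
            if ($3 ~ /^[0-9]+$/ && $3 + 0 >= min && $3 + 0 <= max) next
            print; seen[$1] = 1; next
        }
        # Fetched file: validate before accepting anything.
        NF != 10                           { skip("wrong field count"); next }
        $1 !~ /^[A-Za-z_][A-Za-z0-9_.-]*$/ { skip("bad login name"); next }
        $3 !~ /^[0-9]+$/                   { skip("non-numeric uid"); next }
        $3 + 0 < min || $3 + 0 > max       { skip("uid outside synced range"); next }
        $1 in seen                         { skip("name already present"); next }
        { print; seen[$1] = 1 }
    ' "$1" "$2"
}

# Constructed sample data. Password fields are "*" placeholders.
demo_merge() {
    d=$(mktemp -d) || return 1
    cat > "$d/local" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:*:1001:1001::0:0:stale copy:/home/alice:/bin/sh
+:::::::::
EOF
    cat > "$d/fetched" <<'EOF'
toor:*:0:0::0:0:second uid 0 account:/root:/bin/sh
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1001::0:0:Bob:/home/bob:/bin/sh
daemon:*:1500:1::0:0:shadows a local name:/root:/bin/sh
broken:*:1003:1001:/home/broken:/bin/sh
EOF
    merge_accounts "$d/local" "$d/fetched" 1000 1999
    rm -rf "$d"
}

# With four arguments, merge real files; with none, run the sample.
if [ "$#" -eq 4 ]; then
    merge_accounts "$@"
else
    demo_merge
fi
```

The merged output would go to a temporary file first and only then be installed with pwd_mkdb, as the message describes.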


Re: NIS issue

2004-10-11 Thread William Bierman
 I may be misunderstanding what you are saying here, but master.passwd
 on the slave servers should never get updated with NIS information.
 That line that goes at the end tells the authentication process to
 look to NIS for further information...same goes with the line that
 goes in the group file.  To test that NIS is working correctly, try
 using ypcat on a client/slave server to see if it can pull the maps
 from the primary server.  If that doesn't work, I may be able to shed
 some other light on your problem.  (as usual, just include any error
 messages)

ypcat 'works' in the sense that it displays information, but the
information it displays is old, and not synchronous with the master
server.  This is only the case for master.passwd, however.  ypcat
passwd shows the correct information (thus things that use passwd
rather than master.passwd; ie finger work fine).  Because of this,
there really is no error message to include.

Hope that is more specific, and I appreciate your assistance.

(sorry, Brian if you get this twice.  I didn't realize there was no
Reply-to to redirect my message to the list)

Regards,

Bill


Re: NIS issue

2004-10-11 Thread William Bierman
 Be hot on typo.
 
 My case :
 
 % sudo tail -1 /etc/ma*d
 +:
 % sudo tail -1 /etc/ma*d|wc -c
   11
 %

Sorry, this was a typo in my email, not the master.passwd.  There are
9 colons in the actual file.

(Again apologies if you get this multiple times .. it's late and I did
not notice the lack of a Reply-to address)

Bill


Re: NIS issue

2004-10-11 Thread Brian McCann
Interesting...something that pops into my mind is something obvious
since it was stated in the handbook, but needs to be said
anyway...when you add stuff to the master.passwd file, do you re-make
the database?  Also, if you follow the directions in the handbook,
they suggest you make a different master.passwd file in /var/yp to
store the accounts that go into nis...I re-wrote the make file
section for passwd.* and told it to look to /etc/passwd where the UID
is greater than 1000...and it works great for me...if you'd like a
copy of the entries in the Makefile, I'll send them to you.  It sounds
like that's what's going on (and I've had endless students make this
mistake in class as well...it's a common one).

--Brian


On Sun, 10 Oct 2004 21:44:18 -1000, William Bierman [EMAIL PROTECTED] wrote:
  Be hot on typo.
 
  My case :
 
  % sudo tail -1 /etc/ma*d
  +:
  % sudo tail -1 /etc/ma*d|wc -c
11
  %
 
 Sorry, this was a typo in my email, not the master.passwd.  There are
 9 colons in the actual file.
 
 (Again apologies if you get this multiple times .. it's late and I did
 not notice the lack of a Reply-to address)
 
 
 
 Bill


Re: NIS issue

2004-10-11 Thread William Bierman
 Interesting...something that pops into my mind is something obvious
 since it was stated in the handbook, but needs to be said
 anyway...when you add stuff to the master.passwd file, do you re-make
 the database?  Also, if you follow the directions in the handbook,
 they suggest you make a different master.passwd file in /var/yp to
 store the accounts that go into nis...I re-wrote the make file
 section for passwd.* and told it to look to /etc/passwd where the UID
 is greater than 1000...and it works great for me...if you'd like a
 copy of the entries in the Makefile, I'll send them to you.  It sounds
 like that's what's going on (and I've had endless students make this
 mistake in class as well...it's a common one).

Yes, I have re-made the database multiple times, and I have copied my
master.passwd to /var/yp beforehand every time I did it.  You make an
interesting suggestion, however.  Is there something magical about the
number 1000 as it pertains to UIDs?  All of my users have UIDs above
this number.  The very odd thing about this issue is the information
that the server is giving out is not on the master anywhere that I can
find.  /var/yp/cluster/master.passwd.* (cluster is my NIS domain)
seems to contain the current and correct information.  I even
attempted a find / -exec grep (on test -r files only) for this
information, and came up with nothing.

Thanks again for your assistance!

Bill


Re: NIS issue (now resolved!)

2004-10-11 Thread William Bierman
 Interesting...something that pops into my mind is something obvious
 since it was stated in the handbook, but needs to be said
 anyway...when you add stuff to the master.passwd file, do you re-make
 the database?  Also, if you follow the directions in the handbook,
 they suggest you make a different master.passwd file in /var/yp to
 store the accounts that go into nis...I re-wrote the make file
 section for passwd.* and told it to look to /etc/passwd where the UID
 is greater than 1000...and it works great for me...if you'd like a
 copy of the entries in the Makefile, I'll send them to you.  It sounds
 like that's what's going on (and I've had endless students make this
 mistake in class as well...it's a common one).

I solved the problem!  It turns out there were other machines on the
network which somehow or another turned themselves into slave servers,
and were propagating the old information.  I did rm -rf
/var/yp/cluster on all of them, and rebooted them all, and now it
works.

Thanks for your assistance, Brian!

Bill


Re: NIS issue

2004-10-10 Thread horio shoichi
On Sun, 10 Oct 2004 12:55:06 -1000
William Bierman [EMAIL PROTECTED] wrote:
 Hello.  I have searched the archives for this, to no avail.
 
 I am attempting to setup an NIS domain.  I have followed the steps in
 the handbook, and have successfully setup my master and clients (I have
 no slave server, as this is a small domain).  The relevant information
 is propagated correctly to all slave servers, with the exception of
 master.passwd.  This contains very old information.
 
 I do have * in my /etc/master.passwd file on each client machine.
 /var/yp/master.passwd is chmod 600 on the master machine
 
 Can anyone shed some light on this issue?
 
 Thanks,
 
 Bill
 

Be hot on typo.

My case :

% sudo tail -1 /etc/ma*d
+:::::::::
% sudo tail -1 /etc/ma*d|wc -c
  11
%

As you see, nine colons are necessary after plus.



horio shoichi

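The field counts discussed above (a plus sign followed by nine colons in master.passwd, `+:*::` in group) can be checked mechanically. The sh function below is an added example, not part of any post in this thread; the name check_compat and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: lint the NIS compat ("+"/"-") entries of a passwd-format
# file. The function name and all sample data are constructed.
#
# master.passwd has 10 colon-separated fields, so "+" needs nine colons;
# group has 4 fields, so its entry is "+:*::".

# check_compat FILE NFIELDS
# Prints every +/- entry whose field count is wrong. Returns 0 only when
# no entry is malformed and a catch-all "+" entry is present.
check_compat() {
    awk -F: -v want="$2" '
        /^[+-]/ {
            if (NF != want) {
                printf "line %d: %d fields, expected %d: %s\n", NR, NF, want, $0
                bad++
            } else if ($1 == "+") {
                catchall++
            }
        }
        END {
            if (!catchall) print "no well-formed catch-all + entry"
            exit ((bad || !catchall) ? 1 : 0)
        }' "$1"
}

# Constructed demonstration files (password fields are "*", no real hashes).
demo_dir=$(mktemp -d)
printf '%s\n' 'alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh' \
              '+:::::::::' > "$demo_dir/master.passwd.ok"
printf '%s\n' 'alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh' \
              '+::::::::' > "$demo_dir/master.passwd.short"   # eight colons
printf '%s\n' 'wheel:*:0:root' '+:*::' > "$demo_dir/group.ok"

for spec in master.passwd.ok:10 master.passwd.short:10 group.ok:4; do
    f=${spec%:*}
    n=${spec#*:}
    if check_compat "$demo_dir/$f" "$n"; then
        echo "$f: ok"
    else
        echo "$f: needs fixing"
    fi
done
rm -rf "$demo_dir"
```

On a real client the arguments would be /etc/master.passwd with 10 and /etc/group with 4; reading master.passwd requires root.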


Re: NIS issue

2004-10-10 Thread Brian McCann
I may be misunderstanding what you are saying here, but master.passwd
on the slave servers should never get updated with NIS information. 
That line that goes at the end tells the authentication process to
look to NIS for further information...same goes with the line that
goes in the group file.  To test that NIS is working correctly, try
using ypcat on a client/slave server to see if it can pull the maps
from the primary server.  If that doesn't work, I may be able to shed
some other light on your problem.  (as usual, just include any error
messages)

Hope that helps,
--Brian


On Sun, 10 Oct 2004 12:55:06 -1000, William Bierman [EMAIL PROTECTED] wrote:
 Hello.  I have searched the archives for this, to no avail.
 
 I am attempting to setup an NIS domain.  I have followed the steps in
 the handbook, and have successfully setup my master and clients (I have
 no slave server, as this is a small domain).  The relevant information
 is propagated correctly to all slave servers, with the exception of
 master.passwd.  This contains very old information.
 
 I do have * in my /etc/master.passwd file on each client machine.
 /var/yp/master.passwd is chmod 600 on the master machine
 
 Can anyone shed some light on this issue?
 
 Thanks,
 
 Bill


Re: nis/yp question about password file

2004-09-21 Thread Evren Yurtesen
David Wolfskill wrote:
  can anybody tell what changed in nis/yp that it doesn't work as before
  anymore?
 PAM, perhaps?

Ah well, I figured the problem out actually... I was too impatient when 
I sent the email... I just upgraded my master nis server to a completely 
new machine and the old one was working in a different IP. Somehow the 
4.x freebsd version clients were connecting to the new one and the 5.x 
freebsd version clients were connecting to the old one... The old one 
had the old passwd file so 5.x versions showed the old data which seemed 
to be funnily wrong.

Now when I disabled NIS server in the old 4.x FreeBSD master server I 
was using, everything came back to normal.

I was so stupid :)
Thanks,
Evren


RE: NIS on a school network - need some clarifications

2004-08-25 Thread LiQuiD
Hi Hugo,

Look to NFS to do that for you.  Here's a link to a page in the online
handbook.  NFS can do exactly what you want

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-nfs.html

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:owner-freebsd-
 [EMAIL PROTECTED] On Behalf Of Hugo Silva
 Sent: Wednesday, August 25, 2004 10:36 AM
 To: [EMAIL PROTECTED]
 Subject: NIS on a school network - need some clarifications
 
 Hi,
 
 I'm working on a project to change the network on my school to open
 source software only (FreeBSD/Linux workstations only).
 
 I knew about NIS from readings of the handbook years ago, so I
 revisited it today, but there is something that's missing. I understand
 the NIS accounts reside on the master server and I have to add users on
 the master server. But then, users on workstations will have their home
 directories etc referring only to the local machine.
 
 I want to have users get their home directories from a central location
 too. Is there any 'official' process to make this work, with NIS if
 possible ?
 
 I plan to have a 'student-shared-area' that will be NFS mounted on
 every workstation on boot, but I want each user to have their files
 available, wherever they login from.
 
 Also, I assume there is no problem in using NIS accounts with X. From
 the logic of it, there shouldn't be any problems.
 
 A few last questions,
 
 Since I plan to switch the whole network from windows to FreeBSD /
 Linux (only adding linux because other people want it :-P), I'll need
 to substitute the following applications:
 
 - Visual C++ (anjuta)
 - MS Access  (?)
 
 I don't know much about access, but I believe it's possible to have a
 ms-access database server.. if that's the case, is there a open source
 client with a similar GUI to ms access available ? (note: mysql/etc
 won't do, the school program says ms access, so we need something
 similar)
 
 
 Any insight on these issues is most welcome
 
 Regards,
 
 Hugo
 
 


Re: NIS on a school network - need some clarifications

2004-08-25 Thread Vulpes Velox
On Wed, 25 Aug 2004 14:36:03 - (GMT)
Hugo Silva [EMAIL PROTECTED] wrote:

 Hi,
 
 I'm working on a project to change the network on my school to open
 source software only (FreeBSD/Linux workstations only).
 
 I knew about NIS from readings of the handbook years ago, so I
 revisited it today, but there is something that's missing. I
 understand the NIS accounts reside on the master server and I have
 to add users on the master server. But then, users on workstations
 will have their home directories etc referring only to the local
 machine.
 
 I want to have users get their home directories from a central
 location too. Is there any 'official' process to make this work,
 with NIS if possible ?
 
 I plan to have a 'student-shared-area' that will be NFS mounted on
 every workstation on boot, but I want each user to have their files
 available, wherever they login from.
 
 Also, I assume there is no problem in using NIS accounts with X.
 From the logic of it, there shouldn't be any problems.

NIS exports info from a passwd file.  So this will include user
information and etc... groups can also be exported too... the means
using NFS you can export a file system or place on a fs. Allowing you
to export /usr/home or the like

 A few last questions,
 
 Since I plan to switch the whole network from windows to FreeBSD /
 Linux(only adding linux because other people want it :-P), I'll need
 to substitute the following applications:

 - Visual C++ (anjuta)
 - MS Access  (?)

Just browse till you find a few you like... I personally like
xemacs... eclipse and a few others may be a possibility too.


For Databases, there are quite a few available... check them out till
you find one that fits what you need.

 I don't know much about access, but I believe it's possible to have
 a ms-access database server.. if that's the case, is there a open
 source client with a similar GUI to ms access available ? (note:
 mysql/etc won't do, the school program says ms access, so we need
 something similar)

If the school's whack jobs say you need specifically MS Access, you
are screwed then since afaik it has not been ported to any thing
except windows yet.


Re: NIS on a school network - need some clarifications

2004-08-25 Thread Hugo Silva
 NIS exports info from a passwd file.  So this will include user
 information and etc... groups can also be exported too... the means
 using NFS you can export a file system or place on a fs. Allowing you
 to export /usr/home or the like

Point well taken, I didn't think on this. Should do the trick :-)

 If the school's whack jobs say you need specifically MS Access, you
 are screwed then since afaik it has not been ported to any thing
 except windows yet.


Tell me about it. Who knows if they'll end up using mysql & mysqlcc
instead :-P

Thanks for the suggestions



Re: NIS on a school network - need some clarifications

2004-08-25 Thread Andrew L. Gould
On Wednesday 25 August 2004 09:36 am, Hugo Silva wrote:
 Hi,

 I'm working on a project to change the network on my school to open
 source software only (FreeBSD/Linux workstations only).
snip

 Since I plan to switch the whole network from windows to FreeBSD /
 Linux (only adding linux because other people want it :-P), I'll need
 to substitute the following applications:

 - Visual C++ (anjuta)
 - MS Access  (?)

 I don't know much about access, but I believe it's possible to have a
 ms-access database server.. if that's the case, is there a open
 source client with a similar GUI to ms access available ? (note:
 mysql/etc won't do, the school program says ms access, so we need
 something similar)


 Any insight on these issues is most welcome

 Regards,

 Hugo

Hugo,

You're out of luck where MS Access is concerned.  FreeBSD comes with 
several outstanding database servers; but nothing that matches MS 
Access as a RAD for database clients or a tool for complex, ad hoc 
analysis.  Access makes for a lousy server; but excels as a GUI client.

You can install MS Access on Linux using Codeweaver's Crossover Office 
(a WINE thing); but it seems to have memory limitations, and crashes 
under moderate workloads.

MS Access (Win2K or XP Pro) + PostgreSQL (FreeBSD) is a very powerful 
combination.  

Best of luck,

Andrew Gould


Re: NIS on a school network - need some clarifications

2004-08-25 Thread Lee Harr
 I'm working on a project to change the network on my school to open source
 software only (FreeBSD/Linux workstations only).

Excellent. Some lucky students there!

 I knew about NIS from readings of the handbook years ago, so I revisited
 it today, but there is something that's missing. I understand the NIS
 accounts reside on the master server and I have to add users on the master
 server. But then, users on workstations will have their home directories
 etc referring only to the local machine.

I considered doing the same thing... using NFS mounts. My problem with
it was security. I think NFS v4 has better security. I ended up using thin
clients to one single server. Works quite well. Depends on how many
clients you need though.

 Since I plan to switch the whole network from windows to FreeBSD / Linux
 (only adding linux because other people want it :-P), I'll need to
 substitute the following applications:
 - Visual C++ (anjuta)

KDevelop is quite nice

 - MS Access  (?)

There are a few still in early stages of development. I think
that Kexi (http://www.koffice.org/kexi/) and rekall
(http://www.rekallrevealed.org/) are the most access-like,
but there are others too...

 I don't know much about access, but I believe it's possible to have a
 ms-access database server.. if that's the case, is there a open source
 client with a similar GUI to ms access available ? (note: mysql/etc won't
 do, the school program says ms access, so we need something similar)

I think that's backwards, really. The database that comes with
access is pretty weak, but many people use access as a front end
to better database engines like postgresql.


Re: NIS server selection

2004-07-08 Thread Dan Nelson
In the last episode (Jul 08), Doug Hardie said:
 I have NIS running on a few servers.  I have had them configured with
 the -S option with only their host name so they would use the local
 resolver.  However, after a few problems with ypserv dying I tried
 adding additional servers to the -S list.  Everything was as normal
 till I killed ypserv on the local machine.  Then it switched to the
 first host listed after the local name in the -S list.  Access to NIS
 records worked fine.
 
 Then I tried to revert back to the local server.  Restarting ypserv
 had no effect.  NIS requests were still sent to the other server.  I
 killed ypbind and restarted it with the full list.  All requests were
 still sent to the other server.  I killed ypbind again and restarted
 it with just the local server in the -S list.  The request then were
 split about half and half with the local server and other server. 
 How does ypbind know about the other server anymore?

Running processes will talk to the server they originally made a
connection to, until that connection fails.  Only then will they
contact their local ypbind and ask for another server.  ypbind is not
contacted on every lookup.
 
 I had to kill ypserv on the other server, wait for some requests to 
 timeout (ypbind is a persistent bugger) and then it switched.  Surely 
 there has to be an easier way to do this.  I am trying to have ypbind 
 use the local server if it's working and otherwise one of the other 
 servers.  If the local ypbind gets restarted I would like it to revert 
 back to using it.

The best you can do is make sure ypwhich points to the local machine
so that subsequent processes will use it.  You can't force existing
processes to switch.

-- 
Dan Nelson
[EMAIL PROTECTED]


Re: NIS server selection

2004-07-08 Thread Doug Hardie
On Jul 8, 2004, at 13:44, Dan Nelson wrote:

 In the last episode (Jul 08), Doug Hardie said:
  I have NIS running on a few servers.  I have had them configured with
  the -S option with only their host name so they would use the local
  resolver.  However, after a few problems with ypserv dying I tried
  adding additional servers to the -S list.  Everything was as normal
  till I killed ypserv on the local machine.  Then it switched to the
  first host listed after the local name in the -S list.  Access to NIS
  records worked fine.
  
  Then I tried to revert back to the local server.  Restarting ypserv
  had no effect.  NIS requests were still sent to the other server.  I
  killed ypbind and restarted it with the full list.  All requests were
  still sent to the other server.  I killed ypbind again and restarted
  it with just the local server in the -S list.  The request then were
  split about half and half with the local server and other server.
  How does ypbind know about the other server anymore?
 
 Running processes will talk to the server they originally made a
 connection to, until that connection fails.  Only then will they
 contact their local ypbind and ask for another server.  ypbind is not
 contacted on every lookup.
 
  I had to kill ypserv on the other server, wait for some requests to
  timeout (ypbind is a persistent bugger) and then it switched.  Surely
  there has to be an easier way to do this.  I am trying to have ypbind
  use the local server if it's working and otherwise one of the other
  servers.  If the local ypbind gets restarted I would like it to revert
  back to using it.
 
 The best you can do is make sure ypwhich points to the local machine
 so that subsequent processes will use it.  You can't force existing
 processes to switch.

Thanks.  I have now set 3 servers in the -S list.  ypwhich shows the 
one currently being used.  I need to be able to change that.  It 
appears that ypset is the way to do that.  However, when I start ypbind 
with the -ypsetme argument I still get sorry, cannot ypset for domain 
NAME on host.  I am running ypset on that server.  That message comes 
from a request to rpc prog 14 which is registered to rpserv so I 
don't see how an argument to ypbind would help this.  I don't find any 
similar arguments to ypserv.  How do you make ypset work without 
opening it up to the entire world?



Re: NIS server selection

2004-07-08 Thread Dan Nelson
In the last episode (Jul 08), Doug Hardie said:
 On Jul 8, 2004, at 13:44, Dan Nelson wrote:
 
 The best you can do is make sure ypwhich points to the local
 machine so that subsequent processes will use it.  You can't force
 existing processes to switch.
 
 Thanks.  I have now set 3 servers in the -S list.  ypwhich shows the
 one currently being used.  I need to be able to change that.  It
 appears that ypset is the way to do that.  However, when I start
 ypbind with the -ypsetme argument I still get sorry, cannot ypset
 for domain NAME on host.  I am running ypset on that server.  That
 message comes from a request to rpc prog 14 which is registered
 to rpserv so I don't see how an argument to ypbind would help this. 
 I don't find any similar arguments to ypserv.  How do you make ypset
 work without opening it up to the entire world?

From looking at the source, the -S flag resets the -ypset and -ypsetme
flags. See if putting -ypsetme after the -S xxx arguments helps.

-- 
Dan Nelson
[EMAIL PROTECTED]


Re: NIS server selection

2004-07-08 Thread Doug Hardie
On Jul 8, 2004, at 18:34, Dan Nelson wrote:

 In the last episode (Jul 08), Doug Hardie said:
  On Jul 8, 2004, at 13:44, Dan Nelson wrote:
   The best you can do is make sure ypwhich points to the local
   machine so that subsequent processes will use it.  You can't force
   existing processes to switch.
  
  Thanks.  I have now set 3 servers in the -S list.  ypwhich shows the
  one currently being used.  I need to be able to change that.  It
  appears that ypset is the way to do that.  However, when I start
  ypbind with the -ypsetme argument I still get sorry, cannot ypset
  for domain NAME on host.  I am running ypset on that server.  That
  message comes from a request to rpc prog 14 which is registered
  to rpserv so I don't see how an argument to ypbind would help this.
  I don't find any similar arguments to ypserv.  How do you make ypset
  work without opening it up to the entire world?
 
 From looking at the source, the -S flag resets the -ypset and -ypsetme
 flags. See if putting -ypsetme after the -S xxx arguments helps.

That did it.  Somehow I missed that in the source.  Thanks.  I 
appreciate the assistance.

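The ordering rule worked out in this thread (-S resets -ypset and -ypsetme, so the ypset option has to follow the server list) can be linted before ypbind is restarted. The sh function below is an added example, not code from the thread or from ypbind; its name and the sample flag strings are constructed, and the difference between -ypset (requests accepted from any host) and -ypsetme (local host only) is taken from ypbind(8).

```sh
#!/bin/sh
# Added example: lint a ypbind flag string (for instance the value of
# nis_client_flags in rc.conf). Function name and samples are constructed.

# check_ypbind_flags "FLAGS"
# Prints the ypset policy that survives flag processing.
#   returns 0  no ypset option, or -ypsetme in effect
#   returns 1  a ypset option was given before -S and is therefore reset
#   returns 2  -ypset in effect (ypset requests accepted from any host)
check_ypbind_flags() (
    set -f                      # no globbing while splitting the flag string
    effective=none
    lost=""
    skip=0
    for w in $1; do
        if [ "$skip" -eq 1 ]; then
            skip=0              # this word was the argument of -S
            continue
        fi
        case $w in
            -S)
                # Per the thread: -S resets any ypset option seen so far.
                if [ "$effective" != none ]; then
                    lost="$lost $effective"
                fi
                effective=none
                skip=1          # next word is domain,server1,server2,...
                ;;
            -ypset|-ypsetme)
                effective=$w
                ;;
        esac
    done
    echo "effective ypset policy: $effective"
    if [ -n "$lost" ]; then
        echo "reset by a later -S, move after the server list:$lost"
        exit 1
    fi
    if [ "$effective" = "-ypset" ]; then
        echo "-ypset accepts ypset requests from any host; prefer -ypsetme"
        exit 2
    fi
    exit 0
)

# Constructed samples: the failing order from the thread, then the fix.
for flags in '-ypsetme -S example,nis1,nis2,nis3' \
             '-S example,nis1,nis2,nis3 -ypsetme'; do
    echo "flags: $flags"
    check_ypbind_flags "$flags"
    echo "status: $?"
done
```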


Re: NIS - FreeBSD server and Linux clients

2004-06-07 Thread Joe Rhett
Did you enable the insecure option from /var/yp/Makefile so that passwords
appear in the passwd map?  By default I believe it expects clients to read
the master.passwd map, which naturally Linux does not.

On Sun, May 30, 2004 at 05:50:14PM +1200, Tom Munro Glass wrote:
  This should work; I've got a Linux machine at work successfully
  authenticating NIS accounts against a FreeBSD server.  I believe
  that the differences in passwd files are strictly in the master.passwd
  (FreeBSD) and shadow (Linux) files; the files /etc/passwd have the
  same format in both OS'.
 
  I'd suspect problems in the way the clients have been configured.
  Check that the password and group files have been set up correctly
  (I screw up the sequence of plus signs and colons regularly), and
  that the NIS domain has been set.
 
 
 So how does Linux authenticate the password? 'ypwhich -m' shows passwd.byname, 
 passwd.byuid, master.passwd.byname, master.passwd.byuid but of course there 
 is no shadow.byname or shadow.byuid.
 
 I believe that I have the passwd and group files set up correctly on the Linux 
 machines, and I don't really know where to look next.
 
 Tom

-- 
Joe Rhett  Chief Geek
[EMAIL PROTECTED]  Isite Services, Inc.
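What the "insecure option" mentioned above changes, as an added example (not code from the thread and not the text of /var/yp/Makefile): the sh functions below model how a passwd map is derived from a master.passwd source in each mode and list which accounts end up with hash material in a map that any client can read. Function names and sample entries are constructed, and the hashes are placeholders.

```sh
#!/bin/sh
# Added example: compare the passwd map produced in the default mode with
# the one produced when password hashes are copied into it. Names and data
# are constructed; this models the behaviour, it is not the Makefile's code.

# make_passwd_map MODE FILE
# Turn 10-field master.passwd lines into 7-field passwd map lines.
#   secure   : password field replaced by "*"; hashes stay in the
#              master.passwd.* maps
#   unsecure : password field copied through, which is what clients that
#              cannot read master.passwd.* (such as Linux) rely on
make_passwd_map() {
    awk -F: -v mode="$1" '
        /^#/ || /^[+-]/ || NF != 10 { next }   # comments, compat lines, junk
        {
            pw = (mode == "unsecure") ? $2 : "*"
            print $1 ":" pw ":" $3 ":" $4 ":" $8 ":" $9 ":" $10
        }' "$2"
}

# exposed_hashes
# Read a passwd-format map on stdin and print the logins whose password
# field is not empty, not "x" and does not start with "*" or "!".
exposed_hashes() {
    awk -F: '$2 != "" && $2 != "x" && $2 !~ /^[*!]/ { print $1 }'
}

# Constructed master.passwd source; the hash strings are placeholders.
src=$(mktemp)
cat > "$src" <<'EOF'
alice:$6$CONSTRUCTED$placeholderhashalice:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$6$CONSTRUCTED$placeholderhashbob:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*:1003:1003::0:0:Carol (no password):/home/carol:/bin/sh
+:::::::::
EOF

for mode in secure unsecure; do
    echo "== passwd map, $mode mode =="
    make_passwd_map "$mode" "$src"
    echo "-- logins with hash material readable by any client:"
    make_passwd_map "$mode" "$src" | exposed_hashes
done
rm -f "$src"
```

The same exposed_hashes filter can be fed the output of ypcat passwd from an ordinary client account to see what a deployed domain hands out.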


Re: NIS - FreeBSD server and Linux clients

2004-05-29 Thread Saint Aardvark the Carpeted
Tom Munro Glass disturbed my sleep to write:
 I've set up NIS server as described in the handbook, and if I run 
 ypcat on the Linux client, it is obtaining information from the server. 
 However, it is failing to authenticate users defined on the FreeBSD machine. 
 Should this work, or is there a problem with the differences between how 
 FreeBSD/Linux use the passwd file?

This should work; I've got a Linux machine at work successfully
authenticating NIS accounts against a FreeBSD server.  I believe
that the differences in passwd files are strictly in the master.passwd
(FreeBSD) and shadow (Linux) files; the files /etc/passwd have the 
same format in both OS'.

I'd suspect problems in the way the clients have been configured.
Check that the password and group files have been set up correctly
(I screw up the sequence of plus signs and colons regularly), and
that the NIS domain has been set.

Hope that helps!

-- 
Saint Aardvark the Carpeted
[EMAIL PROTECTED]
Because the plural of Anecdote is Myth.


Re: NIS - FreeBSD server and Linux clients

2004-05-29 Thread Tom Munro Glass
 This should work; I've got a Linux machine at work successfully
 authenticating NIS accounts against a FreeBSD server.  I believe
 that the differences in passwd files are strictly in the master.passwd
 (FreeBSD) and shadow (Linux) files; the files /etc/passwd have the
 same format in both OS'.

 I'd suspect problems in the way the clients have been configured.
 Check that the password and group files have been set up correctly
 (I screw up the sequence of plus signs and colons regularly), and
 that the NIS domain has been set.


So how does Linux authenticate the password? 'ypwhich -m' shows passwd.byname, 
passwd.byuid, master.passwd.byname, master.passwd.byuid but of course there 
is no shadow.byname or shadow.byuid.

I believe that I have the passwd and group files set up correctly on the Linux 
machines, and I don't really know where to look next.

Tom
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: NIS problems solved

2004-01-24 Thread kitsune
On Sat, 24 Jan 2004 12:47:32 -0600
Vulpes Velox [EMAIL PROTECTED] wrote:

 I've recently set up a NIS server on my lan. All machines are
 running freebsd 4stable.
 
 I have added the nisdomainname and nis_client_enable lines to the
 client machines along with the correct lines on the server in
 rc.conf.
 
 I have also added +: to the end of /etc/master.passwd and
 +:*:: to the end of /etc/group.
 
 Ypcat passwd all the correct usernames, but I can't login or su as
 any of them.
 
 On the login if I try to login using one, I eventually get the
 message "login: Login timed out after 300 seconds" awhile after it
 kicks out "Login incorrect"
 
 Any one have any idea what is going on?

Found my problem... a pwd_mkdb is required... but not mentioned in the
handbook...


Re: NIS problems solved

2004-01-24 Thread Scott Mitchell
On Sat, Jan 24, 2004 at 04:07:51PM -0600, kitsune wrote:
 
 Found my problem... a pwd_mkdb is required... but not mentioned in the
 handbook...

The handbook section dealing with setting up NIS clients tells you to use
'vipw' to edit master.passwd, which will make sure that a pwd_mkdb is done.

Scott

-- 
===
Scott Mitchell   | PGP Key ID | Eagles may soar, but weasels
Cambridge, England   | 0x54B171B9 |  don't get sucked into jet engines
scott at fishballoon.org | 0xAA775B8B |  -- Anon


RE: Nis

2004-01-23 Thread Scott Mitchell
[EMAIL PROTECTED] wrote:
 Hi,
 I'm running NIS with freebsd as the server and using redhat clients. 
 I have authentication working fine but I can't seem to get changing the
 passwords to work. If you change the password from a redhat box it just
 changes the NIS password not the system password and changing the
 password while on the freebsd server complains and says passwd
 Unknown NIS user: username . I have in rc.conf
 
 nisdomainname="nisdomain"   # Domain Name
 nis_server_enable="YES"     # run NIS server
 nis_server_flags=""         # Flags to ypserv
 nis_yppasswdd_enable="YES"  # Run Passwd Server
 nis_yppasswdd_flags="-sf -t /etc/master.passwd"
 
 and I'm changing the password from the server with passwd -y.
 
 Thanks in advance

If I'm understanding you correctly, you want to have all your local & NIS
users in the same passwd file (/etc/master.passwd) - is that right?

I suspect you can get the effect you want by editing /var/yp/Makefile so
that the line:

MASTER= $(YPDIR)/master.passwd

says:

MASTER= /etc/master.passwd

although I've never tried doing it this way myself, so YMMV.

That said, I'd recommend that rather than putting your NIS users in
/etc/master.passwd, you use the default settings and keep them in
/var/yp/master.passwd.  If you want your NIS users to be able to log into
the server, see passwd(5) for the magic that needs to be added to the local
passwd and group files (or nsswitch.conf(5) if you're running 5.X).  This
way you're not exporting a bunch of FreeBSD- or server- specific users over
NIS (root, games, xten, etc.)

FYI, the NIS-related stuff in rc.conf on my master server is below.  This
machine is a NIS client of itself, so all the network users can also log
onto the server.  I also have a slave server, you won't need the ypxfrd line
if you don't do this.  Multiple servers are very useful though - so your
users can still log in even if the master server is down for whatever
reason.

nisdomainname="whatever"
nis_client_enable="YES"
nis_client_flags="-S ${nisdomainname},`hostname`"
nis_server_enable="YES"
# Next 3 are only needed on NIS master server
nis_yppasswdd_enable="YES"
nis_yppasswdd_flags="-u"
nis_ypxfrd_enable="YES"

BTW, have you got shadow passwords working for your NIS users on their Linux
clients?  I had to make some changes to /var/yp/Makefile to generate the
shadow.byname map in the particular format that Linux seemed to want it.

Cheers,

Scott



Re: NIS authontication problem.

2003-12-14 Thread Tillman Hodgson
On Sun, Dec 14, 2003 at 06:13:39PM -0500, Hossein wrote:
 Hello every body;
   In our department we are going to use a 5.1 Stable FreeBSD, and it 
 must run NIS client to authenticate the users through a Linux NIS server.
   The ypbind works well and when I do ypcat passwd I get the 
 entries in the passwd of the NIS server. I added the correct lines to 
 passwd.master and group according to the handbook. But no user can log in 
 and in the /var/log/auth.log it appears that the password is not correct. 

I haven't tried integrating non-BSD'ish machines into one of my NIS
domains, but it occurs to me that the /etc/shadow vs /etc/master.passwd
difference could cause /etc/passwd to propagate without actually
distributing the passwords. You might want to investigate
compatibility modes and so forth.

-T


-- 
Speak the truth.  That is always much easier, and is often the most powerful 
argument.
- Bene Gesserit Axiom


Re: NIS authontication problem.

2003-12-14 Thread Dan Nelson
In the last episode (Dec 14), Hossein said:
   In our department we are going to use a 5.1 Stable FreeBSD, and
 it must run NIS client to authenticate the users through a Linux NIS
 server.
   The ypbind works well and when I do ypcat passwd I get the
 entries in the passwd of the NIS server. I added the correct lines
 to passwd.master and group according to the handbook. But no user can
 log in and in the /var/log/auth.log it appears that the password is
 not correct.

If you edited passwd.master directly, you may need to run pwd_mkdb to
rebuild the spwd.db and pwd.db database files that the system uses. 
The vipw command does this automatically.  

Does finger somenisuser on the client print the right info?

-- 
Dan Nelson
[EMAIL PROTECTED]


Re: NIS problem

2003-10-16 Thread Dan Nelson
In the last episode (Oct 16), Adam Maloney said:
 In the last couple of days we have seen a lot of messages like the
 one below appearing in /var/log/messages:
 
 Oct 13 06:14:58 x ypserv[45883]: access to master.passwd.byname denied -- client 1.2.3.4:3458 not privileged
 
 This goes on for a number of minutes, and then fixes itself.
 
 Obviously, the problem is that the NIS lookup request is coming from
 a non-privileged (> 1024) port, and ypserv won't honor it.  What's
 not so obvious is why/how this is happening.

 I'm suspecting it's Sendmail, since the frequency of the message
 somewhat coincides with the rate of incoming mail on this box.  But I
 can't seem to find any clues on the web or usenet confirming this.  Has
 anyone seen this before, or know of a solution?

That message gets printed whenever a remote NIS client tries to access
master.passwd.* over a non-privileged port.  Only root should have
access to the master maps, so a remote process has to bind to a port <
1024 before doing the lookup, to prove that it's root.  It looks like
for some reason you have a process that's running as root but is using
a port over 1024.  I can't see anyplace in the NIS client code that
binds the socket, though, so I must be looking in the wrong place.  It
has to work, or else you wouldn't be able to log in using NIS at all.

-- 
Dan Nelson
[EMAIL PROTECTED]
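
Added example, not part of the message above: one way to see which clients and which master.passwd maps are behind the ypserv denials discussed in this exchange, together with the source ports they came from. The log lines are constructed in the format quoted in the thread, and the host name, addresses and function names are assumptions.

```shell
#!/bin/sh
# Added example: summarize ypserv "not privileged" denials per client and map.

# Constructed sample syslog lines (not taken from a real host). The message
# format follows the ypserv line quoted in the thread.
sample_messages() {
    cat <<'EOF'
Oct 13 06:14:58 nis1 ypserv[45883]: access to master.passwd.byname denied -- client 192.0.2.10:3458 not privileged
Oct 13 06:14:59 nis1 ypserv[45883]: access to master.passwd.byname denied -- client 192.0.2.10:3460 not privileged
Oct 13 06:15:02 nis1 sendmail[501]: constructed unrelated line
Oct 13 06:15:07 nis1 ypserv[45883]: access to master.passwd.byuid denied -- client 192.0.2.10:3471 not privileged
Oct 13 06:21:40 nis1 ypserv[45883]: access to master.passwd.byname denied -- client 192.0.2.77:40112 not privileged
EOF
}

# Read syslog text on stdin; print one tab-separated line per (client, map):
#   client  map  denials  lowest_port  highest_port  first_seen  last_seen
summarize_ypserv_denials() {
    awk '
    / ypserv\[[0-9]+\]: access to [^ ]+ denied -- client [^ ]+ not privileged/ {
        map = ""; peer = ""
        for (i = 2; i < NF; i++) {
            if ($(i-1) == "access" && $i == "to") map = $(i+1)
            if ($i == "client") peer = $(i+1)
        }
        # Split the "ip:port" token at its last colon.
        cut = 0
        for (j = length(peer); j > 0; j--)
            if (substr(peer, j, 1) == ":") { cut = j; break }
        if (cut == 0) next
        ip = substr(peer, 1, cut - 1)
        port = substr(peer, cut + 1) + 0
        key = ip "\t" map
        stamp = $1 " " $2 " " $3
        if (!(key in hits)) {
            order[++n] = key
            first[key] = stamp
            lo[key] = port
            hi[key] = port
        }
        hits[key]++
        last[key] = stamp
        if (port < lo[key]) lo[key] = port
        if (port > hi[key]) hi[key] = port
    }
    END {
        for (k = 1; k <= n; k++) {
            key = order[k]
            printf "%s\t%d\t%d\t%d\t%s\t%s\n", key, hits[key], lo[key], hi[key], first[key], last[key]
        }
    }'
}

# Print "client<TAB>total" for clients whose denials, summed over all maps,
# reach the threshold given as $1 (default 3).
noisy_clients() {
    summarize_ypserv_denials | awk -F'\t' -v min="${1:-3}" '
        { total[$1] += $3 }
        END { for (c in total) if (total[c] >= min) print c "\t" total[c] }' | sort
}

# Stand-alone run on the constructed sample.
sample_messages | summarize_ypserv_denials
```

On a live server the input would be the syslog file that ypserv writes to, for example `summarize_ypserv_denials < /var/log/messages`.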


SOLVED Re: NIS authentication problems

2003-10-12 Thread Joan Picanyol
* Joan Picanyol [EMAIL PROTECTED] [20031013 03:37]:
 What am I doing wrong or what could I be missing?
I forgot to rebuild the passwd database after adding the +:: line

sorry
--
pica


Re: NIS authentication problems

2003-10-12 Thread Dan Nelson
In the last episode (Oct 13), Joan Picanyol said:
 I'm trying to set up NIS with the simplest setup: one server and one
 client. I've followed the procedure in the handbook, altering
 {login,auth}.conf as suggested (BTW: how do I know what format are my
 passwords stored in?). ypcat passwd shows me the user list, but I
 can't log in (Login incorrect).

Make sure you have a plus line in your passwd and group files.

/etc/group:  +:::
/etc/master.passwd:  +:

Does id somenisuser work?

-- 
Dan Nelson
[EMAIL PROTECTED]


Re: NIS create homedir

2003-10-02 Thread Lowell Gilbert
Antoine Jacoutot [EMAIL PROTECTED] writes:

 I was wondering if it was possible to automaticaly create users home 
 directories when creating NIS users ?
 Indeed, the -m switch for the command pw does not create them. Is it 
 normal behaviour, or is it a bug ?

I took a quick look, and it *looks* like it should work
(although there are plenty of potential pitfalls there, obviously).
I don't have an NIS setup, though, nor enough boxes to set one up, so
I can't really debug it very far...


Re: nis security (DES passwords)

2003-09-13 Thread Guy Van Sanden
I was looking around for this, and I found that Kerberos uses DES
encryption, John (on my system) reports it rather weak:

Benchmarking: Standard DES [24/32 4K]... DONE
Many salts: 151603 c/s real, 169200 c/s virtual
Only one salt:  152806 c/s real, 155607 c/s virtual

Benchmarking: BSDI DES (x725) [24/32 4K]... DONE
Many salts: 5750 c/s real, 5940 c/s virtual
Only one salt:  5630 c/s real, 5721 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw:3092 c/s real, 3752 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw:222 c/s real, 227 c/s virtual

Benchmarking: Kerberos AFS DES [24/32 4K]... DONE
Short:  143462 c/s real, 153271 c/s virtual
Long:   377600 c/s real, 394979 c/s virtual

Benchmarking: NT LM DES [24/32 4K]... DONE
Raw:1080115 c/s real, 1125120 c/s virtual

I'm now using MD5 passwords in NIS.

Yet it seems the consensus that Kerberos is secure, am I missing
something?

On Fri, 2003-09-12 at 15:00, Tillman Hodgson wrote:
 On Fri, Sep 12, 2003 at 11:35:16AM +0200, Guy Van Sanden wrote:
  On Tue, 2003-09-09 at 02:15, Tillman Hodgson wrote:
   The rough instructions are fairly simple:
   
   * Set up Kerberos and ensure you have a working realm
   * Set up NIS, but set all the passwd fields to something that doesn't
 map to a real password (I like 'krb5', others like '*')
   
   That's about it. It works because authentication in a Kerberized world
   doesn't check the password field in the NIS maps anyway (or the
   /etc/master.passwd file for that matter). Your non-Kerberos app's will
   break for users that aren't local, but I consider the incentive to
   replace them a benefit :-)
  
  Do you have some links to websites or so that you used to set this up?
 
 Not really. Kerberos and NIS are both in the Handbook, and as I
 mentioned above I just changed the /var/yp/master.passwd that NIS was
 working off of to have 'krb5' in the password field.
 
 A quick bit of Google spelunking dug up some references but no
 HowTos. The RedHat Security Guide mentions it explicitly in the NIS
 section, for example.
 
  I'm very interested in this setup, with the added complication that the
  clients are Linux (and Windows using SAMBA), yet the server is FreeBSD
  (5.0).
 
 Normally NIS is a pain between different Unix implementations (due to
 the different passwd designs such as DES vs. MD5). When using Kerberos
 to handle the authentication, those problems go away. On the other
 hand, you get to learn how to install NIS and Kerberos on multiple
 operating systems :-)
 
 -T



Re: nis security (DES passwords)

2003-09-13 Thread Tillman Hodgson
On Sat, Sep 13, 2003 at 05:01:31PM +0200, Guy Van Sanden wrote:
 I was looking around for this, and I found that Kerberos uses DES
 encryption, John (on my system) reports it rather weak:
snip
 I'm now using MD5 passwords in NIS.
 
 Yet it seems the consensus that Kerberos is secure, am I missing
 something?

Yes :-)

1. Kerberos can use a variety of encryption methods
2. With NIS, arbitrary users can run John against the password database.
   With Kerberos, they can't because they don't have the Kerberos
   database to run John against.

-T


-- 
Beauty is not diminished by being shared.
- Robert Heinlein
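
Added example, not part of the message above: a check for the exposure described in point 2, classifying the password field of every entry in `ypcat passwd`-style input so that readable hashes stand out from placeholders such as `krb5` or `*`. The sample map and every hash-like string in it are constructed, the function names are hypothetical, and the format rules used (13-character DES, `_`-prefixed BSDI DES, `$1$` MD5, `$2...$` Blowfish) are the crypt(3) conventions for the formats named in the John benchmark quoted in this thread.

```shell
#!/bin/sh
# Added example: audit a passwd-format NIS map for readable password hashes.

# Constructed sample in passwd(5) format, standing in for `ypcat passwd` output.
# Every hash-looking string below is made up and matches no real password.
sample_passwd_map() {
    cat <<'EOF'
alice:XXexamplehash:1001:1001:Constructed User:/home/alice:/bin/sh
bob:$1$saltsalt$CONSTRUCTEDmd5hashvalue:1002:1002:Constructed User:/home/bob:/bin/sh
carol:krb5:1003:1003:Constructed User:/home/carol:/bin/sh
dave:*:1004:1004:Constructed User:/home/dave:/bin/sh
erin:_J9..saltEXAMPLEHASH:1005:1005:Constructed User:/home/erin:/bin/sh
frank::1006:1006:Constructed User:/home/frank:/bin/sh
grace:$2a$04$CONSTRUCTEDblowfishvalue:1007:1007:Constructed User:/home/grace:/bin/sh
EOF
}

# Read passwd-format lines on stdin; print "user<TAB>class" for each entry.
# Classes: EMPTY, DES, BSDI_DES, MD5, BLOWFISH, OTHER_HASH, PLACEHOLDER.
classify_nis_passwd() {
    awk -F: '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
    /^[+-]/ { next }                        # NIS compat entries such as "+:::"
    {
        pw = $2
        if (pw == "")                                   class = "EMPTY"
        else if (pw ~ /^\$1\$/)                         class = "MD5"
        else if (pw ~ /^\$2[abxy]?\$/)                  class = "BLOWFISH"
        else if (pw ~ /^_/ && length(pw) == 20)         class = "BSDI_DES"
        else if (length(pw) == 13 && pw ~ "^[./0-9A-Za-z]+$") class = "DES"
        else if (pw ~ /^\$/)                            class = "OTHER_HASH"
        else                                            class = "PLACEHOLDER"
        printf "%s\t%s\n", $1, class
    }'
}

# Print every entry whose password field is not a placeholder.
# Exit status 1 if any such entry exists, 0 if the map carries placeholders only.
exposed_hashes() {
    classify_nis_passwd | awk -F'\t' '
        $2 != "PLACEHOLDER" { print; found = 1 }
        END { exit (found + 0) }'
}

# Print "class<TAB>count" for the whole map, sorted by class name.
class_counts() {
    classify_nis_passwd | awk -F'\t' '
        { n[$2]++ }
        END { for (c in n) print c "\t" n[c] }' | sort
}

# Stand-alone run on the constructed sample.
sample_passwd_map | exposed_hashes || echo "password hashes are readable through this map"
```

Run as an ordinary user on a client with `ypcat passwd | exposed_hashes`; any output means that user can also copy the hashes for offline guessing.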


Re: nis security (DES passwords)

2003-09-13 Thread horio shoichi
On Sat, 13 Sep 2003 17:01:31 +0200
Guy Van Sanden [EMAIL PROTECTED] wrote:
 I was looking around for this, and I found that Kerberos uses DES
 encryption, John (on my system) reports it rather weak:
 
clip
 
 Yet it seems the consensus that Kerberos is secure, am I missing
 something?
 
1. Krb5 uses default salted 3DES. In addition, as Tillman wrote, krb5
   allows other ciphers.

2. Even krb4, which uses unsalted DES, is considered difficult to crack
   because it does not expose ciphered text (i.e., passwd). On the wire,
   on the local files.


horio shoichi



Re: nis security

2003-09-12 Thread Guy Van Sanden
On Tue, 2003-09-09 at 02:15, Tillman Hodgson wrote:
 On Mon, Sep 08, 2003 at 07:02:06PM -0500, Bruce Pea wrote:

xnip

   I'm a bit biased, however: I use NIS with Kerberos and think it's the
   cats pajamas :-)
  
  
  Hey Tilman,
 
 s/l/ll/ :-)
 
  This sounds exactly like what we are looking for. Can you point us to any 
  docs explaining how you do this??
 
 The rough instructions are fairly simple:
 
 * Set up Kerberos and ensure you have a working realm
 * Set up NIS, but set all the passwd fields to something that doesn't
   map to a real password (I like 'krb5', others like '*')
 
 That's about it. It works because authentication in a Kerberized world
 doesn't check the password field in the NIS maps anyway (or the
 /etc/master.passwd file for that matter). Your non-Kerberos app's will
 break for users that aren't local, but I consider the incentive to
 replace them a benefit :-)

Do you have some links to websites or so that you used to set this up?
I'm very interested in this setup, with the added complication that the
clients are Linux (and Windows using SAMBA), yet the server is FreeBSD
(5.0).

Thanks!

 
 You can get fancy and make a nice little Makefile to do all kinds of
 maintenance tasks for you (I'm just about finished tying in Mailman into
 the central auth for the rospa.ca domain). You can try some of the
 neater features of NIS (netgroups, etc) or fiddle with the config of
 Kerberos (I like longer ticket lifetimes), but the basic get it
 working stuff isn't complicated.



 
 -T



Re: nis security

2003-09-12 Thread Tillman Hodgson
On Fri, Sep 12, 2003 at 11:35:16AM +0200, Guy Van Sanden wrote:
 On Tue, 2003-09-09 at 02:15, Tillman Hodgson wrote:
  The rough instructions are fairly simple:
  
  * Set up Kerberos and ensure you have a working realm
  * Set up NIS, but set all the passwd fields to something that doesn't
map to a real password (I like 'krb5', others like '*')
  
  That's about it. It works because authentication in a Kerberized world
  doesn't check the password field in the NIS maps anyway (or the
  /etc/master.passwd file for that matter). Your non-Kerberos app's will
  break for users that aren't local, but I consider the incentive to
  replace them a benefit :-)
 
 Do you have some links to websites or so that you used to set this up?

Not really. Kerberos and NIS are both in the Handbook, and as I
mentioned above I just changed the /var/yp/master.passwd that NIS was
working off of to have 'krb5' in the password field.

A quick bit of Google spelunking dug up some references but no
HowTos. The RedHat Security Guide mentions it explicitly in the NIS
section, for example.

 I'm very interested in this setup, with the added complication that the
 clients are Linux (and Windows using SAMBA), yet the server is FreeBSD
 (5.0).

Normally NIS is a pain between different Unix implementations (due to
the different passwd designs such as DES vs. MD5). When using Kerberos
to handle the authentication, those problems go away. On the other
hand, you get to learn how to install NIS and Kerberos on multiple
operating systems :-)

-T


-- 
Some never participate.  Life happens to them.  They get by on little more than 
dumb persistence and resist with anger or violence all things that might lift 
them out of resentment-filled illusions of security.
- Alma Mavis Taraza


Re: nis security

2003-09-08 Thread Tillman Hodgson
On Mon, Sep 08, 2003 at 11:59:04PM +0200, Antoine Jacoutot wrote:
 I'm building a new network for my company.

Right on!

 I need centralized authentication and looked after LDAP to achieve this. 

It's a good thing you're designing this /now/ rather than trying to
graft it on later. It's not as simple as it seems.

 Unfortunately, there are 2 points that make me wonder the good use of it:
 1. nss_ldap and pam-ldap need FreeBSD-5.1 and are not for production use
 2. I really don't feel confident with LDAP

For many networks LDAP can be overkill.

 So, I was thinking about using NIS instead, with which I feel much more 
 confident. I understand it is really not secure, so I was looking about more 
 information on this: why is it unsecure, does it send password in clear text?

No, but it sends them in an easily broken format. It's exactly the same
situation as a DES /etc/passwd file in the days before
master.passwd/shadow passwd files. This can be fixed by combining NIS
with Kerberos.

Another large problem is that clients used to broadcast for NIS
servers and trust the first server to answer. This can be fixed by
telling the clients to contact only specific servers for NIS
information.

 ?
 Does anyone know a solution for securing NIS, using ssh or encrypted tunnels 
 or anything... I am open to any new idea :)

IPsec can fix the network sniffing problem, though Kerberos can do that
as well and comes with many other advantages.

I'm a bit biased, however: I use NIS with Kerberos and think it's the
cats pajamas :-)

-T


-- 
To give your sheep or cow a large spacious meadow is the way to control him.
Shunryu Suzuki
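
Added example, not part of the message above: a check that an rc.conf tells ypbind to contact only named servers, using the `nis_client_flags="-S domain,server"` form that appears in an rc.conf earlier on this page, instead of binding to whichever server answers first. The function names, file names and the example.org hosts are assumptions, and the rc.conf fragments are constructed.

```shell
#!/bin/sh
# Added example: report whether rc.conf pins ypbind to named NIS servers.

# Usage: check_ypbind_binding /path/to/rc.conf
# Prints one of:  client-disabled | pinned:<servers> | mismatch:<arg> | broadcast
# Exit status:    0 client-disabled or pinned, 1 broadcast, 2 mismatch, 3 unreadable.
# rc.conf is sh syntax, so the file is sourced in a subshell the way rc(8)
# reads it; only point this at configuration you already trust.
check_ypbind_binding() {
    case $1 in
        */*) rcfile=$1 ;;
        *)   rcfile=./$1 ;;      # keep "." from searching PATH
    esac
    (
        nisdomainname=""; nis_client_enable="NO"; nis_client_flags=""
        . "$rcfile" >/dev/null 2>&1 || exit 3
        case $nis_client_enable in
            [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) ;;
            *) echo "client-disabled"; exit 0 ;;
        esac
        # Word-split the flags as they would be passed to ypbind.
        set -f
        set -- $nis_client_flags
        while [ $# -gt 0 ]; do
            if [ "$1" = "-S" ] && [ $# -ge 2 ]; then
                domain=${2%%,*}
                servers=${2#*,}
                # Valid only if the domain matches nisdomainname and at
                # least one server follows the comma.
                if [ -n "$nisdomainname" ] && [ "$domain" = "$nisdomainname" ] \
                   && [ "$servers" != "$2" ] && [ -n "$servers" ]; then
                    echo "pinned:$servers"; exit 0
                fi
                echo "mismatch:$2"; exit 2
            fi
            shift
        done
        echo "broadcast"; exit 1
    )
}

# Write two constructed rc.conf fragments to a temporary directory and print
# the directory name.
demo_rcconf() {
    dir=$(mktemp -d) || return 1
    cat >"$dir/broadcast.conf" <<'EOF'
# constructed rc.conf fragment: NIS client with no server list
nisdomainname="lab-nis-domain"
nis_client_enable="YES"
EOF
    cat >"$dir/pinned.conf" <<'EOF'
# constructed rc.conf fragment: ypbind restricted to two named servers
nisdomainname="lab-nis-domain"
nis_client_enable="YES"
nis_client_flags="-S ${nisdomainname},nis1.example.org,nis2.example.org"
EOF
    echo "$dir"
}

# Stand-alone run on the constructed fragments.
d=$(demo_rcconf) && {
    for f in "$d"/*.conf; do
        printf '%s: ' "${f##*/}"
        check_ypbind_binding "$f" || true
    done
    rm -rf "$d"
}
```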


Re: nis security

2003-09-08 Thread Bruce Pea
--On Monday, September 08, 2003 4:10 PM -0600 Tillman Hodgson 
[EMAIL PROTECTED] wrote:

On Mon, Sep 08, 2003 at 11:59:04PM +0200, Antoine Jacoutot wrote:
I'm building a new network for my company.
Right on!

I need centralized authentication and looked after LDAP to achieve
this.
It's a good thing you're designing this /now/ rather than trying to
graft it on later. It's not as simple as it seems.
Unfortunately, there are 2 points that make me wonder the good use of
it: 1. nss_ldap and pam-ldap need FreeBSD-5.1 and are not for
production use 2. I really don't feel confident with LDAP
For many networks LDAP can be overkill.

So, I was thinking about using NIS instead, with which I feel much
more  confident. I understand it is really not secure, so I was
looking about more  information on this: why is it unsecure, does it
send password in clear text?
No, but it sends them in an easily broken format. It's exactly the same
situation as a DES /etc/passwd file in the days before
master.passwd/shadow passwd files. This can be fixed by combining NIS
with Kerberos.
Another large problem is that clients used to broadcast for NIS
servers and trust the first server to answer. This can be fixed by
telling the clients to contact only specific servers for NIS
information.
?
Does anyone know a solution for securing NIS, using ssh or encrypted
tunnels  or anything... I am open to any new idea :)
IPsec can fix the network sniffing problem, though Kerberos can do that
as well and comes with many other advantages.
I'm a bit biased, however: I use NIS with Kerberos and think it's the
cats pajamas :-)


Hey Tilman,

This sounds exactly like what we are looking for. Can you point us to any 
docs explaining how you do this??

Thanks -
Bruce


Re: nis security

2003-09-08 Thread Tillman Hodgson
On Mon, Sep 08, 2003 at 07:02:06PM -0500, Bruce Pea wrote:
  Does anyone know a solution for securing NIS, using ssh or encrypted
  tunnels  or anything... I am open to any new idea :)
 
  IPsec can fix the network sniffing problem, though Kerberos can do that
  as well and comes with many other advantages.
 
  I'm a bit biased, however: I use NIS with Kerberos and think it's the
  cats pajamas :-)
 
 
 Hey Tilman,

s/l/ll/ :-)

 This sounds exactly like what we are looking for. Can you point us to any 
 docs explaining how you do this??

The rough instructions are fairly simple:

* Set up Kerberos and ensure you have a working realm
* Set up NIS, but set all the passwd fields to something that doesn't
  map to a real password (I like 'krb5', others like '*')

That's about it. It works because authentication in a Kerberized world
doesn't check the password field in the NIS maps anyway (or the
/etc/master.passwd file for that matter). Your non-Kerberos app's will
break for users that aren't local, but I consider the incentive to
replace them a benefit :-)

You can get fancy and make a nice little Makefile to do all kinds of
maintenance tasks for you (I'm just about finished tying in Mailman into
the central auth for the rospa.ca domain). You can try some of the
neater features of NIS (netgroups, etc) or fiddle with the config of
Kerberos (I like longer ticket lifetimes), but the basic get it
working stuff isn't complicated.

-T


-- 
When a person is confused, he sees east as west.
When he is enlightened, west itself is east.
Ta-Hui


Re: nis security

2003-09-08 Thread Dan Nelson
In the last episode (Sep 08), Tillman Hodgson said:
   I'm a bit biased, however: I use NIS with Kerberos and think it's the
   cats pajamas :-)
 
  This sounds exactly like what we are looking for. Can you point us
  to any docs explaining how you do this??
 
 The rough instructions are fairly simple:
 
 * Set up Kerberos and ensure you have a working realm
 * Set up NIS, but set all the passwd fields to something that doesn't
   map to a real password (I like 'krb5', others like '*')

You can do something similar with LDAP, by using pam_ldap for
authentication and NIS for the rest of the user info lookup.

-- 
Dan Nelson
[EMAIL PROTECTED]


Re: nis security

2003-09-08 Thread Tillman Hodgson
On Mon, Sep 08, 2003 at 10:28:17PM -0500, Dan Nelson wrote:
 In the last episode (Sep 08), Tillman Hodgson said:
I'm a bit biased, however: I use NIS with Kerberos and think it's the
cats pajamas :-)
  
   This sounds exactly like what we are looking for. Can you point us
   to any docs explaining how you do this??
  
  The rough instructions are fairly simple:
  
  * Set up Kerberos and ensure you have a working realm
  * Set up NIS, but set all the passwd fields to something that doesn't
map to a real password (I like 'krb5', others like '*')
 
 You can do something similar with LDAP, by using pam_ldap for
 authentication and NIS for the rest of the user info lookup.

That seems like a backwards use of LDAP to me - If I was going to use
LDAP, I'd rather use Kerberos for authentication and LDAP to provide the
user info lookup :-)

(This is essentially what active directory is, and combined with
Kerberos cross-realm authentication can make for some pretty neat single
sign on solutions)

-T


-- 
Love is the highest achievement to which any human may aspire.  It is an 
emotion that encompasses the full depth of heart, mind, and soul.
- Zensunni Wisdom from the Wandering


Re: NIS stealing low-numbered ports?

2003-08-20 Thread Eric van Gyzen
Aaron,

I am having similar trouble with 5.1.  For me, rpc.lockd is eating up 
all my low (privileged) udp ports.  You can tell the system to use a 
different range for low ports.  Use the sysctl command and tweak the 
net.inet.ip.portrange.lowlast variable.  By default, it sets the 
lower bound for privileged ports to 600.  You might increase it past 
631 to ensure that no process snatches it up.  Of course, you would 
have fewer privileged ports, which might create problems on a busy 
machine running NIS (which is the situation that brought this
problem to my attention).

Cheers,
Eric

Aaron Mandel wrote:
 I'm running 4.7, using both NIS and cups. There has now twice been a
 problem where printing via cups started failing because cups
 couldn't open UDP port 631 to talk to the cups server, and both
 times, when I looked, there was an sshd belonging to some random
 (logged-in) user claiming that port. I found a short thread in the
 list archives from a few months ago saying that this was normal
 behavior with NIS, but shouldn't it be taking higher-numbered ports?
 The range of ports it uses seems to be about 600-1024; if there's a
 way to configure those numbers, we haven't found it.
 
 Has anyone else had this problem and found a satisfactory solution?

-- 
Eric van Gyzen                        Sr. Systems Programmer
http://www.stat.duke.edu/~vangyzen/   ISDS, Duke University



Re: NIS groups -yp_mkdb: error data too long

2003-08-01 Thread Dan Nelson
In the last episode (Jul 31), Alvaro Rosales R. said:
 Hi guys I got this error when I make my NIS maps , I have a group 
 in my group file that has 50 users and yp_mkdb complains about it 
 with this error .yp_mkdb: data too long
 Any ideas?

A line in your group file is over 1024 bytes.  That doesn't seem right,
though, since you should be able to put 110 8-character usernames (plus
commas) in a group line without overflowing it.

-- 
Dan Nelson
[EMAIL PROTECTED]


Re: NIS not working

2003-03-12 Thread W. J. Williams
see bottom..

--- Mike Galvez [EMAIL PROTECTED] wrote:
 On Wed, Mar 12, 2003 at 02:42:53AM -0800, W. J. Williams wrote:
  hi hope someone knows the answer to this riddle...I am trying to get
 NIS
  up and running.
  
  1.  one master, no slave...domain name is lab-nis-domain
  2.  Master rc.conf file contains enabling commands to start nis server
 as
  well as nis_yppasswdd.  The build of the /var/yp/lab-nis-domain
 indicated
  built with no errors
  
  3.  client machine rc.confs contain domain name, nis_client_enable,
  rpcbind_enable.
  
  4.  when I run ypcat passwd from any client machine I get a list of
 avail
  passwords from the master domain...  all looked good...
  
  5.  created a new user on master, ran make lab-nis-domain and it said
  domain already current...so I copied the updated master.passwd file
 to
  /var/yp and ran make again...still same message.
 
 How & where did you create the new user on the master?
 
 The user should not exist in the client machine master.passwd.
 
 Try adding a test user with: pw useradd -Y -y /var/yp/master.passwd
 testuser
 
 Try logging into the master with the new user. Success? Try the client.
 
 HTH
 
   -Mike
 
  
  6.  as last resort I ran ypinit -m again to rebuild the entire
  domain..then ran ypcat passwd from client machine and was able to see
 the
  new account.
  
  7.  MY PROBLEM:  I can't log into the client machine using the new
  account...I have added the +: string to master.passwd and
 +:*::
  string to group file...but still no work.
  
  any ideas?
  
  Will
  
  To Unsubscribe: send mail to [EMAIL PROTECTED]
  with unsubscribe freebsd-questions in the body of the message
 
 -- 
 Michael Galvez http://www.people.virginia.edu/~mrg8n
 University of VirginiaMessenger Mail: Carruthers Hall
 
 Teamwork is essential -- it allows you to blame someone else.
 
 To Unsubscribe: send mail to [EMAIL PROTECTED]
 with unsubscribe freebsd-questions in the body of the message

***

ok, thx. tried that...no dice...after adding the user with pw...I had to
do a passwd testuser and add a password.  could not log client though.  I
am trying to open a ssh connection from master to client...any other
ideas?



=
Will Williams



Re: NIS not working (now it is :-)

2003-03-12 Thread W. J. Williams

--- Mike Galvez [EMAIL PROTECTED] wrote:
 On Wed, Mar 12, 2003 at 12:19:01PM -0800, W. J. Williams wrote:
  see bottom..
   Try adding a test user with: pw useradd -Y -y /var/yp/master.passwd
   testuser
   
   Try logging into the master with the new user. Success? Try the
 client.
   
   HTH
   
 -Mike
   
  
  ***
  
  ok, thx. tried that...no dice...after adding the user with pw...I had
 to
  do a passwd testuser and add a password.  could not log client though.
  I
  am trying to open a ssh connection from master to clientany other
  ideas?
 
 Was that passwd or yppasswd? After the yppasswd, you will need to run
 make in /var/yp to propagate the change.
 
**

Hi Mike, thx for helping...seems it works now..here's what I did/learned.

I mirrored the rc.conf of all of my clients in my lab AND touched all
master.passwd files with vipw instead of vi  I can log into all of them
now with the testuser account. Some more things I learned (correct me if I
am wrong)

1.  always use vipw if you have to mess with master.passwd
2.  the order of what you call in rc.conf is important (I still don't know
what f order that is supposed to be, but it seemed to make a
difference.
3. after changing mapped files, you need to manually run make
=/etc/XXX nisdomain to update the files.

4.  per your email below...I made the account using your string, and then
did a passwd testuser to add a password.  should i have used yppassword?

hope someone else is gaining from this as well...

thx

Will

=
Will Williams



Re: NIS not working (now it is :-)

2003-03-12 Thread Mike Galvez
On Wed, Mar 12, 2003 at 01:46:43PM -0800, W. J. Williams wrote:
 
 --- Mike Galvez [EMAIL PROTECTED] wrote:
  On Wed, Mar 12, 2003 at 12:19:01PM -0800, W. J. Williams wrote:
   see bottom..
Try adding a test user with: pw useradd -Y -y /var/yp/master.passwd
testuser

Try logging into the master with the new user. Success? Try the
  client.

HTH

-Mike

   
   ***
   
   ok, thx. tried that...no dice...after adding the user with pw...I had
  to
   do a passwd testuser and add a password.  could not log client though.
   I
   am trying to open a ssh connection from master to clientany other
   ideas?
  
  Was that passwd or yppasswd? After the yppasswd, you will need to run
  make in /var/yp to propagate the change.
  
 **
 
 Hi Mike, thx for helping...seems it works now..here's what I did/learned.
 
 I mirrored the rc.conf of all of my clients in my lab AND touched all
 master.passwd files with vipw instead of vi  I can log into all of them
 now with the testuser account. Some more things I learned (correct me if I
 am wrong)
 
 1.  always use vipw if you have to mess with master.passwd

True

 2.  the order of what you call in rc.conf is important (I still don't know
 what f order that is supposed to be, but it seemed to make a
 difference.
 3. after changing mapped files, you need to manually run make
 =/etc/XXX nisdomain to update the files.
 
 4.  per your email below...I made the account using your string, and then
 did a passwd testuser to add a password.  should i have used yppassword?

From the yppasswd man page: If a user exists in the NIS password database but does not
exist locally, passwd automatically switches into ``yppasswd'' mode.  If the specified 
user does not exist in either the local password database of the NIS password maps, 
passwd returns an error.


My reply with the pw useradd string should have been :

pw useradd testuser -m -Y -y /var/yp/master.passwd

omit -m if you don't want to build the users home folder.

 
 hope someone else is gaining from this as well...
 
 thx
 
 Will
 
 =
 Will Williams

-- 
Michael Galvez http://www.people.virginia.edu/~mrg8n
University of VirginiaMessenger Mail: Carruthers Hall

Fresco's Discovery:
If you knew what you were doing you'd probably be bored.



Re: NIS not working

2003-03-12 Thread Neeraj Arora
I setup nis recently, and I find no mistake in your procedure. But still, I list all 
my steps so that you may find some difference if there is any.

As superuser:
1. Setup the server by enabling entries in rc.conf, set the domain to nis-domain.

2. Copied master.passwd from /etc to /var/yp and deleted all the sensitive entries.

3. started the rpc service and bind the nis daemon to that.

4. ran ypinit -m nis-domain and it built without any errors.

5. On the clients /etc/rc.conf enabled nis client settings and rpc settings.

6. started rpc and ypbind on the clients.

7. edited master.passwd using vipw and added the entry +: (can't remember the 
number of `:') and edited the /etc/group file added +:*:: at the end.

8. confirmed using ypcat passwd as a normal user and ypcat master.passwd as superuser. 
results positive.

On the nis-server
9. To add a user, used pw useradd username and pw derives settings from, I think, 
/etc/pw.conf

10. cd /var/yp, deleted the passwd file. And ran make again. if pedantic delete passwd 
file and run ypinit -m nis-domain again and don't forget to say `y' for permission to 
delete the nis-domain directory.

11. and all is working...

12. tried to configure a non-freebsd system, debian gnu/linux to be particular to run 
as an nis client

13. done after asking a question on this mailing list and receiving very helpful 
replies...:)

14. configuring many other services...:)

Regards,
Neeraj

 W. J. Williams [EMAIL PROTECTED] 03/12/03 21:43 PM 
hi hope someone knows the answer to this riddle...I am trying to get NIS
up and running.

1.  one master, no slave...domain name is lab-nis-domain
2.  Master rc.conf file contains enabling commands to start nis server as
well as nis_yppasswdd.  The build of the /var/yp/lab-nis-domain indicated
built with no errors

3.  client machine rc.confs contain domain name, nis_client_enable,
rpcbind_enable.

4.  when I run ypcat passwd from any client machine I get a list of avail
passwords from the master domain...  all looked good...

5.  created a new user on master, ran make lab-nis-domain and it said
domain already current...so I copied the updated master.passwd file to
/var/yp and ran make again...still same message.

6.  as last resort I ran ypinit -m again to rebuild the entire
domain..then ran ypcat passwd from client machine and was able to see the
new account.

7.  MY PROBLEM:  I can't log into the client machine using the new
account...I have added the +: string to master.passwd and +:*::
string to group file...but still no work.

any ideas?

Will



Re: NIS Server with amd.home

2003-01-08 Thread Mike Hogsett

 Hey,

Hi.

 I'm getting ready to setup a NIS server for a LAN, and I'd really like
 to use FreeBSD again.  However, the last time I did this with FreeBSD
 (4.6, so not that long ago), I couldn't get the server to build a map
 for the home dirs.  I tried an awk script in the Makefile that I saw
 online, but that didn't help.  It seemed like it just wouldn't build the
 map.  The only way I could get it to work was to create an amd.home with
 all of the users in it and put it on all of the client machines... This
 was too ugly.

Indeed.

 Can anyone help?

Perhaps.

This may or may not help, but here is the Makefile from /var/yp on our NIS
primary.  You'll likely need to scroll down and extract our amd.home rules
from it and integrate that into yours.

After that are the rc.conf entries for amd.

Good luck.

- Mike

#
# Makefile for the NIS databases
#
# $FreeBSD: src/usr.sbin/ypserv/Makefile.yp,v 1.28.2.3 2001/05/18 18:28:02 gshapiro Exp $
#
# This Makefile should only be run on the NIS master server of a domain.
# All updated maps will be pushed to all NIS slave servers listed in the
# /var/yp/ypservers file. Please make sure that the hostnames of all
# NIS servers in your domain are listed in /var/yp/ypservers.
#
# This Makefile can be modified to support more NIS maps if desired.
#

# If this machine is an NIS master, comment out this next line so
# that changes to the NIS maps can be propagated to the slave servers.
# (By default we assume that we are only serving a small domain with
# only one server.)
#
#NOPUSH = False

# If you want to use a FreeBSD NIS server to serve non-FreeBSD clients
# (i.e. clients who expect the password field in the passwd maps to be
# valid) then uncomment this line. This will cause $YPDIR/passwd to
# be generated with valid password fields. This is insecure: FreeBSD
# normally only serves the master.passwd maps (which have real encrypted
# passwords in them) to the superuser on other FreeBSD machines, but
# non-FreeBSD clients (e.g. SunOS, Solaris (without NIS+), IRIX, HP-UX,
# etc...) will only work properly in 'unsecure' mode.
# 
UNSECURE = True

# The following line encodes the YP_INTERDOMAIN key into the hosts.byname
# and hosts.byaddr maps so that ypserv(8) will do DNS lookups to resolve
# hosts not in the current domain. Commenting this line out will disable
# the DNS lookups.
B=-b

# Normally, the master.passwd.* maps are guarded against access from
# non-privileged users. By commenting out the following line, the YP_SECURE
# key will be removed from these maps, allowing anyone to access them.
S=-s

# These are commands which this Makefile needs to properly rebuild the
# NIS databases. Don't change these unless you have a good reason. Also
# be sure not to place an @ in front of /usr/bin/awk: it isn't necessary
# and it'll break everything in sight.
#
AWK = /usr/bin/awk
RM  = @/bin/rm -f
MV  = @/bin/mv -f
RMV  = /bin/mv -f
RCAT = /bin/cat
CAT = @$(RCAT)

UPDATE_DOMAIN = csl.sri.com

MKDB = /usr/sbin/yp_mkdb
DBLOAD = $(MKDB) -m `hostname`
MKNETID = /usr/libexec/mknetid
NEWALIASES = /usr/bin/newaliases
YPPUSH = /usr/sbin/yppush
.if !defined(UPDATE_DOMAIN)
DOMAIN = `/bin/domainname`
.else
DOMAIN = $(UPDATE_DOMAIN)
.endif
REVNETGROUP = /usr/libexec/revnetgroup
TMP = `echo $@.`

# It is advisable to create a separate directory to contain the
# source files used to generate your NIS maps. If you intend to
# support multiple domains, something like /src/dir/$DOMAIN
# would work well.
YPSRCDIR = /usr/local/nis/$(UPDATE_DOMAIN)
.if !defined(YP_DIR)
YPDIR = /var/yp
.else
YPDIR = $(YP_DIR)
.endif
YPMAPDIR = $(YPDIR)/$(DOMAIN)

# These are the files from which the NIS databases are built. You may edit
# these to taste in the event that you wish to keep your NIS source files
# separate from your NIS server's actual configuration files. Note that the
# NIS passwd and master.passwd files are stored in /var/yp: the server's
# real password database is not used by default. However, you may use
# the real /etc/passwd and /etc/master.passwd files by:
#
#
# - invoking yppasswdd with `-t /etc/master.passwd' (yppasswdd will do a
#   'pwd_mkdb' as needed if /etc/master.passwd is thus specified).
# - Specifying the location of the master.passwd file using the
#   MASTER_PASSWD variable, i.e.:
#
#   # make MASTER_PASSWD=/path/to/some/other/master.passwd
#
# - (optionally): editing this Makefile to change the default location.
#
# To add a user, edit $(YPDIR)/master.passwd and type 'make'. The raw
# passwd file will be generated from the master.passwd file automagically.
#
ETHERS= $(YPSRCDIR)/ethers # ethernet addresses (for rarpd)
BOOTPARAMS= $(YPSRCDIR)/bootparams # for booting Sun boxes (bootparamd)
HOSTS = $(YPSRCDIR)/hosts
NETWORKS  = $(YPSRCDIR)/networks
PROTOCOLS = $(YPSRCDIR)/protocols
RPC   = $(YPSRCDIR)/rpc
SERVICES  = $(YPSRCDIR)/services
GROUP = $(YPSRCDIR)/group
ALIASES   = $(YPSRCDIR)/mail/aliases
NETGROUP  = $(YPSRCDIR)/netgroup
PASSWD= 

Re: nis/yp

2002-11-26 Thread Matthew Seaman
On Tue, Nov 26, 2002 at 02:48:17PM +0100, Kasper wrote:
 When i add a user on my nis/yp server i need to update the nis database.
 How do i do this?

Run 'make' in /var/yp

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
  Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




Re: NIS/YP

2002-11-20 Thread Matthew Seaman
On Wed, Nov 20, 2002 at 02:45:32PM +0100, Kasper wrote:
 Hello, when i add a new user to my nis master i copy out the userline from
 /etc/master.passwd and
 copy it to

That's what pw(8)'s -V flag is for --- you can edit your
/var/yp/master.passwd directly.
 
 /var/yp/master.passwd.
 
 How do i update the userlist so i can log in with the new created user on my
 nis clients?

cd /var/yp
make

(The ypinit(8) program should have set up everything in /var/yp so
that will work.)

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
  Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




Re: NIS gods angry

2002-11-07 Thread Dan Nelson
In the last episode (Nov 07), Tim Kellers said:
 I'm using NFS to mount /usr/home from the server on the client
 machine. All the accounts on the server have their home directories
 in /usr/home ypcat passwd returns the passwd list, ypwhich returns
 the master server name, chpass (username on server) returns the
 correct user's master.passwd entry.
 
 I've placed the correct punctuation at the bottom of the edited
 master.passwd file and in the /etc/group file.
 
 But
 
 None of my NIS server users can login on the client machine.
 
 For example:
 
  su -l zooba
 su: unknown login: zooba
 
 And zooba is a valid login name/account on the NIS master.

Definitely sounds like a problem with the + line in the passwd file.
Run vipw, and verify that

+:

is at the bottom.  If it still doesn't work, try truss'ing id -u
zoomba and verify that it's reading the NIS files and doing network
calls.

-- 
Dan Nelson
[EMAIL PROTECTED]




Re: NIS gods angry

2002-11-07 Thread Mike Hogsett

 Definitely sounds like a problem with the + line in the passwd file.
 Run vipw, and verify that
 
 +:
 
 is at the bottom.  If it still doesn't work, try truss'ing id -u
 zoomba and verify that it's reading the NIS files and doing network
 calls.


Don't forget to add

 +:::

to /etc/group also.

 - Mike Hogsett

 




Re: NIS gods angry

2002-11-07 Thread Mike Hogsett


 Thanks for the replies, guys, it's (freakin' finally) working.

Thank the NIS Gods.

 I don't know if it was the extra blank line before  the  +: in 
 /etc/master.passwd was the culprit

It is likely.

 or the weird characters in 
 /var/yp/ypservers.  I did some reading to try and find out if 
 /var/yp/ypservers was supposed to be garbled/encrypted but I could find out 
 anything useful.  Hopefully, I haven't borked some security by entering plain

On my NIS master :

buzby# pwd
/var/yp/NISDOMMAIN
buzby# file ypservers 
ypservers: Berkeley DB 1.85 (Hash, version 2, native byte-order)
buzby# 

Good luck,

 - Mike
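
Added example, not part of any post above: a small Python check for the compat entries these NIS threads keep returning to (the `+` line at the bottom of master.passwd, the matching line in /etc/group, and the stray blank line suspected here). The function name, labels and sample contents are constructed for illustration; the field counts assume the FreeBSD master.passwd(5) and group(5) layouts.

```python
# Added example: lint the NIS compat ('+') entries discussed in these threads.
# Assumes FreeBSD master.passwd(5) and group(5) field layouts.
PASSWD_FIELDS = 10  # name:passwd:uid:gid:class:change:expire:gecos:home:shell
GROUP_FIELDS = 4    # name:passwd:gid:members


def lint_compat(text, nfields, label):
    """Return a list of findings for the contents of one file."""
    findings = []
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # the file's final newline is not a blank line
    plus_lines = []
    for n, line in enumerate(lines, 1):
        if line.startswith("#"):
            continue
        if not line.strip():
            findings.append(f"{label}:{n}: blank line")
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            findings.append(f"{label}:{n}: {len(fields)} fields, expected {nfields}")
        elif line.startswith("+"):
            plus_lines.append(n)
            # Non-empty fields on a '+' line override what NIS supplies
            # (passwd(5)); a uid or gid override deserves a second look.
            if nfields == PASSWD_FIELDS and (fields[2] or fields[3]):
                findings.append(f"{label}:{n}: '+' entry overrides uid/gid")
    if not plus_lines:
        findings.append(f"{label}: no valid '+' entry")
    elif plus_lines[-1] != len(lines):
        findings.append(f"{label}:{plus_lines[-1]}: '+' entry is not at the bottom")
    return findings


# Constructed sample input, not taken from any real system.
PLUS = "+" + ":" * 9  # wildcard entry with all ten fields empty
BROKEN_PASSWD = (
    "root:*:0:0::0:0:Charlie &:/root:/bin/csh\n"
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin\n"
    "\n" + PLUS + "\n"
)
FIXED_PASSWD = BROKEN_PASSWD.replace("\n\n", "\n")
BROKEN_GROUP = "wheel:*:0:root\n"
FIXED_GROUP = BROKEN_GROUP + "+:*::\n"

if __name__ == "__main__":
    for text, n, label in [(BROKEN_PASSWD, PASSWD_FIELDS, "master.passwd"),
                           (BROKEN_GROUP, GROUP_FIELDS, "group")]:
        print("\n".join(lint_compat(text, n, label)) or f"{label}: ok")
```

Run it against copies of the client's files rather than the live ones; edits to the real master.passwd still go through vipw as described in the thread.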
 




Re: NIS/YP -NFS -DISKLESS problem, weird

2002-10-13 Thread Ian Dowse

In message [EMAIL PROTECTED], Hartmann, O. writes:
I can see the X-Terminals and other diskless systems booting but when
mounting / via NFS from the boot host, they get stuck. It seems that they
can not mount the NFS file system, but that is not the problem.

I exported then the root tree of the diskless systems to another system
and I saw that they can mount it without any problem. But now the
weird thing comes into play: I can traverse via cd and ls __all__ directories
and can list all dir entries except those of etc!

Hi,

Could you collect a tcpdump trace of the client as it becomes stuck?
Something like

tcpdump -nepX -s 1600 host your_client_ip and udp port 2049

run from the server should do the trick. I just need to see a few
retransmits of the failing request.

Ian
