This is a discussion on problems with NIS client within the Gentoo Linux Support forums, part of the Unix Operating Systems category.
Hi everyone,

I have a complicated problem that has kept me working and reading docs for 3 days. The situation comes next. I am implementing a small network in our lab; I have a NIS server running on FreeBSD. In my everyday machine (an AMD64) I have installed Gentoo Stage 1. The NIS client configuration is giving me headaches. I cannot log in; I got the following message in /var/log/pwdfail/current:

    Jun 17 17:04:23 [login(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=/dev/vc/3 ruser= rhost= user=david
    Jun 17 17:04:25 [login] FAILED LOGIN 1 FROM /dev/vc/3 FOR david, Authentication failure

login is reading /etc/pam.d/login, which comes next:

    #%PAM-1.0
    auth       requisite    /lib/security/pam_unix.so nullok
    auth       required     /lib/security/pam_securetty.so
    auth       required     /lib/security/pam_stack.so service=system-auth
    auth       required     /lib/security/pam_nologin.so
    account    required     /lib/security/pam_unix.so audit
    account    required     /lib/security/pam_stack.so service=system-auth
    password   required     /lib/security/pam_unix.so nis
    password   required     /lib/security/pam_stack.so service=system-auth
    session    required     /lib/security/pam_unix.so
    session    required     /lib/security/pam_stack.so service=system-auth

I did some NIS tests on the Gentoo box and I could obtain the NIS maps:

    # ypcat -k netgroup
    net_adm (,netadm,ypnet.xxxx.cl)
    devel (,david,ypnet.xxxx.cl) (,felipe,ypnet.xxxx.cl)
    term_adm (,termadm,ypnet.xxxx.cl)

    # ypcat -k netgroup.byuser
    felipe.ypnet.xxxx.cl devel
    david.ypnet.xxxx.cl devel
    netadm.ypnet.xxxx.cl net_adm
    termadm.ypnet.xxxx.cl term_adm

Even:

    # ypcat passwd
    david:*:1001:1001:User &:/home/david:/bin/sh

The /etc/passwd, /etc/shadow and /etc/group files have the corresponding netgroup markers:

    +@devel::::::    (in passwd and shadow)
    +:*::            (in group)

In the FreeBSD NIS machine I got no login error messages, like "password failed" or "user unknown". I guess that the login process is not calling NIS; I am only doing local authentication.

Here I don't know; maybe it is a problem with PAM (version 0.78-r2) or portmap (or both). Here are my current configuration files:

--> /etc/yp.conf

    ypserver bsdnis.xxxx.cl
    domain ypnet.xxxx.cl broadcast

--> /etc/nsswitch.conf

    passwd:     compat nis
    shadow:     compat nis
    group:      compat nis
    hosts:      files dns
    networks:   files dns
    services:   db files nis
    protocols:  nis [NOTFOUND=return] db files
    rpc:        nis [NOTFOUND=return] db files
    ethers:     db files nis
    netmasks:   files
    netgroup:   nis files
    bootparams: files
    automount:  files
    aliases:    files

As a test I started ypbind from the command line with the debug option enabled. I got the following messages:

    # ypbind -debug
    parsing config file
    Trying entry: ypserver bsdnis.xxxx.cl
    parsed ypserver bsdnis.xxxx.cl
    add_server() domain: ypnet.xxxx.cl, host: bsdnis.xxxx.cl, slot: 0
    Trying entry: domain ypnet.xxxx.cl broadcast
    parsed domain 'ypnet.xxxx.cl' broadcast
    add_server() domain: ypnet.xxxx.cl, broadcast
    [Welcome to ypbind-mt, version 1.17.2]
    ping host 'bsdnis.xxxx.cl', domain 'ypnet.xxxx.cl'
    Answer for domain 'ypnet.xxxx.cl' from server 'bsdnis.xxxx.cl'
    Pinging all active server.
    Pinging all active server.
    ......

Any comments will be appreciated.

Thanks
David
David Guzman <david_aaron@softhome.net> wrote:

> Hi everyone,
> I have a complicated problem, that keeps me working and reading docs
> for 3 days. The situation comes next. I am implementing a small
> network in our lab, I have a NIS server running on FreeBSD. In my
> everyday machine (an AMD64) I have installed Gentoo Stage 1. The NIS
> client configuration is giving me headaches. I cannot login, I got
> the following message in /var/log/pwdfail/current
>
> Jun 17 17:04:23 [login(pam_unix)] authentication failure;
> logname= uid=0 euid=0 tty=/dev/vc/3 ruser= rhost= user=david
> Jun 17 17:04:25 [login] FAILED LOGIN 1 FROM /dev/vc/3 FOR david,
> Authentication failure
> [chop]
>
> Even,
> # ypcat passwd
> david:*:1001:1001:User &:/home/david:/bin/sh

There's your problem. You need to merge passwd and shadow on the yp server. I'm not sure what kind of NIS server you're running on the BSD side, but in Linux you would do this by editing /var/yp/Makefile and setting MERGE_PASSWD=true before running the make target. After doing this, ypcat passwd from the client should show something like:

    david:Ye0s19VL15D1z:1001:1001:User &:/home/david:/bin/sh

Yes, that defeats shadow security. No, there's no way around it while still using NIS for authentication. NIS+ can do better, though, but unless you have a Sun box as the server, chances are you won't have NIS+.

> Here are my current configuration files:
>
> --> /etc/yp.conf
> ypserver bsdnis.xxxx.cl
> domain ypnet.xxxx.cl broadcast
>
> --> /etc/nsswitch.conf
> passwd: compat nis
> shadow: compat nis
> group: compat nis

Remove "nis" from these -- it doesn't make sense to have both.

> hosts: files dns
> networks: files dns
> services: db files nis
> protocols: nis [NOTFOUND=return] db files
> rpc: nis [NOTFOUND=return] db files
> ethers: db files nis

Remove the db entries unless you really have /var/db entries. Most systems won't have them, and referencing services that aren't available will slow things down.

> automount: files

Not sharing this through NIS? Then you either have to manually add an auto.master/auto.home combination to the client, or use a local directory (which you have to manually create first, and assign to the UID of the NIS user).

Regards,
-- 
*Art
Hi,

Thanks for your post. I put my hands on the FreeBSD server again, and the problem was just what you wrote: I had to disable the shadowing stuff on the BSD and make the maps UNSECURED in order to make them compatible with non-BSD machines.

>> Even,
>> # ypcat passwd
>> david:*:1001:1001:User &:/home/david:/bin/sh
>
> There's your problem. You need to merge passwd and shadow on the yp
> server.

Now I got the password hash :-D

> david:Ye0s19VL15D1z:1001:1001:User &:/home/david:/bin/sh

> Remove "nis" from these -- it doesn't make sense to have both.
>
>> hosts: files dns
>> networks: files dns
>> services: db files nis
>> protocols: nis [NOTFOUND=return] db files
>> rpc: nis [NOTFOUND=return] db files
>> ethers: db files nis
>
> Remove the db entries unless you really have /var/db entries. Most
> systems won't have them, and referencing services that aren't available
> will slow things down.

I am happy with logging in with NIS, but now I can't use the Internet; I always get the 'host not found... check the name...' stuff. The same for sending emails... So I think I messed up my nsswitch.conf file... Am I right? Is it because I inserted nis in the other fields too (hosts, networks, services)?

>> automount: files
>
> Not sharing this through NIS? Then you either have to manually add an
> auto.master/auto.home combination to the client, or use a local
> directory (which you have to manually create first, and assign to the
> UID of the NIS user).

I did it manually, adjusting it with the UIDs and GIDs.

Thanks again... now to solve the host resolv problem.

David

> Regards,
David Guzman <david_aaron@softhome.net> wrote:
>
> I am happy with logging with NIS, but now I can't use internet, I got
> always the 'host not found... check the name...' stuff. The same for
> sending emails... then I think I messed up my nsswitch.conf file...
> Am I right?? It is because I inserted nis in the other fields too
> (hosts, networks, services)???

Networks and services shouldn't matter much, but hosts needs a fallback mechanism. I suggest the following:

    hosts: files dns nis

In other words, try /etc/hosts first, since it's fastest, then try dns, and finally try nis. That way, anything you add to the shared hosts file on the NIS server will get picked up, but only as a last resort.

Other than that, make sure that domainname returns your NIS domain and dnsdomainname returns your dns domain. Also, make sure you have valid entries in /etc/resolv.conf -- normally one line for "domain dom.ain" and one to three lines with "nameserver 12.34.56.78". There should be only one of "domain" or "search", and "search" should not be used unless there's more than one entry. SuSE gets this wrong in the automated setup (although it usually works ok despite this).

Regards,
-- 
*Art
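The checks Art describes in his two replies (an unmerged shadow map showing up as "*" in ypcat passwd, redundant "compat nis" and stray "db" sources in nsswitch.conf, a hosts line that lacks a DNS fallback, and the domain/search/nameserver rules for resolv.conf) are easy to turn into a client-side sanity script. The following Python linter is an added example for this thread, not code posted by anyone in it. It embeds David's nsswitch.conf and the two ypcat passwd lines from the thread as input; the resolv.conf sample and the 192.0.2.53 address are constructed, and the function names are the example's own.

```python
"""Added example (not from the thread): lint the NIS client-side settings
discussed above.  Input samples marked 'constructed' are made up for the
example; the nsswitch.conf and passwd lines are the ones posted in the thread.
"""

# Field-2 values that carry no hash, so pam_unix cannot verify a password.
PLACEHOLDER_PW = {"", "*", "x", "!", "!!"}


def check_passwd_entry(line):
    """Findings for one passwd(5)-style line as returned by `ypcat passwd`.

    A placeholder in field 2 means the server publishes the passwd map without
    the shadow hashes merged in, so the client can only ever authenticate
    against local /etc/shadow (the thread's original symptom).
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return ["malformed passwd entry: expected 7 colon-separated fields"]
    user, pw = fields[0], fields[1]
    if pw in PLACEHOLDER_PW:
        return [f"{user}: password field is '{pw}', so shadow is not merged "
                "into the NIS passwd map; NIS password logins will fail"]
    return []


def parse_nsswitch(text):
    """Map each database name to its list of source/action tokens."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        databases[name.strip()] = sources.split()
    return databases


def check_nsswitch(text):
    """Findings for nsswitch.conf, following the advice given in the thread."""
    findings = []
    databases = parse_nsswitch(text)
    for name, sources in databases.items():
        if "compat" in sources and "nis" in sources:
            findings.append(f"{name}: 'compat' already honours the +/-@netgroup "
                            "entries, so a separate 'nis' source is redundant")
        if "db" in sources:
            findings.append(f"{name}: 'db' source listed; drop it unless /var/db "
                            "maps really exist, or every lookup pays for the miss")
    hosts = databases.get("hosts", [])
    if "dns" not in hosts:
        findings.append("hosts: no 'dns' source; Internet name resolution will fail")
    elif "nis" in hosts and hosts.index("nis") < hosts.index("dns"):
        findings.append("hosts: 'nis' is consulted before 'dns'; use 'files dns nis' "
                        "so the shared hosts map is only a last resort")
    return findings


def check_resolv(text):
    """Findings for resolv.conf: one of domain/search, one to three nameservers."""
    findings = []
    seen = {"domain": [], "search": [], "nameserver": []}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] in seen:
            seen[parts[0]].append(parts[1:])
    if seen["domain"] and seen["search"]:
        findings.append("resolv.conf: both 'domain' and 'search' present; keep only one")
    for args in seen["search"]:
        if len(args) < 2:
            findings.append("resolv.conf: 'search' with a single entry; use 'domain' instead")
    if not seen["nameserver"]:
        findings.append("resolv.conf: no 'nameserver' line")
    elif len(seen["nameserver"]) > 3:
        findings.append("resolv.conf: more than three 'nameserver' lines; the resolver ignores the rest")
    return findings


# David's nsswitch.conf as posted in the thread.
THREAD_NSSWITCH = """\
passwd:     compat nis
shadow:     compat nis
group:      compat nis
hosts:      files dns
networks:   files dns
services:   db files nis
protocols:  nis [NOTFOUND=return] db files
rpc:        nis [NOTFOUND=return] db files
ethers:     db files nis
netmasks:   files
netgroup:   nis files
bootparams: files
automount:  files
aliases:    files
"""

# Constructed resolv.conf showing the domain/search mistake Art mentions.
SAMPLE_RESOLV = """\
domain xxxx.cl
search xxxx.cl
nameserver 192.0.2.53
"""

if __name__ == "__main__":
    for entry in ("david:*:1001:1001:User &:/home/david:/bin/sh",
                  "david:Ye0s19VL15D1z:1001:1001:User &:/home/david:/bin/sh"):
        print(entry, "->", check_passwd_entry(entry) or "ok")
    for finding in check_nsswitch(THREAD_NSSWITCH) + check_resolv(SAMPLE_RESOLV):
        print(finding)
```

Run against the thread's own nsswitch.conf it reports the three redundant "compat nis" lines and the four "db" sources; the first ypcat line is flagged and the merged one passes. Feeding it real files is a matter of `open("/etc/nsswitch.conf").read()` and piping `ypcat passwd` output through `check_passwd_entry`. The hosts check encodes Art's ordering rule literally: DNS must be present, and NIS may only follow it.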