===================================================================
Using RedHat RHEL4u3 on VMware VMs, with own NIS domain of "rh".
Tests of NIS, for use at ETS (KTH).
===================================================================
Changes for a shadow-style password/shadow NIS map.

This is useful if one is to restrict NIS access to trusted servers that
are accessed as non-root users by not-so-trusted users: then the
encrypted passwords can't even be read by those users (unprivileged
port), but the usual passwd details like uid/gid can.

/etc/ypserv.conf:
    * : * : shadow.byname : port
  (i.e. port-based security for shadow)

/var/yp/Makefile:
  the options for merging shadow data into the passwd or group files
  need to be set to "false", and shadow then needs to be included in
  the list of db files to be generated; then run "make" and try!

===================================================================
Trial of where passwd changes get made.

One server, running ypserv, yppasswdd and, in the later tests, ypbind.
Two clients, running ypbind (one would have been enough!).

Wanted to see, for various cases of password-changing, which
combination of the NIS db and the server's local files gets updated.

Conclusions:

  on clients, for non-local (NIS-only) users, passwd and yppasswd do
    the same, and the updates to yppasswdd on the server do get
    applied to the server's local files too: very handy.

  on the server, the passwd command always changes just the local
    files, though yppasswd (requires ypbind on server) does NIS
    and thus local files too

  if the server's local files and NIS are not synchronised (same
    passwd), the yppasswd will fail!!

Tests:

no ypbind on nis server

  start with server passwd file, update nis to this, password is "pass3"
    (/etc/shadow)
    user3:$1$0I5tGaKH$WlHRcTtrAnaLElN7VT25m.:13352:0:99999:7:::
    (ypcat passwd)
    user3:$1$0I5tGaKH$WlHRcTtrAnaLElN7VT25m.:35000:35000::/home/user3:/bin/bash

  now use yppasswd on client to change to oUuEYK
    client sees (ypcat passwd):
    user3:$1$3lc4eIhn$kYST8t3f9kQVj4Uxjg7G51:35000:35000::/home/user3:/bin/bash
    server sees:
    user3:$1$3lc4eIhn$kYST8t3f9kQVj4Uxjg7G51:13352:0:99999:7:::
    user3:$1$3lc4eIhn$kYST8t3f9kQVj4Uxjg7G51:35000:35000::/home/user3:/bin/bash

  now ditto with passwd to p.prA5s
    user3:$1$/ORzJN7v$Kl/GVpEc7wPr0O51aW4H70:13352:0:99999:7:::
    user3:$1$/ORzJN7v$Kl/GVpEc7wPr0O51aW4H70:35000:35000::/home/user3:/bin/bash

  now on server, passwd (to 9kQVj4):
    user3:$1$5BMQSEDr$qQpXzfpLifG39R1EV6nPL1:13353:0:99999:7:::
    user3:$1$/ORzJN7v$Kl/GVpEc7wPr0O51aW4H70:35000:35000::/home/user3:/bin/bash

  correct by update file->nis
    user3:$1$5BMQSEDr$qQpXzfpLifG39R1EV6nPL1:13353:0:99999:7:::
    user3:$1$5BMQSEDr$qQpXzfpLifG39R1EV6nPL1:35000:35000::/home/user3:/bin/bash

ypbind running: order: nis, files

  passwd (to fG39R1)
    user3:$1$xisVuMYQ$Ovc5J5C6X7HTRuiH.FLUX1:13353:0:99999:7:::
    user3:$1$5BMQSEDr$qQpXzfpLifG39R1EV6nPL1:35000:35000::/home/user3:/bin/bash
    (try doing su - user3 on server: NEEDS fG39R1, i.e. USES FILE)

  correct by update file->nis
    user3:$1$xisVuMYQ$Ovc5J5C6X7HTRuiH.FLUX1:13353:0:99999:7:::
    user3:$1$xisVuMYQ$Ovc5J5C6X7HTRuiH.FLUX1:35000:35000::/home/user3:/bin/bash

  yppasswd (to 9kQVj4)
    user3:$1$R3522oQM$t0wuejGtYjVGAq4RyqCBx/:13353:0:99999:7:::
    user3:$1$R3522oQM$t0wuejGtYjVGAq4RyqCBx/:35000:35000::/home/user3:/bin/bash

ypbind running: order: files, nis

  passwd to fG39R1
    user3:$1$LIjkh8wS$3u835fQOVmMUuwPku6iho.:13353:0:99999:7:::
    user3:$1$R3522oQM$t0wuejGtYjVGAq4RyqCBx/:35000:35000::/home/user3:/bin/bash
    (try doing su - user3 on server: NEEDS 9kQVj4, i.e. USES NIS)

  yppasswd to p.prA5s or to fG39R1
    "Error while changing the NIS password.
     The NIS password has not been changed on rhel4-a.ntmm.org"
    Logs say:
    "update user3 (uid=35000) from host 10.0.0.47 rejected
     rpc.yppasswdd[2526]: Invalid password.
     rhel4-a su(pam_unix)[4352]: session closed for user user3"
    this happened even when the nsswitch.conf was back to "files nis"

  tried 'sync' of file and nis:
    user3:$1$LIjkh8wS$3u835fQOVmMUuwPku6iho.:13353:0:99999:7:::
    user3:$1$LIjkh8wS$3u835fQOVmMUuwPku6iho.:35000:35000::/home/user3:/bin/bash

  yppasswd to p.prA5s (still "files nis", just to check)
    user3:$1$JHufpJma$5XDjUdyGRjeRrZYc1U1bq.:13353:0:99999:7:::
    user3:$1$JHufpJma$5XDjUdyGRjeRrZYc1U1bq.:35000:35000::/home/user3:/bin/bash

  then yppasswd to fG39R1 ("nis files")
    user3:$1$KeMFFAmN$TuZORb7jhVt.n3FzYYCxh/:13353:0:99999:7:::
    user3:$1$KeMFFAmN$TuZORb7jhVt.n3FzYYCxh/:35000:35000::/home/user3:/bin/bash
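
===================================================================
Added example (not part of the original notes): a check for the
unsynchronised state in which the tests above saw yppasswd rejected.
It compares the hash field of a shadow-format file with that of a
passwd-format dump such as saved "ypcat passwd" output. The function
name nis_desync and the sample hashes are made up for illustration.

```shell
#!/bin/sh
# Added example: report users whose password hash in the server's local
# shadow file differs from the hash served in the NIS passwd map.

# nis_desync SHADOW_FILE NIS_PASSWD_DUMP   (hypothetical helper name)
#   SHADOW_FILE      shadow(5) format:  user:hash:lastchg:...
#   NIS_PASSWD_DUMP  passwd(5) format, e.g. saved `ypcat passwd` output
# Prints the name of every user present in both inputs whose hashes differ.
# Users that exist only in the NIS map are skipped: there is no local
# entry for them to fall out of step with.
nis_desync() {
    awk -F: '
        # pass 1: remember the hash from the local shadow file
        FILENAME == ARGV[1] { local_hash[$1] = $2; next }
        # pass 2: compare against the hash in the NIS map dump
        ($1 in local_hash) && local_hash[$1] != $2 { print $1 }
    ' "$1" "$2"
}

# Constructed sample data (placeholder hashes, not from a real system).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Local file: user3 was changed with plain "passwd" on the server.
cat > "$tmp/shadow" <<'EOF'
user1:$1$saltAAAA$hashAAAAAAAAAAAAAAAAAA:13353:0:99999:7:::
user3:$1$saltNEW1$hashNEWNEWNEWNEWNEWNEW:13353:0:99999:7:::
EOF

# NIS map: still carries the old user3 hash; user9 is NIS-only.
cat > "$tmp/nis_passwd" <<'EOF'
user1:$1$saltAAAA$hashAAAAAAAAAAAAAAAAAA:35001:35001::/home/user1:/bin/bash
user3:$1$saltOLD1$hashOLDOLDOLDOLDOLDOLD:35000:35000::/home/user3:/bin/bash
user9:$1$saltCCCC$hashCCCCCCCCCCCCCCCCCC:35009:35009::/home/user9:/bin/bash
EOF

for u in $(nis_desync "$tmp/shadow" "$tmp/nis_passwd"); do
    echo "DESYNC: $u (local file and NIS map carry different hashes)"
done
```

On the server this would be run as root against /etc/shadow and a
saved dump of the map; only field 2 of each input is compared.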