Login or Register to Ask a Question and Join Our Community


Solaris

Experience sharing and questions for NIS migration from Solaris 8 to Linux

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Operating Systems Solaris Experience sharing and questions for NIS migration from Solaris 8 to Linux
# 8  
Old 05-04-2017
It is quite some time that I dealt with Solaris 8 - and with NIS.
Never attempted to hide the NIS password crypts.
Solaris 10 supports longer crypts, if enabled. Standard in Solaris 11. But with NIS...?
# 9  
Old 05-04-2017
Quote:
Originally Posted by MadeInGermany
It is quite some time that I dealt with Solaris 8 - and with NIS.
Never attempted to hide the NIS password crypts.
Solaris 10 supports longer crypts, if enabled. Standard in Solaris 11. But with NIS...?

Just like I said, that's one of my target.
If things can't go perfect, It's only to compromise with that.
I know Solaris 9 above provides better solutions, it's just I have no choice.

Actually, I'm ok with not hiding password encrypts.
I set my heart on implementing password aging, using shadow would be easier for me, but those Solaris clients are killing me.

If passwd.adjunct can work with both platforms for this target, I'll stick with that. But it seems like a no go...Smilie
# 10  
Old 05-05-2017
Just to add to the discussion
  • AFAIK, Solaris 8 only supports password.adjunct, not shadow in nis
  • password.adjunct is extremely weak security and only protects against users if they cannot become root on a client that can approach the NIS server
  • passwd.adjunct works with both Solaris 8 and Linux clients.
  • Solaris 8, when updated to the very latest levels supports TLS/LDAP as long as the LDAP server uses SHA1 certificates (TLS 1.0). This is not an easy feat, but it is possible
  • AFAIK NIS will only work with DES56
  • I do not think password aging is possible on Solaris in combination with NIS, since it does not support shadow over NIS.
  • Solaris 8, even with the latest patches remains of course an insecure and outdated platform.
  • On Linux "nis" does not need to be / cannot be specified in system-auth / password-auth in pam. This is handled by pam_unix.so, since authentication is client side.
Last edited by Scrutinizer; 05-05-2017 at 12:46 AM..
This User Gave Thanks to Scrutinizer For This Post:
bestard
# 11  
Old 05-05-2017
Quote:
Originally Posted by Scrutinizer
Just to add to the discussion
  • AFAIK, Solaris 8 only supports password.adjunct, not shadow in nis
  • password.adjunct is extremely weak security and only protects against users if they cannot become root on a client that can approach the NIS server
  • passwd.adjunct works with both Solaris 8 and Linux clients.
  • Solaris 8, when updated to the very latest levels supports TLS/LDAP as long as the LDAP server uses SHA1 certificates (TLS 1.0). This is not an easy feat, but it is possible
  • AFAIK NIS will only work with DES56
  • I do not think password aging is possible on Solaris in combination with NIS, since it does not support shadow over NIS.
  • Solaris 8, even with the latest patches remains of course an insecure and outdated platform.
  • On Linux "nis" does not need to be / cannot be specified in system-auth / password-auth in pam. This is handled by pam_unix.so, since authentication is client side.
Nice sharing. Thank you for this. You pretty much help me concluding the whole thing.

I am less concerned with security things since there is no choice with those Solaris 8 clients which are out of maintenance. I'm just trying to find a perfect way to complete whole tasks, if not, I can live with that. I did far more than my boss wanted me to do. He should be glad from what I've done. Smilie

Based on your sharing, I might stick with using shadow for both platforms and it's compromised for pw hidden to ypcat and password aging though. But I can make a NIS user login to all hosts in the domain at least.

I might think about if it's possible to write a password aging checker for Solaris clients once I decide to enable NIS password aging at the next step.

Anyway, thank you all.
# 12  
Old 05-05-2017
The last chalenge is yppasswdd - it supports changing of NIS passwords on the NIS client.
It receives a pw crypt over RPC and modifies the pw crypt field of the passwd or passwd.adjunct or shadow file (the NIS source file). It can be configured to then run the /var/yp/Makefile.
Consult man yppasswdd.
This User Gave Thanks to MadeInGermany For This Post:
bestard
Login or Register to Ask a Question

Previous Thread | Next Thread

8 More Discussions You Might Find Interesting

1. Solaris

User authentication failed while log in Solaris 8 client on Linux NIS server.

Based on the NIS migration tests I did and another question I posted earlier on. https://www.unix.com/solaris/272021-solaris-8-md5-encryption-support.html I tried to downgrade NIS linux encryption to DES to support solaris connection. So I modified /etc/pam.d/system-auth as below, password... (0 Replies)
Discussion started by: bestard
0 Replies

2. Shell Programming and Scripting

ksh script migration from Solaris to Linux.

We are migrating some scripts (ksh) from Solaris 10 to Linux 2.6.32. Can someone share list of changes i need to take care for this ? Have found few of them but i am looking for a exhaustive list. Thanks. (6 Replies)
Discussion started by: Shivdatta
6 Replies

3. UNIX for Dummies Questions & Answers

NIS to Active Directory Migration

Hello, This is my first ever post on Unix anything :). I really am a total newb when it comes to Unix. I am fairly well versed in the Windows world though. I have a project that I was pulled into which consists on migrating our Unix servers from authenticating with NIS, over to authenticating... (1 Reply)
Discussion started by: barcode2328
1 Replies

4. UNIX for Dummies Questions & Answers

Interview topics or questions for unix developers with 4.years experience

Hi , I am gonna attend interview this week end for unix developer ( 4.5 years exp) opening .. Can you help me out the topics or the questions which I can expect in the interview. This is may be silly but it is very important to me. Thanks in Advance (5 Replies)
Discussion started by: arukuku
5 Replies

5. Linux

Migration from solaris to linux

Hi, Currently I can able to access php script from solaris. I want to access from Linux I have done the following things: 1) I have copied all the scripts from solaris to linux. 2) I have installed php,mysql,apache. I tried with http://Hostname/username/test.php . This is not working .... (6 Replies)
Discussion started by: Mani_apr08
6 Replies

6. HP-UX

Migration from HP-UX to Solaris/Linux

Hi eveyone Ours is an application hosted on HP-UX 11 and we are trying to migrate the server to different flavour of UNIX. We are actually looking at the option of migrating it to Sun Solaris or Linux. We are trying to evaulate the pros and cons of migrating our application to Solaris/Linux.... (6 Replies)
Discussion started by: turaga.krishna
6 Replies

7. UNIX for Advanced & Expert Users

Linux NIS sever not binding with Solaris client

I am installing a NIS master server with a linux SLES 10 SP1. And it was pretty straight forward. (Simple since it GUI ) The server can bind to itself when issue with ypwhich command. But on solaris 10 box, I set up the defaultdomain (/etc/defaultdomain) and also issue ypinit -c to startup the... (3 Replies)
Discussion started by: ibroxy
3 Replies

8. UNIX for Dummies Questions & Answers

linux redhat and solaris NIS+

Hello all, I am wondering if anyone had success with installing a redhat linux (PC box) on a Solaris NIS+ network. I have gotten information on how to do this but have been unsuccessful. The information that I have gotten is a little out dated and is not 100%. ... (0 Replies)
Discussion started by: larry
0 Replies
Login or Register to Ask a Question