Experience sharing and questions for NIS migration from Solaris 8 to Linux
Post 302996832 by bestard on Wednesday 3rd of May 2017 07:34:32 AM
Quote:
Originally Posted by MadeInGermany
Google for "passwd.adjunct".
This was Sun's solution to hide the pw crypts. But later they encouraged replacing NIS, first with NIS+ then with LDAP.
And please continue with sharing your results here.
Sorry for the delayed response; I was doing some work to test passwd.adjunct.
I know passwd.adjunct is Sun's solution to hide password encryption.
It's just I'm not sure if it can satisfy what I need.

My goals are:
1. NIS users can log in from both Linux and Solaris clients.
2. Hide password encryption from ypcat.
3. Be able to change NIS user passwords from any host in our domain.
4. Password aging can be provided to NIS users.

From what I've done, it seems like there is no perfect way to do them all, using either shadow or passwd.adjunct.

When using shadow:
1. NIS users can log in from both Linux and Solaris clients.
2. In order to satisfy #1, "MERGE_PASSWD" in the /var/yp/Makefile has to be set to "true", while that dissatisfies #4. And this lets ypcat get the pw encrypts.
3. Be able to change NIS user passwords from any host in our domain.
4. Conflicts with #2.

When using passwd.adjunct:
1. NIS users can log in from both Linux and Solaris clients.
2. pw encrypts can be hidden from ypcat.
3. Can use yppasswd to change a NIS user pwd. However, logging in to the NIS master as a NIS user fails. I'll describe it later.
4. Password aging needs the shadow file instead of passwd.adjunct. I'm not sure if that's right. I failed to test this; maybe I missed something.

---------- Post updated at 07:34 PM ---------- Previous update was at 05:50 PM ----------

As for passwd.adjunct, I did some work trying to make it fit my needs.
To make passwd.adjunct work, some things need to be done on both server and client.

on the client:
1. Edit /etc/default/nss config and set ADJUNCT_AS_SHADOW=TRUE.

on the server:
1. Create the file /var/yp/securenets

2. check /etc/ypserv.conf for the following settings,
Code:
* : * : shadow.byname : port
* : * : passwd.adjunct.byname : port

3. change /etc/sysconfig/yppasswdd settings,
Code:
PASSWDFILE=/var/yp/passwd
SHADOWFILE=/var/yp/passwd.adjunct

4. set my environment hash variable to DES encryption.
setenv YP_PASSWD_HASH des

5. copy /etc/shadow and /etc/passwd to /var/yp, modify /var/yp/passwd format as below,
username:##username:.....

6. change /var/yp/Makefile setting,
Code:
NOPUSH=false
...
...
MERGE_PASSWD=false
...
...
YPSRCDIR = /etc
YPPWDDIR = /etc
YPPWDDIR_ADJ = /var/yp
YPBINDIR = /usr/lib64/yp
YPSBINDIR = /usr/sbin
YPDIR = /var/yp
YPMAPDIR = $(YPDIR)/$(DOMAIN)
...
GROUP       = $(YPPWDDIR)/group
PASSWD      = $(YPPWDDIR_ADJ)/passwd
SHADOW      = $(YPPWDDIR)/shadow
GSHADOW     = $(YPPWDDIR)/gshadow
ADJUNCT     = $(YPPWDDIR_ADJ)/passwd.adjunct
...
...
# If you don't want some of these maps built, feel free to comment
# them out from this list.

all:  passwd group hosts rpc services netid protocols mail \
        auto.master auto.direct passwd.adjunct

...
ethers:         ethers.byname ethers.byaddr
hosts:          hosts.byname hosts.byaddr
networks:       networks.byaddr networks.byname
protocols:      protocols.bynumber protocols.byname
rpc:            rpc.byname rpc.bynumber
services:       services.byname services.byservicename
passwd:         passwd.byname passwd.byuid
group:          group.byname group.bygid
shadow:         passwd.adjunct
passwd.adjunct: passwd.adjunct.byname
netid:          netid.byname
netgrp:         netgroup netgroup.byhost netgroup.byuser
...

7. After finishing the settings, restart the ypserv and yppasswdd services.

After those:
1. A NIS user can log in from both Linux/Solaris clients.
2. Only root can get user password encryption.

3. You can change a NIS user password using yppasswd from any client and log in again. But logging in again from the NIS master server fails.

I did more tests and found that when I log in to the NIS master as a NIS user, it is authenticated against /etc/shadow instead of /var/yp/passwd.adjunct, and if I use yppasswd to change the user password, it fails to change the NIS passwd.
Then I used passwd to do it again; it succeeded, but only changed /etc/shadow.

I believe it results from the nsswitch.conf setting authentication only to files:
Code:
passwd:     files
shadow:     files
group:      files

So, when I log in as a NIS user, it authenticates through /etc/passwd and /etc/shadow.
These are rational settings because this is the NIS master server, and there is no way to set "nis" in front of "files", which would cause the ypserv issue.

From what I tested, this is a gap between /etc/shadow and passwd.adjunct that I don't know how to fix.

4. Because of #3, I have no chance to test password aging from the NIS master. chage/chfn/chsh change /etc/shadow instead of /var/yp/passwd.adjunct.

I'm at my wit's end with this. Does anyone have any idea?

Last edited by bestard; 05-03-2017 at 08:42 AM..
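
An added example, not part of the original post: a shell check for goal 2 that classifies the password field of each entry in `ypcat passwd` output (using the `username:##username:` format from step 5) and reads the MERGE_PASSWD value from a /var/yp/Makefile. The function names and the sample map entries, including the hash placeholder, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format NIS map for published password crypts.
# Verdict per entry:
#   adjunct   field is "##<username>", crypt is kept in passwd.adjunct
#   shadowed  field is "x" or starts with "*" / "!", no crypt published
#   EXPOSED   anything else: a crypt string every NIS client can read
#   EMPTY     no password set
#   MISMATCH  "##" marker that names a different user
classify_passwd_map() {
    awk -F: '
        NF < 7                    { print $1, "MALFORMED"; next }
        $2 == ("##" $1)           { print $1, "adjunct";   next }
        $2 ~ /^##/                { print $1, "MISMATCH";  next }
        $2 == ""                  { print $1, "EMPTY";     next }
        $2 == "x" || $2 ~ /^[*!]/ { print $1, "shadowed";  next }
                                  { print $1, "EXPOSED" }
    '
}

# Number of entries whose crypt is visible in the map (0 is the goal).
count_exposed() {
    classify_passwd_map | awk '$2 == "EXPOSED" { n++ } END { print n + 0 }'
}

# Print the last MERGE_PASSWD value found in a Makefile read from stdin.
merge_passwd_setting() {
    awk -F= '/^[ \t]*MERGE_PASSWD[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
             END { print v }'
}

# Constructed sample map; "ZZexampleHASH" stands in for a 13-character
# DES crypt and is not a real hash.
sample_map() {
    cat <<'EOF'
alice:##alice:1001:100:Alice:/home/alice:/bin/sh
bob:ZZexampleHASH:1002:100:Bob:/home/bob:/bin/sh
carol:x:1003:100:Carol:/home/carol:/bin/sh
dave::1004:100:Dave:/home/dave:/bin/sh
EOF
}

sample_map | classify_passwd_map
```

On a NIS client, run it against the live map as an unprivileged user with `ypcat passwd | count_exposed`; on the server, `merge_passwd_setting < /var/yp/Makefile` shows which mode the maps were built in.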
 
