Operating Systems Solaris Experience sharing and questions for NIS migration from Solaris 8 to Linux Post 302996983 by Scrutinizer on Thursday 4th of May 2017 11:27:41 PM
Old 05-05-2017
Just to add to the discussion
  • AFAIK, Solaris 8 only supports passwd.adjunct, not shadow in NIS.
  • passwd.adjunct is extremely weak security and only protects against users if they cannot become root on a client that can approach the NIS server.
  • passwd.adjunct works with both Solaris 8 and Linux clients.
  • Solaris 8, when updated to the very latest levels, supports TLS/LDAP as long as the LDAP server uses SHA1 certificates (TLS 1.0). This is not an easy feat, but it is possible.
  • AFAIK NIS will only work with DES56.
  • I do not think password aging is possible on Solaris in combination with NIS, since it does not support shadow over NIS.
  • Solaris 8, even with the latest patches, remains of course an insecure and outdated platform.
  • On Linux "nis" does not need to be / cannot be specified in system-auth / password-auth in PAM. This is handled by pam_unix.so, since authentication is client side.

Last edited by Scrutinizer; 05-05-2017 at 12:46 AM..

RPC.YPPASSWDD(8)                NIS Reference Manual                RPC.YPPASSWDD(8)

NAME
       rpc.yppasswdd - NIS password update daemon

SYNOPSIS
       rpc.yppasswdd [-D directory] -e chsh|chfn [--port number]
       rpc.yppasswdd [-s shadow] [-p passwd] -e chsh|chfn [--port number]
       rpc.yppasswdd -x program | -E program -e chsh|chfn [--port number]

DESCRIPTION
       rpc.yppasswdd is the RPC server that lets users change their passwords
       in the presence of NIS (a.k.a. YP). It must be run on the NIS master
       server for that NIS domain.

       When a yppasswd(1) client contacts the server, it sends the old user
       password along with the new one. rpc.yppasswdd will search the system's
       passwd file for the specified user name, verify that the given (old)
       password matches, and update the entry. If the user specified does not
       exist, or if the password, UID or GID doesn't match the information in
       the password file, the update request is rejected, and an error
       returned to the client.

       If this version of the server is compiled with the CHECKROOT=1 option,
       the password given is also checked against the system's root password.

       After updating the passwd file and returning a success notification to
       the client, rpc.yppasswdd executes the pwupdate script that updates the
       NIS server's passwd.* and shadow.byname maps. This script assumes all
       NIS maps are kept in directories named /var/yp/nisdomain that each
       contain a Makefile customized for that NIS domain. If no such Makefile
       is found, the script uses the generic one in /var/yp.

OPTIONS
       The following options are available:

       -D directory
              The passwd and shadow files are located under the specified
              directory path. rpc.yppasswdd will use these files, not
              /etc/passwd and /etc/shadow. This is useful if you do not want
              to give all users in the NIS database automatic access to your
              NIS server.

       -E program
              Instead of rpc.yppasswdd editing the passwd & shadow files, the
              specified program will be run to do the editing. The following
              environment variables will be set for the program:
              YP_PASSWD_OLD, YP_PASSWD_NEW, YP_USER, YP_GECOS, YP_SHELL. The
              program should return an exit status of 0 if the change
              completes successfully, 1 if the change completes successfully
              but pwupdate should not be run, and otherwise if the change
              fails.

       -p passwdfile
              This option tells rpc.yppasswdd to use a different source file
              instead of /etc/passwd. This is useful if you do not want to
              give all users in the NIS database automatic access to your NIS
              server.

       -s shadowfile
              This option tells rpc.yppasswdd to use a different source file
              instead of /etc/passwd. See below for a brief discussion of
              shadow support.

       -e [chsh|chfn]
              By default, rpc.yppasswdd will not allow users to change the
              shell or GECOS field of their passwd entry. Using the -e option,
              you can enable either of these. Note that when enabling support
              for ypchsh(1), you have to list all shells users are allowed to
              select in /etc/shells.

       -x program
              When the -x option is used, rpc.yppasswdd will not attempt to
              modify any files itself, but will instead run the specified
              program, passing to its stdin information about the requested
              operation(s). There is a defined protocol used to communicate
              with this external program, which has total freedom in how it
              propagates the change request. See below for more details on
              this.

       -m     Will be ignored, for compatibility with Solaris only.

       --port number
              rpc.yppasswdd will try to register itself to this port. This
              makes it possible to have a router filter packets to the NIS
              ports.

       -v --version
              Prints the version number and if this package is compiled with
              the CHECKROOT option.

MISCELLANEOUS
   Shadow Passwords
       Using shadow passwords alongside NIS does not make too much sense,
       because the supposedly inaccessible passwords now become readable
       through a simple invocation of ypcat(1). Shadow support in
       rpc.yppasswdd does not mean that it offers a very clever solution to
       this problem, it simply means that it can read and write password
       entries in the system's shadow file. You have to produce a
       shadow.byname NIS map to distribute password information to your NIS
       clients.

       rpc.yppasswdd will search at first in the /etc/passwd file for the user
       and password. If it finds the user, but the password is "x" and a
       /etc/shadow file exists, it will update the password in the shadow map.

   Use of the -x option
       The program should expect to read a single line from stdin, which is
       formatted as follows:

              <username> o:<oldpass> p:<password> s:<shell> g:<gcos>

       where any of the three fields [p, s, g] may or may not be present. This
       program should write "OK " to stdout if the operation succeeded. On any
       other result, rpc.yppasswdd will report failure to the client.

       Note that the program specified by the -x option is responsible for
       doing any NIS make and build, and for doing any necessary validation on
       the shell and gcos field information supplied. The password passed to
       the client will be in UNIX crypt() format.

   Logging
       rpc.yppasswdd logs all password update requests to syslogd(8)'s auth
       facility. The logging information includes the originating host's IP
       address and the user name and UID contained in the request. The
       user-supplied password itself is not logged.

   Security
       rpc.yppasswdd should be as secure or insecure as any program relying on
       simple password authentication. If you feel that this is not enough,
       you may want to protect rpc.yppasswdd from outside access by using the
       `securenets' feature of the new portmap(8) version 3. Better still,
       look at rpasswdd(8).

FILES
       /usr/sbin/rpc.yppasswdd
       /usr/lib/yp/pwupdate
       /etc/passwd
       /etc/shadow

SEE ALSO
       passwd(5), shadow(5), passwd(1), rpasswdd(8), yppasswd(1), ypchsh(1),
       ypchfn(1), ypserv(8), ypcat(1)

AUTHOR
       Olaf Kirch <okir@monad.swb.de> and Thorsten Kukuk <kukuk@linux-nis.org>

NIS Reference Manual                   09/26/2007                   RPC.YPPASSWDD(8)
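
The manual page above leaves shell and gcos validation to the program given with -x. The following is an added example, not part of the manual page or the ypserv package, of how such a program could parse the request line and reject values that would corrupt a colon-separated passwd entry. The names parse_request, SHELLS and SAMPLES are hypothetical, and the field order p, s, g and the absence of spaces in the password hash and shell are assumptions.

```python
import re

# Request line per the man page:
#   <username> o:<oldpass> p:<password> s:<shell> g:<gcos>
# Assumptions: optional fields arrive in the order p, s, g; the crypt()
# hash and the shell contain no spaces (the gcos field may).
REQUEST = re.compile(
    r"^(?P<user>[^\s:]+) o:(?P<old>.*?)"
    r"(?: p:(?P<passwd>\S+))?(?: s:(?P<shell>\S+))?(?: g:(?P<gcos>.*))?$"
)
# A colon or control character would add or break fields in a passwd entry.
UNSAFE = re.compile(r"[:\x00-\x1f\x7f]")


def parse_request(line, allowed_shells):
    """Return the validated change request as a dict, or None to reject it."""
    m = REQUEST.match(line.rstrip("\n"))
    if m is None:
        return None
    req = m.groupdict()
    changes = {k: req[k] for k in ("passwd", "shell", "gcos") if req[k] is not None}
    if not changes:
        return None  # none of p, s, g present: nothing to do
    if any(UNSAFE.search(v) for v in changes.values()):
        return None
    if "shell" in changes and changes["shell"] not in allowed_shells:
        return None  # same rule the man page gives for ypchsh and /etc/shells
    return {"user": req["user"], "old": req["old"], **changes}


# Constructed sample input; a real handler would load /etc/shells instead.
SHELLS = {"/bin/sh", "/bin/bash"}
SAMPLES = [
    "alice o:oldpw p:$1$abc$hash s:/bin/bash g:Alice Example",  # well formed
    "bob o:pw g:Bob:0:0",     # colons in gcos would inject extra fields
    "dave o:pw s:/tmp/sh",    # shell not in the allowed list
    "carol o:pw",             # no change requested
]

if __name__ == "__main__":
    for line in SAMPLES:
        verdict = "accept" if parse_request(line, SHELLS) else "reject"
        print(f"{verdict}: {line}")
```

A handler built on this would write the OK reply only after an accepted request has been applied and the NIS maps rebuilt, since the manual page makes the -x program responsible for both.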