Experience sharing and questions for NIS migration from Solaris 8 to Linux


 
# 1  
Old 04-28-2017

I'd like to share some experiences and what I found during an NIS migration from Solaris 8 to the Linux platform.
I'm not an expert on either platform; it's just that when I tested both systems I found some things that are really tricky and might take you a lot of time to find the root cause of. So I think I can share what I've found to help you save time if you have the same need as me. I still have some unsolved questions; maybe some experts can give me suggestions.

Original NIS server: Solaris 8
New NIS server: Red Hat Enterprise Linux 6.5

I have to say that my experiences are based on migrating from Solaris 8 to RHEL. Solaris 8 is an outdated system, and Solaris 9, 10 and above should be more advanced than 8, so I am not sure whether this works for other versions.

To save words, here are the two questions I posted earlier:
User authentication failed while log in Solaris 8 client on Linux NIS server.
Solaris 8 MD5 encryption support

1. RHEL 6.5 supports SHA512 password encryption by default; however, Solaris only supports DES encryption. There is no doubt that you have to modify the Linux NIS encryption to support DES, otherwise you may face an issue authenticating a NIS user when you log in to a Solaris client.

Code:
A. run the following command to change the default encryption.
# authconfig --passalgo=descrypt --update

B. run the following command to check if the above setting works.
# authconfig --test
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is descrypt

C. check the following line of /etc/pam.d/system-auth,
change
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
to
password    sufficient    pam_unix.so shadow nullok try_first_pass use_authtok

2. If you still have Solaris 8 clients, /var/yp/Makefile has to be modified as follows:
Code:
A. MERGE_PASSWD=true  --> a shadow map won't be generated.

After that, restart your ypserv service and re-run make in /var/yp; a Solaris client should then be able to log in a NIS user with no issues.

If you need a NIS slave server, it's recommended to build it on the same platform as the NIS master. A cross-platform setup between the two platforms may face ypxfrd synchronization issues, since Solaris uses the ndbm package instead of GNU dbm or Berkeley DB.

If you need password aging, that's the problem I am still working on.

I found that if you have Solaris clients in your domain, it is necessary to set "MERGE_PASSWD=true" so that NIS users can log in from Solaris clients.
However, that won't generate a shadow map for NIS, and the shadow map must exist if you want password aging.

It seems like a conflict if you want both of them to work. I still haven't found a way out of this. Does anyone have a workaround or solution for this issue?

I've been stuck on this task for a couple of weeks. If anyone is willing to share some experiences, I'll appreciate it.

Thanks.

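The two risks in post #1 are easy to lose sight of in the middle of a migration: with MERGE_PASSWD=true every hash is visible to any host that can run `ypcat passwd`, and any hash that is not traditional DES crypt cannot be verified by a Solaris 8 client. The following is an added example, not code from the original post, that audits a passwd map dump for both conditions. The map lines, user names and hash values are constructed for illustration, and the classification is by format only (prefix and length), which is all an admin needs to spot the entries that break a Solaris 8 login.

```python
"""Audit NIS password map sources for two risks: hashes exposed to any client
that can run `ypcat passwd`, and hash formats a Solaris 8 client cannot
verify (it only knows traditional DES crypt).  Added example, not code from
the original thread; the sample lines are constructed to look like a
MERGE_PASSWD=true passwd map."""
import re

# Traditional DES crypt: 2-char salt + 11 chars, all from the crypt alphabet.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# glibc "modular crypt" prefixes, none of which Solaris 8 understands.
MODULAR = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512",
           "$2a$": "blowfish", "$2y$": "blowfish"}
HASH_KINDS = ("des", "md5", "sha256", "sha512", "blowfish", "unknown")


def classify_hash(user, field):
    """Name the kind of value found in the password field of a map entry."""
    if field == "":
        return "empty"                 # login without any password
    if field == "x":
        return "shadowed"              # hash lives in shadow.byname
    if field == "##" + user:
        return "adjunct"               # Sun-style pointer into passwd.adjunct
    if field[0] in "!*":
        return "locked"
    for prefix, kind in MODULAR.items():
        if field.startswith(prefix):
            return kind
    if DES_CRYPT.match(field):
        return "des"
    return "unknown"


def audit(lines, world_readable=True):
    """Classify every entry; world_readable=True means the lines come from a map
    any NIS client can dump (passwd.byname), so a real hash there is exposed."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        kind = classify_hash(user, pw)
        report[user] = {
            "kind": kind,
            "exposed": world_readable and kind in HASH_KINDS,
            "solaris8_ok": kind == "des" if kind in HASH_KINDS else None,
        }
    return report


def findings(report):
    """Collapse the per-user report into the three lists an admin acts on."""
    return {
        "exposed": sorted(u for u, r in report.items() if r["exposed"]),
        "not_solaris8": sorted(u for u, r in report.items() if r["solaris8_ok"] is False),
        "empty": sorted(u for u, r in report.items() if r["kind"] == "empty"),
    }


# Constructed sample: what `ypcat passwd` might show on a MERGE_PASSWD=true server.
SAMPLE_PASSWD_MAP = """\
alice:ab01r.2bQ5Xs6:10001:4000:Alice:/home/alice:/bin/sh
bob:$6$c0nstructed$tkb9c3OQpRf8zDq1x.sample.hash.value.only:10002:4000:Bob:/home/bob:/bin/bash
carol:x:10003:4000:Carol:/home/carol:/bin/tcsh
dave::10004:4000:Dave:/home/dave:/bin/sh
erin:##erin:10005:4000:Erin:/home/erin:/bin/tcsh
frank:!!:10006:4000:Frank:/home/frank:/sbin/nologin
""".splitlines()

if __name__ == "__main__":
    rep = audit(SAMPLE_PASSWD_MAP)
    for user, r in rep.items():
        print(f"{user:8s} {r['kind']:9s} exposed={r['exposed']} solaris8_ok={r['solaris8_ok']}")
    print(findings(rep))
```

On a real server feed it `ypcat passwd` output (`audit(subprocess.check_output(["ypcat", "passwd"], text=True).splitlines())`); the "exposed" list is non-empty exactly when the merged map leaks hashes, and "not_solaris8" names the users who will fail on a Solaris 8 client after `authconfig --passalgo=descrypt` until they change their password and get a DES hash.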
# 2  
Old 04-29-2017
Google for "passwd.adjunct".
This was Sun's solution to hide the pw crypts. But later they encouraged replacing NIS, first with NIS+ and then with LDAP.
And please continue sharing your results here.
# 3  
Old 05-03-2017
Quote:
Originally Posted by MadeInGermany
Google for "passwd.adjunct".
This was Sun's solution to hide the pw crypts. But later they encouraged replacing NIS, first with NIS+ and then with LDAP.
And please continue sharing your results here.
Sorry for the delayed response; I did some work to test passwd.adjunct.
I know passwd.adjunct is Sun's solution to hide the encrypted passwords.
It's just that I'm not sure it can satisfy what I need.

My goals are,
1. NIS users can login from both Linux and Solaris clients.
2. hide password encryption from ypcat
3. be able to change NIS user passwords from any host in our domain.
4. password aging can be provided to NIS users.

From what I've done, it seems there is no perfect way to do them all, using either shadow or passwd.adjunct.

When using shadow,
1. NIS users can login from both Linux and Solaris clients.
2. In order to satisfy #1, "MERGE_PASSWD" in /var/yp/Makefile has to be set to "true", which defeats #4. And this lets ypcat get the pw crypts.
3. be able to change NIS user passwords from any host in our domain.
4. conflicts with #2.

When using passwd.adjunct,
1. NIS users can login from both Linux and Solaris clients.
2. pw crypts can be hidden from ypcat.
3. can use yppasswd to change a NIS user's password. However, logging in to the NIS master as a NIS user fails. I'll describe it later.
4. password aging needs the shadow file instead of passwd.adjunct. I'm not sure if that's right; I failed to test this, maybe I missed something.

---------- Post updated at 07:34 PM ---------- Previous update was at 05:50 PM ----------

As for passwd.adjunct, I did some work trying to make it fit my needs.
To make passwd.adjunct work, some things need to be done on both server and client.

on the client:
1. Edit /etc/default/nss and set ADJUNCT_AS_SHADOW=TRUE.

on the server:
1. Create the file /var/yp/securenets

2. check /etc/ypserv.conf for the following settings,
Code:
* : * : shadow.byname : port
* : * : passwd.adjunct.byname : port

3. change /etc/sysconfig/yppasswdd settings,
Code:
PASSWDFILE=/var/yp/passwd
SHADOWFILE=/var/yp/passwd.adjunct

4. set my environment hash variable to DES encryption.
setenv YP_PASSWD_HASH des

5. copy /etc/shadow and /etc/passwd to /var/yp, and modify the /var/yp/passwd format as below,
username:##username:.....

6. change /var/yp/Makefile setting,
Code:
NOPUSH=false
...
...
MERGE_PASSWD=false
...
...
YPSRCDIR = /etc
YPPWDDIR = /etc
YPPWDDIR_ADJ = /var/yp
YPBINDIR = /usr/lib64/yp
YPSBINDIR = /usr/sbin
YPDIR = /var/yp
YPMAPDIR = $(YPDIR)/$(DOMAIN)
...
GROUP       = $(YPPWDDIR)/group
PASSWD      = $(YPPWDDIR_ADJ)/passwd
SHADOW      = $(YPPWDDIR)/shadow
GSHADOW     = $(YPPWDDIR)/gshadow
ADJUNCT     = $(YPPWDDIR_ADJ)/passwd.adjunct
...
...
# If you don't want some of these maps built, feel free to comment
# them out from this list.

all:  passwd group hosts rpc services netid protocols mail \
        auto.master auto.direct passwd.adjunct

...
ethers:         ethers.byname ethers.byaddr
hosts:          hosts.byname hosts.byaddr
networks:       networks.byaddr networks.byname
protocols:      protocols.bynumber protocols.byname
rpc:            rpc.byname rpc.bynumber
services:       services.byname services.byservicename
passwd:         passwd.byname passwd.byuid
group:          group.byname group.bygid
shadow:         passwd.adjunct
passwd.adjunct: passwd.adjunct.byname
netid:          netid.byname
netgrp:         netgroup netgroup.byhost netgroup.byuser
...

7. After finishing settings, restart ypserv and yppasswdd services.

After that,
1. a NIS user can log in from both Linux and Solaris clients.
2. only root can get users' encrypted passwords.

3. You can change a NIS user's password using yppasswd from any client and log in again. But logging in again fails from the NIS master server.

I did more tests and found that when I log in to the NIS master as a NIS user, it is authenticated against /etc/shadow instead of /var/yp/passwd.adjunct, and if I use yppasswd to change the user's password, it fails to change the NIS password.
Then I used passwd to do it again; it succeeded, but only changed /etc/shadow.

I believe it results from the nsswitch.conf setting, which authenticates only against files:
Code:
passwd:     files
shadow:     files
group:      files

So, when I log in as a NIS user, it authenticates through /etc/passwd and /etc/shadow.
These are rational settings because this is the NIS master server, and there is no way to put "nis" in front of "files", which would cause the ypserv issue.

From what I tested, this is a gap between /etc/shadow and passwd.adjunct that I don't know how to fix.

4. Because of #3, I have no chance to test password aging from the NIS master. chage/chfn/chsh change /etc/shadow instead of /var/yp/passwd.adjunct.

I'm at my wit's end with this. Does anyone have any idea?

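Step 5 of the server procedure above (copy /etc/passwd and /etc/shadow to /var/yp and rewrite the password field as `##username`) is the part most easily done wrong by hand: a missed line leaves a real hash in the world-readable passwd map, and a user with no shadow entry can end up with an empty password field. The block below is an added example, not the thread's own code, that generates both sources from ordinary passwd and shadow content in the exact format shown in the later ypmatch output. The input lines are constructed, the min_uid cut-off for keeping local accounts out of NIS is this example's assumption, and the adjunct line is simply the user's shadow line, as the post copies it (ypserv only needs the name and hash fields from it).

```python
"""Build the two NIS source files used in the passwd.adjunct setup
(a passwd source whose password field is the `##user` placeholder, and a
passwd.adjunct source that carries the hashes) from ordinary /etc/passwd and
/etc/shadow content.  Added example, not the thread's own code: the input
lines are constructed and the min_uid cut-off is this example's assumption."""
import os
from pathlib import Path

PLACEHOLDER = "##"                    # field 2 of the passwd map: "##user" instead of a hash
LOCKED_SHADOW_TAIL = ":*" + ":" * 7   # name:*::::::: (9 shadow fields, no valid hash)


def parse_colon_file(lines):
    """{name: [fields]} for passwd/shadow style lines; comments and blanks skipped."""
    table = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        table[fields[0]] = fields
    return table


def split_adjunct(passwd_lines, shadow_lines, min_uid=1000):
    """Return (passwd_source, adjunct_source, problems), each a list of strings.

    Accounts below min_uid (root, daemons) are left out so they stay local.
    A NIS user with no shadow entry gets a locked ('*') adjunct entry plus a
    problem report, never an empty password field."""
    passwd = parse_colon_file(passwd_lines)
    shadow = parse_colon_file(shadow_lines)
    passwd_out, adjunct_out, problems = [], [], []
    for name, f in passwd.items():
        if len(f) != 7 or not f[2].isdigit():
            problems.append(f"{name}: malformed passwd entry")
            continue
        if int(f[2]) < min_uid:
            continue
        f[1] = PLACEHOLDER + name
        passwd_out.append(":".join(f))
        if name in shadow:
            if shadow[name][1] == "":
                problems.append(f"{name}: empty password hash in shadow")
            adjunct_out.append(":".join(shadow[name]))
        else:
            problems.append(f"{name}: no shadow entry, emitted as locked")
            adjunct_out.append(name + LOCKED_SHADOW_TAIL)
    return passwd_out, adjunct_out, problems


def verify_no_hashes(passwd_source):
    """True when every line of the passwd source carries only the placeholder."""
    return all(line.split(":")[1] == PLACEHOLDER + line.split(":")[0]
               for line in passwd_source)


def write_sources(dest_dir, passwd_source, adjunct_source):
    """Write the sources; the adjunct file holds hashes, so it is made root-only."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    (dest / "passwd").write_text("\n".join(passwd_source) + "\n")
    adj = dest / "passwd.adjunct"
    adj.write_text("\n".join(adjunct_source) + "\n")
    os.chmod(adj, 0o600)
    return adj


# Constructed sample input (root stays local; "nohash" has no shadow entry).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
testuser:x:10124:4000:19-Aug-2002:/nas/testuser:/bin/tcsh
nohash:x:10125:4000:No Shadow Entry:/nas/nohash:/bin/sh
""".splitlines()
SAMPLE_SHADOW = """\
root:$6$c0nstructed$rootHashValueForIllustrationOnly:17290:0:99999:7:::
testuser:7abi0uUn./pOk:17290::::::
""".splitlines()

if __name__ == "__main__":
    pw, adj, problems = split_adjunct(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print("\n".join(pw), "\n--", "\n".join(adj), "\n--", problems)
    print("passwd source clean:", verify_no_hashes(pw))
```

Run it against the real files with `split_adjunct(open("/etc/passwd"), open("/etc/shadow"))` and hand the result to `write_sources("/var/yp", ...)`; re-run `verify_no_hashes` on the passwd source before `make` so a stray hash never reaches passwd.byname.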
# 4  
Old 05-03-2017
The best setting for NIS is
Code:
passwd:     files nis
shadow:     files
group:      files nis

It first looks for local users in /etc/passwd; if not found, it consults NIS.
On the NIS master, if you want it to work like a NIS client, you should put the NIS source files outside of /etc/, e.g. create a directory /etc/yp-maps/ for them and adapt the Makefile.
# 5  
Old 05-04-2017
Quote:
Originally Posted by MadeInGermany
The best setting for NIS is
Code:
passwd:     files nis
shadow:     files
group:      files nis

It first looks for local users in /etc/passwd; if not found, it consults NIS.
On the NIS master, if you want it to work like a NIS client, you should put the NIS source files outside of /etc/, e.g. create a directory /etc/yp-maps/ for them and adapt the Makefile.
Could you please be clearer? That confused me a little.
As far as I know, /etc/passwd and /etc/shadow are not recommended to be moved elsewhere, since many built-in libraries and applications running as root are bound to these files. Is there any way to point the default system settings at other source files?

However, I still managed to do some tests of this idea.
I left /etc/passwd and /etc/shadow where they are and just separated the NIS user info into other source files located in /etc/yp, i.e., /etc/yp/passwd and /etc/yp/shadow, for the NIS service.

Then I adapted the following files.
1. /etc/pam.d/system-auth and /etc/pam.d/password-auth
Code:
password    sufficient    pam_unix.so shadow nis nullok try_first_pass use_authtok

2. /etc/nsswitch.conf
Code:
passwd:     files nis
shadow:     files nis
group:      files nis

#hosts:     db files nisplus nis dns
hosts:      files dns nis

3. adapted /var/yp/Makefile to redirect the shadow and passwd sources to /etc/yp, and then re-ran make.

4. restart ypserv/yppasswdd/ypbind services

After that, I could successfully query a NIS user's info from the database, as below:
Code:
# ypmatch testuser passwd
testuser:##testuser:10124:4000:19-Aug-2002:/nas/testuser:/bin/tcsh
# ypmatch testuser passwd.adjunct.byname
testuser:7abi0uUn./pOk:17290::::::

Unfortunately, I still can't log in as a NIS user on the master server.
Code:
# ssh testuser@mastest
testuser@mastest's password: 
Permission denied, please try again.

I have no idea what went wrong.

For more information:
1. /etc/default/nss
Code:
ADJUNCT_AS_SHADOW=TRUE

2. /etc/sysconfig/yppasswdd
Code:
# The passwd and shadow files are located under the specified
# directory path. rpc.yppasswdd will use these files, not /etc/passwd
# and /etc/shadow.
#ETCDIR=/etc

# This option tells rpc.yppasswdd to use a different source file
# instead of /etc/passwd
# You can't mix usage of this with ETCDIR
#PASSWDFILE=/etc/passwd
PASSWDFILE=/var/yp/passwd

# This option tells rpc.yppasswdd to use a different source file
# instead of /etc/shadow.
# You can't mix usage of this with ETCDIR
#SHADOWFILE=/etc/shadow
SHADOWFILE=/var/yp/passwd.adjunct

# Additional arguments passed to yppasswd
YPPASSWDD_ARGS="--port 1012"

# 6  
Old 05-04-2017
Correct, local users like root must stay in the /etc files.
nsswitch.conf is correct when
Code:
getent passwd

lists both local and NIS users.
I do not have much experience with the actual login authentication via PAM.
# 7  
Old 05-04-2017
Information update.

I found something strange. I turned ypserv debug mode on; it seemed ypserv recognized the NIS domain and tried to find the user info, however, it did check passwd.adjunct.byname and then skipped it and kept searching for info in shadow.byname.

I tried copying /var/yp/`domainname`/passwd.adjunct.byname to /var/yp/`domainname`/shadow.byname and logging in again from the NIS master, and it worked.

I just don't know why that is. It is supposed to authenticate a NIS user just like the client does.

This is the ypserv debug log. I'm kind of weak at analyzing this log; maybe someone can help find the key.
Code:
# ypserv -d
[ypserv (ypserv) 2.19]

Find securenet: 255.255.255.255 127.0.0.1
Find securenet: 255.255.248.0 172.26.80.0
ypserv.conf: dns: 0
ypserv.conf: files: 30
ypserv.conf: xfr_check_port: 1
ypserv.conf: 0.0.0.0/0.0.0.0:*:shadow.byname:2
ypserv.conf: 0.0.0.0/0.0.0.0:*:passwd.adjunct.byname:2
ypproc_domain_nonack("nistest") [From: 127.0.0.1:42028]
connect from 127.0.0.1
        -> OK.
ypproc_match(): [From: 127.0.0.1:923]
                domainname = "nistest"
                mapname = "passwd.byname"
                keydat = "testuser"
        ypdb_open("nistest", "passwd.byname")
                ->Returning OK!
Opening: nistest/passwd.byname (0) 577519b0
ypdb_close() called
connect from 127.0.0.1
        ypdb_open("nistest", "passwd.byname")
Found: nistest/passwd.byname (0)
ypdb_close() called
        -> Value = "testuser:##testuser:10124:4000:19-Aug-2002:/nas/testuser:/bin/tcsh"
ypproc_match(): [From: 127.0.0.1:924]
                domainname = "nistest"
                mapname = "passwd.byname"
                keydat = "testuser"
        ypdb_open("nistest", "passwd.byname")
Found: nistest/passwd.byname (0)
ypdb_close() called
connect from 127.0.0.1
        ypdb_open("nistest", "passwd.byname")
Found: nistest/passwd.byname (0)
ypdb_close() called
        -> Value = "testuser:##testuser:10124:4000:19-Aug-2002:/nas/testuser:/bin/tcsh"
ypproc_match(): [From: 127.0.0.1:925]
                domainname = "nistest"
                mapname = "shadow.byname"
                keydat = "testuser"
connect from 127.0.0.1
        ypdb_open("nistest", "shadow.byname")
gdbm_open: GDBM Error Code #3
        -> Error #-1
ypproc_match(): [From: 127.0.0.1:926]
                domainname = "nistest"
                mapname = "passwd.adjunct.byname"
                keydat = "testuser"
connect from 127.0.0.1
        ypdb_open("nistest", "passwd.adjunct.byname")
                ->Returning OK!
Opening: nistest/passwd.adjunct.byname (1) 577b9760
ypdb_close() called
        -> Value = "testuser:7abi0uUn./pOk:17290::::::"
ypproc_match(): [From: 127.0.0.1:927]
                domainname = "nistest"
                mapname = "passwd.byname"
                keydat = "testuser"
        ypdb_open("nistest", "passwd.byname")
Found: nistest/passwd.byname (1)
ypdb_close() called
connect from 127.0.0.1
        ypdb_open("nistest", "passwd.byname")
Found: nistest/passwd.byname (1)
ypdb_close() called
        -> Value = "testuser:##testuser:10124:4000:19-Aug-2002:/nas/testuser:/bin/tcsh"
ypproc_match(): [From: 127.0.0.1:928]
                domainname = "nistest"
                mapname = "shadow.byname"
                keydat = "testuser"
connect from 127.0.0.1
        ypdb_open("nistest", "shadow.byname")
gdbm_open: GDBM Error Code #3
        -> Error #-1
ypproc_match(): [From: 127.0.0.1:929]
                domainname = "nistest"
                mapname = "passwd.adjunct.byname"
                keydat = "testuser"
connect from 127.0.0.1
        ypdb_open("nistest", "passwd.adjunct.byname")
Found: nistest/passwd.adjunct.byname (0)
ypdb_close() called
        -> Value = "testuser:7abi0uUn./pOk:17290::::::"
ypproc_match(): [From: 127.0.0.1:930]
                domainname = "nistest"
                mapname = "passwd.byname"
                keydat = "testuser"
        ypdb_open("nistest", "passwd.byname")
Found: nistest/passwd.byname (1)
ypdb_close() called
connect from 127.0.0.1
        ypdb_open("nistest", "passwd.byname")
Found: nistest/passwd.byname (1)
ypdb_close() called
        -> Value = "testuser:##testuser:10124:4000:19-Aug-2002:/nas/testuser:/bin/tcsh"
ypproc_match(): [From: 127.0.0.1:931]
                domainname = "nistest"
                mapname = "passwd.byname"
                keydat = "testuser"
        ypdb_open("nistest", "passwd.byname")
Found: nistest/passwd.byname (1)
ypdb_close() called
connect from 127.0.0.1
        ypdb_open("nistest", "passwd.byname")
Found: nistest/passwd.byname (1)
ypdb_close() called
        -> Value = "testuser:##testuser:10124:4000:19-Aug-2002:/nas/testuser:/bin/tcsh"
ypproc_domain_nonack("nistest") [From: 172.26.80.151:59420]
connect from 172.26.80.151
        -> OK.

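Read as a sequence of requests, the log above says something quite specific: for each login attempt the master asks passwd.byname (answered), then shadow.byname (fails, since `gdbm_open` reports error code 3, which in gdbm is GDBM_FILE_OPEN_ERROR, i.e. the map file is not there, consistent with the Makefile's `shadow: passwd.adjunct` target building no shadow.byname), and only then passwd.adjunct.byname (answered). That matches the observation that copying passwd.adjunct.byname over shadow.byname made the master login work. The parser below is an added example, not code from the thread, that reconstructs that order from `ypserv -d` output and lists the maps that failed to open; the excerpt it runs on is constructed from the shape of the posted log with a made-up hash. One caveat worth acting on: a ypserv debug log prints map values verbatim, including the hashes served from passwd.adjunct.byname, so redact it before posting it anywhere.

```python
"""Parse `ypserv -d` output, reconstruct the maps consulted per lookup and
flag the ones that failed to open.  Added example, not code from the thread;
the SAMPLE_LOG excerpt is constructed from the shape of the posted log."""
import re

RE_MATCH = re.compile(r'ypproc_match\(\): \[From: (?P<addr>[\d.]+):(?P<port>\d+)\]')
RE_FIELD = re.compile(r'(?P<name>domainname|mapname|keydat) = "(?P<val>[^"]*)"')
RE_VALUE = re.compile(r'-> Value = "(?P<val>[^"]*)"')
RE_GDBM = re.compile(r'gdbm_open: GDBM Error Code #(?P<code>\d+)')
RE_ERROR = re.compile(r'-> Error #(?P<code>-?\d+)')

# gdbm(3) error 3 is GDBM_FILE_OPEN_ERROR: the map file could not be opened.
GDBM_FILE_OPEN_ERROR = 3
FIELD_KEYS = {"domainname": "domain", "mapname": "map", "keydat": "key"}


def parse_ypserv_log(text):
    """Return one dict per ypproc_match request, in log order."""
    requests, cur = [], None
    for line in text.splitlines():
        m = RE_MATCH.search(line)
        if m:
            cur = {"client": m["addr"], "port": int(m["port"]), "domain": None,
                   "map": None, "key": None, "status": "pending",
                   "value": None, "gdbm_error": None}
            requests.append(cur)
            continue
        if cur is None:            # lines before the first match request
            continue
        m = RE_FIELD.search(line)
        if m:
            cur[FIELD_KEYS[m["name"]]] = m["val"]
            continue
        m = RE_GDBM.search(line)
        if m:
            cur["gdbm_error"] = int(m["code"])
            continue
        m = RE_VALUE.search(line)
        if m:
            cur["value"], cur["status"] = m["val"], "ok"
            continue
        if RE_ERROR.search(line):
            cur["status"] = ("missing" if cur["gdbm_error"] == GDBM_FILE_OPEN_ERROR
                             else "error")
    return requests


def lookup_order(requests, key):
    """(map, status) pairs consulted for one key, in the order the server saw them."""
    return [(r["map"], r["status"]) for r in requests if r["key"] == key]


def missing_maps(requests):
    """Maps whose database file could not be opened at all."""
    return sorted({r["map"] for r in requests if r["status"] == "missing"})


def leaked_hashes(requests):
    """(map, user) for every returned value whose password field is a real hash,
    i.e. not empty, not 'x', not locked and not a '##user' placeholder."""
    out = []
    for r in requests:
        if not r["value"]:
            continue
        f = r["value"].split(":")
        if len(f) > 1 and f[1] not in ("", "x", "*", "!!") and not f[1].startswith("##"):
            out.append((r["map"], f[0]))
    return out


# Constructed excerpt mirroring the posted log; the hash value is made up.
SAMPLE_LOG = """\
ypproc_domain_nonack("nistest") [From: 127.0.0.1:42028]
connect from 127.0.0.1
        -> OK.
ypproc_match(): [From: 127.0.0.1:923]
                domainname = "nistest"
                mapname = "passwd.byname"
                keydat = "testuser"
        ypdb_open("nistest", "passwd.byname")
Found: nistest/passwd.byname (0)
ypdb_close() called
        -> Value = "testuser:##testuser:10124:4000:19-Aug-2002:/nas/testuser:/bin/tcsh"
ypproc_match(): [From: 127.0.0.1:925]
                domainname = "nistest"
                mapname = "shadow.byname"
                keydat = "testuser"
connect from 127.0.0.1
        ypdb_open("nistest", "shadow.byname")
gdbm_open: GDBM Error Code #3
        -> Error #-1
ypproc_match(): [From: 127.0.0.1:926]
                domainname = "nistest"
                mapname = "passwd.adjunct.byname"
                keydat = "testuser"
connect from 127.0.0.1
        ypdb_open("nistest", "passwd.adjunct.byname")
Opening: nistest/passwd.adjunct.byname (1) 577b9760
ypdb_close() called
        -> Value = "testuser:ab01r.2bQ5Xs6:17290::::::"
"""

if __name__ == "__main__":
    reqs = parse_ypserv_log(SAMPLE_LOG)
    print("lookup order:", lookup_order(reqs, "testuser"))
    print("maps that failed to open:", missing_maps(reqs))
    print("hashes printed in this log:", leaked_hashes(reqs))
```

Feed it a saved debug session with `parse_ypserv_log(open("ypserv-debug.log").read())`. When `missing_maps` names a map that the Makefile is supposed to build, the fix is in the Makefile targets rather than in PAM; when `leaked_hashes` is non-empty, the log file needs the same protection as the adjunct source.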