Experience sharing and questions for NIS migration from Solaris 8 to Linux
I'd like to share some experiences and what I found for NIS migration from Solaris 8 NIS to Linux platform.
I'm not an expert on either platform; it's just that when I tested both systems I found some things that were really tricky. It might take a lot of time for you to find the root cause. So I think I can share some of what I've found to help you save time if you have the same need as I do. I still have some unsolved questions; maybe some experts can give me suggestions.
Original NIS server: Solaris 8
New NIS server: Red Hat Linux 6.5
I have to say that my experience is based on migrating from Solaris 8 to RHEL. Solaris 8 is an outdated system; Solaris 9, 10 and above should be more advanced than 8, so I am not sure whether this works for other versions.
1. Linux 6.5 uses SHA512 password encryption by default; however, Solaris only supports DES encryption. There is no doubt that you have to modify the Linux NIS encryption to support DES; otherwise, you may have trouble authenticating a NIS user when you log in to a Solaris client.
2. If you still have Solaris 8 clients, /var/yp/Makefile has to be modified as follows,
After that, restart your ypserv service and re-make your /var/yp/Makefile; a NIS user should then be able to log in from a Solaris client with no issues.
If you need a NIS slave server, it's recommended to build it on the same platform as the NIS master. A cross-platform setup between the two platforms may run into ypxfrd synchronization issues, since Solaris uses the ndbm package instead of GNU dbm or Berkeley DB.
If you need password aging, that's the problem I am still working on.
I found that if you have Solaris clients in your domain, it is necessary to set "MERGE_PASSWD=true" so that NIS users can log in from Solaris clients.
However, that won't generate a shadow map for NIS, and that map MUST exist if you want password aging.
It seems like a conflict if you want both of them to work. I still haven't found a way out of this. Does anyone have a workaround or solution for this issue?
I've been stuck on this task for a couple of weeks. If anyone is willing to share some experiences, I'd appreciate it.
Thanks.
Last edited by bestard; 04-28-2017 at 04:21 AM..
Google for "passwd.adjunct".
This was Sun's solution to hide the pw crypts. But later they encouraged replacing NIS, first with NIS+ then with LDAP.
And please continue sharing your results here.
Sorry for the delayed response; I did some work to test passwd.adjunct.
I know passwd.adjunct is Sun's solution to hide password encryption.
It's just that I'm not sure if it can satisfy what I need.
My goals are:
1. NIS users can log in from both Linux and Solaris clients.
2. Hide password encryption from ypcat.
3. Be able to change NIS user passwords from any host in our domain.
4. Password aging can be provided to NIS users.
From what I've done, it seems like there is no perfect way to do them all, using either shadow or passwd.adjunct.
When using shadow,
1. NIS users can log in from both Linux and Solaris clients.
2. In order to satisfy #1, "MERGE_PASSWD" in /var/yp/Makefile has to be set to "true", which fails to satisfy #4. And this lets ypcat get the pw encrypts.
3. Be able to change NIS user passwords from any host in our domain.
4. Conflicts with #2.
When using passwd.adjunct,
1. NIS users can log in from both Linux and Solaris clients.
2. pw encrypts can be hidden from ypcat.
3. I can use yppasswd to change a NIS user's password. However, logging in to the NIS master as a NIS user fails. I'll describe it later.
4. Password aging needs the shadow file instead of passwd.adjunct. I'm not sure if that's right. I failed to test this issue; maybe I missed something.
---------- Post updated at 07:34 PM ---------- Previous update was at 05:50 PM ----------
As for passwd.adjunct, I did some work trying to make it fit my needs.
To make passwd.adjunct work, some things need to be done on both the server and the client.
on the client:
1. Edit /etc/default/nss config and set ADJUNCT_AS_SHADOW=TRUE.
on the server:
1. Create the file /var/yp/securenets
2. check /etc/ypserv.conf for the following settings,
3. change /etc/sysconfig/yppasswdd settings,
4. set my environment hash variable to DES encryption.
setenv YP_PASSWD_HASH des
5. copy /etc/shadow and /etc/passwd to /var/yp, modify /var/yp/passwd format as below,
username:##username:.....
6. change /var/yp/Makefile setting,
7. After finishing settings, restart ypserv and yppasswdd services.
After those,
1. A NIS user can log in from both Linux and Solaris clients.
2. Only root can get the user password encryption.
3. You can change a NIS user password using yppasswd from any client and log in again. But logging in again on the NIS master server fails.
I did more tests and found that when I log in to the NIS master as a NIS user, it is authenticated against /etc/shadow instead of /var/yp/passwd.adjunct, and if I use yppasswd to change the user password, it fails to change the NIS passwd.
Then I used passwd to do it again; it succeeded, but only changed /etc/shadow.
I believe it results from the nsswitch.conf setting authentication only to files,
So, when I log in as a NIS user, it authenticates through /etc/passwd and /etc/shadow.
These are rational settings because this is the NIS master server, and there is no way to set "nis" in front of "files", which would cause the ypserv issue.
From what I tested, this is a gap between /etc/shadow and passwd.adjunct that I don't know how to fix.
4. Because of #3, I have no chance to test password aging from the NIS master. chage/chfn/chsh change /etc/shadow instead of /var/yp/passwd.adjunct.
I'm at my wit's end with this. Does anyone have any idea?
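One way to check goal 2 from the post above (password hashes hidden from ypcat), as an added example that is not part of the thread: it classifies the password field of each entry in a passwd-format map, including the `##username` marker the post describes for passwd.adjunct. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the password field of each
# entry in a passwd-format NIS map, e.g. the output of `ypcat passwd`.

# Constructed sample map; the hash-like strings are placeholders, not real hashes.
sample_map() {
    cat <<'EOF'
alice:##alice:1001:100:Alice:/home/alice:/bin/sh
bob:ab0123456789A:1002:100:Bob:/home/bob:/bin/sh
carol:$6$constructed$notarealhash:1003:100:Carol:/home/carol:/bin/sh
dave:x:1004:100:Dave:/home/dave:/bin/sh
EOF
}

# Reads passwd-format lines on stdin and prints "user:kind" for each entry.
audit_passwd_map() {
    awk -F: '
    NF < 7 { next }    # skip malformed lines
    {
        user = $1; pw = $2
        if (pw == "##" user) kind = "adjunct"      # hash kept in passwd.adjunct
        else if (pw == "") kind = "empty"          # account with no password
        else if (pw == "x" || pw == "*" || pw ~ /^!/) kind = "nohash"
        else if (pw ~ /^\$6\$/) kind = "sha512"
        else if (pw ~ /^\$5\$/) kind = "sha256"
        else if (pw ~ /^\$1\$/) kind = "md5"
        else if (length(pw) == 13 && pw ~ /^[.\/0-9A-Za-z]+$/) kind = "des"
        else kind = "other"
        print user ":" kind
    }'
}

# Prints only the entries whose hash is readable from the map itself.
exposed_hashes() {
    audit_passwd_map | awk -F: '$2 ~ /^(des|md5|sha256|sha512|other)$/'
}

# Stand-alone run on the constructed sample.
sample_map | exposed_hashes
```

On a live domain, `ypcat passwd | exposed_hashes` run as an unprivileged user on a client lists the accounts whose hash is still published in the passwd map; with passwd.adjunct in place it should print nothing.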
The best setting for NIS is
It first looks for local users in /etc/passwd; if not found it consults NIS.
On the NIS master, if you want it to work like a NIS client, you should put the NIS source files outside of /etc/ e.g. create a directory /etc/yp-maps/ for them and adapt the Makefile.
Could you please be more clear? That confused me a little.
As far as I know, moving /etc/passwd and /etc/shadow to other places is not recommended, since there are many built-in libraries and applications running as root that are bound to these files. Is there any way to change the default system settings to point to other source files?
However, I still managed to do some tests for this idea.
I left /etc/passwd and /etc/shadow where they are and just separated the NIS user info into other source files located in /etc/yp, i.e., /etc/yp/passwd and /etc/yp/shadow for the NIS service.
Then I adapted the following files.
1. /etc/pam.d/system-auth and /etc/pam.d/password-auth
2. /etc/nsswitch.conf
3. adapted /var/yp/Makefile, redirected the shadow and passwd sources to /etc/yp, and then re-made.
4. restarted the ypserv/yppasswdd/ypbind services
After that, I could successfully query a NIS user's info from the database, as below
Unfortunately, I still can't log in as a NIS user on the master server.
I have no idea what went wrong....
for more information,
1. /etc/default/nss
2. /etc/sysconfig/yppasswdd
Correct, the local users like root must stay in the /etc files.
nsswitch.conf is correct when
lists both local and NIS users.
The actual login authentication via PAM I do not have much experience with.
I found something strange. I turned ypserv debug mode on, and it seemed ypserv recognized the NIS domain and tried to find the user info; however, it did check passwd.adjunct.byname and then skipped it and kept searching for the info in shadow.byname.
I tried copying /var/yp/`domainname`/passwd.adjunct.byname to /var/yp/`domainname`/shadow.byname and logging in from the NIS master again, and it worked.
I just don't know why that is. It is supposed to authenticate a NIS user just like the client did.
The ypserv debug log is below. I'm kind of weak at analyzing this log; maybe someone can help find the key.