From e965180cecc4a18ddc08aef6a1a3bb5997e4f556 Mon Sep 17 00:00:00 2001 From: Ceri Davies Date: Thu, 19 Jun 2003 20:15:59 +0000 Subject: [PATCH] 1) Consistently capitalise the entries in the table of NIS components. 2) A couple of grammatical nits. 3) Completely remove the outdated section on libscrypt and libdescrypt, and replace with an outline of login.conf, the passwd_format capability and auth.conf, along with an outline of why this is an issue with NIS. #3 provoked by: Mike Hogsett on -questions --- .../handbook/advanced-networking/chapter.sgml | 79 +++++++++++-------- 1 file changed, 46 insertions(+), 33 deletions(-) diff --git a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml index 0ecce0ace9..3e2dda0949 100644 --- a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml @@ -2574,7 +2574,7 @@ ISDN BRI line ypbind - binds an NIS client to its NIS + Binds an NIS client to its NIS server. It will take the NIS domainname from the system, and using RPC, connect to the server. ypbind is the core of @@ -2584,7 +2584,7 @@ ISDN BRI line ypserv - Should only be running on NIS servers, is the NIS + Should only be running on NIS servers; this is the NIS server process itself. If &man.ypserv.8; dies, then the server will no longer be able to respond to NIS requests (hopefully, there is a slave server to take over for @@ -2599,7 +2599,7 @@ ISDN BRI line rpc.yppasswdd Another process that should only be running on - NIS master servers, is a daemon that will allow NIS + NIS master servers; this is a daemon that will allow NIS clients to change their NIS passwords. If this daemon is not running, users will have to login to the NIS master server and change their passwords there. 
@@ -3772,45 +3772,58 @@ nis_client_flags="-S NIS domain,server - libscrypt v.s. libdescrypt + Password Formats NIS - crypto library + password formats One of the most common issues that people run into when trying - to implement NIS is crypt library compatibility. If your NIS - server is using the DES crypt libraries, it will only support - clients that are using DES as well. To check which one your server - and clients are using look at the symlinks in - /usr/lib. If the machine is configured to - use the DES libraries, it will look something like this: + to implement NIS is password format compatibility. If your NIS + server is using DES encrypted passwords, it will only support + clients that are also using DES. For example, if you have + Solaris NIS clients in your network, then you will almost certainly + need to use DES encrypted passwords. - &prompt.user; ls -l /usr/lib/*crypt* -lrwxrwxrwx 1 root wheel 13 Jul 15 08:55 libcrypt.a@ -> libdescrypt.a -lrwxrwxrwx 1 root wheel 14 Jul 15 08:55 libcrypt.so@ -> libdescrypt.so -lrwxrwxrwx 1 root wheel 16 Jul 15 08:55 libcrypt.so.2@ -> libdescrypt.so.2 -lrwxrwxrwx 1 root wheel 15 Jul 15 08:55 libcrypt_p.a@ -> libdescrypt_p.a --r--r--r-- 1 root wheel 13018 Nov 8 14:27 libdescrypt.a -lrwxr-xr-x 1 root wheel 16 Nov 8 14:27 libdescrypt.so@ -> libdescrypt.so.2 --r--r--r-- 1 root wheel 12965 Nov 8 14:27 libdescrypt.so.2 --r--r--r-- 1 root wheel 14750 Nov 8 14:27 libdescrypt_p.a + To check which format your servers + and clients are using, look at /etc/login.conf. 
+ If the host is configured to use DES encrypted passwords, then the + default class will contain an entry like this: - If the machine is configured to use the standard FreeBSD MD5 - crypt libraries they will look something like this: + default:\ + :passwd_format=des:\ + :copyright=/etc/COPYRIGHT:\ + [Further entries elided] - &prompt.user; ls -l /usr/lib/*crypt* -lrwxrwxrwx 1 root wheel 13 Jul 15 08:55 libcrypt.a@ -> libscrypt.a -lrwxrwxrwx 1 root wheel 14 Jul 15 08:55 libcrypt.so@ -> libscrypt.so -lrwxrwxrwx 1 root wheel 16 Jul 15 08:55 libcrypt.so.2@ -> libscrypt.so.2 -lrwxrwxrwx 1 root wheel 15 Jul 15 08:55 libcrypt_p.a@ -> libscrypt_p.a --r--r--r-- 1 root wheel 6194 Nov 8 14:27 libscrypt.a -lrwxr-xr-x 1 root wheel 14 Nov 8 14:27 libscrypt.so@ -> libscrypt.so.2 --r--r--r-- 1 root wheel 7579 Nov 8 14:27 libscrypt.so.2 --r--r--r-- 1 root wheel 6684 Nov 8 14:27 libscrypt_p.a + Other possible values for the passwd_format + capability include blf and md5 + (for Blowfish and MD5 encrypted passwords, respectively). - If you have trouble authenticating on an NIS client, this + If you have made changes to /etc/login.conf, + you will also need to rebuild the login capability database, which is + achieved by running the following command as root: + + &prompt.root; cap_mkdb /etc/login.conf + + Note that the format of passwords already in + /etc/master.passwd will not be updated until + a user changes their password for the first time after + the login capability database is rebuilt. + + Next, in order to ensure that passwords are encrypted with the + format that you have chosen, you should also check that the + crypt_default in /etc/auth.conf + gives precedence to your chosen password format. To do this, place + the format that you have chosen first in the list. 
For example, when + using DES encrypted passwords, the entry would be: + + crypt_default = des blf md5 + + Having followed the above steps on each of the &os; based NIS + servers and clients, you can be sure that they all agree on which + password format is used within your network. + If you have trouble authenticating on an NIS client, this is a pretty good place to start looking for possible problems. - If you want to deploy an NIS server for a heterogenous + Remember: if you want to deploy an NIS server for a heterogenous network, you will probably have to use DES on all systems because it is the lowest common standard.
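Review bot: In the rpc.yppasswdd hunk (@@ -2599,7 +2599,7 @@), the unchanged sentence directly below the edited line still reads "users will have to login to the NIS master server", with "login" used as a verb. Since this commit is a pass over grammatical nits in this table, change it to "log in to" in the same edit. The text before the new semicolon ("Another process that should only be running on NIS master servers") is also still a fragment. Restructuring the entry so the daemon is the subject, for example "A daemon that allows NIS clients to change their NIS passwords; it should only be running on NIS master servers", would fix both the old comma splice and the fragment.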
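Review bot: In the Password Formats hunk (@@ -3772,45 +3772,58 @@), the added closing paragraph "Having followed the above steps on each of the &os; based NIS servers and clients, you can be sure that they all agree on which password format is used" contradicts the note added a few lines earlier, which says entries already in /etc/master.passwd are not updated until the user changes their password after the capability database is rebuilt. Following the steps only fixes the format for passwords set from then on, so an account whose entry predates the change keeps its old format, and a reader troubleshooting a failed login on a DES-only client would be told the formats already agree when they may not. Suggest narrowing the claim to new and changed passwords and adding a sentence telling the reader that existing users must change their passwords before their entries match the chosen format. The sentence that follows ("this is a pretty good place to start looking") would then also have a clear antecedent if it named the files involved, /etc/login.conf and /etc/auth.conf.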