1) Consistently capitalise the entries in the table of NIS components.
2) A couple of grammatical nits.
3) Completely remove the outdated section on libscrypt and libdescrypt, and replace with an outline of login.conf, the passwd_format capability and auth.conf, along with an outline of why this is an issue with NIS.

#3 provoked by: Mike Hogsett <hogsett@csl.sri.com> on -questions
Parent: 6afc89ff94
Commit: e965180cec
Notes (svn2git, 2020-12-08 03:00:23 +00:00): svn path=/head/; revision=17374
1 changed files with 46 additions and 33 deletions
|
@ -2574,7 +2574,7 @@ ISDN BRI line</literallayout>
|
|||
<row>
|
||||
<entry>ypbind</entry>
|
||||
|
||||
<entry><quote>binds</quote> an NIS client to its NIS
|
||||
<entry><quote>Binds</quote> an NIS client to its NIS
|
||||
server. It will take the NIS domainname from the
|
||||
system, and using RPC, connect to the
|
||||
server. <command>ypbind</command> is the core of
|
||||
|
@ -2584,7 +2584,7 @@ ISDN BRI line</literallayout>
|
|||
</row>
|
||||
<row>
|
||||
<entry>ypserv</entry>
|
||||
<entry>Should only be running on NIS servers, is the NIS
|
||||
<entry>Should only be running on NIS servers; this is the NIS
|
||||
server process itself. If &man.ypserv.8; dies, then the
|
||||
server will no longer be able to respond to NIS requests
|
||||
(hopefully, there is a slave server to take over for
|
||||
|
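Review bot: In the ypserv entry, the clause before the new semicolon ("Should only be running on NIS servers") still has no subject, so the semicolon joins a fragment to a full sentence. Since the line is being touched anyway, consider recasting it as "This is the NIS server process itself, and it should only be running on NIS servers."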
@ -2599,7 +2599,7 @@ ISDN BRI line</literallayout>
|
|||
<row>
|
||||
<entry>rpc.yppasswdd</entry>
|
||||
<entry>Another process that should only be running on
|
||||
NIS master servers, is a daemon that will allow NIS
|
||||
NIS master servers; this is a daemon that will allow NIS
|
||||
clients to change their NIS passwords. If this daemon
|
||||
is not running, users will have to login to the NIS
|
||||
master server and change their passwords there.</entry>
|
||||
|
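Review bot: In the rpc.yppasswdd entry, "Another process that should only be running on NIS master servers;" is a noun phrase with no verb, so swapping the comma for a semicolon does not fix the grammar. Something like "A daemon that allows NIS clients to change their NIS passwords; it should only be running on NIS master servers." reads cleanly. The unchanged line "users will have to login to the NIS master server" should also use the verb form "log in to".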
@ -3772,45 +3772,58 @@ nis_client_flags="-S <replaceable>NIS domain</replaceable>,<replaceable>server</
|
|||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>libscrypt v.s. libdescrypt</title>
|
||||
<title>Password Formats</title>
|
||||
<indexterm>
|
||||
<primary>NIS</primary>
|
||||
<secondary>crypto library</secondary>
|
||||
<secondary>password formats</secondary>
|
||||
</indexterm>
|
||||
<para>One of the most common issues that people run into when trying
|
||||
to implement NIS is crypt library compatibility. If your NIS
|
||||
server is using the DES crypt libraries, it will only support
|
||||
clients that are using DES as well. To check which one your server
|
||||
and clients are using look at the symlinks in
|
||||
<filename>/usr/lib</filename>. If the machine is configured to
|
||||
use the DES libraries, it will look something like this:</para>
|
||||
to implement NIS is password format compatibility. If your NIS
|
||||
server is using DES encrypted passwords, it will only support
|
||||
clients that are also using DES. For example, if you have
|
||||
Solaris NIS clients in your network, then you will almost certainly
|
||||
need to use DES encrypted passwords.</para>
|
||||
|
||||
<screen>&prompt.user; <userinput>ls -l /usr/lib/*crypt*</userinput>
|
||||
lrwxrwxrwx 1 root wheel 13 Jul 15 08:55 libcrypt.a@ -> libdescrypt.a
|
||||
lrwxrwxrwx 1 root wheel 14 Jul 15 08:55 libcrypt.so@ -> libdescrypt.so
|
||||
lrwxrwxrwx 1 root wheel 16 Jul 15 08:55 libcrypt.so.2@ -> libdescrypt.so.2
|
||||
lrwxrwxrwx 1 root wheel 15 Jul 15 08:55 libcrypt_p.a@ -> libdescrypt_p.a
|
||||
-r--r--r-- 1 root wheel 13018 Nov 8 14:27 libdescrypt.a
|
||||
lrwxr-xr-x 1 root wheel 16 Nov 8 14:27 libdescrypt.so@ -> libdescrypt.so.2
|
||||
-r--r--r-- 1 root wheel 12965 Nov 8 14:27 libdescrypt.so.2
|
||||
-r--r--r-- 1 root wheel 14750 Nov 8 14:27 libdescrypt_p.a</screen>
|
||||
<para>To check which format your servers
|
||||
and clients are using, look at <filename>/etc/login.conf</filename>.
|
||||
If the host is configured to use DES encrypted passwords, then the
|
||||
<literal>default</literal> class will contain an entry like this:</para>
|
||||
|
||||
<para>If the machine is configured to use the standard FreeBSD MD5
|
||||
crypt libraries they will look something like this:</para>
|
||||
<programlisting>default:\
|
||||
:passwd_format=des:\
|
||||
:copyright=/etc/COPYRIGHT:\
|
||||
[Further entries elided]</programlisting>
|
||||
|
||||
<screen>&prompt.user; <userinput>ls -l /usr/lib/*crypt*</userinput>
|
||||
lrwxrwxrwx 1 root wheel 13 Jul 15 08:55 libcrypt.a@ -> libscrypt.a
|
||||
lrwxrwxrwx 1 root wheel 14 Jul 15 08:55 libcrypt.so@ -> libscrypt.so
|
||||
lrwxrwxrwx 1 root wheel 16 Jul 15 08:55 libcrypt.so.2@ -> libscrypt.so.2
|
||||
lrwxrwxrwx 1 root wheel 15 Jul 15 08:55 libcrypt_p.a@ -> libscrypt_p.a
|
||||
-r--r--r-- 1 root wheel 6194 Nov 8 14:27 libscrypt.a
|
||||
lrwxr-xr-x 1 root wheel 14 Nov 8 14:27 libscrypt.so@ -> libscrypt.so.2
|
||||
-r--r--r-- 1 root wheel 7579 Nov 8 14:27 libscrypt.so.2
|
||||
-r--r--r-- 1 root wheel 6684 Nov 8 14:27 libscrypt_p.a</screen>
|
||||
<para>Other possible values for the <literal>passwd_format</literal>
|
||||
capability include <literal>blf</literal> and <literal>md5</literal>
|
||||
(for Blowfish and MD5 encrypted passwords, respectively).</para>
|
||||
|
||||
<para>If you have trouble authenticating on an NIS client, this
|
||||
<para>If you have made changes to <filename>/etc/login.conf</filename>,
|
||||
you will also need to rebuild the login capability database, which is
|
||||
achieved by running the following command as <username>root</username>:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>
|
||||
|
||||
<note><para>Note that the format of passwords already in
|
||||
<filename>/etc/master.passwd</filename> will not be updated until
|
||||
a user changes their password for the first time <emphasis>after</emphasis>
|
||||
the login capability database is rebuilt.</para></note>
|
||||
|
||||
<para>Next, in order to ensure that passwords are encrypted with the
|
||||
format that you have chosen, you should also check that the
|
||||
<literal>crypt_default</literal> in <filename>/etc/auth.conf</filename>
|
||||
gives precedence to your chosen password format. To do this, place
|
||||
the format that you have chosen first in the list. For example, when
|
||||
using DES encrypted passwords, the entry would be:</para>
|
||||
|
||||
<programlisting>crypt_default = des blf md5</programlisting>
|
||||
|
||||
<para>Having followed the above steps on each of the &os; based NIS
|
||||
servers and clients, you can be sure that they all agree on which
|
||||
password format is used within your network.
|
||||
If you have trouble authenticating on an NIS client, this
|
||||
is a pretty good place to start looking for possible problems.
|
||||
If you want to deploy an NIS server for a heterogenous
|
||||
Remember: if you want to deploy an NIS server for a heterogenous
|
||||
network, you will probably have to use DES on all systems
|
||||
because it is the lowest common standard.</para>
|
||||
</sect2>
|
||||
|
|
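Review bot: The closing paragraph's claim that after these steps "you can be sure that they all agree on which password format is used" conflicts with the note added a few lines earlier, which says entries already in /etc/master.passwd keep their old format until each user changes their password. Please qualify the closing paragraph, or add a step saying that users must change their passwords after cap_mkdb is run before existing entries use the new format. Two smaller points in the same hunk: "the crypt_default in /etc/auth.conf" is missing a noun such as "entry", and "heterogenous" should be "heterogeneous".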