Mailinglist Archive: opensuse-security (409 mails)

RE: [suse-security] FreeBSD NIS Server + SuSE Linux Client
  • From: "Thomas Schweikle" <tschweikle@xxxxxxxxxx>
  • Date: Fri, 2 Aug 2002 21:07:44 +0200
  • Message-id: <OFD95458C1.40870255-ONC1256C09.00617C78-C1256C09.00639705@xxxxxxxxxxxxxx>

To: <suse-security@xxxxxxxx>
Cc: (Bcc: Thomas Schweikle/FAG/FIDUCIA)
Subject: RE: [suse-security] FreeBSD NIS Server + SuSE Linux Client

> I thought I'd ask one more time to see if anyone has any
> information on making SuSE Linux work with a standard NIS
> server before I give up and go back to FreeBSD...

There are differences between these two making it a bit
complicated to set up a NIS server recognized by both
Linux and FreeBSD:
1. FreeBSD uses MD5 for passwords, SuSE uses (if not
explicitly advised) crypt.
2. NIS tables are different for both systems.
3. NIS on Linux does not know about "shadow" maps and
doesn't accept "*" for passwords, making it look at
another map.

If you want to try it nevertheless, set up your FreeBSD NIS
server now:
- combine passwd and shadow
- export the new map

Make sure passwords are seen on the Linux side by executing
"ypcat passwd".
Now switch Linux to use MD5 for password entries.
You should be off and running now!

>> -----Original Message-----
>> From: Glen Campbell [mailto:glen@xxxxxxxxxxxxx]
>> Sent: Friday, July 26, 2002 11:10 AM
>> To: suse-security@xxxxxxxx
>> Subject: [suse-security] FreeBSD NIS Server + SuSE Linux Client
>> I hope this is the correct list for this question. Since it
>> has to do with login and authentication, I thought "security"
>> was the closest match I could find. I've been browsing the
>> SuSE list archives for a week (along with everything else I
>> could find on Google) with no success. I'm seriously losing
>> my hair over this.
>> I have recently installed SuSE Linux 8.0 on two separate
>> machines. My other machines at home are both running FreeBSD
>> (4.6-STABLE). They are the NIS master and slave servers, respectively.
>> I have used YAST2 to initiate an "NIS Client" on the Linux
>> boxes. Ypbind and ypwhich are both running successfully and
>> returning proper information. I can "finger" all of the NIS
>> users and I can ypcat passwd, master.passwd, etc. However, I
>> cannot login with an NIS user. I have turned "debug" on in
>> security/pam_unix2.conf, and here is the
>> Jul 26 09:44:25 horace sshd[1449]: pam_unix2: pam_sm_authenticate() called
>> Jul 26 09:44:25 horace sshd[1449]: pam_unix2: username=[glen]
>> Jul 26 09:44:25 horace sshd[1449]: pam_unix2: wrong password, return PAM_AUTH_ERR
>> Jul 26 09:44:25 horace sshd[1449]: Failed password for glen from ::1 port 32772 ssh2

Looks like you forgot to switch Linux to use MD5 password hashes.

>> In this case, it's from sshd, but I get the same results from
>> login and kdm as well.
>> Here's what "ypcat passwd" returns (just a sample):
>> stephen:*:1013:1001:Stephen XXXX:/home/stephen:/bin/tcsh
>> tpecot:*:1016:1001:XXXX Pecot:/home/tpecot:/bin/tcsh
>> Here's what "ypcat master.passwd.byname" returns (again, a sample):
>> stephen:$1$z2wACRkf$camGYsMF6OTjTL41gNSCX0:1013:1001::0:0:Stephen XXXX:/home/stephen:/bin/tcsh
>> tpecot:$1$P3lvmuTE$RRuEzWjhxwwmMOwv0DzvN.:1016:1001::0:0:XXXX Pecot:/home/tpecot:/bin/tcsh

"master.passwd" isn't supported by Linux! Combine your "/etc/passwd" and
"/etc/shadow" maps!

If compiled with "--shadow-passwd" (not really sure about the option) NIS
on Linux will support "shadow.byname" for passwords. As far as I know SuSE
didn't compile this in.

>> (1) it has been suggested that the MD5 encryption used in the
>> FreeBSD password file is causing the problem. However, I have
>> been able to cut a password from the BSD password file into
>> the Linux password file and it worked just fine (for a local
>> user). I don't think that's the problem.

If this works, both systems work with crypt or MD5, which should be OK!

>> (2) The BSD password file has "*" in the second field, which
>> indicates the password is stored in master.passwd. SuSE Linux
>> uses an "x" in the second field to indicate that the password
>> is stored in /etc/shadow. Could this be the source of the
>> conflict? If so, how do I configure SuSE to recognize the "*"
>> instead of the "x"?

No. A password consisting of only one character is considered to be stored
elsewhere --- normally "/etc/shadow" on Linux. It is only a convention to
use "*" or "x" for passwords stored somewhere else. You could use any
other character except ":" and "@".

>> [...]
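
The merge step suggested in the message above (one passwd map that carries the hashes, so a Linux client does not need master.passwd), as an added example that is not part of the original mail: it converts 10-field FreeBSD master.passwd records to 7-field passwd records and reports which entries still lack a usable hash. The function names and the sample records are constructed for illustration.

```python
# Added example (not from the original mail): turn FreeBSD master.passwd
# records into 7-field passwd records for a NIS map Linux clients can read.

# Constructed sample input; users and hashes are made up for illustration.
SAMPLE = """\
# name:password:uid:gid:class:change:expire:gecos:home:shell
alice:$1$CONSTRUC$constructedMD5crypthash0:1013:1001::0:0:Alice Example:/home/alice:/bin/tcsh
bob:*:1016:1001::0:0:Bob Example:/home/bob:/bin/tcsh
carol:abCONSTRUCTED:1017:1001::0:0:Carol Example:/home/carol:/bin/sh
broken:line:with:too:few:fields
"""

def classify(pw):
    """Label a password field using the conventions discussed in the thread."""
    if pw == "":
        return "empty"
    if len(pw) == 1:
        return "placeholder"      # "*" or "x": the hash is stored elsewhere
    if pw.startswith("$1$"):
        return "md5-crypt"        # the FreeBSD hashes shown in the thread
    if pw.startswith("$"):
        return "other-modular"
    if len(pw) == 13:
        return "des-crypt"        # traditional crypt()
    return "unknown"

def merge(master_text):
    """Return (passwd_lines, report); report maps user -> scheme or 'malformed'."""
    lines, report = [], {}
    for raw in master_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        f = raw.split(":")
        if len(f) != 10:          # master.passwd records have exactly 10 fields
            report[f[0]] = "malformed"
            continue
        name, pw, uid, gid, _cls, _chg, _exp, gecos, home, shell = f
        report[name] = classify(pw)
        lines.append(":".join([name, pw, uid, gid, gecos, home, shell]))
    return lines, report

def unusable(report):
    """Users with no usable hash in the merged map."""
    ok = ("md5-crypt", "des-crypt", "other-modular")
    return sorted(u for u, s in report.items() if s not in ok)

if __name__ == "__main__":
    passwd_lines, report = merge(SAMPLE)
    print("\n".join(passwd_lines))
    print("no usable hash:", unusable(report))
```

A map merged this way hands the password hashes to every host that can run "ypcat passwd", so access to the NIS domain should be restricted accordingly.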

