Hi!
An:
I thought I'd ask one more time to see if anyone has any information on making SuSE Linux work with a standard NIS server before I give up and go back to FreeBSD...
There are differences between these two, making it a bit complicated to set up a NIS server recognized by both Linux and FreeBSD:

1. FreeBSD uses MD5 for passwords, SuSE uses (if not explicitly advised) crypt.
2. NIS tables are different for both systems.
3. NIS on Linux does not know about "shadow" maps and doesn't accept "*" for passwords, making it look at another map.

If you want to try it nevertheless, set up your FreeBSD NIS server now:

- combine passwd and shadow
- export the new map

Make sure passwords are seen on the Linux side by executing "ypcat passwd". Now switch Linux to use MD5 for password entries. You should be off and running now!

-----Original Message-----
From: Glen Campbell [mailto:glen@broadpool.com]
Sent: Friday, July 26, 2002 11:10 AM
To: suse-security@suse.com
Subject: [suse-security] FreeBSD NIS Server + SuSE Linux Client
I hope this is the correct list for this question. Since it has to do with login and authentication, I thought "security" was the closest match I could find. I've been browsing the SuSE list archives for a week (along with everything else I could find on Google) with no success. I'm seriously losing my hair over this.
I have recently installed SuSE Linux 8.0 on two separate machines. My other machines at home are both running FreeBSD (4.6-STABLE). They are the NIS master and slave servers, respectively.
I have used YAST2 to initiate an "NIS Client" on the Linux boxes. Ypbind and ypwhich are both running successfully and returning proper information. I can "finger" all of the NIS users and I can ypcat passwd, master.passwd, etc. However, I cannot login with an NIS user. I have turned "debug" on in security/pam_unix2.conf, and here is the
Jul 26 09:44:25 horace sshd[1449]: pam_unix2: pam_sm_authenticate() called
Jul 26 09:44:25 horace sshd[1449]: pam_unix2: username=[glen]
Jul 26 09:44:25 horace sshd[1449]: pam_unix2: wrong password, return PAM_AUTH_ERR
Jul 26 09:44:25 horace sshd[1449]: Failed password for glen from ::1 port 32772 ssh2
Looks like you forgot to switch Linux to use MD5 password hashes.
In this case, it's from sshd, but I get the same results from login and kdm as well.
Here's what "ypcat passwd" returns (just a sample):
stephen:*:1013:1001:Stephen XXXX:/home/stephen:/bin/tcsh
tpecot:*:1016:1001:XXXX Pecot:/home/tpecot:/bin/tcsh
Here's what "ypcat master.passwd.byname" returns (again, a sample):
stephen:$1$z2wACRkf$camGYsMF6OTjTL41gNSCX0:1013:1001::0:0:Stephen XXXX:/home/stephen:/bin/tcsh
tpecot:$1$P3lvmuTE$RRuEzWjhxwwmMOwv0DzvN.:1016:1001::0:0:XXXX Pecot:/home/tpecot:/bin/tcsh

"master.passwd" isn't supported by Linux! Combine your "/etc/passwd" and "/etc/shadow" maps! If compiled with "--shadow-passwd" (not really sure about the option) NIS on Linux will support "shadow.byname" for passwords. As far as I know SuSE didn't compile this in.
(1) it has been suggested that the MD5 encryption used in the FreeBSD password file is causing the problem. However, I have been able to cut a password from the BSD password file into the Linux password file and it worked just fine (for a local user). I don't think that's the problem.
If this works, both systems work with crypt or MD5, which should be OK!
(2) The BSD password file has "*" in the second field, which indicates the password is stored in master.passwd. SuSE Linux uses an "x" in the second field to indicate that the password is stored in /etc/shadow. Could this be the source of the conflict? If so, how do I configure SuSE to recognize the "*" instead of the "x"?
No. A password consisting of only one character is considered to be stored elsewhere --- normally "/etc/shadow" on Linux. It is only a convention to use "*" or "x" for passwords stored somewhere else. You could use any other character except ":" and "@".
[...]
-- Thomas
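
The "combine passwd and shadow" step from the reply above, as an added example that is not part of the original message: it folds 10-field FreeBSD master.passwd entries into 7-field passwd entries and flags password fields a Linux client set to MD5 would not verify. The function names, the min_uid cutoff and the sample entries are assumptions made for illustration.

```python
import re

# crypt(3) formats: "$1$salt$hash" is MD5, 13 characters is traditional DES.
MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def hash_scheme(field):
    """Classify the password field of a passwd-style entry."""
    if MD5_CRYPT.match(field):
        return "md5"
    if DES_CRYPT.match(field):
        return "des"
    if len(field) <= 1:
        return "placeholder"  # "*", "x": password is stored elsewhere
    return "other"

def merge_master_passwd(lines, min_uid=1000):
    """Return (passwd_lines, warnings) for a combined passwd map.

    min_uid is an assumed cutoff that keeps system accounts out of the map.
    """
    passwd, warnings = [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 10 or not f[2].isdigit():
            warnings.append(f"skipped malformed entry: {f[0]}")
            continue
        name, pw, uid, gid, _class, _change, _expire, gecos, home, shell = f
        if int(uid) < min_uid:
            continue
        scheme = hash_scheme(pw)
        if scheme != "md5":
            warnings.append(f"{name}: {scheme} password field, MD5 login will fail")
        passwd.append(":".join([name, pw, uid, gid, gecos, home, shell]))
    return passwd, warnings

# Constructed sample input; the hash is a made-up string, not a real password hash.
FAKE_MD5 = "$1$abcdefgh$" + "A" * 22
SAMPLE = [
    "root:*:0:0::0:0:Charlie Root:/root:/bin/csh",
    f"alice:{FAKE_MD5}:1013:1001::0:0:Alice Example:/home/alice:/bin/tcsh",
    "bob:*:1016:1001::0:0:Bob Example:/home/bob:/bin/tcsh",
    "carol:abcdefghijklm:1017:1001::0:0:Carol Example:/home/carol:/bin/tcsh",
]

if __name__ == "__main__":
    entries, notes = merge_master_passwd(SAMPLE)
    print("\n".join(entries + notes))
```

The combined map puts the hashes where any host able to run "ypcat passwd" can read them, which is the same check the reply uses to confirm the export.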