On Fri, 12 Dec 2014, Goswin von Brederlow wrote:
The normal thing I've seen is to have people log onto the master server
(or make some similar arrangement) and make the change there.
I think you can have a setup where nis exports the /etc/passwd of one
master server or something. But at least that isn't the setup we use.
Trying to change the password on the server just gives:
# passwd test
passwd: Authentication token manipulation error
passwd: password unchanged
And normal users aren't allowed to login on the server in any case.
yppasswd is the only way to change a users password here.
Correct. Our users can only change theor password on the server where I
applied the given patch.
Root can only change the password (or create users) by modifying
/etc/pam.d/ to remove nis while creating the user.
3) I first noticed this failing on Ubuntu recently while the nis
upstream version is indeed been around for ages. It used to work
previously with near identical version. So unless you changed
yppasswd.c in one of the debian revisions this probably is triggered
by a change in the crypt() implementation that is more recent, one
that validates the salt properly.
There's definitely not been any substantial change in nis for some
considerable time, the last non-packaging change I'm seeing in the
changelog is about five years old and is in wheezy.
But that's the thing. yppasswd works fine in wheezy and precise but
segfaults in jessie and trusty.
As I posted in the original report, there was a change to crypt() which
now exposes a long standing bug in nis.
It's not clear to me that this is something that has been newly
introduced (as opposed to something people have always dealt with when
using NIS, the version mentioned is the one in wheezy) - using shadow
files with NIS is obviously a bit of a corner case given how meaningless
NIS makes the extra security they add. If it's something that's just
broken in this version and people would see regress on upgrades that's a
bit different.
Since shadow passwords are the default, the "corner case" affects every
user of nis, unless they disable shadow. I assume disabling shadow would
fix it.
5) There has been a trivial 1 line patch for the bug for the whole
time.
Right, it's unfortunate that I didn't see that on the original filing
(looking at the mail it appears it got hidden as a signature by the
mail client I used to read the original submission, the mail is sadly a
bit malformed which doesn't help).
Can you define "malformed"? I used "reportbug" to report the bug, and it
looks fine to me.
--
Jon Daley
http://jon.limedaley.com
~~
Who begins too much accomplishes little.
-- German proverb
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
