Behan Webster wrote:
>
> Adriano Nagelschmidt Rodrigues wrote:
> >
> > Yes, apparently the clients don't bother to look up the shadow map (or maybe
> > there's a protocol error), the error messages are something like "user foo
> > doesn't have a password".
>
> It sure seems that way to me too.
>
> > What I did was install shadow in _all_ machines. In the server, I put the
> > NIS source password & group files in /var/etc (remember to turn off rx
> > permission for others in that dir and adjust /var/yp/Makefile).
>
> Ouch. But I thought there was a way to get nis to work _with_ shadow.
> I mean, the yp Makefile has support for distributing the shadow map.
> There's got to be a way to do it.
>
> > * 'finger' appears not to like getting an 'x' instead of the encrypted
> > password ('finger -m foo' works, 'finger foo' only works if you're root).
> >
> > * yppasswdd wasn't compiled with shadow support, so you can't use yppasswd
> > to
> > change a user's password from your root shell (unless you recompile).
>
> Perhaps these should be reported as bugs? My impression was that all
> Debian packages were to be compiled or patched to work with shadow
> passwords.
>
My guess is that the libc function getpwent isn't supporting yp
passwords correctly. I have a 1.3.1 machine which uses YP which is
coming from a *sun* server. I put the usual:
+::::::
as the last line of /etc/passwd. Now, the Sun also has shadow passwords,
and it's NIS (NIS+ actually) is set up to handle this. To get it to
work I had to build the maps *with* passwd info included, like thus
on the sun:
/usr/lib/nis/nisaddent -p -f /etc/passwd.net passwd
with the '-p' telling it to go ahead and include the password
field. I tried to use shadow in the maps, but no luck. NOTE: this
matters little anyway since NIS (as opposed to NIS+) will give up
*any* map to *anyone* who asks for it. Thus NIS exposes you to
the same problems as non-shadow passwords. Ooops, I didn't mention
it before but I *am* using shadow passwords on the debian box too.
I guess we'll just have to wait for the nis+ support coming with glibc.
Doh.
--
Jens B. Jorgensen
[EMAIL PROTECTED]
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
[EMAIL PROTECTED] .
Trouble? e-mail to [EMAIL PROTECTED] .
