Re: NIS with linux
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: NIS with linux
- From: Ian Main <imain_(_at_)_netidea_(_dot_)_com>
- Date: Fri, 11 Jun 1999 15:45:24 -0700
- Reply-to: Ian Main <imain_(_at_)_netidea_(_dot_)_com>
On Fri, Jun 11, 1999 at 06:00:01PM -0400, Matthew C. Weigel wrote:
> On Fri, 11 Jun 1999, Ian Main wrote:
>
> > If anyone is interested, I managed to do a "secure" NIS mapping on an OBSD
> > master that will work for both linux with shadow passwds and with
> > Open/Free BSD "secure" mode. Requires a linux NIS slave server to
> > translate though.
>
> I've been trying to find mention of 'secure' mode for OpenBSD for a little
> while, and although Theo mentioned it in a private email, I can't find
> documentation for it. Is secure mode simply using the securenet file, or is
> it the secure mode that FreeBSD uses (i.e., refuse master.passwd.* lookups
> from ports > 1024)?
I'm fairly certain it works the way you described the FreeBSD mode.
To get it to work for Linux clients I added a NIS mapping to create
shadow.byname that was compatible with the Linux shadow file (as used with
Debian anyway).
This goes under the passwd.time rule in your Makefile for yp on the OpenBSD
box (in your domain directory):
	$(CAT) $(>) | \
	$(AWK) 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ \
	    { printf "%s\t%s:%s:10000:0:99999:7:::\n", $$1, $$1, $$2 }' \
	    | $(MAKEDBM-S) - shadow.byname; \
and a few lines later where it does the pushes add:
	$(YPPUSH) -d $(DOMAIN) shadow.byname; \
Note that the above just makes up values for passwd expiration. This wasn't
a concern for me, so I didn't even bother looking into making it work.
So now we have a shadow.byname that the Linux boxes can do shadow passwd
lookups on, but the OpenBSD passwd.byname format uses *'s in the usual
passwd field, and Linux uses x's to indicate it should do a shadow lookup.
So I set up a NIS server on the Linux client (which I would do anyway for
redundancy) with the following in /etc/ypserv.conf:
# Host : Map : Security : Passwd_mangle
#
* : passwd.byname : none : yes
* : passwd.byuid : none : yes
* : master.passwd.byname : port
* : master.passwd.byuid : port
* : shadow.byname : port
This 'mangles' the passwd field in the passwd.byname, which puts an 'x'
there, so everything works fine now, and it uses port based security for
shadow/master.passwd NIS db's.
> Also, what if there is only one Linux machine in the network?
Just make the machine a NIS slave server and a NIS client (which is what I
did for both linux boxes actually).
> > I also noticed you can do MD5 passwds for both (at least with debian linux
> > anyway).
>
> Which Unices, other than Linux and OpenBSD, do this?
No idea. :)
Ian
"Simplicity is achieved by the elimination of special cases, such as the
discrimination between devices and files."
- Brian Kernighan and John Mashey.
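The two map transformations described in the post above, written out as plain shell/awk functions so they can be run on sample input; this is an added example, not code from the original post. The function names, the sample master.passwd lines and the hashes are constructed; it also carries the master.passwd account-expiry field into the shadow expire field, which the post's one-liner leaves blank.

```shell
#!/bin/sh
# Added example (not from the original post). Field layouts:
#   BSD master.passwd: name:passwd:uid:gid:class:change:expire:gecos:home:shell
#   Linux shadow:      name:passwd:lastchg:min:max:warn:inactive:expire:flag
#   Linux passwd:      name:passwd:uid:gid:gecos:home:shell

# Emit "key<TAB>value" shadow.byname entries from master.passwd lines.
# lastchg/min/max/warn are fixed as in the post; the account-expiry field
# ($7, seconds since the epoch) is converted to days, which shadow expects.
to_shadow_map() {
    awk 'BEGIN { FS=":" }
         /^[a-zA-Z0-9_]/ {
             expd = ($7 > 0) ? int($7 / 86400) : ""
             printf "%s\t%s:%s:10000:0:99999:7::%s:\n", $1, $1, $2, expd
         }'
}

# Emit "mangled" passwd.byname entries: the hash is replaced with "x" so a
# Linux client falls back to a shadow.byname lookup (the effect of the
# passwd_mangle option on the Linux slave in the post).
to_mangled_passwd_map() {
    awk 'BEGIN { FS=":" }
         /^[a-zA-Z0-9_]/ {
             printf "%s\t%s:x:%s:%s:%s:%s:%s\n", $1, $1, $3, $4, $8, $9, $10
         }'
}

# Constructed sample master.passwd entries (fake hashes); the comment line
# is skipped by the /^[a-zA-Z0-9_]/ filter, as in the post's awk.
SAMPLE='alice:$1$abcdefgh$FAKEHASH0000000000000:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:946684800:Bob:/home/bob:/bin/sh
#comment:should:be:ignored'

printf '%s\n' "$SAMPLE" | to_shadow_map
printf '%s\n' "$SAMPLE" | to_mangled_passwd_map
```

Each emitted line is one NIS record (key, tab, value), the same shape the post's makedbm pipeline consumes.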