NIS is set up, but I can't add new user / change password

I have managed to successfully set up an NIS server on FreeBSD 10 as per these instructions: http://www.freebsd.org/doc/handbook/network-nis.html. On another fresh install, I followed the client setup, also 10.0-RELEASE. I can log in to the NIS users I provisioned on the server from my client machine. However, the handbook states that I can add users using pw useradd or adduser. But it does not work; it only adds users locally, not to the NIS maps. If I want the changes, I need to start again, using ypinit -m mydomain. Also, yppasswd only changes the passwords locally.

At first I just configured the server as a master server. Then I tried making a client also, pointing to itself. Still no joy.

Is it possible to add users without building the domain from scratch? Why don't the documented steps work for me?
 
I forgot to mention: I am using the following command to rebuild the maps (from /var/yp):

Code:
# make conspec-group.com
`conspec-group.com' is up to date.
 
There seems to be some "glue" missing since /var/yp/master.passwd does not get updated with either pw or adduser. I've been running NIS for a number of years and have been using a wrapper script that copies /etc/master.passwd to /var/yp/master.passwd sans system users. I've seen some users symlink /etc/master.passwd to /var/yp (possible security issues doing this). Either way, you will need to issue a make in /var/yp anytime the password file is updated.
 
OK, thanks @pboehmer, for shedding some light on this. So I just need to add the new entries to /var/yp/master.passwd, then run make my-domain? If so, that's not so bad, but shame the documents don't mention this. Has anyone had any luck with a FreeBSD server but Linux clients using NIS? I get wrong password messages when trying to log in, but ypcat passwd.byname works fine. I think it's a compatibility issue with the way the different OSes handle shadow files.

I may end up avoiding NIS, in favour of either LDAP, or just using local account matching UIDs and then mount NFS home folders directories via /etc/fstab. The Linux variant is Slackware, so LDAP may be interesting to set up. A simple clean solution for Linux client NIS would be nice though.
 
Edit /var/yp/Makefile and set
Code:
UNSECURE=TRUE
and re-issue make. I don't have any Linux NIS clients, so not sure if this actually works or not, but the Makefile indicates this is what needs to be done.
 
@pboehhmer: Thanks, I got NIS authentication working in Slackware Linux clients by uncommenting that line. I never thought to check the Makefile for configuration options.

The NIS users' home directories are on FreeBSD 10 RELEASE, each in their own ZFS filesystem.

Only problem now is that I still can't get new users to be added to the NIS maps without rebuilding with ypinit. This means scripting is not possible without using expect, which I don't want to do. I tried adding the new entries from /etc/master.passwd to /var/yp/master.passwd and then make my-domain. It does not pick up the changes.

I used the below command to add the new entries:

Code:
cat /etc/master.passwd | egrep "test.fastrack" >> /var/yp/master.passwd
cd /var/yp
make my-domain
 
Additionally, the password can't be changed, it won't update the maps. I have yppasswdd running and use yppasswd to change the password.

I think I am missing some configuration. Either that or NIS is broken in 10-RELEASE. I've followed the handbook to set it up.
 
Aha! the yppasswd is for changing the password on the client machine. When I try that I get the following error:

Code:
yppasswd: pam_chauthtok(): error in service module
 
Aha again! I wasn't running yppasswdd on the client. After doing so, and re-issuing yppasswd client-side, I now get a different error:

Code:
rpc.yppasswdd: can't get name of NIS master server for domain my-domain

However ypwhich returns a single line, my server's IP address. What do I need to do to tell my NIS server it is the master?
 
The only thing running on your clients should be ypbind. rpc.yppasswdd is run on the NIS server and ypbind on the client pushes the password change request to the server. On FreeBSD clients, passwd on clients will detect and utilize NIS for password changes (passwd()). The yppasswd command is for changing the NIS passwords when logged into the NIS server, since this changes /var/yp/master.passwd and not /etc/master.passwd. I cannot comment on how the Linux passwd works in relation to NIS.
 
@pboehhmer: Thanks for clarifying these things. However, my testing for NIS takes place on a FreeBSD server and client first. Then I will move on to Slackware for the production clients. I don't have any problem with clients, thanks to your help.

I just can't get changes in /var/master.passwd to update when I issue make my-domain. I can only update maps by using ypinit -m my-domain. Is NIS broken on FreeBSD 10? I haven't tested it on earlier releases. I have no problem making a script that updates /var/yp/master.passwd, but why isn't make picking up the changes?
 
Instead of issuing make my-domain, have you tried just make?

From what I read above in your setup, could you have an issue where user updates password from a NIS client machine and you overwrite that change when you update /var/yp/master.passwd on the NIS server? I believe this is the reason why some people just symlink /etc/master.passwd to /var/yp/master.passwd.
 
Thanks again! Using just plain make works!

Updating passwords was not an issue. I didn't do that during my tests. I was trying to update passwords as a separate diagnostics test, because the make my-domain was not working. I do not need to update the passwords from client, from server is fine. In fact, I do not want users to be able to change their passwords.

So, it looks like the handbook needs a bit of improvement on the NIS section. I never thought to try just make.

As for sym-linking the /etc/master.passwd, I think this is a big security no-no. Also, I want to have local only users on the server. If I were a NIS developer, I would have made a simple solution; just have a blacklist file. Sym-link the /etc/master.passwd and have a blacklist file called something like /etc/master.passwd.blacklist /var/yp/master.passwd.blacklist.
 
There seems to be some "glue" missing since /var/yp/master.passwd does not get updated with either pw or adduser. […]
The missing glue is setting nispasswd in /etc/pw.conf(5) (on the NIS master). This will make pw(8) edit two files. However, defining a nispasswd alone does not imply -Y, that is, actually regenerating the NIS maps (/usr/bin/make -C /var/yp/).
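
The wrapper approach described earlier in the thread (copy /etc/master.passwd to /var/yp/master.passwd without system users, then run plain make in /var/yp), sketched as an added example that is not code from any poster. Filtering by UID keeps root and local-only accounts, along with their password hashes, out of the maps served to clients, which a symlink cannot do. The MIN_UID/MAX_UID range and the sample accounts are assumptions, constructed for illustration.

```shell
#!/bin/sh
# Added example: keep system and local-only accounts out of the NIS maps.
# MIN_UID and MAX_UID are assumed site policy, not values from the thread.
MIN_UID=${MIN_UID:-1001}
MAX_UID=${MAX_UID:-60000}

# Print the master.passwd entries (10 colon-separated fields) whose UID is in range.
filter_nis_users() {
    awk -F: -v min="$MIN_UID" -v max="$MAX_UID" '
        /^[#+-]/ || NF != 10 { next }   # comments, NIS compat lines, malformed entries
        $3 ~ /^[0-9]+$/ && $3 + 0 >= min && $3 + 0 <= max
    ' "$1"
}

# Rewrite DST from SRC; prints "changed" or "unchanged".
sync_nis_passwd() {
    src=$1; dst=$2
    tmp=$(mktemp "${dst}.XXXXXX") || return 1   # mktemp creates the file mode 0600
    if ! filter_nis_users "$src" > "$tmp"; then rm -f "$tmp"; return 1; fi
    if [ -f "$dst" ] && cmp -s "$tmp" "$dst"; then
        rm -f "$tmp"; echo unchanged
    else
        mv -f "$tmp" "$dst" && echo changed     # rename within one directory is atomic
    fi
}

# Constructed sample input (not real accounts or hashes) run through the sync twice.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/master.passwd" <<'EOF'
root:$6$CONSTRUCTED$roothash:0:0::0:0:Charlie &:/root:/bin/csh
localadm:$6$CONSTRUCTED$localhash:1000:1000::0:0:Local admin:/home/localadm:/bin/sh
alice:$6$CONSTRUCTED$alicehash:1001:1001::0:0:Alice Example:/home/alice:/bin/sh
bob:$6$CONSTRUCTED$bobhash:1002:1002::0:0:Bob Example:/home/bob:/bin/sh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
+:::::::::
EOF
    first=$(sync_nis_passwd "$d/master.passwd" "$d/nis.master.passwd")
    second=$(sync_nis_passwd "$d/master.passwd" "$d/nis.master.passwd")
    echo $first $second $(cut -d: -f1 "$d/nis.master.passwd")
    rm -rf "$d"
}

# On the NIS master: sync, then rebuild with plain make, as the thread found works.
case "${1:-}" in
    --apply) [ "$(sync_nis_passwd /etc/master.passwd /var/yp/master.passwd)" = changed ] &&
             make -C /var/yp ;;
    --demo)  demo ;;
esac
```

Run with --demo to see the filter on the constructed sample; --apply is meant for root on the NIS master and only rebuilds the maps when the filtered file actually changed.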
 