# nis and yppasswd

## burzmali

has anyone gotten this to work?

i have server set up as an NIS master that also exports home directories via NFS, and i have mail set up as NIS client that mounts its /home on the server's exported NFS /home directory.  users can login via ssh or ftp and also get mail.  all that works fine.  however users cannot use yppasswd to change their passwd in the NIS database.  i have started rpc.yppasswdd on the server with and without the -m flag.  either way, when i type 'yppasswd' as a logged in user on the client (mail) this is what i get:

```
burzmali@mail burzmali $ yppasswd
Changing NIS account information for burzmali on server.burzmali.net.
Please enter old password:
Sorry.
burzmali@mail burzmali $
```

i entered the correct passwd for the old one.  what do i have to do to get this working?  any help is appreciated.  thank you.

----------

## kerframil

I have this problem too and I'm trying to deduce the cause. I noticed that I could successfully change the password of a user account if I elevated to root privileges on the client. Is this the case for you also?

----------

## burzmali

yeah, that is what i get too.  any ideas on how to fix it?  i am pretty new to NIS.

----------

## kerframil

Yeah, I'm pretty new to it also - and a few incongruities are beginning to emerge. For example I removed my local user account on a workstation - well, I'm using NIS so I don't need the local account right? Wrong! Things still work, but I can't su to root anymore on the workstation because it thinks I'm not part of the wheel group. I have many things to learn about NIS it seems ...

I'm looking into this. A possible culprit could be /etc/nsswitch.conf - I still haven't found a guide that explicitly explains exactly how it works in depth and the manpage isn't as thorough as I'd like.

----------

## philthedrill

This thread is brief on nsswitch.conf:

https://forums.gentoo.org/viewtopic.php?t=27670

On my network, I have passwd in /etc/nsswitch.conf set to "compat".

Also, my rpc.yppasswdd is running with '-D /etc/yp/' (which is where the yp passwd and shadow files are located).

I was also experiencing some serious authentication issues for NIS users last month (most of my machines are Red Hat), where ssh would use one password, yppasswd would use another, and so forth.

It ended up that some machines didn't compile openssh with pam support, so I had to redo ssh with:

```
configure --with-pam
```

HTH.

--phil

----------

## burzmali

i tried what you suggested: start rpc.yppasswd with '-D /var/yp' and have passwd be 'compat' in /etc/nsswitch.conf.

the -D flag seems to have no effect and switching passwd to compat (on the client, right?) just caused me to not have a name on login:

```
burzmali@usal burzmali $ ssh mail
Last login: Tue Jan 21 10:03:02 2003 from usal.burzmali.net
/usr/bin/whoami: cannot find username for UID 1000
-bash: [: =: unary operator expected
I have no name!@mail burzmali $ logout
```

this is kind of a bummer.

----------

## philthedrill

 *Quote:*   

> i tried what you suggested: start rpc.yppasswd with '-D /var/yp' and have passwd be 'compat' in /etc/nsswitch.conf.
> 
> the -D flag seems to have no effect and switching passwd to compat (on the client, right?) just caused me to not have a name on login:

 

Yes, the client should be set to compat in /etc/nsswitch.conf.

Now, make sure you have '-D /etc/yp' (or wherever your passwd and shadow files are) instead of '-D /var/yp'.

/etc/yp should contain the passwd and shadow files.

/var/yp contains the maps.

--phil

----------

## zojas

I'm struggling with this too. first, I've written a /etc/init.d script. quite simple:

```
#!/sbin/runscript

depend() {
   need portmap net ypserv
}

start() {
   ebegin "Starting NIS Password Server"
   start-stop-daemon --start --quiet --exec /usr/sbin/rpc.yppasswdd -- -e chsh -e chfn
   eend $?
}

stop() {
   ebegin "Stopping NIS Password Server"
   start-stop-daemon --stop --quiet --exec /usr/sbin/rpc.yppasswdd
   eend $?
}
```

----------

## zojas

I have some Suse and RedHat clients. on my Suse client I've set passwd to compat in /etc/nsswitch.

I intend to use my regular /etc/passwd and /etc/shadow files. 

Right now I can run yppasswd successfully on the Suse client; I can enter the old password and it lets me put in a new password. the password is then updated in /etc/shadow on the gentoo NIS server. but the NIS client still sees the old password.

it's like the pwupdate script is not being run. I'm going to hack the script now so it outputs something to a file in /tmp so I can tell if it runs or not.

----------

## zojas

it seems that once i run yppasswd on the client, it does change the passwd on the server (in /etc/shadow) but then the yp system gets quite confused. the nis client sees neither the new nor the old password. running 'make' in /var/yp doesn't even fix it.

if I then run 'passwd' on the server and then run 'make' in /var/yp then the client is ok again.

anyway, I'll shut up and instrument the pwupdate script like i said i was going to, that has to be the problem!

----------

## zojas

ok! At least I have some data now.

the pwupdate script creates some temporary files and if there are errors emails them to root. root was getting no email though. 

so I hacked the script so it saves the files in /tmp. here's the interesting output:

```
Updating shadow.byname... Ignored -> merged with passwd
```

this is the same output I get when I run 'make' in /var/yp. 

so it looks like it succeeded. My conclusion is that I don't have my shadow.byname map set up correctly. it seems to work, but the Makefile isn't rebuilding it correctly? 

all I did was use the stock Makefile in /var/yp and comment out some of the maps.

----------

## zojas

first important find: you need to have an entry like this:

```
+::::::
```

in your /etc/passwd file on the client so it will look in NIS for the name of the account. (i have the 'compat' entries in nsswitch.conf as described above)

also, put 

```
+:::
```

in /etc/group.

also, there is a line in the stock Makefile which says

```
# Should we merge the passwd file with the shadow file ?
# MERGE_PASSWD=true|false
MERGE_PASSWD=true
```

I tried changing it to false and then a separate shadow map was generated, but clients didn't seem to have access to it. (with it set to false, 'ypcat passwd' would have an 'x' in the passwd field, but 'ypcat shadow' produced nothing. with it set to true, the encrypted password shows up in the output of 'ypcat passwd')
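The difference described in this post between the two MERGE_PASSWD settings shows up in the password field of the passwd map, and it can be checked from any client. The following is an added example, not part of the original posts: the function names `pw_field_report` and `count_exposed` and the sample entries (with placeholder hash strings) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the password field of passwd-map entries.
# Reads passwd-format lines on stdin, e.g.:  ypcat passwd | pw_field_report
# Prints "<user> <class>" per entry, where class is one of:
#   shadowed (field is x), locked (starts with * or !), empty,
#   hash (anything else, i.e. the encrypted password is readable in the map)
pw_field_report() {
    awk -F: '
        NF < 7        { next }                    # not a passwd-format line
        $2 == "x"     { print $1, "shadowed"; next }
        $2 == ""      { print $1, "empty";    next }
        $2 ~ /^[*!]/  { print $1, "locked";   next }
                      { print $1, "hash" }
    '
}

# count_exposed: number of stdin entries whose hash is visible in the map.
count_exposed() {
    pw_field_report | awk '$2 == "hash" { n++ } END { print n + 0 }'
}

# Constructed sample: two entries as a merged map shows them and one as a
# split map shows it. The hash strings are made-up placeholders.
SAMPLE_MAP='alice:$1$abcdefgh$CONSTRUCTEDPLACEHOLDER00:1000:100::/home/alice:/bin/bash
bob:$1$ijklmnop$CONSTRUCTEDPLACEHOLDER11:1001:100::/home/bob:/bin/bash
carol:x:1002:100::/home/carol:/bin/bash'

# Dry run on the sample:  printf '%s\n' "$SAMPLE_MAP" | pw_field_report
```

A non-zero count from `ypcat passwd | count_exposed` means every host that can query the map can read those password hashes.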

----------

## kerframil

I believe I have the answer. I've learned a few things since I made my last post here (much of which zojas has kindly taken the time to discuss).

Firstly I want to post a link to a great PDF which covers NIS in a nutshell:

http://davidcoulson.net/writing/pcp/184/masterclass-linuxexpert.pdf

Now for the issue of shadow maps. The problem seems to be that the Makefile doesn't actually create a shadow.byname map.

My steps to modify the Makefile are as follows:

Modify the line beginning all: so that your NIS server exports whatever you want.

Comment out this line:

```
GSHADOW     = $(YPPWDDIR)/gshadow
```

Password/group merge settings should be as follows:

```
MERGE_PASSWD=true

MERGE_GROUP=false
```

Here's the important part, find and comment the following lines:

```
# Don't build a shadow map!
shadow.byname:
	@echo "Updating $@... Ignored -> merged with passwd"
else
```

That deals with the inexplicable nature of the default Makefile where it refuses to create a shadow.byname map file. Re-make your NIS maps, and ensure that rpc.yppasswd is running:

```
rpc.yppasswdd -e chsh -e chfn
```

zojas' method for adding this as a dependency is quite graceful and recommended!

Now you should find that it is possible to change your password on a client  :Smile: 

For any other information (such as how to configure your client files) consult the PDF linked to above.

EDIT: remember that the NIS server will not export groups or users with a GID/UID < 500, as they are considered to be for system services. You can change this in the Makefile with the MINUID and MINGID parameters.

EDIT #2: Spoke a little too soon. It seems to allow the password to be updated, but then you can't login using the new password on the client, until the shadow related lines are commented again, and the NIS maps regenerated. Apparently, uncommenting the lines in the fashion I mentioned causes the Makefile never to generate the passwd maps again. I think we're very close to an answer here, but the final piece of the puzzle remains frustratingly out of reach ...  :Sad: 

----------

## zojas

no luck for me. passwd or yppasswd either one on the client results in the password being changed on the server, but the client continues to see the old password. not even running 'make' by hand in /var/yp on the server fixes it (i verified that pwupdate still runs make at the time yppasswd is run). 

here's the output of 'make' by pwupdate:

```
../Makefile:309: warning: overriding commands for target `passwd.byname'
../Makefile:285: warning: ignoring old commands for target `passwd.byname'
../Makefile:317: warning: overriding commands for target `passwd.byuid'
../Makefile:294: warning: ignoring old commands for target `passwd.byuid'
Updating shadow.byname...
```

it apparently tries to update the map, but the client doesn't see it.

----------

## zojas

ok, a slight correction is in order. my nis server is gentoo, but my clients are redhat 8 and suse 8.1. it turns out this new setup works for redhat but not for suse! so next i'll be looking into config differences between the two clients.

thanks kerframil for the new info about creating the shadow map.

----------

## useofweapons

My fix is as follows...

Change Makefile on the server to

```
# Should we merge the passwd file with the shadow file ?
# MERGE_PASSWD=true|false
MERGE_PASSWD=false

# Should we merge the group file with the gshadow file ?
# MERGE_GROUP=true|false
MERGE_GROUP=false
```

on the client change /var/yp/nicknames to add

```
shadow   shadow.byname
```

also change /etc/init.d/ypserv to

```
#!/sbin/runscript
# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or later
# $Header: /home/cvsroot/gentoo-x86/net-nds/ypserv/files/ypserv.rc6,v 1.3 2003/02/14 23:09:08 vapier Exp $

depend() {
        need net
}

start() {
        ebegin "Starting NIS Server"
        start-stop-daemon --start --quiet --exec /usr/sbin/ypserv
        eend $?
        # -s tells rpc.yppasswdd which shadow file to update
        ebegin "Starting NIS Password Server"
        start-stop-daemon --start --quiet --exec /usr/sbin/rpc.yppasswdd -- -s /etc/shadow
        eend $?
}

stop() {
        ebegin "Stopping NIS Server"
        start-stop-daemon --stop --quiet --exec /usr/sbin/ypserv
        eend $?
        ebegin "Stopping NIS Password Server"
        start-stop-daemon --stop --quiet --exec /usr/sbin/rpc.yppasswdd
        eend $?
}
```

yppasswd now works on the client.

HTH

----------

## useofweapons

Also need to add 

```
+::::::::
```

to the end of /etc/shadow on the client

HTH

----------

## useofweapons

OK, can confirm the exact steps required to get it all to work.  For the server, see my post above (changes to ypserv and /var/yp/Makefile)

For each client

/etc/passwd add 

```
+::::::
```

/etc/shadow add 

```
+::::::::
```

/etc/group add 

```
+:::
```

/var/yp/nicknames add 

```
shadow      shadow.byname
```

Make no changes to nsswitch.conf

Make sure the user does not exist in the client's /etc/passwd, otherwise yppasswd won't work.

It should all now work.  I can change password on one machine and log into another with the new password immediately.  :Very Happy: 
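The client checklist in this post can be verified mechanically before testing yppasswd. The following is an added example, not part of the original posts: the function names `check_nis_client`, `has_line` and `make_sample_client`, the ROOT prefix argument and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an NIS client against the checklist above.
# Usage on a real client (as root, so /etc/shadow is readable):
#   check_nis_client "" burzmali
# ROOT is a directory prefix: "" for the live system, or a test tree.

# has_line FILE LINE: succeed if FILE contains LINE exactly.
has_line() { [ -r "$1" ] && grep -qxF -- "$2" "$1"; }

# check_nis_client ROOT USER: print findings, return the number of failures.
check_nis_client() {
    root=$1 user=$2 fails=0
    has_line "$root/etc/passwd" '+::::::' ||
        { echo "FAIL: /etc/passwd lacks +::::::"; fails=$((fails + 1)); }
    has_line "$root/etc/shadow" '+::::::::' ||
        { echo "FAIL: /etc/shadow lacks +::::::::"; fails=$((fails + 1)); }
    has_line "$root/etc/group" '+:::' ||
        { echo "FAIL: /etc/group lacks +:::"; fails=$((fails + 1)); }

    # nicknames: "shadow", whitespace, then "shadow.byname".
    if ! grep -Eq '^shadow[[:space:]]+shadow\.byname[[:space:]]*$' \
            "$root/var/yp/nicknames" 2>/dev/null; then
        echo "FAIL: /var/yp/nicknames lacks the shadow nickname"
        fails=$((fails + 1))
    fi

    # The checklist requires that the user has no local /etc/passwd entry.
    if awk -F: -v u="$user" '$1 == u { f = 1 } END { exit !f }' \
            "$root/etc/passwd" 2>/dev/null; then
        echo "FAIL: $user has a local /etc/passwd entry"
        fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ] && echo "OK: client matches the checklist"
    return "$fails"
}

# make_sample_client DIR: build a constructed client tree for a dry run.
make_sample_client() {
    mkdir -p "$1/etc" "$1/var/yp"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' '+::::::' > "$1/etc/passwd"
    printf '%s\n' 'root:*:12000:0:::::' '+::::::::' > "$1/etc/shadow"
    printf '%s\n' 'root:x:0:' '+:::' > "$1/etc/group"
    printf '%s\n' 'shadow      shadow.byname' > "$1/var/yp/nicknames"
}
```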

----------

## burzmali

thanks a lot useofweapons, your steps worked perfectly for me!!!

way to go!

----------

