LinuxQuestions.org


outerspace 10-14-2007 06:34 PM

NIS: NIS running but users not able to log in with NIS credentials
 
(Fedora Core 7 machines)

Ok, so I've got a network set up with the following:

A1 - NIS master server
A2 - NIS slave server

C1,C2,... - Various NIS client machines

The issue is that NIS clients cannot authenticate against the NIS database. In other words, logging in to a client box over ssh is unsuccessful, with the following in /var/log/secure (some data replaced by brackets <>):
Quote:

<TIME> localhost sshd[17625]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh rus= rhost=<IP_1> user=<USER_1>
<TIME> localhost sshd[17625]: Failed password for <USER_1> from <IP_1> port 1345 ssh2

So, it's a standard auth failure message, nothing special here.
However, `ypcat passwd |grep USER_1` returns a different password hash than `ypmatch USER_1 passwd`.

ypcat passwd |grep USER_1:
Quote:

USER_1:<PASSWORD HASH A>:503:504::/home/USER_1:/bin/bash

ypmatch USER_1 passwd:
Quote:

USER_1:<PASSWORD HASH B>:503:504::/home/USER_1:/bin/bash

Running yppasswd to change the password (or changing the local user's password on A1 (NIS master) and running `cd /var/yp && make`) changes the password hash for ypcat but ypmatch remains the same.

I think this might be a clue to something, but I can't find anything on the internet specifically about this condition, so I'm asking here. Any tips? If there's more information you need just ask. Thanks.

cjcox 10-15-2007 11:11 AM

Although it doesn't seem possible that this is a solution, try killing off your nscd on your client NIS box and see if that helps.

Micro420 10-15-2007 10:16 PM

Did you make sure to run ypinit -m to sync the database to the clients? Did you make sure /etc/nsswitch is in the right order?

outerspace 10-17-2007 08:51 AM

Thanks for the replies.

cj: NSCD is not running. AFAIK it wasn't a requirement for NIS, just an improvement/optimization. Is it required now?

Quote:

Originally Posted by Micro420 (Post 2925593)
Did you make sure to run ypinit -m to sync the database to the clients? Did you make sure /etc/nsswitch is in the right order?

nsswitch.conf is in the right order [nisplus nis files]. Also tried with 'compat'.

`ypinit -m`, from all pages I can find on the topic, is deprecated (which is surprising to me, I recall using it). `cd /var/yp && make` is preferred. At any rate, my Fedora Core 7 boxes don't even have the `ypinit` command (although the man page for it still exists).

Either way, the output of `ypcat passwd` *is* updated when the NIS db is rebuilt. If I change the user's password via yppasswd *or* update the user's password in the NIS master server's /etc/passwd file (and then run `cd /var/yp && make`), the password hash that `ypcat passwd` outputs IS the correct password hash.

But the password hash output by `ypmatch` stays the old password hash, and in fact is not getting updated at all. I believe (based on no evidence) that when I'm trying to log into a box via SSH, the old hash is being used instead of the new one, and I'm trying to figure out what to do next if this is the case.

Any other thoughts?

