Configuring client to use central authentication server (synchronize shadow)?
Having to work within the confines of an outdated system, I need to configure a list of clients to use a central authentication server. The clients are using the latest release of CentOS. The server is using RHEL6 with NIS (openLDAP is not available from the repos on this install anymore).
I've configured CentOS to use the yp server and domain (via yp.conf and authselect) and can confirm that `yptest -u <username>` succeeds. I can `su` to <username>, but if I try to log in on the system as <username> it cannot authenticate the password; it would appear that information relating to the shadow file is not being sent across the network in addition to the passwd file (I can confirm that passwd is being sent).

Here's where things get tricky. The old system sent shadow over NIS. I'd like to avoid doing that, but the authentication server is a relic and trying to install openLDAP or any other protocol is not going to be easy (or authorized by the powers that be). So here are my questions:

1) Does the ypbind package bundled with CentOS 8 not work with extremely old versions of ypserv? Has shadow over ypbind been eliminated, or is there something I'm missing? I can confirm also that 'nis' is listed for all entries (including passwd and shadow) in /etc/nsswitch.conf.
2) Would it be possible to synchronize the shadow file across clients in a portable and secure way?
|
Have you tried compat as source for passwd, group and shadow in nsswitch.conf (and adding + as the last line of /etc/passwd, /etc/group and /etc/shadow)? See an example in the NIS HOWTO.
|
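A consistency check for the compat layout suggested in the reply above (added example, not part of the thread; the function names, sample files and verdict wording are constructed for illustration). It reads an nsswitch.conf and the flat files in a given directory and reports, for passwd, group and shadow, whether `compat` and a trailing `+` line appear together.

```shell
#!/usr/bin/env bash
# Print the sources listed for database $2 in nsswitch file $1, one per line,
# ignoring comments and action items such as [NOTFOUND=return].
nss_sources() {
    awk -v db="$2" '{
        sub(/#.*/, ""); gsub(/\[[^]]*\]/, " ")
        n = index($0, ":"); if (n == 0) next
        name = substr($0, 1, n - 1); gsub(/[ \t]/, "", name)
        if (name != db) next
        m = split(substr($0, n + 1), src, /[ \t]+/)
        for (i = 1; i <= m; i++) if (src[i] != "") print src[i]
    }' "$1"
}

# Succeed if the last non-blank line of file $1 starts with "+".
has_plus_last() {
    [ -r "$1" ] && awk 'NF { last = $0 } END { exit !(last ~ /^\+/) }' "$1"
}

# Compare nsswitch file $1 with the flat files in directory $2 for passwd,
# group and shadow. Prints one verdict per database; returns 1 on a mismatch.
audit_compat() {
    local nss="$1" etc="$2" rc=0 db sources
    for db in passwd group shadow; do
        sources=$(nss_sources "$nss" "$db" | tr '\n' ' ')
        case " $sources" in
            *" compat "*)
                if has_plus_last "$etc/$db"; then echo "$db: ok (compat with + line)"
                else echo "$db: compat selected, but $db has no trailing + line"; rc=1; fi ;;
            *)
                if has_plus_last "$etc/$db"; then
                    echo "$db: + line present, but sources are: $sources"; rc=1
                else echo "$db: ok (sources: $sources)"; fi ;;
        esac
    done
    return "$rc"
}

# Constructed sample: shadow was switched to compat but never given a + line.
make_sample() {
    printf 'passwd: compat\ngroup: compat # NIS via +\nshadow: compat [NOTFOUND=return] files\n' > "$1/nsswitch.conf"
    printf 'root:x:0:0:root:/root:/bin/bash\n+\n' > "$1/passwd"
    printf 'root:x:0:\n+\n\n' > "$1/group"
    printf 'root:!:19000:0:99999:7:::\n' > "$1/shadow"
}

demo_dir=$(mktemp -d) && make_sample "$demo_dir"
audit_compat "$demo_dir/nsswitch.conf" "$demo_dir" || true
rm -rf "$demo_dir"
```

On a real client, `audit_compat /etc/nsswitch.conf /etc` needs root, because /etc/shadow is not readable by ordinary users.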
This is why I wonder if they've changed something. The prior configuration files do not list compat anywhere; instead, specifying nis in the nsswitch.conf was sufficient. The client-side upgrade isn't major, going from CentOS 8.0 to 8.4.
Adding compat to nsswitch.conf does not appear to work; the result is that I can no longer `su` to the users in addition to passwords not working. If I add both nis and compat, I am still unable to log in. The following are the error outputs from the journalctl log: With compat (identical to using just nis) Quote:
|
Wait, you're editing /etc/nsswitch.conf by hand? On CentOS 8? Rather than `authselect select nis`?
|
I am using authselect select nis. Since you asked me to use compat I created a backup file and tried modifying it manually to include compat since there's no option in authselect.
authselect list Quote:
|
Well, authselect does more than just replace /etc/nsswitch.conf. Usually, you make your changes to /etc/authselect/user-nsswitch.conf, then invoke authselect like
Code:
authselect select nis with-custom-{passwd,group,shadow}
|
Changing user-nsswitch.conf does not appear to change the end result, but I'll bear that in mind for the future.
I've also just logged in to the auth server and noticed the /var/messages is giving the following for each login attempt: Quote:
|