MS Identity Management for Unix and FreeBSD

Brian Somers brian at
Thu Jun 14 08:41:07 BST 2007

On Tue, 12 Jun 2007 07:23:25 +0100 Ceri Davies <ceri at> wrote:
> On Tue, Jun 12, 2007 at 12:01:29AM +0100, Stephen Allen wrote:
> >  I'm trying to work with a FreeBSD box on a NIS domain, handled by MS 
> >  Identity Management for Unix.  On the MS server, I've populated the Unix 
> >  attributes for NIS domain, UID, login shell, home dir and GID.
> > 
> >  OK - ypwhich displays the name of the MS server as the NIS server.
> >  OK - ypcat passwd displays the user who's UNIX attributes I added.
> > 
> >  In the Identity Management tools on MS, I've set the password encryption 
> >  type to MD5.  Also verified that /etc/login.conf and /etc/auth.conf both 
> >  allude to MD5.  However, when I try to login, it fails with this error in 
> >  syslog:  PAM: authentication error for illegal user.
> > 
> >  If I examine the password file format in /etc/master.passwd, they appear to 
> >  be different (and the NIS password doesn't seem to have been set for 
> >  MyUser):
> > 
> >  [root at vh1a9f58 ~]$ ypcat passwd
> >  MyUser:ABCD!efgh12345$67890:10000:20::/disk1/test:/usr/local/bin/bash
> >  [root at vh1a9f58 ~]$ grep nobody /etc/master.passwd
> >  nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
> master.passwd isn't the standard passwd(5) format, but that doesn't
> matter here; all library routines use /etc/passwd which is compatible.

Well, not quite.  libc uses /etc/pwd.db and /etc/spwd.db
which are produced from master.passwd with pwd_mkdb (which
is called by other password update tools).

passwd is there for backwards compatibility but AFAIK is
not used by anything interesting.

> What's the format of the MD5 encrypted password in NIS?  It would
> probably be easier to use the standard crypt encryption across operating
> systems, as other hashes are generally not compatible.  This doesn't
> necessarily mean that you have to pass crypt()ed passwords on the wire
> though if Windows (and indeed, FreeBSD) supports passwd.adjunct maps.

The way it works here is:

$ ypcat master.passwd
ypcat: no such map master.passwd.byname. reason: YP server error
$ sudo ypmatch brian master.passwd
brian:$1$yadayadayada:15:15::0:0:Brian Somers,Vancouver,+1 604 315 1343:/home/brian:/bin/bash
$ fgrep passwd /etc/nsswitch.conf
passwd:         files nis

The default nsswitch.conf stuff probably works but I have my
own because that's specifically what I want.  The important
bit is that I have a "master.passwd" NIS map that is the
same format as the native master.passwd file.

The other important thing is that I have a passwd map too -
for use by non-root queries to ypbind:

$ ypmatch brian passwd
brian:+:15:15:Brian Somers,Vancouver,+1 604 315 1343:/home/brian:/bin/bash

Brian Somers                                          <brian at>
Don't _EVER_ lose your sense of humour !               <brian at>

More information about the Ukfreebsd mailing list