MS Identity Management for Unix and FreeBSD
brian at Awfulhak.org
Thu Jun 14 08:41:07 BST 2007
On Tue, 12 Jun 2007 07:23:25 +0100 Ceri Davies <ceri at submonkey.net> wrote:
> On Tue, Jun 12, 2007 at 12:01:29AM +0100, Stephen Allen wrote:
> > I'm trying to work with a FreeBSD box on a NIS domain, handled by MS
> > Identity Management for Unix. On the MS server, I've populated the Unix
> > attributes for NIS domain, UID, login shell, home dir and GID.
> > OK - ypwhich displays the name of the MS server as the NIS server.
> > OK - ypcat passwd displays the user whose UNIX attributes I added.
> > In the Identity Management tools on MS, I've set the password encryption
> > type to MD5. Also verified that /etc/login.conf and /etc/auth.conf both
> > allude to MD5. However, when I try to login, it fails with this error in
> > syslog: PAM: authentication error for illegal user.
> > If I examine the password file format in /etc/master.passwd, they appear to
> > be different (and the NIS password doesn't seem to have been set for
> > MyUser):
> > [root at vh1a9f58 ~]$ ypcat passwd
> > MyUser:ABCD!efgh12345$67890:10000:20::/disk1/test:/usr/local/bin/bash
> > [root at vh1a9f58 ~]$ grep nobody /etc/master.passwd
> > nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
> master.passwd isn't the standard passwd(5) format, but that doesn't
> matter here; all library routines use /etc/passwd which is compatible.
Well, not quite. libc uses /etc/pwd.db and /etc/spwd.db
which are produced from master.passwd with pwd_mkdb (which
is called by other password update tools).
passwd is there for backwards compatibility but AFAIK is
not used by anything interesting.
> What's the format of the MD5 encrypted password in NIS? It would
> probably be easier to use the standard crypt encryption across operating
> systems, as other hashes are generally not compatible. This doesn't
> necessarily mean that you have to pass crypt()ed passwords on the wire
> though if Windows (and indeed, FreeBSD) supports passwd.adjunct maps.
The way it works here is:
$ ypcat master.passwd
ypcat: no such map master.passwd.byname. reason: YP server error
$ sudo ypmatch brian master.passwd
brian:$1$yadayadayada:15:15::0:0:Brian Somers,Vancouver,+1 604 315 1343:/home/brian:/bin/bash
$ fgrep passwd /etc/nsswitch.conf
passwd: files nis
The default nsswitch.conf stuff probably works but I have my
own because that's specifically what I want. The important
bit is that I have a "master.passwd" NIS map that is the
same format as the native master.passwd file.
The other important thing is that I have a passwd map too -
for use by non-root queries to ypbind:
$ ypmatch brian passwd
brian:+:15:15:Brian Somers,Vancouver,+1 604 315 1343:/home/brian:/bin/bash
Brian Somers <brian at Awfulhak.org>
Don't _EVER_ lose your sense of humour ! <brian at FreeBSD.org>
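As an added example (not code from the thread or from FreeBSD), a small Python checker that applies the two points made above: it tells a 7-field passwd(5) line from a 10-field master.passwd(5) line, and names the password-field convention so that an entry like the MS-generated one (a string crypt(3) will not recognise) or a real hash sitting in the world-readable passwd map stands out. The sample lines and hash strings are constructed placeholders modelled on the ypcat/ypmatch output quoted in the thread; the field names follow passwd(5) and master.passwd(5).

```python
import re

# Constructed sample lines, modelled on the ypcat/ypmatch output quoted in
# the thread. The hash strings are placeholders, not real credentials.
SAMPLE_LINES = [
    "MyUser:ABCD!efgh12345$67890:10000:20::/disk1/test:/usr/local/bin/bash",
    "brian:$1$yadayadayada:15:15::0:0:Brian Somers,Vancouver:/home/brian:/bin/bash",
    "brian:+:15:15:Brian Somers,Vancouver:/home/brian:/bin/bash",
    "nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin",
]

# Field layouts from passwd(5) (7 fields) and master.passwd(5) (10 fields).
PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
MASTER_FIELDS = ("name", "password", "uid", "gid", "class",
                 "change", "expire", "gecos", "home", "shell")

# Traditional DES crypt(3): exactly 13 characters from the crypt alphabet.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field):
    """Name the password-field convention, as crypt(3) on FreeBSD would see it."""
    if field == "":
        return "empty"
    if field in ("*", "!") or field.startswith("*LOCKED*"):
        return "locked"
    if field == "+":
        return "placeholder"   # hash withheld; the real one lives in another map
    if field.startswith("$1$"):
        return "md5crypt"
    if field.startswith(("$2a$", "$2b$")):
        return "bcrypt"
    if field.startswith("$5$"):
        return "sha256crypt"
    if field.startswith("$6$"):
        return "sha512crypt"
    if DES_CRYPT.match(field):
        return "descrypt"
    return "unrecognized"


def parse_entry(line):
    """Split one NIS/passwd line and say which file format it follows."""
    fields = line.rstrip("\n").split(":")
    if len(fields) == len(PASSWD_FIELDS):
        fmt, names = "passwd", PASSWD_FIELDS
    elif len(fields) == len(MASTER_FIELDS):
        fmt, names = "master.passwd", MASTER_FIELDS
    else:
        raise ValueError("expected 7 or 10 fields, got %d: %r" % (len(fields), line))
    entry = dict(zip(names, fields))
    entry["format"] = fmt
    entry["hash_kind"] = classify_hash(entry["password"])
    return entry


def audit_map(lines):
    """Return (user, problem) pairs for entries a FreeBSD login will not accept
    or that leak a hash through the map every ypbind client may read."""
    problems = []
    for line in lines:
        e = parse_entry(line)
        if e["hash_kind"] == "unrecognized":
            problems.append((e["name"], "password field is not in a crypt(3) format"))
        if e["format"] == "passwd" and e["hash_kind"] not in ("placeholder", "locked", "empty"):
            problems.append((e["name"], "hash exposed in the non-root passwd map"))
    return problems


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_entry(line)
        print("%-8s %-14s %s" % (e["name"], e["format"], e["hash_kind"]))
    for user, problem in audit_map(SAMPLE_LINES):
        print("PROBLEM %s: %s" % (user, problem))
```

Run it against `ypcat passwd` (or, as root, `ypmatch user master.passwd`) output: the MS-generated entry is reported as a 7-field passwd line carrying an unrecognised hash, which matches the "authentication error" in the thread, while the master.passwd-style entry with a `$1$` hash and the passwd entry with `+` pass cleanly.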