Andrew Kaplan
Super Advisor

Disabling a local user account in favor of an NIS account with the same name

Hi there --

 

We are running an NIS master server on a Red Hat Enterprise Linux ES release 4 system. Prior to the server coming on line, all clients, Red Hat Fedora, within the domain had a local user account, test, that was employed for accessing an application on each workstation.

 

When the NIS server came on line, all users were assigned individual domain user accounts and passwords to access the application. A domain user account similarly named test with a completely different password was set up for emergency use. This latter account had a stronger password that was not readily available to the users.

 

When logging into any of the workstations, the password that was affiliated with the local test account enabled test to access the application, while the password for the domain account did not result in a successful login. A check of several of the client systems indicated the presence of the test account in the /etc/passwd file, and when compared with that file on the NIS server, there was a discrepancy in the user id.

 

The /etc/nsswitch.conf file on all clients has passwd, group, and shadow referencing files and then nis for authentication. To get the domain password to work with the test account there were two approaches that I had in mind:

 

1. Go to the /etc/passwd file on all workstations, and comment out the line that includes the test account.

2. Go to the /etc/nsswitch.conf file on all workstations, and change the order of authentication to nis and then files.

 

I would think the first approach would be better due to this occurring with only one user account, but if someone can recommend a more effective solution, please let me know.

 

Thanks.

A Journey In The Quest Of Knowledge
Dennis Handly
Acclaimed Contributor

Re: Disabling a local user account in favor of an NIS account with the same name

>1. Go to the /etc/passwd file on all workstations and comment out the line that includes the test account.

 

On HP-UX you can't comment out passwd entries.  You can move them below the NIS entry.

Matti_Kurkela
Honored Contributor

Re: Disabling a local user account in favor of an NIS account with the same name

Commenting out /etc/passwd entries is not recommended in Linux either.

 

Comments are not part of standard /etc/passwd syntax - run "man 5 passwd" and notice it does not describe any way to comment out entries.

 

Although Linux has standard libc functions for looking up /etc/passwd entries, some scripts or programs might read /etc/passwd directly instead of using the standard lookup functions and might be confused by the commented entries.

 

This is one of the places in Linux/Unix systems where historical reasons get in the way of general principles.

MK
Rajesh K Chaurasia
Valued Contributor

Re: Disabling a local user account in favor of an NIS account with the same name

As others have already indicated that commenting out entries from /etc/passwd file may not work, I would suggest tuning /etc/nsswitch file to move nis lookup ahead of passwd and group files.

 

Alternatively, you could change the default login shell of the local user to /bin/false or /sbin/nologin. Are there any issues with this approach? Without changing /etc/nsswitch file, commands like id would still fetch entries from local /etc/passwd file even if default login shell is disabled.

 

Regards

-Rajesh
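
An added example, not written by any poster in this thread: a Python audit for the situation discussed above. It lists account names present in both the local passwd file and the NIS passwd map, which source answers first under the client's nsswitch.conf passwd order, and whether the UIDs differ. All sample data and UIDs are constructed, the function names are hypothetical, and the "first listed source answers" logic assumes default nsswitch actions.

```python
# Constructed sample data. On a real client these would come from
# /etc/passwd, `ypcat passwd`, and /etc/nsswitch.conf.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
test:x:500:500:App account:/home/test:/bin/bash
#old:x:501:501::/home/old:/bin/bash
"""
NIS_PASSWD = """test:x:1200:1200:Emergency account:/home/test:/bin/bash
alice:x:1201:1201:Alice:/home/alice:/bin/bash
"""
NSSWITCH = """# constructed nsswitch.conf excerpt
passwd: files nis
shadow: files nis
group:  files nis
"""

def parse_passwd(text):
    """Return ({name: uid}, [lines that are not valid 7-field entries])."""
    entries, rejected = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7 or not fields[2].isdigit():
            rejected.append(line)  # '#' is not documented passwd(5) syntax
            continue
        entries.setdefault(fields[0], int(fields[2]))  # first entry wins
    return entries, rejected

def passwd_sources(nsswitch_text):
    """Ordered lookup sources on the 'passwd:' line, ignoring [..] actions."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            return [s for s in line.split(":", 1)[1].split() if not s.startswith("[")]
    return []

def shadowed_accounts(local_text, nis_text, nsswitch_text):
    """List names present in both sources, which source answers, UID clash."""
    local, _ = parse_passwd(local_text)
    nis, _ = parse_passwd(nis_text)
    order = [s for s in passwd_sources(nsswitch_text) if s in ("files", "nis")]
    winner = order[0] if order else None
    return [{"name": n, "answered_by": winner, "local_uid": local[n],
             "nis_uid": nis[n], "uid_mismatch": local[n] != nis[n]}
            for n in sorted(local.keys() & nis.keys())]

if __name__ == "__main__":
    for row in shadowed_accounts(LOCAL_PASSWD, NIS_PASSWD, NSSWITCH):
        print(row)
    print("rejected:", parse_passwd(LOCAL_PASSWD)[1])
```

A UID mismatch matters beyond login: files created under the local UID will not belong to the NIS account once it becomes the one that resolves.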