HPE Community
Operating System - Tru64 Unix
1847604 Members
5424 Online
110265 Solutions
New Discussion

tru64 NIS Master and HP-UX 11.0 clients compatibility ?

 
Joan Cambras
Occasional Advisor

‎03-25-2004 01:27 AM

‎03-25-2004 01:27 AM

tru64 NIS Master and HP-UX 11.0 clients compatibility ?

Hi all,

We would like to install a NIS Master in a Tru64 server running enhanced security with some HP-UX 11.0 clients (trusted system).

The problem is that the tru64 NIS Master looks for and updates passwords in /var/yp/src/prpasswd while the HP-UX clients look for the passwd in /var/yp/passwd and so the whole thing doesn't work.

Is there any way to set up things so that server and clients work with the same passwd database?

Thanks in advance,
Joan Cambras
jcambras@cesca.es
0 Kudos
9 REPLIES 9
Ann Majeske
Honored Contributor

‎03-25-2004 03:25 AM

‎03-25-2004 03:25 AM

Re: tru64 NIS Master and HP-UX 11.0 clients compatibility ?

You can connect to a Tru64 NIS server running Enhanced Security from systems that are not running Enhanced Security if you have things set up right. The only client systems that this may not work with are ones running other product's versions of C2/Shadow password or whatever.

You can set up the Tru64 Enhanced Security NIS server to put the password in both the prpasswd and the passwd map by setting the u_newcrypt field to 3. Here's the definition of the crypt values (from the
/usr/include/prot.h file):
#define AUTH_CRYPT_BIGCRYPT 0 /* index to use bigcrypt*/
#define AUTH_CRYPT_CRYPT16 1 /* index to use crypt16 */
#define AUTH_CRYPT_OLDCRYPT 2 /* index to use old crypt */
#define AUTH_CRYPT_C1CRYPT 3 /* index to use /etc/passwd */

I haven't worked out the exact steps, but to get the Enhanced Security NIS server to serve the password in both the passwd and prpasswd map, you'd have to do something like:
- copy the current passwords from the prpasswd map to the passwd map and rebuild the passwd map (you might have a problem using the current passwords if you're not using the default crypt, so I'd test this with one or two passwords first). Or just require all your users to reset their passwords after you set u_newcrypt to 3.
- edit the default database on the NIS master server to set the u_newcrypt field to 3 (see the man pages for default and edauth).

I think that the Enhanced Security NIS master server will properly handle password change requests from the non-Enhanced Security NIS clients in this case, but you should check it.

Ann

0 Kudos
Joan Cambras
Occasional Advisor

‎03-25-2004 04:04 AM

‎03-25-2004 04:04 AM

Re: tru64 NIS Master and HP-UX 11.0 clients compatibility ?

Thanks Ann,

I've added the passwd to /var/yp/src/passwd
file.

I've rebuilt the map with make passwd.

Now if I do "ypcat passwd" from the client I see the paswwd entries with the passwd in them.

But I'm still unable to login. When I try to login to the user I get "Login incorrect"

Should I modify pam.conf for NIS to work?

0 Kudos
Ann Majeske
Honored Contributor

‎03-25-2004 04:52 AM

‎03-25-2004 04:52 AM

Re: tru64 NIS Master and HP-UX 11.0 clients compatibility ?

Hi Joan,

You may be having problems because of the previous encryption method. Try logging into the NIS master (the Tru64 system) as that user and changing the password. Then see if you can log into the NIS client.

Ann
0 Kudos
Joan Cambras
Occasional Advisor

‎03-25-2004 11:12 PM

‎03-25-2004 11:12 PM

Re: tru64 NIS Master and HP-UX 11.0 clients compatibility ?

Hi Ann,

I've added u_newcrypt#3 in the NIS master to a NIS test user "nistest".

I've logged to this user in the NIS master and changed its passwd via the passwd cmd.

I see that the passwd gets only changed in /var/yp/src/prpasswd and not in /var/yp/src/passwd.

I've manually copied its passwd to /var/yp/passwd and rebuilt the passwd NIS map.

But I'm still unable to log to this user in the client HP-UX. I get the following:

login: nistest
Password:
Login incorrect

Wait for login retry: ..

If I "su - nistest" to the user, then it works.

Any more ideas?
thanks !
0 Kudos
Ann Majeske
Honored Contributor

‎03-26-2004 06:16 AM

‎03-26-2004 06:16 AM

Re: tru64 NIS Master and HP-UX 11.0 clients compatibility ?

Hi Joan,

I think I know what the problem is, but I might be wrong. How did you add the u_newcrypt#3 to the account? If you just edited /var/yp/src/prpasswd then you have to make the maps for the change to be seen. A better way to edit the account is to use the edauth tool. It will do the appropriate make for you.

Ann
0 Kudos
Joan Cambras
Occasional Advisor

‎03-28-2004 07:12 PM

‎03-28-2004 07:12 PM

Re: tru64 NIS Master and HP-UX 11.0 clients compatibility ?

Ann,

I did "edauth testuser" and added the u_newcrypt field.

I fact, if you do am "edauth -g testuser" you get the following:

testuser:u_name=testuser:u_id#15251:u_pwd=bigxxxxxxxSPY:...:u_oldcrypt#3:u_newcrypt#3:u_lock@:chkent:

Regards,
Joan
0 Kudos
Ann Majeske
Honored Contributor

‎03-29-2004 03:31 AM

‎03-29-2004 03:31 AM

Re: tru64 NIS Master and HP-UX 11.0 clients compatibility ?

Hi Joan,

I'm running out of suggestions.

Check your /etc/svc.conf file and make sure you have the lines:
auth=local,yp
pwd=local,yp

Make sure the local /etc/passwd file doesn't contain an entry for testuser.

You could try adding another test user to see if the problem is specific to that user.

Ann
0 Kudos
Joan Cambras
Occasional Advisor

‎03-30-2004 12:23 AM

‎03-30-2004 12:23 AM

Re: tru64 NIS Master and HP-UX 11.0 clients compatibility ?

Ann,

nsswitch.conf is ok. It has:
passwd: files nis
group: files nis

As you pointed out in a previous it must be a problem with passwd encryption because I get the following error:

# ssh -l testuser machine
testuser@machines's password:
Permission denied, please try again.

And in syslog.log:
Mar 30 13:02:55 machine sshd[16545]: Failed password for testuser from xxx.xxx.xxx.xxx port 56488 ssh2

testuser in the NIS Master server (Tru64) has u_newcrypt 3.
The NIS client is an HP-UX 11.0 set up as a trusted system.

Best regards
Joan
0 Kudos
Ann Majeske
Honored Contributor

‎03-30-2004 05:01 AM

‎03-30-2004 05:01 AM

Re: tru64 NIS Master and HP-UX 11.0 clients compatibility ?

Hi Joan,

Are you still having the problem where the NIS master only updates the password in the prpasswd map instead of both the prpasswd and passwd map? If you are, then you still have two sets of problems, one on the Tru64 NIS master and the other on the HP-UX NIS clients.

I'm not sure that this will work at all with a Tru64 NIS master with Enhanced Security and a HP-UX client running as a trusted system. It might be best to ask for specifics about HP-UX trusted systems in the HP-UX forum, I'm not an HP-UX expert. I see several possibilities for problems on the HP-UX side. The first is that I don't know if HP-UX trusted systems use crypt to encrypt the password, or at least that crypt might not be the default encryption. The second is that I think that an HP-UX trusted system has additional fields in the passwd entry that Tru64 doesn't have. The third is that I don't know if HP-UX trusted systems work with NIS at all. Another potential issue is that Tru64 only uses NIS, HP-UX may use NIS+.

Ann
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.