Debian Bug report logs - #36584
nss' compat does not work with shadow nis

Package: libc6; Maintainer for libc6 is GNU Libc Maintainers <debian-glibc@lists.debian.org>; Source for libc6 is src:glibc.

Reported by: Jacques DESMARAIS <desm@CS.McGill.CA>

Date: Sun, 25 Apr 1999 19:15:35 UTC

Severity: important

Found in version 2.0.7.19981211-6

Done: Joel Klecker <jk@espy.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Joel Klecker <debian-glibc@lists.debian.org>:
Bug#36584; Package libc6.


Acknowledgement sent to Jacques DESMARAIS <desm@CS.McGill.CA>:
New bug report received and forwarded. Copy sent to Joel Klecker <debian-glibc@lists.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Jacques DESMARAIS <desm@CS.McGill.CA>
To: submit@bugs.debian.org
Subject: nss' compat does not work with shadow nis
Date: Fri, 23 Apr 1999 10:20:25 -0400
Package: libc6
Version: 2.0.7.19981211-6
Severity: important

Our setup is as follows:
- Machine C: . runs debian linux
             . package libc6 is at version 2.0.7.19981211-6
             . package nis is at 3.3.1-1
             . is set up as nis client

- Machine S: . runs Solaris 2.5 + NSkit-2.1
             . is the nis (not nis+) server.  Runs in C2 secure
               mode, i.e. serves a passwd file with mangled
               passwords, and a passwd.adjunct.byname file to
               requests that come from a privileged port.
               (mangled passwords are of the form: ##<login>)

On machine C, a ypcat passwd works for both privileged and non-priv.
users, whereas the ypcat passwd.adjunct.byname only works for priv.
users.  So I know that the server is behaving the way I want it to.

When nsswitch.conf on C is set to the following:
> passwd:         files nis
> group:          files nis
> shadow:         files nis
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis

...and when the '+' syntax is not used in either passwd, shadow or
group files, everything works fine.  All users from the NIS passwd
file are seen and can be authenticated.  Unfortunately, no
user-level or netgroup restrictions can be set.

However, when I use 'compat' for passwd, group and shadow like this:
> passwd:         compat                  
> group:          compat
> shadow:         compat
>                        
> (the rest is the same)

... even though I add '+mylogin::::::' and '+mylogin::::::::' at the
end of /etc/passwd and /etc/shadow respectively, the uid <-> login
mapping still occurs, but authentication does not.  For example,
su'ing from mylogin to mylogin does not work, and neither does
telnetting or rlogin'ing into the machine.

I suspect that there might be a problem with the libnss_compat
library.  It might not be pulling the shadow password correctly from
the Solaris server.  Also, since I have not seen anyone else
complain about this problem, maybe it is because others are using
debian linux systems as both server and client.

I don't know if this can help, but I have run tcpdump and noticed
that when 'files nis' is used, and I su from myself to myself, 5
packets are sent to the server; whereas when 'compat' is used, only
3 are sent.  (output of tcpdump has been stripped of irrelevant
information: <t> is timestamp, C is linux box, S is solaris nis
server)

Using 'files nis' and su'ing from myself to myself:
<t>.478458 C.809 > S.895: udp 84
<t>.488458 S.895 > C.809: udp 108 (DF)
<t>.488458 C.810 > S.895: udp 92
<t>.488458 S.895 > C.810: udp 116 (DF)
<t>.488458 C.811 > S.895: udp 84
<t>.488458 S.895 > C.811: udp 32 (DF)
<t>.488458 C.812 > S.895: udp 84
<t>.498458 S.895 > C.812: udp 108 (DF)
<t>.498458 C.814 > S.895: udp 92
<t>.498458 S.895 > C.814: udp 116 (DF)

Using 'compat' and su'ing from myself to myself:
<t>.898594 C.810 > S.895: udp 84
<t>.898594 S.895 > C.810: udp 108 (DF)
<t>.908594 C.811 > S.895: udp 84
<t>.908594 S.895 > C.811: udp 32 (DF)
<t>.908594 C.812 > S.895: udp 84
<t>.908594 S.895 > C.812: udp 108 (DF)

Thank you in advance for looking into this.

--
					-Jacques
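
Added example, not part of the original report: a small Python script that pairs each request in the two tcpdump excerpts above with its reply (by client port) and lists the exchanges that occur under 'files nis' but not under 'compat'. The function names are hypothetical; the capture lines are copied from the report, which does not show which NIS map each exchange queries.

```python
import re
from collections import Counter

# Capture lines copied from the report (already stripped by the reporter).
FILES_NIS = """\
<t>.478458 C.809 > S.895: udp 84
<t>.488458 S.895 > C.809: udp 108 (DF)
<t>.488458 C.810 > S.895: udp 92
<t>.488458 S.895 > C.810: udp 116 (DF)
<t>.488458 C.811 > S.895: udp 84
<t>.488458 S.895 > C.811: udp 32 (DF)
<t>.488458 C.812 > S.895: udp 84
<t>.498458 S.895 > C.812: udp 108 (DF)
<t>.498458 C.814 > S.895: udp 92
<t>.498458 S.895 > C.814: udp 116 (DF)
"""
COMPAT = """\
<t>.898594 C.810 > S.895: udp 84
<t>.898594 S.895 > C.810: udp 108 (DF)
<t>.908594 C.811 > S.895: udp 84
<t>.908594 S.895 > C.811: udp 32 (DF)
<t>.908594 C.812 > S.895: udp 84
<t>.908594 S.895 > C.812: udp 108 (DF)
"""

LINE = re.compile(r"^<t>\.(\d+) (\w)\.(\d+) > (\w)\.(\d+): udp (\d+)")

def exchanges(capture, client="C"):
    """Return (request_len, reply_len) pairs, matched on the client's source port."""
    pending, pairs = {}, []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a stripped tcpdump line
        _, src, sport, dst, dport, length = m.groups()
        if src == client:
            pending[sport] = int(length)          # request awaiting its reply
        elif dst == client and dport in pending:
            pairs.append((pending.pop(dport), int(length)))
    return pairs

def missing(baseline, other):
    """Exchanges present in baseline but absent from other (multiset difference)."""
    return sorted((Counter(baseline) - Counter(other)).elements())

if __name__ == "__main__":
    print("files nis:", exchanges(FILES_NIS))
    print("compat:   ", exchanges(COMPAT))
    print("missing under compat:", missing(exchanges(FILES_NIS), exchanges(COMPAT)))
```

Both exchanges with a 92-byte request and a 116-byte reply are absent under 'compat'; the three remaining exchanges have the same sizes in both captures.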


Message sent on to Jacques DESMARAIS <desm@CS.McGill.CA>:
Bug#36584.


Message #8 received at 36584-submitter@bugs.debian.org:

From: Joel Klecker <jk@espy.org>
To: 36584-submitter@bugs.debian.org
Subject: Please confirm this bug against potato.
Date: Fri, 18 Feb 2000 15:23:46 -0800

Hi,

if you can upgrade to potato and try to reproduce the bug that'd be great.
For reference, here's what you wrote:

>Received: (at submit) by bugs.debian.org; 23 Apr 1999 14:20:55 +0000
>Received: (qmail 7362 invoked from network); 23 Apr 1999 14:20:48 -0000
>Received: from milquetoast.cs.mcgill.ca (132.206.2.5)
>  by master.debian.org with SMTP; 23 Apr 1999 14:20:48 -0000
>Received: (from desm@localhost)
>        by milquetoast.cs.mcgill.ca (8.8.8/8.8.8) id KAA10803
>        for submit@bugs.debian.org; Fri, 23 Apr 1999 10:20:25 -0400 (EDT)
>Date: Fri, 23 Apr 1999 10:20:25 -0400
>From: Jacques DESMARAIS <desm@CS.McGill.CA>
>To: submit@bugs.debian.org
>Subject: nss' compat does not work with shadow nis
>Message-ID: <19990423102025.B10129@CS.McGill.CA>
>Mime-Version: 1.0
>Content-Type: text/plain; charset=us-ascii
>X-Mailer: Mutt 0.94.15i
>
>Package: libc6
>Version: 2.0.7.19981211-6
>Severity: important
>
>Our setup is as follows:
>- Machine C: . runs debian linux
>             . package libc6 is at version 2.0.7.19981211-6
>             . package nis is at 3.3.1-1
>             . is set up as nis client
>
>- Machine S: . runs Solaris 2.5 + NSkit-2.1
>             . is the nis (not nis+) server.  Runs in C2 secure
>               mode, i.e. serves a passwd file with mangled
>               passwords, and a passwd.adjunct.byname file to
>               requests that come from a privileged port.
>               (mangled passwords are of the form: ##<login>)
>
>On machine C, a ypcat passwd works for both privileged and non-priv.
>users, whereas the ypcat passwd.adjunct.byname only works for priv.
>users.  So I know that the server is behaving the way I want it to.
>
>When nsswitch.conf on C is set to the following:
>> passwd:         files nis
>> group:          files nis
>> shadow:         files nis
>>
>> hosts:          files dns
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>
>...and when the '+' syntax is not used in either passwd, shadow or
>group files, everything works fine.  All users from the NIS passwd
>file are seen and can be authenticated.  Unfortunately, no
>user-level or netgroup restrictions can be set.
>
>However, when I use 'compat' for passwd, group and shadow like this:
>> passwd:         compat
>> group:          compat
>> shadow:         compat
>>
>> (the rest is the same)
>
>... even though I add '+mylogin::::::' and '+mylogin::::::::' at the
>end of /etc/passwd and /etc/shadow respectively, the uid <-> login
>mapping still occurs, but authentication does not.  For example,
>su'ing from mylogin to mylogin does not work, and neither does
>telnetting or rlogin'ing into the machine.
>
>I suspect that there might be a problem with the libnss_compat
>library.  It might not be pulling the shadow password correctly from
>the Solaris server.  Also, since I have not seen anyone else
>complain about this problem, maybe it is because others are using
>debian linux systems as both server and client.
>
>I don't know if this can help, but I have run tcpdump and noticed
>that when 'files nis' is used, and I su from myself to myself, 5
>packets are sent to the server; whereas when 'compat' is used, only
>3 are sent.  (output of tcpdump has been stripped of irrelevant
>information: <t> is timestamp, C is linux box, S is solaris nis
>server)
>
>Using 'files nis' and su'ing from myself to myself:
><t>.478458 C.809 > S.895: udp 84
><t>.488458 S.895 > C.809: udp 108 (DF)
><t>.488458 C.810 > S.895: udp 92
><t>.488458 S.895 > C.810: udp 116 (DF)
><t>.488458 C.811 > S.895: udp 84
><t>.488458 S.895 > C.811: udp 32 (DF)
><t>.488458 C.812 > S.895: udp 84
><t>.498458 S.895 > C.812: udp 108 (DF)
><t>.498458 C.814 > S.895: udp 92
><t>.498458 S.895 > C.814: udp 116 (DF)
>
>Using 'compat' and su'ing from myself to myself:
><t>.898594 C.810 > S.895: udp 84
><t>.898594 S.895 > C.810: udp 108 (DF)
><t>.908594 C.811 > S.895: udp 84
><t>.908594 S.895 > C.811: udp 32 (DF)
><t>.908594 C.812 > S.895: udp 84
><t>.908594 S.895 > C.812: udp 108 (DF)
>
>Thank you in advance for looking into this.
>
>--
>                                        -Jacques
-- 
Joel Klecker (aka Espy)                    Debian GNU/Linux Developer
<URL:mailto:jk@espy.org>                 <URL:mailto:espy@debian.org>
<URL:http://web.espy.org/>               <URL:http://www.debian.org/>


Bug closed, ack sent to submitter - they'd better know why! Request was from Joel Klecker <jk@espy.org> to control@bugs.debian.org.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 24 23:52:17 2024; Machine Name: bembo