duncan@corp.telecom.co.nz (Duncan McEwan) (03/19/91)
I am attempting to set up the passwd.adjunct file support on SunOS 4.1 without the rest of the C2 security stuff. I have read articles by William LeFebvre in the August and November 1990 issues of "Sun Observer", which suggest that this is possible, but things aren't working properly. This may be because we are also running NIS, which I don't think William was.

I have created /etc/security/passwd.adjunct with the following entry for myself:

    duncan:<my encrypted passwd>:::::

My passwd entry looks like:

    duncan:##duncan:38:5:Duncan McEwan:/rhome/traminer/duncan:/bin/csh

I have run the /var/yp/Makefile to update both the passwd and passwd.adjunct targets, and have started /usr/etc/pwdauthd on the appropriate machines.

When I try logging on to the NIS master things work OK, but when I log on to another machine (which incidentally is a NIS secondary server -- I *have* checked that the appropriate NIS maps are the same as on the master) I get the message

    No home directory specified in password file!
    Logging on with home=/

As an experiment, I tried creating myself a local password entry on the secondary machine. When I tried logging on then, I got the message

    pwdauth: bad passwd entry for duncan
    Login incorrect

Does anyone out there have some idea as to what is going on here?

A couple more questions have arisen during the course of my experimenting trying to get the above to work.

Firstly, when I started experimenting, I just created a passwd.adjunct file with a single entry for myself. I was the only user with a password in the NIS passwd.byname map of the form '##username'. Shortly after, I started getting complaints from others saying they couldn't log on (they were getting the message "passwd: Sorry not in adjunct file" :-(. I had assumed that perhaps one of the reasons for having a user's /etc/passwd file entry start with "##" was so you could selectively turn on use of the adjunct file for some people, but the above seems to indicate that this isn't true. Could someone confirm/deny this?

Secondly, in William's August 1990 article, he mentions that NIS prevents non-root users looking at NIS maps that have mode 600 in /var/yp/<domainname> (obviously without some protection, sites running NIS wouldn't gain anything from adjunct files -- though given the inherent security problems with NIS, I'm not sure they gain anything anyway :-). I experimented with this by making other maps (e.g. networks.byname) mode 600 but was still able to ypcat them. When I try ypcat'ing passwd.adjunct.byname as a non-root user I certainly get an error ("no such map in servers domain"). Was William right when he described when NIS prevents access to the adjunct map (in which case I guess I did something wrong in my experiments) or does the protection work some other way?

One final question -- how does the passwd.adjunct file stuff interact with password ageing (I know that password ageing is broken when using NIS in SunOS 4.1, but hopefully that will be fixed in 4.1.1, in which case we may want to try that out too).

I will summarize any email replies I receive, to interested parties...

Thanks in advance to anyone that can help.

Duncan
(duncan@corp.telecom.co.nz or, more frequently, duncan@comp.vuw.ac.nz)
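The file-level side of the setup described in the post, as an added example that is not part of the original post or of SunOS: a POSIX sh script (hypothetical helper names check_adjunct and make_sample) that cross-checks a passwd file against a passwd.adjunct file before the maps are pushed. It assumes the layouts shown in the post (seven colon-separated fields in each file, with a passwd password field of the form ##name naming the adjunct entry) and flags the conditions that files alone can produce behind the messages quoted above: a ##name entry with no usable adjunct entry, a line with the wrong number of fields, and an empty home-directory field. The sample files it writes are constructed for the demo, and the hashes in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the post or from SunOS): a consistency check for a
# passwd file that delegates passwords to a passwd.adjunct file.
# Assumed layouts (7 colon-separated fields each):
#   passwd:          name:##name:uid:gid:gecos:home:shell
#   passwd.adjunct:  name:encrypted:min:max:def:always:never
# The sample files below are constructed for the demo; the hashes are placeholders.

# check_adjunct PASSWD ADJUNCT
# Writes one diagnostic per problem to stderr, prints the problem count on
# stdout, and returns 1 if any problem was found (0 if the files are consistent).
check_adjunct() {
    awk -F: -v adjfile="$2" '
    function problem(msg) { print msg > "/dev/stderr"; bad++ }
    BEGIN {
        bad = 0
        # Load the adjunct file, rejecting entries with the wrong field count.
        while ((getline line < adjfile) > 0) {
            n = split(line, f, ":")
            if (n != 7) problem("adjunct: " f[1] ": expected 7 fields, got " n)
            else adj[f[1]] = f[2]
        }
        close(adjfile)
    }
    NF != 7 { problem("passwd: " $1 ": expected 7 fields, got " NF); next }
    $2 ~ /^##/ {
        ref = substr($2, 3)
        # A ##name entry must point at its own adjunct entry, which must exist
        # and carry an encrypted password.
        if (ref != $1) problem("passwd: " $1 ": refers to adjunct entry " ref)
        if (!(ref in adj)) problem("passwd: " $1 ": no adjunct entry")
        else if (adj[ref] == "") problem("adjunct: " ref ": empty password field")
    }
    $6 == "" { problem("passwd: " $1 ": no home directory") }
    END { print bad; exit (bad > 0) }
    ' "$1"
}

# make_sample: write a constructed passwd/passwd.adjunct pair into a temporary
# directory and print the directory name. The duncan entry mirrors the post;
# the other users are made up to exercise each check.
make_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:*:0:1:Operator:/:/bin/csh
duncan:##duncan:38:5:Duncan McEwan:/rhome/traminer/duncan:/bin/csh
alice:##alice:39:5:Alice Example:/home/alice:/bin/sh
bob:##bob:40:5:Bob Example:/home/bob:/bin/sh
carol:##carol:41:5:Carol Example::/bin/sh
EOF
    # alice has no adjunct entry, bob's adjunct line has only six fields,
    # carol has a good adjunct entry but no home directory.
    cat > "$d/passwd.adjunct" <<'EOF'
duncan:PLACEHOLDER.HASH.1:::::
bob:PLACEHOLDER.HASH.2::::
carol:PLACEHOLDER.HASH.3:::::
EOF
    echo "$d"
}

# Demo: the constructed pair yields four problems (alice: no adjunct entry;
# bob: bad adjunct line and therefore no usable entry; carol: no home directory).
dir=$(make_sample)
check_adjunct "$dir/passwd" "$dir/passwd.adjunct" || echo "files are inconsistent"
rm -rf "$dir"
```

Run it against the source files on the NIS master and against the copies on a secondary before rebuilding the maps; the non-zero exit status lets it gate a Makefile target. It only inspects the two files, so a clean result rules out the files themselves and says nothing about the NIS maps or pwdauthd.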