SUMMARY: rpc.yppasswdd woes...

From: George Emmett Hogan III (hogan@cujo.csl.sri.com)
Date: Mon Jun 01 1992 - 17:50:47 CDT


Many thanks to all who responded to my plea for help. The answer to my
problem was simple: apply patch ID# 100564-01. I have applied the
patch and all seems right in Mudville. Jonathan Davis responded with
the quickest (before I even got my copy of my original post) and the
most complete response, so I have included it here.

Thanks again to all who replied (and to those whose responses I have
not yet received) :
        Jonathan C. Davis
        Paul Arens
        Dan Kegel
        Jeff Bacon
        David Boyd
        Ace Stewart
        Kevin W. Thomas
        Steve Riley
        Joost van Vroonhoven
        Fons Ullings
        Alain Brossard EPF
        Peter Young
        Ivan Auger

My original Post:

-- On May 29, 1992 at 10:49am, Emmett Hogan wrote:
-> Subject: rpc.yppasswdd woes...
-> Hi All,
->
-> I am having a terrible time getting rpc.yppasswdd running, actually I can
-> get it running, I just can't keep it running. Here's my configuration:
->
-> NIS Server      NIS Client
-> ----------      ----------
-> Sun 4/380       SPARCstation IPC
-> SunOS 4.1.1     SunOS 4.1.2
->
-> I am also running Sun's C2 Security.
->
-> On the server I start up rpc.yppasswdd like so:
->
-> server# /usr/etc/rpc.yppasswdd /etc/passwd /etc/security/passwd.adjunct -m passwd DIR=/var/yp
->
-> It starts up just fine. I then go to change my password on the client like so:
->
-> client% passwd
-> Changing NIS password for hogan on server.
-> Old password:
-> New password:
-> Retype new password:
-> RPC: Timed out
->
-> passwd couldn't change entry (rpc call failed)
->
-> And if I look back on the server, the rpc.yppasswdd daemon has died.
-> If I run a trace on the daemon while I am changing my password, it
-> appears that the daemon dies with a SIGSEGV(11) after reading the
-> first entry in the passwd.adjunct file.
->
->
-> Has anyone else come across this problem?
->
-> Any pointers (even a RTFM, if you can tell me which FM to R), would be greatly appreciated.
->
->
-> Thanks in advance,
->
-> -Emmett
-- End of excerpt from Emmett Hogan

The Solution....

-- On May 29, 1992 at 1:47pm, Jonathan C. Davis wrote:
-> Subject: Re: rpc.yppasswdd woes...
->
-> Emmett-
->
-> I was having that very problem myself when I first went to 4.1.2. Patch
-> 100564-01 fixes it. You can get it from ftp.uu.net.
->
-> --
-> Jonathan C. Davis Manager, Network Support
-> Auburn University Alabama Cooperative Extension Service
-> jdavis@acenet.auburn.edu 205-844-9660
->
->
-> ----------
-> X-Sun-Data-Type: default
-> X-Sun-Data-Name: README.100564-01
-> X-Sun-Content-Lines: 164
->
-> Patch-ID# 100564-01
-> Keywords: C2 Jumbo rpc.yppasswdd rpc.pwdauthd
-> Synopsis: SunOS 4.1.2: C2 Jumbo patch
-> Date: 1/Apr/92
->
-> SunOS release: 4.1.2
->
-> Unbundled Product:
->
-> Unbundled Release:
->
-> Topic: C2 Jumbo patch
->
-> BugID's fixed for this patch: 1040334 1043667 1058378 1059261 1063796
->
-> Architectures for which this patch is available: sun4
->
-> Patches which may conflict with this patch: 100138, 100201, 100338
->
-> Obsoleted by:
->
-> Problem Description:
-> bug 1040334:
-> yppasswd will not allow user to change passwd from client, the daemon
-> dies on server
->
-> bug 1043667:
-> rpc.yppasswdd uses an incorrect lock file
->
-> bug 1058378:
-> rpc.pwdauthd logs cleartext passwords via auditd
->
-> bug 1059261:
-> NIS and C2 Security passwd.adjunct file can get overwritten by passwd
->
-> bug 1063796:
-> When running C2 with NIS, yppasswd password changes from client system
-> would take 5 minutes of delay before taking effect.
->
-> Modified binaries:
-> /usr/etc/rpc.yppasswdd
-> /usr/etc/rpc.pwdauthd
->
-> Problem Description:
-> This is a port of the C2 Jumbo patch (100201-04) to SunOS 4.1.2.
-> It is required on all SunOS 4.1.2 machines wishing to run C2 security.
->
-> INSTALL:
->
-> NOTE: If you do not plan to run C2, but want the fix for rpc.yppasswdd
-> (bug ids 1040334 and 1043667), you can just install a new
-> rpc.yppasswdd as given below in the steps for all systems.
->
-> =============================================================================
->
-> Only on the MASTER NIS server
->
-> =============================================================================
-> * Add the following lines to the /etc/rc.local file on the NIS master, after
-> * the entry for ypbind startup. Note that the -m option has no arguments,
-> * thus ensuring both passwd and passwd.adjunct maps are built when a passwd
-> * change occurs.
->
-> #
-> # This starts yppasswd daemon and tells it to look for the passwd.adjunct file
-> #
-> if [ -f /usr/etc/rpc.yppasswdd -a -d /var/yp/`domainname` ]; then
-> rpc.yppasswdd /etc/passwd /etc/security/passwd.adjunct -m; echo rpc.yppasswdd
-> fi
->
-> * Now follow the step given for all systems.
->
-> =============================================================================
->
-> Only on NIS client machines not running C2 security with a
-> MASTER NIS server converted to running C2 security.
->
-> =============================================================================
-> * Normally all machines will be C2 converted within a NIS domain to
-> * achieve C2 classification. These steps are for cases where NIS
-> * clients have not been C2 converted, but the NIS MASTER has been converted.
-> *
-> * Machines with a NIS master using passwd shadowing (passwd.adjunct) need
-> * to run the rpc.pwdauthd to decrypt shadowed passwd's. This daemon will
-> * automatically be started by the default rc.local script if a passwd.adjunct
-> * file exists. Do the following to create this file with a "+" entry in it
-> * to use the NIS passwd.adjunct map.
->
-> # mkdir /etc/security
-> # chown root.staff /etc/security
-> # chmod 2711 /etc/security
-> # echo "+" > /etc/security/passwd.adjunct
-> # chown root.staff /etc/security/passwd.adjunct
-> # chmod 644 /etc/security/passwd.adjunct
->
-> * To prevent the auditd process from starting in /etc/rc.local,
-> * modify the /etc/rc.local script for the startup of auditd to:
->
-> echo -n 'starting local daemons:'
-> if [ -f /usr/etc/auditd -a -d /etc/security/audit ]; then
-> auditd; echo -n ' auditd'
-> fi
->
-> * Now follow the step given for all systems.
->
-> =============================================================================
->
-> Generically for all systems:
->
-> ===========================================================================
->
-> * The following pseudo-users must be added to /etc/passwd and *
-> * /etc/security/passwd.adjunct before changing any binaries *
-> * This is so the auditing of the rpc.pwdauthd and rpc.yppasswd can occur *
-> * These additions do not need to be done on NIS client machines since
-> * they will pick these changes up from the NIS master.
-> * *
-> * /etc/passwd additions: *
->
-> AUpwdauthd:##AUpwdauthd:10:10:::/bin/false
-> AUyppasswdd:##AUyppasswdd:11:10:::/bin/false *
->
-> */etc/security/passwd.adjunct additions: *
->
-> AUpwdauthd:*::::: *
-> AUyppasswdd:*::::: *
->
-> ===========================================================================
->
-> Now, complete the install by loading in the modified binaries.
-> Note that the dynamically linked binaries are incompatible with the
-> use of the US Encryption Kit. If you will be using the US
-> Encryption Kit, load the static versions (rpc.pwdauthd.static and
-> rpc.yppasswdd.static) of the provided binaries.
->
-> First save the FCS distribution versions as a precaution:
->
-> # cp /usr/etc/rpc.pwdauthd /usr/etc/rpc.pwdauthd.FCS
-> # cp /usr/etc/rpc.yppasswdd /usr/etc/rpc.yppasswdd.FCS
->
-> It is critical that the following steps be completed in single-user
-> mode, so that the rpc.pwdauthd and rpc.yppasswd daemons are both
-> disabled while the new versions are installed.
->
-> # shutdown now
->
-> The new version of the binaries can now be installed.
->
-> # cp rpc.pwdauthd /usr/etc/rpc.pwdauthd
-> # chown root.staff /usr/etc/rpc.pwdauthd
-> # chmod 755 /usr/etc/rpc.pwdauthd
->
-> # cp rpc.yppasswdd /usr/etc/rpc.yppasswdd
-> # chown root.staff /usr/etc/rpc.yppasswdd
-> # chmod 755 /usr/etc/rpc.yppasswdd
->
->
-> Double check permissions of the new files. If the permissions are set
-> incorrectly, login will not be able to occur except in single user mode
-> (boot -s).
->
-> Now you can either enter a ^D (control D) from single user
-> mode or reboot the machine. This finishes the installation.
->
-- End of excerpt from Jonathan C. Davis

 -Emmett
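
The README's "double check permissions" step and its pseudo-user additions can be scripted. The following is an added example, not part of the original post or of Sun's patch: the function names and the ROOT prefix argument are hypothetical, and it checks modes and entries only, not the root.staff ownership.

```sh
#!/bin/sh
# Added example: post-install checks for the README steps quoted above.
# ROOT is a hypothetical prefix argument (empty string for the live system)
# so the checks can also be pointed at a staged or constructed tree.

# Compare the 10-character permission string from `ls -ld` with EXPECTED.
check_mode() {  # check_mode PATH EXPECTED
    actual=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$actual" = "$2" ] && return 0
    echo "FAIL: $1 is '${actual:-missing}', expected '$2'" >&2
    return 1
}

# Succeed if FILE has a line beginning with the literal string PREFIX.
has_entry() {  # has_entry FILE PREFIX
    awk -v p="$2" 'index($0, p) == 1 { f = 1 } END { exit !f }' "$1" \
        2>/dev/null && return 0
    echo "FAIL: $1 has no entry starting '$2'" >&2
    return 1
}

# All systems: both replaced daemons must be mode 755.
verify_binaries() {  # verify_binaries ROOT
    rc=0
    for b in rpc.pwdauthd rpc.yppasswdd; do
        check_mode "$1/usr/etc/$b" '-rwxr-xr-x' || rc=1
    done
    return $rc
}

# Audit pseudo-users must be present in both passwd and passwd.adjunct.
verify_pseudo_users() {  # verify_pseudo_users ROOT
    rc=0
    for u in AUpwdauthd AUyppasswdd; do
        has_entry "$1/etc/passwd" "$u:##$u:" || rc=1
        has_entry "$1/etc/security/passwd.adjunct" "$u:*:" || rc=1
    done
    return $rc
}

# Unconverted NIS client of a C2 master: directory 2711, adjunct 644 with "+".
verify_client_adjunct() {  # verify_client_adjunct ROOT
    rc=0
    check_mode "$1/etc/security" 'drwx--s--x' || rc=1
    check_mode "$1/etc/security/passwd.adjunct" '-rw-r--r--' || rc=1
    has_entry "$1/etc/security/passwd.adjunct" '+' || rc=1
    return $rc
}
```

Source the file and call, for example, `verify_binaries ""` before leaving single-user mode; each function returns non-zero and names the offending path on stderr if a check fails.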


