My nis+ server problem was solved by updating the credentials for the
server, and updating the keys in all the NIS+ directories, because I, as
part of the troubleshooting, had changed the root-passwd of the server:
1) kill keyserv
2) shutdown and restart the nisd with -S 0.
3) nisaddcred des
4) run nisupdkeys on all your nis directories, e.g.
   nisupdkeys org_dir.e.dmi.min.dk
   nisupdkeys groups_dir.e.dmi.min.dk
   nisupdkeys e.dmi.min.dk
5) shutdown NIS+ and restart it with -S 2.
6) start keyserv
On some clients it was necessary to do nisinit -c -H server
to update the NIS_COLD_START file.
I still don't know why the problem started in the first place --
before I changed the root-passwd. And I think I will run NIS in the
future instead of NIS+.
Thanks a lot to
janderso%pgn138fs@motown.ge.com
jlu@mcs213k.cs.umr.edu
And especially thanks to
casper@fwi.uva.nl
Yours,
Ulla
Ulla> I run Solaris 2.2 on both server and clients. The server runs
Ulla> securitylevel 0 (started with rpc.nisd -r -S 0). Last Friday all
Ulla> my nis+ clients started not being able to use any
Ulla> nis-commands. They got the following answer:
Ulla> NIS+ error: Unable to authenticate NIS+ server.
Ulla> I looked at the messages file at one client, and found the
Ulla> following:
Ulla> Apr 11 16:32:56 pratt syslog: authdes_refresh: unable to encrypt conversation key
Ulla> Apr 11 16:35:03 pratt syslog: authdes_refresh: unable to encrypt conversation key
Ulla> Apr 11 16:35:22 pratt syslog: authdes_refresh: unable to encrypt conversation key
Ulla> Apr 11 16:48:00 pratt syslog: authdes_seccreate: unable to gen conversation key
Ulla> Apr 11 16:55:23 pratt syslog: authdes_seccreate: unable to gen conversation key
Ulla> The situation is the same on the server!
Ulla> Then I was not able to log in as myself on any client. Only as
Ulla> root. Same situation on the server.
Ulla> On the server I tried to update the clients' credentials with
Ulla> nisaddcred, with the following result:
Ulla> NIS+ error: Unable to authenticate NIS+ server
Ulla> Now just before I stopped working (giving up), I tried nisinit
Ulla> my client, rm /var/nis/* (I wanted to have the COLD_START_FILE
Ulla> updated). I found out that I can read the nis-files, if the
Ulla> keyserv process is not running, but as soon as I start it, I get
Ulla> the error:
Ulla> NIS+ error: Unable to authenticate NIS+ server
Ulla> I can log in, when the keyserv process is not running, but of
Ulla> course get the error
Ulla> Could not set unix.4019@e.dmi.min.dk's secret key May be the
Ulla> keyserv is down?
Ulla> It seems obvious to me, that the problem is inconsistency
Ulla> between the cred.org_dir database and the keys used to authorize
Ulla> users. But I can't update the cred.org_dir file even when logged
Ulla> in as root on the server. I think I must run a nisinit -r, but
Ulla> what happens then to all my existing database files?
Ulla> I know this description is a little loose, but the situation has
Ulla> been changing slightly during the two days I have been working
Ulla> full time on it. And I do not have the clear overview of how the
Ulla> security is handled in NIS+.
Ulla> Thank you very much for your help.
Ulla> Yours,
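
Added example (not part of the original post): a shell function that
summarises the AUTH_DES conversation-key failures quoted above, per host
and per failing routine, so it is visible which machines are affected and
since when. The sample log is constructed from the syslog lines in the
post; the host name hostb and the unrelated line are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post.
# Summarise Secure RPC (AUTH_DES) conversation-key failures in syslog output.
# Reads syslog lines on stdin; prints one line per host and failing routine:
#   host routine count first="date time" last="date time"
authdes_failures() {
    awk '
    # Layout of the lines quoted in the post:
    #   $1 $2 = date, $3 = time, $4 = host, $5 = "syslog:", $6 = "routine:"
    $6 ~ /^authdes_(refresh|seccreate):$/ && /conversation key/ {
        routine = substr($6, 1, length($6) - 1)   # drop the trailing colon
        key = $4 " " routine
        stamp = $1 " " $2 " " $3
        if (!(key in count)) { first[key] = stamp; order[++n] = key }
        count[key]++
        last[key] = stamp
    }
    END {
        # Report in order of first appearance
        for (i = 1; i <= n; i++) {
            k = order[i]
            printf "%s %d first=\"%s\" last=\"%s\"\n", k, count[k], first[k], last[k]
        }
    }'
}

# Constructed sample: the five pratt lines are those quoted in the post;
# hostb and the "some unrelated message" line are hypothetical.
sample_log() {
    cat <<'EOF'
Apr 11 16:32:56 pratt syslog: authdes_refresh: unable to encrypt conversation key
Apr 11 16:35:03 pratt syslog: authdes_refresh: unable to encrypt conversation key
Apr 11 16:35:22 pratt syslog: authdes_refresh: unable to encrypt conversation key
Apr 11 16:40:00 pratt syslog: some unrelated message
Apr 11 16:41:10 hostb syslog: authdes_refresh: unable to encrypt conversation key
Apr 11 16:48:00 pratt syslog: authdes_seccreate: unable to gen conversation key
Apr 11 16:55:23 pratt syslog: authdes_seccreate: unable to gen conversation key
EOF
}

sample_log | authdes_failures
```

To use it on a real machine, feed the messages file to the function on
stdin instead of the sample.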