[SUMMARY] : Solaris 9 & NIS

From: Luc I. Suryo <luc_at_suryo.com>
Date: Sat Sep 28 2002 - 14:47:00 EDT
Thanks to Ivan,

This seems to be a known bug with Sun; after modifying /etc/pam.conf as
described below all works fine.


SOLUTION/FIX:
-------------------------------------------------------------------------

>    We have definitely seen this with Solaris 9 clients and NIS running in
> secure mode.  Indeed the client never asks for the passwd.adjunct.byname
> map.  The bug from Sun says:
> <begin pasted bug>
> 4670947
> logins failing when NIS is backend for authentication
> 18 Sep 2002
> 
> Category: pam
> Subcategory: unix_scheme
> State: integrated
> Description: see Comments
> Work Around:
> russell.blaine@sun.com 2002-06-03
> 
> Replace these three lines in /etc/pam.conf:
> other   auth required           pam_authtok_get.so.1
> other   auth required           pam_dhkeys.so.1
> other   auth required           pam_unix_auth.so.1
> 
> with this line:
> other   auth required           pam_unix.so.1
> 
> russell.blaine@sun.com 2002-07-23
> 
> C2 security is preserved with this workaround.
> 
> <end pasted bug>
> 
>    Sun also sent me another copy of passwdutil.so.1 to place in /usr/lib
> (wonder if this is just from the latest release of Solaris 8) which also
> works, and they say the new passwdutil.so.1 also doesn't break C2
> security.
> 

PROBLEM:
-------------------------------------------------------------------------
> 
> > hello,
> >
> > Has someone seen this problem and knows how to fix it?
> >
> > Situation
> > 	master Solaris 8/Sparc, with shadow/secure support enabled
> > 	client Solaris 9/Sparc, problem
> > 	client Solaris 8/Sparc, work OK
> >
> > what does work
> > 	su - user   			OK this is a user in NIS
> > 	ypwhich     			OK shows the correct server
> > 	ypcat passwd.byname		OK data correct
> > 	ypcat passwd.adjunct.byname	OK data correct
> >
> > what does not work
> > 	any user cannot log in as the password is not accepted!
> > 	and a snoop shows that the client asks for passwd.byname
> > 	but I never see the passwd.adjunct.byname..
> >
> > 	snoop with the other working client: I do see passwd.byname
> > 	and then passwd.adjunct.byname
> >
> > note
> > 	the system was jumpstarted with the latest version of JASS
> > 	so not sure if that is an issue...
> >

-- 
Kind regards,
Luc Suryo
Received on Sat Sep 28 14:51:10 2002
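
Added example (not part of the original post or of Sun's bug report): a small shell check that reports whether the "other auth" stack in a pam.conf-style file still lists the three split modules named in the workaround or has been replaced with pam_unix.so.1. The function name, the state labels and the sample file are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. Classifies the "other auth" stack of a pam.conf-style file:
#   split      - at least one of the three modules from the bug report remains
#   workaround - only pam_unix.so.1 is listed (state after the quoted workaround)
#   unknown    - neither pattern was found for "other auth"
# Offending lines are reported on stderr as file:line: module.
pam_other_auth_state() {
    conf=${1:-/etc/pam.conf}
    awk '
        $1 ~ /^#/ || NF < 4 { next }            # skip comments and short lines
        $1 == "other" && $2 == "auth" {
            n = split($4, part, "/")            # tolerate a full module path
            mod = part[n]
            if (mod == "pam_unix.so.1") has_unix = 1
            if (mod == "pam_authtok_get.so.1" ||
                mod == "pam_dhkeys.so.1" ||
                mod == "pam_unix_auth.so.1") {
                split_seen = 1
                printf "%s:%d: %s\n", FILENAME, FNR, mod > "/dev/stderr"
            }
        }
        END {
            if (split_seen)     print "split"
            else if (has_unix)  print "workaround"
            else                print "unknown"
        }
    ' "$conf"
}

# Constructed sample input: the three lines quoted in the bug report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real system file
other   auth required           pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_auth.so.1
EOF
echo "sample state: $(pam_other_auth_state "$sample" 2>/dev/null)"
rm -f "$sample"
```

On a client, run pam_other_auth_state with no argument to check /etc/pam.conf. Only the "other" service is examined, because that is the only entry the workaround names.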