FreeBSD 6.x, NIS, local root password, and nsswitch.conf

David Adam zanchey at
Wed Nov 22 06:45:32 PST 2006

On Wed, 22 Nov 2006, Mark Hennessy wrote:
> David Adam [zanchey at] wrote:
> >On Tue, 21 Nov 2006, Mark Hennessy wrote:
> >> I have a new system that has FreeBSD 6.1 on it to replace a system with
> >> FreeBSD 4.11 being put out of service.
> >>
> >> I want to keep to using local root passwords only, but export other users'
> >> logins over NIS.  It acts presently as an NIS slave server.
> >>
> >> The NIS master server was upgraded a few months ago to FreeBSD 6.0 and
> >> then 6.1.
> >>
> >> All other machines are running FreeBSD 4.11.
> >>
> >> A weird thing started to happen with the new machine.  Only on this new
> >> machine, the local root password doesn't work and only the root password
> >> of the NIS master server will work to attain root.  Perhaps something
> >> needs to be changed somewhere to make the local root password work again?
> >>
> >> I tried changing group and passwd to include 'files', I also tried
> >> changing group_compat and passwd_compat to include 'files', but no
> >> positive change.
> >
> >Mark,
> >
> >Careful here.
> >
> >The line needs to read 'files nis', not 'nis files' - if you used the
> >latter, try switching it around so that the local /etc/passwd is checked
> >for root logins before NIS is consulted.
> >
> >As I understand the man page, you want to change the {group,passwd}_compat
> >lines, not the {group,passwd} lines themselves.
> >
> >> I couldn't find nsswitch.conf on any of the FreeBSD 4.11 servers.  They
> >> are served by NIS as clients and all of their local root passwords work
> >> fine.
> >
> >From nsswitch.conf(5):
> >
> >"The nsswitch.conf file format first appeared in FreeBSD 5.0.  It was
> >imported from the NetBSD Project, where it appeared first in NetBSD 1.4."
> >
> >The NIS section of the handbook contains no mention of nsswitch.conf(5),
> >so I'm not actually sure that it's required for system authentication.
> >
> I'm a bit unsure about it myself.
> I tried exactly what you suggested, putting files on the compat line and
> before nis for both passwd and groups on the NIS slave server only, and no
> go.  Perhaps it is the master server that actually controls this? I don't
> know.  Any further advice would be greatly appreciated.

Just to clarify - you're running a single NIS master, and you're having
this problem on a new NIS client? Or is it a NIS slave server as well? I
don't think that this should affect things, but I just wanted to clear up
the nomenclature.

Hmm, odd. I don't know if you have to restart any services to pick up
changes in nsswitch.conf, but I doubt it.

However, re-reading the manpage reminded me that nsswitch doesn't actually
control authentication in many cases - PAM handles this, on Linux at any

Someone (quite possibly me) has kicked the cable out of my FreeBSD box, so
I can't check this at the moment, but you may well need to edit something
in /etc/pam.d. In particular, if you have NIS as sufficient, it'll take
precedence over pam_unix (i.e., files).


David Adam
zanchey at
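
The two ordering checks discussed in this thread ('files' ahead of 'nis' in nsswitch.conf, and a "sufficient" PAM module ahead of pam_unix), as an added example that is not part of the original post. The sample file contents are constructed, the function names are hypothetical, and `pam_example_nis.so` is a placeholder module name.

```python
import re

# Constructed sample inputs (not taken from the poster's machines).
SAMPLE_NSSWITCH = """\
passwd: nis files
passwd_compat: files nis
group: compat
group_compat: nis
hosts: files dns
"""
SAMPLE_PAM = """\
# pam_example_nis.so is a placeholder module name
auth     sufficient  pam_example_nis.so
auth     required    pam_unix.so  no_warn try_first_pass
account  required    pam_unix.so
"""

def nss_order(text):
    """Map each database to its ordered source list, ignoring [criteria]."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        order[db.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return order

def nis_before_files(order, dbs=("passwd", "passwd_compat",
                                 "group", "group_compat")):
    """Databases that list 'nis' ahead of 'files' (the 'nis files' case)."""
    return [db for db in dbs
            if "nis" in order.get(db, []) and "files" in order[db]
            and order[db].index("nis") < order[db].index("files")]

def sufficient_before_unix(text, facility="auth"):
    """Modules marked 'sufficient' that run before pam_unix in a facility."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        if "pam_unix" in fields[2]:
            break  # everything after pam_unix cannot pre-empt it
        if fields[1] == "sufficient":
            hits.append(fields[2])
    return hits

if __name__ == "__main__":
    print("nis before files:", nis_before_files(nss_order(SAMPLE_NSSWITCH)))
    print("sufficient before pam_unix:", sufficient_before_unix(SAMPLE_PAM))
```

To use it on a real host, pass the contents of /etc/nsswitch.conf and of the relevant file under /etc/pam.d in place of the sample strings.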

More information about the freebsd-stable mailing list