FreeBSD 6.x, NIS, local root password, and nsswitch.conf

Greg Byshenk freebsd at
Wed Nov 22 07:04:33 PST 2006

On Wed, Nov 22, 2006 at 10:49:01PM +0800, David Adam wrote:
> On Wed, 22 Nov 2006, Gerrit Kühn wrote:
> > On Wed, 22 Nov 2006 09:07:34 -0500 (EST) Mark Hennessy <mark at>
> > wrote about Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf:

> > MH> I'm a bit unsure about it myself.
> > MH> I tried exactly what you suggested, putting files on the compat line
> > MH> and before nis for both passwd and groups on the NIS slave server
> > MH> only, and no go.  Perhaps it is the master server that actually
> > MH> controls this? I don't know.  Any further advice would be greatly
> > MH> appreciated.

> > Sorry to disturb, but I don't understand why you distribute the server's
> > root pw via NIS at all. Is it really shown by "ypcat passwd" on the
> > client? If so, how about removing it from the list of exported accounts?
> That's a really good point. When you consider the inherent insecurity of
> NIS, having a root password in the maps is a pretty bad plan anyway.
> Given my vague handwaving at PAM, and the fact that the OP probably has
> NIS as sufficient above pam_unix, the obvious solution if my unverified
> assertions are correct is to remove the root password from the NIS maps.

I could be mistaken, but isn't the 'compat' entry to cover the case with
the old format passwd/group files, in which one used '+:...' or similar to
include NIS (or other authentication)?  As such, 'compat' means "use the
file, plus whatever is added under 'compat'", further meaning that you
can have only one entry under 'compat'.

So, if you want "old style" behavior, what you want is something like:

   passwd: compat
   passwd_compat: nis

Alternatively, you can use something like:

   passwd: files nis
   # passwd_compat: nis

or even:

   passwd: winbind nis files
   # passwd_compat: nis

[Corrections welcome if I have this wrong....]

greg byshenk  -  gbyshenk at  -  Leiden, NL
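
Added example, not part of the original message: two audit checks for the points raised in this thread, one flagging a `passwd:`/`group:` line that mixes `compat` with other sources, one listing UID 0 accounts in `ypcat passwd`-style output. The function names and sample data are constructed; the rule assumed is the one in FreeBSD's nsswitch.conf(5), that `compat`, if present, must be the only source for that entry.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Read nsswitch.conf text on stdin and print every passwd:/group: line
# that lists "compat" together with other sources.
nss_compat_mixed() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        $1 == "passwd:" || $1 == "group:" {
            has_compat = 0; others = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) continue        # skip [status=action] criteria
                if ($i == "compat") has_compat = 1; else others++
            }
            if (has_compat && others) print
        }'
}

# Read passwd(5)-format text on stdin (for example the output of
# "ypcat passwd" on a client) and print the login name of every UID 0
# entry. Old-style "+"/"-" inclusion lines are ignored.
uid0_accounts() {
    awk -F: '$1 !~ /^[+-]/ && $3 ~ /^0+$/ { print $1 }'
}

# Constructed nsswitch.conf: the group entry is valid old-style compat,
# the passwd entry mixes compat with other sources.
sample_nsswitch='group: compat
group_compat: nis
passwd: files compat nis   # constructed mixed line
passwd_compat: nis'

# Constructed NIS passwd map dump (hashes replaced by "*").
sample_map='root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
alice:*:1001:1001:Alice Example:/home/alice:/bin/sh'

echo "compat mixed with other sources:"
printf '%s\n' "$sample_nsswitch" | nss_compat_mixed
echo "UID 0 accounts exported in the map:"
printf '%s\n' "$sample_map" | uid0_accounts
```

On a live client the inputs would be `/etc/nsswitch.conf` and the output of `ypcat passwd`; any name printed by `uid0_accounts` is a superuser account being served from the NIS maps.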
