FreeBSD 6.x, NIS, local root password, and nsswitch.conf

Mark Hennessy mark at
Wed Nov 22 07:50:26 PST 2006

David Adam [zanchey at] wrote:
>On Wed, 22 Nov 2006, Mark Hennessy wrote:
>> David Adam [zanchey at] wrote:
>> >On Tue, 21 Nov 2006, Mark Hennessy wrote:
>> >> I have a new system that has FreeBSD 6.1 on it to replace a system 
>> >> FreeBSD 4.11 being put out of service.
>> >>
>> >> I want to keep to using local root passwords only, but export other 
>> >> logins over NIS.  It acts presently as an NIS slave server.
>> >>
>> >> The NIS master server was upgraded a few months ago to FreeBSD 6.0 
>> >> then 6.1.
>> >>
>> >> All other machines are running FreeBSD 4.11.
>> >>
>> >> A weird thing started to happen with the new machine.  Only on this 
>> >> machine, the local root password doesn't work and only the root 
>> >> of the NIS master server will work to attain root.  Perhaps 
>> >> needs to be changed somewhere to make the local root password work 
>> >>
>> >> I tried changing group and passwd to include 'files', I also tried
>> >> changing group_compat and passwd_compat to include 'files', but no
>> >> positive change.
>> >
>> >Mark,
>> >
>> >Careful here.
>> >
>> >The line needs to read 'files nis', not 'nis files' - if you used the
>> >latter, try switching it around so that the local /etc/passwd is 
>> >for root logins before NIS is consulted.
>> >
>> >As I understand the man page, you want to change the 
>> >lines, not the {group,passwd} lines themselves.
>> >
>> >> I couldn't find nsswitch.conf on any of the FreeBSD 4.11 servers. 
>> >> are served by NIS as clients and all of their local root passwords 
>> >> fine.
>> >
>> >>From nsswitch.conf(5):
>> >
>> >"The nsswitch.conf file format first appeared in FreeBSD 5.0.  It was
>> >imported from the NetBSD Project, where it appeared first in NetBSD 
>> >
>> >The NIS section of the handbook contains no mention of 
>> >so I'm not actually sure that it's required for system authentication.
>> >
>> I'm a bit unsure about it myself.
>> I tried exactly what you suggested, putting files on the compat line 
>> before nis for both passwd and groups on the NIS slave server only, and 
>> go.  Perhaps it is the master server that actually controls this? I 
>> know.  Any further advice would be greatly appreciated.
>Just to clarify - you're running a single NIS master, and you're having
>this problem on a new NIS client? Or is it a NIS slave server as well? I
>don't think that this should affect things, but I just wanted to clear up
>the nomenclature.
>Hmm, odd. I don't know if you have to restart any services to pick up
>changes in nsswitch.conf, but I doubt it.
>However, re-reading the manpage reminded me that nsswitch doesn't actually
>control authentication in many cases - PAM handles this, on Linux at any
>Someone (quite possibly me) has kicked the cable out of my FreeBSD box, so
>I can't check this at the moment, but you may well need to edit something
>in /etc/pam.d. In particular, if you have NIS as sufficient, it'll take
>precedence over pam_unix (i.e., files).
>David Adam
>zanchey at

The machine in question having the problem with its root password being 
clobbered by NIS is an NIS Slave Server running FreeBSD 6.1, the other 
machines that aren't having this problem are clients running FreeBSD 4.11, 
and the NIS Master Server is running FreeBSD 6.1.

The pam config for login and su don't appear to be pointing specifically 
to NIS for anything, just system.

Mark P. Hennessy

More information about the freebsd-stable mailing list