Networking Forums

NIS Account issues/

 
 
Matt Fuerst
07-09-2003, 04:00 PM
Greetings,

We are transitioning our servers from Novell/Windows to a Linux based
network. I'm very happy for this as I have been campaigning for it since I
have arrived at my job.

We are going to have three servers, two production units and one for
testing.

Since we are going to be sharing users and groups amongst the machines, I
proposed an NIS system to only have to set up the information on the one
machine. The install thus far has gone surprisingly smooth IMHO.

Machine A has the NIS server software installed and running correctly.

Machine B and C are both running the NIS client software (ypbind) pretty
much successfully.

At the console of B and C, I can log in with accounts present on A. However
when I login I get the following message:

id: cannot find name for user ID 501
id: cannot find name for user ID 501
[I have no name!@users_correct_home_dir]

Additionally I cannot log in to the machines via ssh using a NIS account.
When I try to login I am immediately disconnected and it writes a message
into /var/log/secure to the effect of:

sshd[1774] fatal: login_get_lastlog: Cannot find account for uid 501.

Any recommendations? Obviously the basic stuff is working, as it sees the
account, checks my password, logs in with the right shell and takes me to
the right home directory. But something is not being set properly.

Next question...

I create my accounts on Machine A with the normal 'adduser' program, which
creates a home directory for me on that machine, but not on Machine B and C.
I know for large sites that have hundreds of NIS Clients there must be a
solution easier than manually creating accounts on all the machines or using
a default location that is the same for all accounts. Suggestions?

Thanks so much!

Matt Fuerst


 
Matt Fuerst
07-10-2003, 12:36 PM
Hi Skylar,

Thanks for responding...

> What does "ypcat passwd" report on the client machines? Also, have you
> added the NIS lines in /etc/passwd and /etc/group? For /etc/passwd, put
> this at the end of the file:
>
> +:::::::::
>
> (it's one ":" for every ":" that's in a normal line)
>
> and for /etc/group
>
> +:::
>
> This will allow any user or group to appear on the client machine.


Yes, ypcat password shows all the users correctly. I definitely should have
mentioned this in the original post. Sorry. The users are definitely working
correctly and getting to the machine via NIS, as while I am logged in as
root on a client machine I can do a: su nisusername and I get a login
prompt.

> NFS is probably the easiest way to go about doing it. Just export the home
> directories on any of the servers to all the other machines. Make sure that
> only machines that need to mount the directory have access to the NFS
> server, and that your routers drop any spoofed packets.


Alright, I was fearing that was going to be the answer. I don't think we
want that solution for our site... but will consider it!

Thanks so much!

Matt Fuerst


 
Matt Fuerst
07-10-2003, 12:38 PM
Hi Ian,

Thanks for responding!

> > At the console of B and C, I can log in with accounts present on A. However
> > when I login I get the following message:
> >
> > id: cannot find name for user ID 501
> > id: cannot find name for user ID 501
> > [I have no name!@users_correct_home_dir]
>
> Apparently the passwd.byuid map is missing on the server. This is used
> to translate an ID to a name.


While on my NIS host, I go to my /var/yp/domain/ directory and I see a
passwd.byuid, so it's there and being built when I do a make in the /var/yp/
directory. So either the clients are not receiving that file for some
reason, or are not processing it correctly? Any ideas why that would be? I
at least have something to google on this morning to try to find an answer.
Thanks a lot for that!

Matt


 
Matt Fuerst
07-10-2003, 12:42 PM
Just as another follow up Ian (and group)

I can issue: ypcat passwd.byuid on my NIS clients and everything looks in
order. User names, UID, GID, homes, etc...

Does that help/hurt?

Matt

"Ian Northeast" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Matt Fuerst wrote:
> >
> > Greetings,
> >
> > We are transitioning our servers from Novell/Windows to a Linux based
> > network. I'm very happy for this as I have been campaigning for it since I
> > have arrived at my job.
> >
> > We are going to have three servers, two production units and one for
> > testing.
> >
> > Since we are going to be sharing users and groups amongst the machines, I
> > proposed an NIS system to only have to set up the information on the one
> > machine. The install thus far has gone surprisingly smooth IMHO.
> >
> > Machine A has the NIS server software installed and running correctly.
> >
> > Machine B and C are both running the NIS client software (ypbind) pretty
> > much successfully.
> >
> > At the console of B and C, I can log in with accounts present on A. However
> > when I login I get the following message:
> >
> > id: cannot find name for user ID 501
> > id: cannot find name for user ID 501
> > [I have no name!@users_correct_home_dir]
>
> Apparently the passwd.byuid map is missing on the server. This is used
> to translate an ID to a name.
>
> Regards, Ian



 
PDock
07-10-2003, 01:12 PM
Matt Fuerst wrote:
>
> I create my accounts on Machine A with the normal 'adduser' program, which
> creates a home directory for me on that machine, but not on Machine B and
> C. I know for large sites that have hundreds of NIS Clients there must be
> a solution easier than manually creating accounts on all the machines or
> using a default location that is the same for all accounts. Suggestions?
>
> Thanks so much!
>
> Matt Fuerst

google vanillanis

Think this might be the concept you are looking for.
ppd
 
Ian Northeast
07-10-2003, 07:33 PM
Matt Fuerst wrote:

> "Ian Northeast" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Matt Fuerst wrote:
>
> > > Machine A has the NIS server software installed and running correctly.
> > >
> > > Machine B and C are both running the NIS client software (ypbind) pretty
> > > much successfully.
> > >
> > > At the console of B and C, I can log in with accounts present on A. However
> > > when I login I get the following message:
> > >
> > > id: cannot find name for user ID 501
> > > id: cannot find name for user ID 501
> > > [I have no name!@users_correct_home_dir]
> >
> > Apparently the passwd.byuid map is missing on the server. This is used
> > to translate an ID to a name.
>
> Just as another follow up Ian (and group)
>
> I can issue: ypcat passwd.byuid on my NIS clients and everything looks in
> order. User names, UID, GID, homes, etc...
>
> Does that help/hurt?


Please don't top post! You managed not to in your other response. It was
a pain rearranging this.

Unfortunately it hurts as it means my guess was incorrect. What happens
if you issue "ypmatch 501 passwd.byuid"?

Regards, Ian
 
Matt Fuerst
07-10-2003, 07:45 PM
Hi Ian,

> > > Apparently the passwd.byuid map is missing on the server. This is used
> > > to translate an ID to a name.
>
> > Just as another follow up Ian (and group)
> >
> > I can issue: ypcat passwd.byuid on my NIS clients and everything looks in
> > order. User names, UID, GID, homes, etc...
>
> Unfortunately it hurts as it means my guess was incorrect. What happens
> if you issue "ypmatch 501 passwd.byuid"?


Sorry about the previous top post...

Output of ypmatch 501 passwd.byuid:

username:scrambledplaintextpassword:501:501::/home/username:/bin/bash

That all looks legit enough for me.

What's written in /var/log/secure after the failure:
date/timestamp sshd[4070]: Accepted password for username from 192.168.X.X
port 4631 ssh2
date/timestamp sshd[4070]: fatal: login_get_lastlog: Cannot find account for
uid 501

Am I repeating that from before? If so, sorry...

Ideas?

Matt


 
Ian Northeast
07-10-2003, 08:15 PM
Matt Fuerst wrote:

> Output of ypmatch 501 passwd.byuid:
>
> username:scrambledplaintextpassword:501:501::/home/username:/bin/bash
>
> That all looks legit enough for me.
>
> What's written in /var/log/secure after the failure:
> date/timestamp sshd[4070]: Accepted password for username from 192.168.X.X
> port 4631 ssh2
> date/timestamp sshd[4070]: fatal: login_get_lastlog: Cannot find account for
> uid 501


Very odd. What is the exact Linux distro/version? What do you have in
/etc/nsswitch.conf for passwd, group and shadow? Are you by any chance
running nscd? This can screw up NIS in odd ways although I haven't seen
this particular one.

Regards, Ian
 
Matt Fuerst
07-11-2003, 07:11 PM
I hope Ian didn't get hit by a bus or anything, I was hoping I could keep
stumping him!

Matt


 
Ian Northeast
07-11-2003, 09:05 PM
Matt Fuerst wrote:
>
> > Matt Fuerst wrote:
> >
> > > Output of ypmatch 501 passwd.byuid:
> > >
> > > username:scrambledplaintextpassword:501:501::/home/username:/bin/bash
> > >
> > > That all looks legit enough for me.
> > >
> > > What's written in /var/log/secure after the failure:
> > > date/timestamp sshd[4070]: Accepted password for username from 192.168.X.X
> > > port 4631 ssh2
> > > date/timestamp sshd[4070]: fatal: login_get_lastlog: Cannot find account for
> > > uid 501
> >
> > Very odd. What is the exact Linux distro/version? What do you have in
> > /etc/nsswitch.conf for passwd, group and shadow? Are you by any chance
> > running nscd? This can screw up NIS in odd ways although I haven't seen
> > this particular one.
> >
> > Regards, Ian
>
> Both server and clients are RedHat 9.0 stock installs.
>
> Important parts of /etc/nsswitch.conf (on client):
>
> passwd: files nis
> shadow: files nis
> group: files nis
> hosts: files nis


Looks fine.

> The rest of which is "stock". I just noted that the server actually is set
> to just use files. I don't imagine this being a problem with the clients?


No, there is no need for a NIS server to be a client itself, it can be
of course. Normally it doesn't make a lot of difference. If it is making
the maps from its own real passwd files etc. it will get the same data
either way.

> A: ps aux shows no nscd running, so I assume it's not active.
>
> While searching today I did note that someone said to issue: ypcat
> group.byuid, which does not work on the clients, nor does that file exist in
> /var/yp/domainname. I assumed this was antiquated as the post was from many
> moons ago.


No, just wrong. There has never been any such map in a standard NIS
setup (of course you can create any map you like). The poster probably
meant group.bygid.

> /var/yp/domainname contains:
>
> group.bygid
> group.byname
> hosts.byaddr
> hosts.byname
> passwd.byname
> passwd.byuid
>
> Does that seem right?


Unfortunately yes, it does. I cannot at the moment see any reason why
your setup should not work.

Anyone know if anything is broken in NIS in RH9? I don't have it myself
but have used NIS in many different Linux distros including RH from 5.0
to 8.0 without ever seeing this sort of trouble.

Regards, Ian
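
Added example, not part of the thread: a small diagnostic for the situation discussed above, where `ypmatch 501 passwd.byuid` returns a record but `id` and sshd cannot resolve the uid. It compares the NIS map with the resolver's answer (`getent passwd`, a standard glibc tool the thread does not mention) and masks the password field before printing; the function names are hypothetical, and the demo input reuses values quoted in the thread plus one constructed empty result.

```shell
#!/usr/bin/env bash
# Added example: localise a uid -> name failure on a NIS client by comparing the
# NIS map with what the resolver (NSS) returns. Function names are made up here.

# Print the source list for one nsswitch.conf database; the file is read from stdin.
nss_sources() {
  awk -F: -v db="$1" '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "", $1) }
    $1 == db { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# Mask the password field of passwd-format records before they reach a log or a post.
redact() {
  awk -F: 'BEGIN { OFS = ":" }
    NF >= 7 && $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { $2 = "<redacted>" }
    { print }'
}

# $1 = record from the map      (ypmatch UID passwd.byuid)
# $2 = record from the resolver (getent passwd UID); id and sshd use this path
diagnose() {
  nis_name=${1%%:*}; nss_name=${2%%:*}
  if [ -z "$1" ] && [ -z "$2" ]; then echo "unknown: uid is in neither NIS nor NSS"
  elif [ -z "$2" ]; then echo "nss-miss: map has $nis_name but the resolver returns nothing"
  elif [ -z "$1" ]; then echo "local-only: $nss_name comes from a non-NIS source"
  elif [ "$nis_name" != "$nss_name" ]; then echo "conflict: NIS=$nis_name NSS=$nss_name"
  else echo "ok: $nss_name"
  fi
}

if [ -n "${1:-}" ]; then            # live mode: pass the uid as the first argument
  conf=$(cat /etc/nsswitch.conf)
  nis_rec=$(ypmatch "$1" passwd.byuid 2>/dev/null || true)
  nss_rec=$(getent passwd "$1" || true)
else                                # demo mode: values quoted in the thread
  conf='passwd: files nis
shadow: files nis
group: files nis'
  nis_rec='username:scrambledplaintextpassword:501:501::/home/username:/bin/bash'
  nss_rec=''                        # constructed: models "cannot find name for user ID 501"
fi
echo "passwd sources: $(printf '%s\n' "$conf" | nss_sources passwd)"
printf '%s\n' "$nis_rec" | redact
diagnose "$nis_rec" "$nss_rec"
```

A `conflict` result means a local account listed earlier in the `passwd:` source order holds the same uid as the NIS account, so file ownership maps to the local name.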
 