Solaris NIS server with SuSE NIS client

 
 
christian.charette@gmail.com

 
      06-15-2006, 05:23 PM
Hello all.

I'm trying to get a SuSE 9 Linux NIS client to connect to a Solaris 10
NIS server, with some difficulty.

I can get the client to bind.

[root@mp-03 ~]>> rpcinfo -p localhost
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 32768 status
100021 1 udp 32768 nlockmgr
100021 3 udp 32768 nlockmgr
100021 4 udp 32768 nlockmgr
100024 1 tcp 32768 status
100021 1 tcp 32768 nlockmgr
100021 3 tcp 32768 nlockmgr
100021 4 tcp 32768 nlockmgr
100007 2 udp 807 ypbind
100007 1 udp 807 ypbind
100007 2 tcp 810 ypbind
100007 1 tcp 810 ypbind

The command rpcinfo -u localhost ypbind returns the following values:
[root@mp-03 ~]>> rpcinfo -u localhost ypbind
program 100007 version 1 ready and waiting
program 100007 version 2 ready and waiting

I can perform a ypmatch
[root@mp-03 ~]>> ypmatch -k chris passwd
chris chris:moOfMUdmr9FoM:50000:50004:christian charette:/export/home/chris:/bin/sh

So that's good. I've removed c2secure on the NIS master, and I now get
the passwords returned in the passwd.byname map. This isn't perfect,
as I'd rather have c2secure on the Solaris server on AND get the Linux
client to authenticate clients, but I'm trying to deal with issues one
at a time.

I have the following values set in various configuration files for
compatibility mode:

[root@mp-03 ~]>> tail -2 /etc/passwd
+:Allowed_group:::::
-:*:::::

[root@mp-03 ~]>> tail -1 /etc/shadow
+::::::::

[root@mp-03 ~]>> tail -1 /etc/group
+:::

/etc/nsswitch.conf has the following set:
passwd: compat
group: compat

My user is set in the netgroup. This setup works fine with the Solaris
clients.
[root@mp-03 ~]>> ypmatch -k Allowed_group netgroup
Allowed_group (,chris,mydomain) (,user1,mydomain) (,user2,mydomain) (,bob,mydomain)


Here are my symptoms:

A) On Linux, when I attempt to do an su to a user (chris) from root, I
get the following errors:
[root@mp-03 ~]>> su - chris
[root@MP-03] # bash
[I have no name!@mp-03 ~]>> whoami
whoami: cannot find username for UID 50000
[I have no name!@mp-03 ~]>> id
uid=50000 gid=50004 groups=50004

Though I could su into my user, and it found the right UID for him, my
user doesn't seem too happy with things.

B) SSH works for local users. When I try to login using SSH on an NIS
account, my session fails. Here is the trace I get from syslog (I set
the syslog level to auth.debug + the sshd to log at debug level):
Jun 15 10:20:20 mp-03 sshd[19542]: debug1: Forked child 19736.
Jun 15 10:20:20 mp-03 sshd[19736]: Connection from 192.168.180.140 port 23041
Jun 15 10:20:20 mp-03 sshd[19736]: debug1: Client protocol version 2.0; client software version Sun_SSH_1.1
Jun 15 10:20:20 mp-03 sshd[19736]: debug1: no match: Sun_SSH_1.1
Jun 15 10:20:20 mp-03 sshd[19736]: debug1: Enabling compatibility mode for protocol 2.0
Jun 15 10:20:20 mp-03 sshd[19736]: debug1: Local version string SSH-1.99-OpenSSH_3.8p1
Jun 15 10:20:21 mp-03 sshd[19736]: debug1: PAM: initializing for "chris"
Jun 15 10:20:21 mp-03 sshd[19736]: debug1: PAM: setting PAM_RHOST to "om-00"
Jun 15 10:20:21 mp-03 sshd[19736]: debug1: PAM: setting PAM_TTY to "ssh"
Jun 15 10:20:21 mp-03 sshd[19736]: Failed none for chris from 192.168.180.140 port 23041 ssh2
Jun 15 10:20:24 mp-03 sshd[19736]: error: PAM: Authentication failure
Jun 15 10:20:24 mp-03 sshd[19736]: Failed keyboard-interactive/pam for chris from 192.168.180.140 port 23041 ssh2
Jun 15 10:20:25 mp-03 sshd[19736]: error: PAM: Authentication failure
Jun 15 10:20:25 mp-03 sshd[19736]: Failed keyboard-interactive/pam for chris from 192.168.180.140 port 23041 ssh2
Jun 15 10:20:25 mp-03 sshd[19736]: error: PAM: Authentication failure
Jun 15 10:20:25 mp-03 sshd[19736]: Failed keyboard-interactive/pam for chris from 192.168.180.140 port 23041 ssh2
Jun 15 10:20:26 mp-03 sshd[19736]: error: Could not get shadow information for chris
Jun 15 10:20:26 mp-03 sshd[19736]: Failed password for chris from 192.168.180.140 port 23041 ssh2
Jun 15 10:20:27 mp-03 last message repeated 2 times
Jun 15 10:20:27 mp-03 sshd[19736]: debug1: do_cleanup
Jun 15 10:20:27 mp-03 sshd[19736]: debug1: PAM: cleanup

C) I try the same test using SSH keys (rather than password
authentication). Below is the output that I get. Notice that SSH
reports a key pair match, and fails at the pam_unix2 module:
Jun 15 10:22:55 mp-03 sshd[19542]: debug1: Forked child 20331.
Jun 15 10:22:55 mp-03 sshd[20331]: Connection from 192.168.180.140 port 23072
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: Client protocol version 2.0; client software version Sun_SSH_1.1
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: no match: Sun_SSH_1.1
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: Enabling compatibility mode for protocol 2.0
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: Local version string SSH-1.99-OpenSSH_3.8p1
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: PAM: initializing for "chris"
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: PAM: setting PAM_RHOST to "om-00"
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: PAM: setting PAM_TTY to "ssh"
Jun 15 10:22:55 mp-03 sshd[20331]: Failed none for chris from 192.168.180.140 port 23072 ssh2
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: temporarily_use_uid: 50000/50004 (e=0/0)
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: trying public key file /export/home/chris/.ssh/authorized_keys
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: matching key found: file /export/home/chris/.ssh/authorized_keys, line 2
Jun 15 10:22:55 mp-03 sshd[20331]: Found matching DSA key: ed:4c:e6:02:4c:c9:61:3a:87:70:13:e7:1e:99:43:42
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: restore_uid: 0/0
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: temporarily_use_uid: 50000/50004 (e=0/0)
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: trying public key file /export/home/chris/.ssh/authorized_keys
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: matching key found: file /export/home/chris/.ssh/authorized_keys, line 2
Jun 15 10:22:55 mp-03 sshd[20331]: Found matching DSA key: ed:4c:e6:02:4c:c9:61:3a:87:70:13:e7:1e:99:43:42
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: restore_uid: 0/0
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: ssh_dss_verify: signature correct
Jun 15 10:22:55 mp-03 sshd[20331]: Accepted publickey for chris from 192.168.180.140 port 23072 ssh2
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: monitor_child_preauth: chris has been authenticated by privileged process
Jun 15 10:22:55 mp-03 sshd[20333]: debug1: PAM: reinitializing credentials
Jun 15 10:22:55 mp-03 sshd[20333]: debug1: permanently_set_uid: 50000/50004
Jun 15 10:22:55 mp-03 sshd[20333]: debug1: Entering interactive session for SSH2.
Jun 15 10:22:55 mp-03 sshd[20333]: debug1: server_init_dispatch_20
Jun 15 10:22:55 mp-03 sshd[20333]: debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
Jun 15 10:22:55 mp-03 sshd[20333]: debug1: input_session_request
Jun 15 10:22:55 mp-03 sshd[20333]: debug1: channel 0: new [server-session]
Jun 15 10:22:55 mp-03 sshd[20333]: debug1: session_new: init
Jun 15 10:22:55 mp-03 sshd[20333]: debug1: session_new: session 0
Jun 15 10:22:55 mp-03 sshd[20333]: debug1: session_open: channel 0
Jun 15 10:22:55 mp-03 sshd[20333]: debug1: session_open: session 0: link with channel 0
Jun 15 10:22:55 mp-03 sshd[20333]: debug1: server_input_channel_open: confirm session
Jun 15 10:22:55 mp-03 sshd[20333]: debug1: server_input_channel_req: channel 0 request pty-req reply 0
Jun 15 10:22:55 mp-03 sshd[20333]: debug1: session_by_channel: session 0 channel 0
Jun 15 10:22:55 mp-03 sshd[20333]: debug1: session_input_channel_req: session 0 req pty-req
Jun 15 10:22:55 mp-03 sshd[20333]: fatal: login_get_lastlog: Cannot find account for uid 50000
Jun 15 10:22:55 mp-03 sshd[20333]: debug1: do_cleanup
Jun 15 10:22:55 mp-03 sshd[20333]: debug1: PAM: cleanup
Jun 15 10:22:55 mp-03 sshd[20333]: pam_unix2: cannot get options
Jun 15 10:22:55 mp-03 PAM-env[20333]: Unable to open config file: Permission denied
Jun 15 10:22:55 mp-03 sshd[20333]: pam_unix2: cannot get options
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: do_cleanup
Jun 15 10:22:55 mp-03 sshd[20331]: debug1: PAM: cleanup


The pam_unix2 seems to be at the heart of the problem (the 2nd listing
even authenticates public keys (bypassing passwords), but fails at
pam_unix2).

Any ideas? My Solaris clients work well... so what do I have to do to
get the two to talk to each other?

 
Ian Northeast

 
      06-15-2006, 05:56 PM
On Thu, 15 Jun 2006 10:23:08 -0700, christian.charette wrote:

> Hello all.
>
> I'm trying to get a SuSE 9 Linux NIS client to connect to a Solaris 10 NIS
> server, with some difficulty.
>
> I can get the client to bind.


....

> I have the following values set in various configuration files for
> compatibility mode:
>
> [root@mp-03 ~]>> tail -2 /etc/passwd
> +:Allowed_group:::::
> -:*:::::
>
> [root@mp-03 ~]>> tail -1 /etc/shadow
> +::::::::
>
> [root@mp-03 ~]>> tail -1 /etc/group
> +:::
>
> /etc/nsswitch.conf has the following set:
> passwd: compat
> group: compat


....

> Here are my symptoms:
>
> A) On Linux, when I attempt to do an su to a user (chris) from root, I
> get the following errors:
> [root@mp-03 ~]>> su - chris
> [root@MP-03] # bash
> [I have no name!@mp-03 ~]>> whoami
> whoami: cannot find username for UID 50000
> [I have no name!@mp-03 ~]>> id
> uid=50000 gid=50004 groups=50004


Try taking those "NIS separator" lines out of the passwd etc. files and
changing from "compat" to "files nis" in nsswitch.conf.

Also make sure that you can access the passwd.byuid map as its absence
will cause the symptom above.

My NIS server is Solaris 9 not 10 but I wouldn't have thought that would
make a lot of difference.

Regards, Ian
 
christian.charette@gmail.com

 
      06-15-2006, 06:27 PM
Ian Northeast wrote:
>
> Try taking those "NIS separator" lines out of the passwd etc. files and
> changing from "compat" to "files nis" in nsswitch.conf.
>
> Also make sure that you can access the passwd.byuid map as its absence
> will cause the symptom above.
>
> My NIS server is Solaris 9 not 10 but I wouldn't have thought that would
> make a lot of difference.
>
> Regards, Ian


So get rid of compatibility mode? Goes against my requirements....

Tried it just for fun. Removed the "=" and "-" lines in /etc/passwd,
/etc/group, /etc/shadow, and changed nsswitch to use this instead.
passwd: files nis
shadow: files nis
group: files nis


btw, I do see the map passwd.byuid:

[root@mp-03 ~]>> ypmatch -k 50000 passwd.byuid
50000 chris:moOfMUdmr9FoM:50000:50004:christian charette:/export/home/chris:/bin/sh

But the SSH into the box still didn't work. The login log gave me this
instead:

Jun 15 14:20:11 mp-03 sshd[13579]: Illegal user chris from ::ffff:192.168.180.140
Jun 15 14:20:11 mp-03 sshd[13579]: Failed none for illegal user chris from ::ffff:192.168.180.140 port 26604 ssh2
Jun 15 14:20:13 mp-03 sshd[13579]: error: PAM: User not known to the underlying authentication module
Jun 15 14:20:13 mp-03 sshd[13579]: Failed keyboard-interactive/pam for illegal user chris from ::ffff:192.168.180.140 port 26604 ssh2
Jun 15 14:20:13 mp-03 sshd[13579]: error: PAM: User not known to the underlying authentication module
Jun 15 14:20:13 mp-03 sshd[13579]: Failed keyboard-interactive/pam for illegal user chris from ::ffff:192.168.180.140 port 26604 ssh2
Jun 15 14:20:13 mp-03 sshd[13579]: error: PAM: User not known to the underlying authentication module
Jun 15 14:20:13 mp-03 sshd[13579]: Failed keyboard-interactive/pam for illegal user chris from ::ffff:192.168.180.140 port 26604 ssh2
Jun 15 14:20:21 mp-03 sshd[13579]: error: Could not get shadow information for NOUSER
Jun 15 14:20:21 mp-03 sshd[13579]: Failed password for illegal user chris from ::ffff:192.168.180.140 port 26604 ssh2


Once again, seems to be pointing to a problem inside the PAM modules.

I'm not sure if I'm farther along with this.

ttyl

Christian

 
Ian Northeast

 
      06-15-2006, 07:25 PM
On Thu, 15 Jun 2006 11:27:51 -0700, christian.charette wrote:

> Ian Northeast wrote:
>>
>> Try taking those "NIS separator" lines out of the passwd etc. files and
>> changing from "compat" to "files nis" in nsswitch.conf.
>>
>> Also make sure that you can access the passwd.byuid map as its absence
>> will cause the symptom above.
>>
>> My NIS server is Solaris 9 not 10 but I wouldn't have thought that would
>> make a lot of difference.
>>
>> Regards, Ian

>
> So get rid of compatibility mode? Goes against my requirements....
>
> Tried it just for fun. Removed the "=" and "-" lines in /etc/passwd,
> /etc/group, /etc/shadow, and changed nsswitch to use this instead.
> passwd: files nis
> shadow: files nis
> group: files nis
>
>
> btw, I do see the map passwd.byuid:
>
> [root@mp-03 ~]>> ypmatch -k 50000 passwd.byuid
> 50000 chris:moOfMUdmr9FoM:50000:50004:christian charette:/export/home/chris:/bin/sh
>
> But the SSH into the box still didn't work. The login log gave me this
> instead:
>
> Jun 15 14:20:11 mp-03 sshd[13579]: Illegal user chris from ::ffff:192.168.180.140
> Jun 15 14:20:11 mp-03 sshd[13579]: Failed none for illegal user chris from ::ffff:192.168.180.140 port 26604 ssh2
> Jun 15 14:20:13 mp-03 sshd[13579]: error: PAM: User not known to the underlying authentication module
> Jun 15 14:20:13 mp-03 sshd[13579]: Failed keyboard-interactive/pam for illegal user chris from ::ffff:192.168.180.140 port 26604 ssh2
> Jun 15 14:20:13 mp-03 sshd[13579]: error: PAM: User not known to the underlying authentication module
> Jun 15 14:20:13 mp-03 sshd[13579]: Failed keyboard-interactive/pam for illegal user chris from ::ffff:192.168.180.140 port 26604 ssh2
> Jun 15 14:20:13 mp-03 sshd[13579]: error: PAM: User not known to the underlying authentication module
> Jun 15 14:20:13 mp-03 sshd[13579]: Failed keyboard-interactive/pam for illegal user chris from ::ffff:192.168.180.140 port 26604 ssh2
> Jun 15 14:20:21 mp-03 sshd[13579]: error: Could not get shadow information for NOUSER
> Jun 15 14:20:21 mp-03 sshd[13579]: Failed password for illegal user chris from ::ffff:192.168.180.140 port 26604 ssh2
>
>
> Once again, seems to be pointing to a problem inside the PAM modules.
>
> I'm not sure if I'm farther along with this.


Getting beyond me I think I'm afraid. This has always "just worked" for me.

What happens when you su to the user from root and from non root with
password, and run "id"?

Regards, Ian
 
christian.charette@gmail.com

 
      06-16-2006, 02:44 PM
Ian Northeast wrote:
>
> Getting beyond me I think I'm afraid. This has always "just worked" for me.
>
> What happens when you su to the user from root and from non root with
> password, and run "id"?
>
> Regards, Ian



The first scenario I had up there already. The second doesn't work
either.
User "chris" is on NIS. User "bob" is local.

[root@mp-03 /var/log]>> su - chris
[root@MP-03] # id
uid=50000 gid=50004 groups=50004
[root@MP-03] # exit
logout

The log file created in /var/adm/loginlog is as follows:

Jun 16 10:38:02 mp-03 su: (to chris) root on /dev/ttyS0
Jun 16 10:38:02 mp-03 su: pam_unix2: session started for user chris, service su
Jun 16 10:38:28 mp-03 su: pam_unix2: cannot get options

Note that the last line is only done when I do an exit from the "chris"
shell.

[root@mp-03 /var/log]>> su - bob
bob@mp-03:~> su - chris
Password:
su: incorrect password
bob@mp-03:~>

The log file created in /var/adm/loginlog is as follows:

Jun 16 10:40:41 mp-03 su: (to bob) root on /dev/ttyS0
Jun 16 10:40:41 mp-03 su: pam_unix2: session started for user bob, service su
Jun 16 10:40:49 mp-03 su: FAILED SU (to chris) root on /dev/ttyS0
Jun 16 10:40:55 mp-03 su: pam_unix2: cannot get options

The same thing here, in that the error message (cannot get options) is
sent out when I exit from the "bob" shell.

 
christian.charette@gmail.com

 
      07-13-2006, 02:46 PM
Found it.

After much headache and pain, I was able to track it down.

Two problems existed in my configuration:

1) I was missing a package to get it all to work. It seems that NSCD
is required for the system to utilize NIS in Linux -- something that
does not seem obvious in the package descriptions or the howto guide.
Since we were using a minimized system to deliver our software packages
on, it did not include this.

Hint: The same author listed for nscd is the guy who maintained the
pam_unix2 modules and the NIS howto guide (Thorsten Kukuk). Likely an
undocumented dependency between his libraries.

2) Netgroups were not properly defined in /etc/passwd. The line:

+:Allowed_group:::::

should have read:

+@Allowed_group

This was clearly my mistake.


Hope it helps someone out there.

Chris
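
The compat-entry mistake from the last post, as an added example that is not part of the original thread: a shell/awk lint that classifies the +/- entries of a passwd-format file and flags any entry with an empty name, the shape "+:Allowed_group:::::" has. The function name, the KIND labels and the sample file are this example's own; the sample lines are constructed from entries quoted in the thread.

```shell
#!/bin/sh
# Added example: lint the NIS compat-mode (+/-) entries of a passwd-format file.
# lint_compat_passwd FILE prints "LINE KIND ENTRY" for each +/- entry and
# returns 1 if any entry is SUSPECT. KIND names are this example's own labels.
lint_compat_passwd() {
    awk -F: '
        /^[+-]/ {
            sign = substr($1, 1, 1)     # "+" include, "-" exclude
            name = substr($1, 2)        # user, @netgroup, or empty
            extra = 0                   # any non-empty field after the name?
            for (i = 2; i <= NF; i++) if ($i != "") extra = 1

            if (substr(name, 1, 1) == "@")
                kind = (sign == "+") ? "NETGROUP_INCLUDE" : "NETGROUP_EXCLUDE"
            else if (name != "")
                kind = (sign == "+") ? "USER_INCLUDE" : "USER_EXCLUDE"
            else if (sign == "+" && !extra)
                kind = "INCLUDE_ALL"    # bare "+" or "+::::::"
            else {
                # Empty name with other fields set (or a nameless "-"):
                # a netgroup written here is not read as a netgroup.
                kind = "SUSPECT"
                bad = 1
            }
            printf "%d %s %s\n", NR, kind, $0
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the two entries from the first post, then the corrected form.
sample=$(mktemp)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    '+:Allowed_group:::::' '-:*:::::' '+@Allowed_group' > "$sample"
lint_compat_passwd "$sample" || echo "review the SUSPECT entries above"
rm -f "$sample"
```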

 