NIS server configuration problem, refused client operation

Hi,

I have some problem setting up a NIS client. The client is a fresh
Debian Sarge, but the same behavior is show on Ubuntu.

The NIS server is a SuSE 8.1.

The problem is that, users cannot access the NIS server database from
Debian. Find below the discussion with the Debian NIS package
maintainer. He said it should be a config problem, I've tried
everything, but it still does not work.

You have any idea, what should I set up and how?

Thanks,
Zoltan

-------- Original Message --------
Subject: Re: Bug#280575: nis looks working, but for all non-roots the
nis infos are non-viewable
Date: Thu, 11 Nov 2004 10:09:48 +0000
From: Miquel van Smoorenburg <(E-Mail Removed)>
To: Petres, Zoltan <(E-Mail Removed)>
CC: Mark Brown <(E-Mail Removed)>, (E-Mail Removed)
References: <(E-Mail Removed)>
<(E-Mail Removed)>
<(E-Mail Removed)>

On 2004.11.11 08:19, Petres, Zoltan wrote:

>
>
> Mark Brown wrote:
> >>It seems that there is a problem between non-root users, nis and pam.
> > > It is difficult to tell what is going on based on the information
> > provided. At a guess, your NIS server may be refusing to talk to
> > clients that have not bound to a privileged port.
> > > Running "strace id <user>" and capturing the output may provide some
> > clues, as might looking at the logs produced on the NIS server (or at
> > least some information about what software the server is running and how
> > it is configured). You can find the server your client is using with
> > the 'ypwhich' command.
> Please, find enclosed. The root is generated by root, it gives at the end the infos, the nonroot is generated by a local non-NIS user.
>
> > I rather suspect there is a local configuration issue here - if this
> > were generally broken I would expect many more users to have noticed
> > the problem. The admins of the NIS servers are likely to be able to
> > offer some more specific advice.
>
> With other, mostly SuSE Linux it is working well. I tried by Ubuntu too, and it shows the same behaviors. Here is an intereseting snapshot from the ypserv -d output:
>
> If I run by root:
>
> connect from 157.82.158.161
> -> OK.
> ypproc_match(): [From: 157.82.158.161:822]
> domainname = "hasimo"
> mapname = "passwd.byname"
> keydat = "petres"
> connect from 157.82.158.161
> ypdb_open("hasimo", "passwd.byname")
> ->Returning OK!
> Opening: hasimo/passwd.byname (0) 8055fa0
> ypdb_close() called
> -> Value = "petres:Yp2p4e/l4puJ2:243:20:Petres Zoltan:/ahome/petres:/usr/local/bin/bash"
> ypproc_match(): [From: 157.82.158.161:823]
> domainname = "hasimo"
> mapname = "passwd.byuid"
> keydat = "243"
> connect from 157.82.158.161
> ypdb_open("hasimo", "passwd.byuid")
> ->Returning OK!
> Opening: hasimo/passwd.byuid (1) 8055d50
> ypdb_close() called
> -> Value = "petres:Yp2p4e/l4puJ2:243:20:Petres Zoltan:/ahome/petres:/usr/local/bin/bash"
>
>
> If I run by non-root:
>
> connect from 157.82.158.161
> -> Ignored (not a valid source host)
> ypproc_match(): [From: 157.82.158.161:32790]
> domainname = "hasimo"
> mapname = "passwd.byname"
> keydat = "petres"


This means that your server is misconfigured. Check
/etc/ypserv.conf and /etc/ypserv.securenets (if it's
debian - on other distributions, those files and the
syntax will probably differ!) Esp. check carefully for typos.

> The interesting is that, in root case it uses <1024 port, and in non-root case, higher. Why?


Because that's the way it should be. Ports < 1024 are priviliged and
can only be used by root. NIS (actually, the NIS routines in glibc)
uses ports < 1024 as source ports for requests from the root user.
That way, the server can decide (if you configure it that way) to,
for example, only serve the shadow NIS map to the root user and not
to ordinary users.

Your server is probably (mis-)configured to block all requests
from non-priviliged ports. It might even be a firewall issue.

Mike.


Petres Zoltan