SUMMARY: NIS+ questions.

Sabrina Downard (sabrina@wwa.com)
Fri, 12 Dec 1997 17:25:27 -0600 (CST)

Sorry it took so long to post my summary back to the list.
We ran into some problems and ended up turning our NIS+ clients back
to using ordinary password-files until we can resolve a few issues. :(

Much thanks to everyone who wrote me back!

In brief:
1. Yes, it's entirely possible to have ordinary users (who have no
need to manipulate NIS+ tables) with no credentials. There are
various ways to do this, such as writing a custom passwd, or running
NIS+ at a lower security mode.

2. One of our replicates was misconfigured, and once we re-setup NIS+ on
it, the errors about "admin.wwa.com.wwa.com." not existing disappeared.
Lesson: always remember your trailing dot! :)

3. I didn't hear from anyone else trying to run NIS+ over a firewall
(root master behind a firewall, clients and replicates outside),
but for myself, I'd not recommend it. :) It complicates
troubleshooting, especially if you're not that familiar with NIS+.
The one item which tripped us up the most was that the option to allow
RPC over TCP must be turned on (this is using CheckPoint FireWall-1).

4. Another information resource suggested was docs.sun.com.

My original question as posted to the list, followed by the responses
I received:

From sabrina@wwa.com Fri Dec 12 17:09:58 1997
Date: Thu, 4 Dec 1997 15:29:10 -0600 (CST)
From: Sabrina Downard <sabrina@wwa.com>
To: sun-managers@ra.mcs.anl.gov
Subject: NIS+ questions.
Followup-To: Sabrina Downard <sabrina@wwa.com>

Hi there. I've checked the Solaris 2 FAQ, the NIS+ FAQ, and searched
around but I've still got a few questions I can't seem to find answers to.
If there are any experienced NIS+ gurus that want to lend a hand, I'd
greatly appreciate it. I'll summarize any responses I receive.

My number-one question is this: is a netname and credential *absolutely
necessary* for general users? We're an ISP, and with thousands of users
who use our shell machines daily, we'd like to avoid all the baggage that
credentials entail (chkey -p, keylogin, etc.). But at times, it seems
unavoidable, and that we must have credentials. Which leads into this:

Yesterday, we had a problem with one NIS+ client (Ultra 2, Solaris 2.6).
It was working perfectly all day long, and all day the day before, with
only about half the users having credentials. At 5PM, we rebooted it to
let a change to /etc/system (more pseudo ttys) take effect. When it came
back up, it flashed errors across the console such as this one:

Dec 3 18:41:10 tekka.wwa.com login: User xxxxx needs Secure RPC
credentials to login.

This happened to users which did and users which did not have credentials,
and refused their logins ("password incorrect"). However, other users
*were* able to log in, apparently without problems. In ten minutes or so,
the problem just disappeared (people could log in, and no more errors came
up on the console).

At 6PM, we rebooted the server again. The same "user needs secure RPC
credentials" errors came across the console when people tried to log in.
I expected the errors to disappear as mysteriously as they had after the
first reboot, but they didn't -- I ended up logging onto the root master
server (Ultra 1, Solaris 2.5.1) and using "nispopulate -C passwd" to
create credentials for everyone with a default password, and then it
stopped. But now we're back to the point where users are complaining
about the errors on login ("login password does not decrypt secret key for
unix.12345@wwa.com") and tech support is getting confused about the new
stuff.

So that's my major question: are credentials absolutely necessary to have
users in NIS+ (just so they can log in! We don't need them to perform any
special tasks within NIS+, such as manipulate any other tables.)? If so,
what is the easiest way to integrate them and educate your user base?
If they're not absolutely necessary.. how the heck can we make things work
without them??

Second question: One of my NIS+ clients is apparently trying to find
admin.wwa.com.wwa.com. rather than admin.wwa.com., and I don't know which
one (all 3 clients are Sol 2.6)! My root master keeps reporting this
error:

Dec 3 00:04:14 xxxxx nisd[11133]: nislib:get_group() object "admin.wwa.com.wwa
.com." is not reachable.
Dec 3 00:04:14 xxxxx nisd[11133]: nislib:get_group:: Not Found, no such name.
Dec 3 00:04:14 xxxxx nisd[11133]: nislib:get_group:: Not Found, no such name.
Dec 3 00:04:14 xxxxx nisd[11133]: nislib:get_group() object "admin.wwa.com.wwa
.com." is not reachable.

I tried doing a few things such as "nisls admin.groups_dir.wwa.com" (which
does exist), "nisls admin.groups_dir.wwa.com.wwa.com." and "nisls
admin.wwa.com.groups_dir.wwa.com." (neither of the latter two exist), just
to see what genuinely was there and what wasn't, but it wasn't a help.
How can I tell which client is misconfigured, and how can I fix it? It
seems that only the root master server is complaining. Did I just drop a
dot somewhere, and NIS+ is appending the default domainname (like in DNS)?

Third question: Does anyone have any experience with running a firewall
between the root master and everybody else (replicas and clients)? That's
what we're trying to do, and I don't recommend the experience to anyone
else. Half of my problems I don't know if it's me, Solaris, the firewall,
or gremlins! We're using CheckPoint FireWall-1 between the root master
and the clients/replicates, and we seem to have the right holes poked
because things are (mostly) working.. but if anyone else has any
firewall-plus-NIS+ experience to share I'd sure love to hear about it.

Last question: I know about the NIS+ FAQ at
http://www.aball.de/~wpv/sun/NIS+_FAQ.html, and I have a copy of the
second edition of _All About Administering NIS+_ by Rick Ramsey,
but what other resources can you suggest for NIS+ administrators (online,
print, anything)?

Any help would be appreciated! I'm rapidly losing faith in what little
knowledge I do have of NIS+, and my coworkers are losing faith in NIS+
itself (and tech support is going to come after us with pickaxes if we
don't stop generating calls to their department!).

Thanks in advance! :)

--
Sabrina Downard				System Administrator
sabrina@wwa.com				WorldWide Access

From pdg@uow.edu.au Fri Dec 12 17:08:30 1997
Date: Fri, 5 Dec 1997 11:16:28 +1100
From: Peter Gray <pdg@uow.edu.au>
To: sabrina@wwa.com
Subject: Re: NIS+ questions.

On Thu, Dec 04, 1997 at 03:29:10PM -0600, Sabrina Downard wrote:
> Hi there. I've checked the Solaris 2 FAQ, the NIS+ FAQ, and searched
> around but I've still got a few questions I can't seem to find answers to.
> If there are any experienced NIS+ gurus that want to lend a hand, I'd
> greatly appreciate it. I'll summarize any responses I receive.
>

> My number-one question is this: is a netname and credential *absolutely
> necessary* for general users? We're an ISP, and with thousands of users
>

No, they are not. We have 7K users in our passwd map and not a single one has credentials. How does it work?

Well, the reason users need credentials is to enable them to read and update their own entry in the password map. If they don't have credentials they can neither read nor update their own encrypted password. What breaks if you do this?

Obviously, passwd does since users cannot change their password. So, I wrote a setuid passwd program. No problem there. The only other program on our system that needs to validate a user's password is xlock. I run a slightly modified version of xlock-more that runs setuid, gets the user's encrypted password first, then calls setuid(2) to run as the user after that. Login etc. all run as root, so they don't have a problem.

Having a large number of users without credentials has saved us a huge amount of bother.

My passwd program is available on request.

>
> Second question: One of my NIS+ clients is apparently trying to find
> admin.wwa.com.wwa.com. rather than admin.wwa.com., and I don't know which
> one (all 3 clients are Sol 2.6)! My root master keeps reporting this
> error:
>
> Dec 3 00:04:14 xxxxx nisd[11133]: nislib:get_group() object "admin.wwa.com.wwa
> .com." is not reachable.
> Dec 3 00:04:14 xxxxx nisd[11133]: nislib:get_group:: Not Found, no such name.
> Dec 3 00:04:14 xxxxx nisd[11133]: nislib:get_group:: Not Found, no such name.
> Dec 3 00:04:14 xxxxx nisd[11133]: nislib:get_group() object "admin.wwa.com.wwa
> .com." is not reachable.
>

Sounds like you set up a machine using the wrong domain name. Re-initialise the clients and make sure they all have the NIS+ domain name set correctly. Note that the NIS+ domain name does not have to match the DNS domain name. /etc/defaultdomain should contain the correct NIS+ domain.

>
> Last question: I know about the NIS+ FAQ at
> http://www.aball.de/~wpv/sun/NIS+_FAQ.html, and I have a copy of the
> second edition of _All About Administering NIS+_ by Rick Ramsey,
> but what other resources can you suggest for NIS+ administrators (online,
> print, anything)?
>
> Any help would be appreciated! I'm rapidly losing faith in what little
> knowledge I do have of NIS+, and my coworkers are losing faith in NIS+
> itself (and tech support is going to come after us with pickaxes if we
> don't stop generating calls to their department!).
>

Learning NIS+ is an investment. It can and will save you time, but expect some problems at first. One other thing you might want to think about. We have a directory where all our NIS+ maps are kept as plain text files. We have a makefile to build the maps from the files. The exception is passwd since users change that map. This might make your life easier. We dump our passwd map every hour and keep 24 hours worth of backup files. We have scripts to do the dumps and also a reload if we need to. This means that if NIS+ gets destroyed somehow, we can always rebuild the system pretty quickly.

Regards, pdg
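An added example, not from the thread and not Peter Gray's or Sabrina's code, that emulates NIS+ name expansion to show why a missing trailing dot turns admin.wwa.com into the admin.wwa.com.wwa.com. that nisd complains about. It follows the rule nis+(1) gives: a name ending in a dot is fully qualified and used as is; any other name is tried with the default domain appended, then with each parent domain that still has at least two labels. It assumes the default domain is supplied fully qualified (wwa.com., as nisdefaults reports it) and appends the dot itself if that is forgotten; the function names are the example's own.

```sh
#!/bin/sh
# Added example (not code from the original thread): emulate NIS+ name
# expansion so the origin of "admin.wwa.com.wwa.com." is visible.
# Rule assumed (from nis+(1)): a name ending in "." is fully qualified;
# any other name is tried in the default domain, then in each parent
# domain that still has at least two labels.

# nis_search_path DOMAIN: print, in order, the domains an unqualified
# name is tried in. DOMAIN is normally fully qualified ("wwa.com.");
# a missing trailing dot is added here so the output stays consistent.
nis_search_path() {
  d=$1
  case $d in
    *.) ;;
    *)  d=$d. ;;
  esac
  while :; do
    printf '%s\n' "$d"
    rest=${d#*.}                 # drop the leftmost label
    case $rest in
      *.*.) d=$rest ;;           # parent still has two or more labels
      *)    break ;;             # "com." alone is never searched
    esac
  done
}

# is_fqn NAME: succeed if NAME is fully qualified (ends in a dot).
is_fqn() {
  case $1 in
    *.) return 0 ;;
    *)  return 1 ;;
  esac
}

# nis_expand NAME DOMAIN: print the fully qualified names NIS+ would try,
# in the order it tries them.
nis_expand() {
  name=$1
  domain=$2
  if is_fqn "$name"; then
    printf '%s\n' "$name"
  else
    nis_search_path "$domain" | while read -r d; do
      printf '%s.%s\n' "$name" "$d"
    done
  fi
}

# first_candidate NAME DOMAIN: the first name NIS+ tries, which is the
# name that shows up in a "not reachable" message when nothing matches.
first_candidate() {
  nis_expand "$1" "$2" | head -n 1
}

# Without the trailing dot the default domain is appended:
first_candidate admin.wwa.com wwa.com.     # admin.wwa.com.wwa.com.
# With it, the name is used exactly as typed:
first_candidate admin.wwa.com. wwa.com.    # admin.wwa.com.
# A name relative to a subdomain walks up the search path:
nis_expand hosts.org_dir eng.wwa.com.      # hosts.org_dir.eng.wwa.com. then hosts.org_dir.wwa.com.
```

On each client, feed the names you hand to nisinit, nisclient and NIS_GROUP through is_fqn: any name it rejects is expanded against that client's default domain at the time it is used, so a client with the wrong /etc/defaultdomain, or a name typed without its dot, produces exactly the doubled name the root master logs.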

From unix.support@central.meralco.com.ph Fri Dec 12 17:08:36 1997
Date: Fri, 05 Dec 1997 09:03:53 -0800
From: Mariel Feder <unix.support@central.meralco.com.ph>
To: sabrina@wwa.com
Subject: Re: NIS+ questions.

Sabrina Downard wrote:

> Hi there. I've checked the Solaris 2 FAQ, the NIS+ FAQ, and searched
> around but I've still got a few questions I can't seem to find answers to.
> If there are any experienced NIS+ gurus that want to lend a hand, I'd
> greatly appreciate it. I'll summarize any responses I receive.
>
> My number-one question is this: is a netname and credential *absolutely
> necessary* for general users?

No. They are not absolutely necessary. You can run NIS+ with a lower level of security and credentials will not be necessary.

> We're an ISP, and with thousands of users
> who use our shell machines daily, we'd like to avoid all the baggage that
> credentials entail (chkey -p, keylogin, etc.). But at times, it seems
> unavoidable, and that we must have credentials. Which leads into this:

If your NIS+ login password and your Secure RPC password are the same, there is no need at all to run these commands. Only the first time the user logs in after NIS+ was installed does he have to keylogin and run chkey to make both passwords the same. After that, there is no need to use these commands.

>
> Yesterday, we had a problem with one NIS+ client (Ultra 2, Solaris 2.6).
> It was working perfectly all day long, and all day the day before, with
> only about half the users having credentials. At 5PM, we rebooted it to
> let a change to /etc/system (more pseudo ttys) take effect. When it came
> back up, it flashed errors across the console such as this one:
>
> Dec 3 18:41:10 tekka.wwa.com login: User xxxxx needs Secure RPC
> credentials to login.
>
> This happened to users which did and users which did not have credentials,
> and refused their logins ("password incorrect"). However, other users
> *were* able to log in, apparently without problems. In ten minutes or so,
> the problem just disappeared (people could log in, and no more errors came
> up on the console).
>
> At 6PM, we rebooted the server again. The same "user needs secure RPC
> credentials" errors came across the console when people tried to log in.
> I expected the errors to disappear as mysteriously as they had after the
> first reboot, but they didn't -- I ended up logging onto the root master
> server (Ultra 1, Solaris 2.5.1) and using "nispopulate -C passwd" to
> create credentials for everyone with a default password, and then it
> stopped. But now we're back to the point where users are complaining
> about the errors on login ("login password does not decrypt secret key for
> unix.12345@wwa.com") and tech support is getting confused about the new
> stuff.
>
> So that's my major question: are credentials absolutely necessary to have
> users in NIS+ (just so they can log in! We don't need them to perform any
> special tasks within NIS+, such as manipulate any other tables.)? If so,
> what is the easiest way to integrate them and educate your user base?
> If they're not absolutely necessary.. how the heck can we make things work
> without them??
>
> Second question: One of my NIS+ clients is apparently trying to find
> admin.wwa.com.wwa.com. rather than admin.wwa.com., and I don't know which
> one (all 3 clients are Sol 2.6)! My root master keeps reporting this
> error:
>
> Dec 3 00:04:14 xxxxx nisd[11133]: nislib:get_group() object "admin.wwa.com.wwa
> .com." is not reachable.
> Dec 3 00:04:14 xxxxx nisd[11133]: nislib:get_group:: Not Found, no such name.
> Dec 3 00:04:14 xxxxx nisd[11133]: nislib:get_group:: Not Found, no such name.
> Dec 3 00:04:14 xxxxx nisd[11133]: nislib:get_group() object "admin.wwa.com.wwa
> .com." is not reachable.
>
> I tried doing a few things such as "nisls admin.groups_dir.wwa.com" (which
> does exist), "nisls admin.groups_dir.wwa.com.wwa.com." and "nisls
> admin.wwa.com.groups_dir.wwa.com." (neither of the latter two exist), just
> to see what genuinely was there and what wasn't, but it wasn't a help.
> How can I tell which client is misconfigured, and how can I fix it? It
> seems that only the root master server is complaining. Did I just drop a
> dot somewhere, and NIS+ is appending the default domainname (like in DNS)?

I had this problem, and I found out it was a NIS object belonging to the wrong group. Try the command nis_ls to get your NIS+ directories. For each directory do it again, for instance nis_ls org_dir. For each object in each directory, check the owner and group with the command niscat -o passwd.org_dir to see if one of them is related to the wrong group.

>
> Third question: Does anyone have any experience with running a firewall
> between the root master and everybody else (replicas and clients)? That's
> what we're trying to do, and I don't recommend the experience to anyone
> else. Half of my problems I don't know if it's me, Solaris, the firewall,
> or gremlins! We're using CheckPoint FireWall-1 between the root master
> and the clients/replicates, and we seem to have the right holes poked
> because things are (mostly) working.. but if anyone else has any
> firewall-plus-NIS+ experience to share I'd sure love to hear about it.
>
> Last question: I know about the NIS+ FAQ at
> http://www.aball.de/~wpv/sun/NIS+_FAQ.html, and I have a copy of the
> second edition of _All About Administering NIS+_ by Rick Ramsey,
> but what other resources can you suggest for NIS+ administrators (online,
> print, anything)?
>
> Any help would be appreciated! I'm rapidly losing faith in what little
> knowledge I do have of NIS+, and my coworkers are losing faith in NIS+
> itself (and tech support is going to come after us with pickaxes if we
> don't stop generating calls to their department!).
>
> Thanks in advance! :)
>
> --
> Sabrina Downard				System Administrator
> sabrina@wwa.com				WorldWide Access

--
------------------------------------------------------------------------

Mariel Feder - I.T. Consultant unix.support@meralco.com.ph

Phone: (63) (2) 632.8862 / 632.8977 Fax: (63) (2) 632.8868

Meralco Electric Company Distributed Information Technology Team Manila - Philippines

From dave.miner@Sun.COM Fri Dec 12 17:08:40 1997
Date: Fri, 05 Dec 1997 10:09:24 -0500
From: Dave Miner <dave.miner@Sun.COM>
To: sabrina@wwa.com
Subject: Re: NIS+ questions.

You absolutely can run NIS+ with non-administrative users not having credentials. Doing so requires that you make sure all of the directory and table objects are readable by unauthenticated users by using "nischmod n+r object-name.domain.name." on each directory & table. Do so, and delete all the non-administrative credentials (and stop and restart the keyserv on the machines people log in to; usually it's just as easy to reboot them, but in your case perhaps not) and you should be fine.

I've never heard of anyone running NIS+ across a firewall. I look forward to seeing your summary on that point.

Dave
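An added example, not Dave Miner's or Mariel Feder's code, that performs the check both replies describe on the output of niscat -o: it prints a nischmod n+r command for every directory or table that unauthenticated ("nobody") principals cannot read, and warns when an object's group sits in a different domain from the one given (admin.wwa.com.wwa.com. where admin.wwa.com. was meant). It assumes the Solaris 2.x niscat -o layout (Object Name, Group, Domain, Access Rights and Object Type lines, with per-column rights indented underneath) and the 16-character access-rights string, four rmcd groups for nobody, owner, group and world in that order; the sample input is constructed, and every function name is the example's own.

```sh
#!/bin/sh
# Added example (not code from the original thread): audit niscat -o output
# for the two conditions discussed in the replies:
#   1. an object that unauthenticated ("nobody") principals cannot read,
#      which "nischmod n+r object.domain." fixes;
#   2. an object whose group lives in the wrong domain, such as
#      "admin.wwa.com.wwa.com." instead of "admin.wwa.com.".
# Assumptions: an NIS+ access-rights string is 16 characters, four "rmcd"
# (read/modify/create/destroy) groups for nobody, owner, group and world,
# in that order; the field labels below match Solaris 2.x niscat -o output.
# Only the object-level "Access Rights" line is read; the indented
# per-column rights listed under "Columns" are not examined.

# rights_for CLASS RIGHTS: print the four-character group for CLASS.
rights_for() {
  case $1 in
    nobody) printf '%s\n' "$2" | cut -c1-4 ;;
    owner)  printf '%s\n' "$2" | cut -c5-8 ;;
    group)  printf '%s\n' "$2" | cut -c9-12 ;;
    world)  printf '%s\n' "$2" | cut -c13-16 ;;
    *)      echo "rights_for: unknown class $1" >&2; return 2 ;;
  esac
}

# nobody_can_read RIGHTS: succeed if unauthenticated principals have read.
nobody_can_read() {
  case $(rights_for nobody "$1") in
    r*) return 0 ;;
    *)  return 1 ;;
  esac
}

# parse_niscat_o: turn niscat -o output on stdin into one
# "fullname group rights" line per object. "Domain" and "Directory" are
# both accepted as the label of the containing directory.
parse_niscat_o() {
  awk -F': *' '
    /^Object Name/          { name = $2 }
    /^Group/                { group = $2 }
    /^(Domain|Directory)/   { dir = $2 }
    /^Access Rights/        { rights = $2 }
    /^Object Type/          { printf "%s.%s %s %s\n", name, dir, group, rights }
  '
}

# audit_objects DOMAIN: read those lines and print one line per finding:
# the nischmod command for an object nobody cannot read, and a WARNING for
# a group whose domain part (everything after its first label) is not
# DOMAIN. Objects owned by a subdomain's group are flagged too; check those
# by hand.
audit_objects() {
  domain=$1
  while read -r name group rights; do
    [ -n "$name" ] || continue
    case $rights in
      ????????????????) ;;
      *) echo "SKIP $name: unexpected rights string '$rights'" >&2; continue ;;
    esac
    nobody_can_read "$rights" || echo "nischmod n+r $name"
    [ "${group#*.}" = "$domain" ] || echo "WARNING $name: group $group is not in $domain"
  done
}

# Constructed sample modelled on niscat -o output: a passwd table nobody
# cannot read, and a hosts table whose group is in a doubled domain.
SAMPLE='Object Name   : passwd
Owner         : master.wwa.com.
Group         : admin.wwa.com.
Domain        : org_dir.wwa.com.
Access Rights : ----rmcdr---r---
Time to Live  : 12:0:0
Object Type   : TABLE
Columns       :
        [0]     Name          : name
                Access Rights : r---rmcdr---r---

Object Name   : hosts
Owner         : master.wwa.com.
Group         : admin.wwa.com.wwa.com.
Domain        : org_dir.wwa.com.
Access Rights : r---rmcdr---r---
Time to Live  : 12:0:0
Object Type   : TABLE'

# run_audit DOMAIN: audit the constructed sample for DOMAIN.
run_audit() {
  printf '%s\n' "$SAMPLE" | parse_niscat_o | audit_objects "$1"
}

run_audit wwa.com.
# Prints:
#   nischmod n+r passwd.org_dir.wwa.com.
#   WARNING hosts.org_dir.wwa.com.: group admin.wwa.com.wwa.com. is not in wwa.com.
```

To run it against a real server, replace SAMPLE with the concatenated niscat -o output of each directory and table (niscat -o org_dir.wwa.com., niscat -o passwd.org_dir.wwa.com., and so on, fully qualified) and run the printed nischmod commands as the NIS+ administrator. nischmod n+r changes only the object-level rights; the per-column rights that niscat -o lists under Columns are separate and are left as they are, which is why a user without credentials still cannot touch the protected columns of their own passwd entry.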

From jdwyatt@math.clemson.edu Fri Dec 12 17:08:55 1997
Date: Mon, 8 Dec 1997 11:16:27 -0500
From: Josh Wyatt <jdwyatt@math.clemson.edu>
To: sabrina@wwa.com
Subject: NIS+ problems: nislib:get_group()....

Hi Sabrina,

I am the Sysadmin for the Math Dept here at Clemson University. We run 40 2.5.1 clients, 11 of which are Ultra-1s, the rest are SPARC 5s (a couple of 10s and 20s). We are running NIS+, and have experienced the very same console messages you have mentioned (concerning blah.blah.whatever not reachable). I think I have found a connection between these messages and certain queries to the NIS+ rootmaster; for example, try a "finger user@rootmaster.wwa.com" or whatever works for you, and watch the console messages on the root master... I continue to search for a resolution to these messages.

I should mention that unlike your experience, no users seem to be experiencing difficulties... Then again, all of our users have credentials. As a rule we create credentials with our adduser script. I can send you a copy of it if you want. I think in NIS+, all users need credentials to do things like mount their home dirs and such. As a rule, anything not name-based (and more importantly, the stuff that /etc/nsswitch.conf defines) will come out of NIS+, and any request for such will need credentials (unless you are running NIS+ in a different security mode).

Write back soon,
Josh Wyatt

--
Sabrina Downard				System Administrator
sabrina@wwa.com				WorldWide Access