I've got ypbind running.
I can do a "ypcat passwd" and see the user defined.
The home directory and the shell both exist for that user.
The /etc/nsswitch.conf file has "files nis" for passwd, shadow, and group.
But I get this in /var/log/secure:
May 4 15:14:38 tomh login: FAILED LOGIN 1 FROM tty3 FOR tom, Authentication failure
or if I try to ssh in, I get:
May 4 15:02:18 tomh sshd[13139]: fatal: Access denied for user tom by PAM account configuration [preauth]
What new mystery has been introduced to the configuration of ypbind and NIS?
On 05/04/2018 12:21 PM, Tom Horsley wrote:
> I've got ypbind running.
> I can do a "ypcat passwd" and see the user defined.
> The home directory and the shell both exist for that user.
> The /etc/nsswitch.conf file has "files nis" for passwd, shadow, and group.
> But I get this in /var/log/secure:
> May 4 15:14:38 tomh login: FAILED LOGIN 1 FROM tty3 FOR tom, Authentication failure
> or if I try to ssh in, I get:
> May 4 15:02:18 tomh sshd[13139]: fatal: Access denied for user tom by PAM account configuration [preauth]
> What new mystery has been introduced to the configuration of ypbind and NIS?
Might I suggest using "compat" or "files sss" instead of "files nis" in your /etc/nsswitch.conf file for passwd, group and shadow? E.g.:
    passwd: compat
    group:  compat
    shadow: compat
-- or --
    passwd: files sss
    group:  files sss
    shadow: files sss
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@alldigital.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-  "Swap memory error: You lose your mind"                           -
----------------------------------------------------------------------
On Fri, 4 May 2018 13:51:14 -0700 Rick Stevens wrote:
> Might I suggest using "compat" or "files sss" instead of "files nis" in your /etc/nsswitch.conf file for passwd, group and shadow? E.g.:
Thanks for the suggestion, but I tried both, same results, no login for NIS users.
I enabled and started the sssd.service (which I've never had to do previously), but it didn't help. I notice there is no config file under /etc/sssd, don't know if it has to have one.
Why am I suspecting that all the ipv4 support was broken when they added ipv6 support for NIS in fedora 28? :-). Or maybe I now have to do some extra config to disable ipv6?
I can actually become an NIS user by logging in as root then doing an su -l nisuser, but I have a feeling that utterly bypasses all standard login paths.
On Fri, May 4, 2018 at 6:30 PM, Tom Horsley horsley1953@gmail.com wrote:
> On Fri, 4 May 2018 13:51:14 -0700 Rick Stevens wrote:
> > Might I suggest using "compat" or "files sss" instead of "files nis" in your /etc/nsswitch.conf file for passwd, group and shadow? E.g.:
> Thanks for the suggestion, but I tried both, same results, no login for NIS users.
> I enabled and started the sssd.service (which I've never had to do previously), but it didn't help. I notice there is no config file under /etc/sssd, don't know if it has to have one.
> Why am I suspecting that all the ipv4 support was broken when they added ipv6 support for NIS in fedora 28? :-). Or maybe I now have to do some extra config to disable ipv6?
> I can actually become an NIS user by logging in as root then doing an su -l nisuser, but I have a feeling that utterly bypasses all standard login paths.
"Why am I suspecting that all the ipv4 support" reminded me that nis support was removed from glibc [1].
Do you have nss_nis installed?
[1] https://sourceware.org/git/?p=glibc.git;a=commit;h=1e4d83f6fe38613e6f209ff09...
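An offline check for the question raised above, added here as an example that is not part of the original thread: it parses nsswitch.conf and reports every passwd, shadow or group source whose glibc module (libnss_<source>.so.2) cannot be found. The sample file contents, the function names and the library directory list are assumptions made for the example.

```python
import os
import re

# Constructed sample mirroring the "files nis" setup described in the thread.
SAMPLE_NSSWITCH = """\
# constructed sample, not taken from a real host
passwd:     files nis
shadow:     files nis
group:      files nis
hosts:      files dns [NOTFOUND=return] myhostname
"""

# Typical module directories (assumption; the location varies by distribution).
DEFAULT_LIB_DIRS = ("/usr/lib64", "/lib64", "/usr/lib", "/lib")


def parse_nsswitch(text):
    """Return {database: [source, ...]}, dropping comments and [STATUS=action] items."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        database, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # e.g. [NOTFOUND=return]
        table[database.strip()] = rest.split()
    return table


def missing_modules(table, databases=("passwd", "shadow", "group"),
                    lib_dirs=DEFAULT_LIB_DIRS):
    """List (database, source, library) for each source whose NSS module is absent."""
    missing = []
    for database in databases:
        for source in table.get(database, []):
            library = f"libnss_{source}.so.2"  # name glibc uses to load a source
            if not any(os.path.exists(os.path.join(d, library)) for d in lib_dirs):
                missing.append((database, source, library))
    return missing


if __name__ == "__main__":
    path = "/etc/nsswitch.conf"
    text = open(path).read() if os.path.exists(path) else SAMPLE_NSSWITCH
    for database, source, library in missing_modules(parse_nsswitch(text)):
        print(f"{database}: source '{source}' needs {library}, not found")
```

A reported library is a hint rather than proof, since some glibc builds compile sources such as "files" into libc itself. An empty result only shows that name lookups can load their modules; it says nothing about the PAM stack that handles the login.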
On Sat, May 5, 2018 at 8:50 AM, Tom Horsley horsley1953@gmail.com wrote:
> On Sat, 5 May 2018 06:09:22 -0400 Tom H wrote:
> > Do you have nss_nis installed?
> Yep: nss_nis-3.0-3.fc28.x86_64
OK.
I set up two F28 VMs, nis server and client, with selinux and iptables disabled. And I end up with the same problem :(
On the client:
- "rpcinfo nisserver", "yp_dump_binding", "yptest", "ypcat passwd", "ypmatch th passwd", "getent passwd th", "yppasswd" work when run as "th".
- "th" can't log in, with the same authentication error that you get.
Could it be pam-related?
> Could it be pam-related?
I suspect there are about 50 things that it could be related to. I submitted this bug which mentions some of them:
https://bugzilla.redhat.com/show_bug.cgi?id=1575297
I used nss_nis as the component, just because I had to have a component, not because I know that is the problem.