Configuring client to use central authentication server (synchronize shadow)?
Linux - Enterprise: This forum is for all items relating to using Linux in the Enterprise.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
Having to work within the confines of an outdated system, I need to configure a list of clients to use a central authentication server. The clients are using the latest release of CentOS. The server is using RHEL6 with NIS (openLDAP is not available from the repos on this install anymore).
I've configured CentOS to use the yp server and domain (via yp.conf and authselect) and can confirm that `yptest -u <username>` succeeds. I can `su` to <username>, but if I try to log in on the system as <username> it cannot authenticate the password; it would appear that information relating to the shadow file is not being sent across the network in addition to the passwd file (I can confirm that passwd is being sent).
Here's where things get tricky. The old system sent shadow over NIS. I'd like to avoid doing that, but the authentication server is a relic and trying to install openLDAP or any other protocol is not going to be easy (or authorized by the powers that be).
So here are my questions:
1) does the ypbind package bundled with CentOS 8 not work with extremely old versions of ypserv? Has shadow over ypbind been eliminated, or is there something I'm missing? I can confirm also that 'nis' is listed for all entries (including passwd and shadow) in /etc/nsswitch.conf.
2) would it be possible to synchronize the shadow file across clients in a portable and secure way?
Have you tried compat as source for passwd, group and shadow in nsswitch.conf (and adding + as the last line of /etc/passwd, /etc/group and /etc/shadow)? See an example in the NIS HOWTO.
This is why I wonder if they've changed something. The prior configuration files do not list compat anywhere; instead, specifying nis in the nsswitch.conf was sufficient. The client-side upgrade isn't major, going from CentOS 8.0 to 8.4.
Adding compat to nsswitch.conf does not appear to work; the result is that I can no longer `su` to the users in addition to passwords not working. If I add both nis and compat, I am still unable to log in. The following are the error outputs from the journalctl log:
With compat (identical to using just nis):

    unix_chkpwd[6343]: check pass; user unknown
    unix_chkpwd[3646]: check pass; user unknown
    unix_chkpwd[3646]: password check failed for user (nisuser)
    su[3642]: pam_unix(su:auth): authentication failure; [...]
This may be an issue with pam, as the currently working 8.0 CentOS systems also don't list a shadow map under ypcat -x.
I am using authselect select nis. Since you asked me to use compat I created a backup file and tried modifying it manually to include compat since there's no option in authselect.
authselect list

    - minimal   local users only for minimal installations
    - nis       Enable NIS for system authentication
    - sssd      Enable SSSD for system authentication (also for local users only)
    - winbind   Enable winbind for system authentication
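The symptom in this thread (su resolves the account, but every password check ends in "check pass; user unknown") is what you get when the passwd database reaches NIS while the shadow database does not. The script below is an added example, not code from the thread or from the ypbind/authselect projects. It checks offline the three things the discussion turns on: which sources /etc/nsswitch.conf lists for passwd, shadow and group; which maps the server actually publishes, in the form `ypcat -x` lists them (the post above notes no shadow map appears there); and, for the compat source suggested earlier, whether the local file carries the trailing "+" line compat needs. All inputs are constructed samples embedded in the script; nothing is read from the live system, and the `ypcat -x` line format is assumed from the usual `Use "passwd" for map "passwd.byname"` shape.

```python
"""Offline consistency check for an NIS client's name-service setup.

Added example (not from the thread). Models which of passwd/shadow/group can
actually be answered by NIS given nsswitch.conf, the maps the server publishes
(as `ypcat -x` lists them) and, for 'compat', the '+' line in the local file.
All sample inputs below are constructed.
"""
import re

NSS_DBS = ("passwd", "shadow", "group")

# Constructed /etc/nsswitch.conf, matching the thread: nis on every entry.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files nis
shadow:     files nis
group:      files nis
hosts:      files dns
"""

# Constructed `ypcat -x` output: passwd and group maps, but no shadow map.
SAMPLE_YPCAT_X = """\
Use "passwd" for map "passwd.byname"
Use "group" for map "group.byname"
Use "hosts" for map "hosts.byname"
Use "services" for map "services.byname"
Use "aliases" for map "mail.aliases"
"""

# Constructed local files without the '+' line that 'compat' would need.
SAMPLE_LOCAL_FILES = {
    "passwd": "root:x:0:0:root:/root:/bin/bash\n",
    "shadow": "root:*:19000:0:99999:7:::\n",
    "group": "root:x:0:\n",
}


def parse_nsswitch(text):
    """Map each database to its ordered source list. Comments and action
    tokens such as [NOTFOUND=return] are dropped."""
    sources = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        sources[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return sources


def parse_ypcat_x(text):
    """Collect NIS map names from lines shaped like
       Use "passwd" for map "passwd.byname"   (assumed format)."""
    pattern = re.compile(r'^\s*Use "[^"]+" for map "([^"]+)"')
    return {m.group(1) for m in map(pattern.match, text.splitlines()) if m}


def has_plus_entry(file_text):
    """'compat' only consults NIS for entries introduced by a '+' line in
    the local file (typically a bare '+' as the last line)."""
    return any(line.strip().startswith("+") for line in file_text.splitlines())


def nis_can_answer(db, sources, maps, local_text):
    """Can lookups in `db` reach NIS? 'nis' needs the <db>.byname map;
    'compat' additionally needs a '+' line in the local file."""
    if f"{db}.byname" not in maps:
        return False
    if "nis" in sources:
        return True
    return "compat" in sources and has_plus_entry(local_text)


def check_nis_client(nsswitch_text, ypcat_text, local_files):
    """Return (reachable, findings): reachable maps each db to whether NIS
    can answer it; findings explain each gap in plain words."""
    nss = parse_nsswitch(nsswitch_text)
    maps = parse_ypcat_x(ypcat_text)
    reachable, findings = {}, []
    for db in NSS_DBS:
        sources = nss.get(db, [])
        local = local_files.get(db, "")
        reachable[db] = nis_can_answer(db, sources, maps, local)
        if reachable[db]:
            continue
        if f"{db}.byname" not in maps:
            findings.append(f"{db}: server publishes no {db}.byname map")
        elif "compat" in sources and not has_plus_entry(local):
            findings.append(f"{db}: 'compat' listed but /etc/{db} has no '+' line")
        elif not ({"nis", "compat"} & set(sources)):
            findings.append(f"{db}: neither 'nis' nor 'compat' in nsswitch.conf")
    # Accounts resolvable but hashes not: exactly the su-works/login-fails symptom.
    if reachable["passwd"] and not reachable["shadow"]:
        findings.append("accounts resolve via NIS but their password hashes do not: "
                        "password checks for NIS users will fail")
    return reachable, findings


if __name__ == "__main__":
    reach, notes = check_nis_client(SAMPLE_NSSWITCH, SAMPLE_YPCAT_X, SAMPLE_LOCAL_FILES)
    for db, ok in reach.items():
        print(f"{db:7s} via NIS: {'yes' if ok else 'NO'}")
    for note in notes:
        print(" -", note)
```

On a live client, replace the constructed strings with the contents of /etc/nsswitch.conf, the output of `ypcat -x`, and the local /etc files; `getent shadow <user>` run as root is the live equivalent of the shadow check, since it goes through the same NSS sources that unix_chkpwd relies on. With the sample inputs the script reports passwd and group reachable and shadow not, which is the configuration the thread describes.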
Well, authselect does more than just replace /etc/nsswitch.conf. Usually, you make your changes to /etc/authselect/user-nsswitch.conf, then invoke authselect like