LinuxQuestions.org
Old 11-05-2021, 07:22 PM   #1
anon112
Member
 
Registered: May 2008
Distribution: Arch, FreeBSD
Posts: 116

Rep: Reputation: 17
Configuring client to use central authentication server (synchronize shadow)?


Having to work within the confines of an outdated system, I need to configure a list of clients to use a central authentication server. The clients are using the latest release of CentOS. The server is using RHEL6 with NIS (openLDAP is not available from the repos on this install anymore).

I've configured CentOS to use the yp server and domain (via yp.conf and authselect) and can confirm that `yptest -u <username>` succeeds. I can `su` to <username>, but if I try to log in on the system as <username> it cannot authenticate the password; it would appear that information relating to the shadow file is not being sent across the network in addition to the passwd file (I can confirm that passwd is being sent).

Here's where things get tricky. The old system sent shadow over NIS. I'd like to avoid doing that, but the authentication server is a relic and trying to install openLDAP or any other protocol is not going to be easy (or authorized by the powers that be).

So here are my questions:
1) does the ypbind package bundled with CentOS 8 not work with extremely old versions of ypserv? Has shadow over ypbind been eliminated, or is there something I'm missing? I can confirm also that 'nis' is listed for all entries (including passwd and shadow) in /etc/nsswitch.conf.
2) would it be possible to synchronize the shadow file across clients in a portable and secure way?
 
Old 11-06-2021, 11:28 AM   #2
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 3,670

Rep: Reputation: Disabled
Have you tried compat as source for passwd, group and shadow in nsswitch.conf (and adding + as the last line of /etc/passwd, /etc/group and /etc/shadow)? See an example in the NIS HOWTO.

Last edited by shruggy; 11-06-2021 at 11:30 AM.
 
Old 11-06-2021, 12:41 PM   #3
anon112
Member
 
Registered: May 2008
Distribution: Arch, FreeBSD
Posts: 116

Original Poster
Rep: Reputation: 17
This is why I wonder if they've changed something. The prior configuration files do not list compat anywhere; instead, specifying nis in the nsswitch.conf was sufficient. The client-side upgrade isn't major, going from CentOS 8.0 to 8.4.

Adding compat to nsswitch.conf does not appear to work; the result is that I can no longer `su` to the users in addition to passwords not working. If I add both nis and compat, I am still unable to log in. The following are the error outputs from the journalctl log:

With compat (identical to using just nis)
Quote:
unix_chkpwd[6343]: check pass; user unknown
unix_chkpwd[3646]: check pass; user unknown
unix_chkpwd[3646]: password check failed for user (nisuser)
su[3642]: pam_unix(su:auth): authentication failure; [...]
This may be an issue with pam, as the currently working 8.0 CentOS systems also don't list a shadow map under ypcat -x.
 
Old 11-06-2021, 12:52 PM   #4
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 3,670

Rep: Reputation: Disabled
Wait, you're editing /etc/nsswitch.conf by hand? On CentOS 8? Rather than authselect select nis?
 
Old 11-06-2021, 12:56 PM   #5
anon112
Member
 
Registered: May 2008
Distribution: Arch, FreeBSD
Posts: 116

Original Poster
Rep: Reputation: 17
I am using authselect select nis. Since you asked me to use compat I created a backup file and tried modifying it manually to include compat since there's no option in authselect.

authselect list
Quote:
- minimal local users only for minimal installations
- nis Enable NIS for system authentication
- sssd Enable SSSD for system authentication (also for local users only)
- winbind Enable winbind for system authentication
 
Old 11-06-2021, 01:22 PM   #6
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 3,670

Rep: Reputation: Disabled
Well, authselect does more than just replace /etc/nsswitch.conf. Usually, you make your changes to /etc/authselect/user-nsswitch.conf, then invoke authselect like
Code:
authselect select nis with-custom-{passwd,group,shadow}
Then it will take specified categories from user-nsswitch.conf and merge them into the default nis profile.
 
Old 11-06-2021, 01:34 PM   #7
anon112
Member
 
Registered: May 2008
Distribution: Arch, FreeBSD
Posts: 116

Original Poster
Rep: Reputation: 17
Changing user-nsswitch.conf does not appear to change the end result, but I'll bear that in mind for the future.

I've also just logged in to the auth server and noticed the /var/messages is giving the following for each login attempt:
Quote:
ypserv[2789]: refused connect from 10.11.0.32:35505 to procedure ypproc_match (localauth,shadow.byname;-1)
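
Added example, not part of the thread and not any poster's code: a small parser for ypserv "refused connect" lines like the one quoted above, which splits out the client address, source port, procedure, domain and map, and marks whether the source port is below 1024. ypserv.conf(5) has a `port` security option that serves a map only to requests from ports below 1024; that this option is what rejected the request here is an assumption, and the host name `authsrv` and the 192.0.2.x lines are constructed sample data.

```shell
#!/bin/sh
# Added example: summarise ypserv "refused connect" log lines.
# Output columns: client_ip source_port procedure domain map port_class

# First line is the one quoted in the thread; the other two are constructed.
SAMPLE_LOG='ypserv[2789]: refused connect from 10.11.0.32:35505 to procedure ypproc_match (localauth,shadow.byname;-1)
Nov  6 13:30:01 authsrv ypserv[2789]: refused connect from 192.0.2.10:812 to procedure ypproc_match (localauth,shadow.byname;-1)
Nov  6 13:30:02 authsrv ypserv[2789]: refused connect from 192.0.2.11:40112 to procedure ypproc_all (localauth,passwd.byname;-1)'

parse_ypserv_refusals() {
    awk '
    /refused connect from/ {
        addr = ""; proc = ""; target = ""
        # Locate fields by keyword so a syslog timestamp/host prefix is tolerated.
        for (i = 1; i <= NF; i++) {
            if ($i == "from")      addr = $(i + 1)
            if ($i == "procedure") { proc = $(i + 1); target = $(i + 2) }
        }
        if (addr == "" || target == "") next
        # addr is ip:port (IPv4); target is (domain,map;status)
        n = split(addr, a, ":")
        gsub(/[()]/, "", target)
        split(target, t, "[,;]")
        cls = (a[n] + 0 < 1024) ? "privileged" : "unprivileged"
        print a[1], a[n], proc, t[1], t[2], cls
    }'
}

# Count refused shadow.* lookups that arrived from a port >= 1024.
count_unprivileged_shadow() {
    parse_ypserv_refusals |
        awk '$5 ~ /^shadow\./ && $6 == "unprivileged" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | parse_ypserv_refusals
printf 'refused shadow lookups from unprivileged ports: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_unprivileged_shadow)"
```

On the server, pipe the real log file into `parse_ypserv_refusals` instead of the sample to see which clients and maps are being refused.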
 
  

