Bug 1401432

Summary: yppasswd crypt() failed errors when using passwd.adjunct
Product: Red Hat Enterprise Linux 7
Reporter: Petr Kubat <pkubat>
Component: yp-tools
Assignee: Petr Kubat <pkubat>
Status: CLOSED ERRATA
QA Contact: Vaclav Danek <vdanek>
Severity: medium
Docs Contact: Vladimír Slávik <vslavik>
Priority: unspecified
Version: 7.4
CC: asakure, databases-maint, extras-qa, gedetil, hhorak, mmuzila, ovasik, pkubat, todoleza
Target Milestone: rc
Keywords: Patch
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: yp-tools-2.14-4.el7
Doc Type: Bug Fix
Doc Text:
*yppasswd* no longer crashes due to Network Information System security features used

The *yppasswd* client tried to use a wrong string as salt when checking passwords because it did not recognize the following situations:

* The NIS server was configured to use the `passwd.adjunct` map
* The variable "MERGE_PASSWD=false" was set in the NIS server's file `/var/yp/Makefile`

As a consequence, *yppasswd* failed with the following error message: "crypt() failed". The *yppasswd* client has been fixed to recognize these situations and now delegates the checks to the *yppasswdd* daemon running on the server.
Story Points: ---
Clone Of: 1297955
Environment:
Last Closed: 2017-08-01 16:14:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1297955
Bug Blocks: 1380359, 1393868

Description Petr Kubat 2016-12-05 09:09:47 UTC
+++ This bug was initially created as a clone of Bug #1297955 +++

Description of problem: 
When using passwd.adjunct map, yppasswd command fails with "crypt() failed" error, since it tries to use the "##user" string as salt. There's a patch, yp-tools-2.12-adjunct.patch, that attempts to fix this, but it gets it wrong.

Version-Release number of selected component (if applicable):
yp-tools-2.14-5 in Fedora 23, but also yp-tools-2.14-3.el7 in RHEL 7, and possibly other Fedora versions.

How reproducible:
Consistently fails when using passwd.adjunct.

Steps to Reproduce:
1. Set up passwd.adjunct map on NIS server
2. Run yppasswd command on NIS client (F23 or RHEL7)
3. Enter passwords when prompted

Actual results:
"crypt() failed" error in response to new passwords

Expected results:
Should accept password without checking against "##user" string, and generate correct salt before calling crypt()

Additional info:
yp-tools-2.12-adjunct-fix.patch (attached) fixes problem.  Use it instead of broken yp-tools-2.12-adjunct.patch file in src.rpm.
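
Added example, not part of this report and not the attached yp-tools patch: a C illustration of the decision the Doc Text describes, where a client classifies the password field from the NIS passwd map before it ever calls crypt(). The function names are hypothetical, the "x" placeholder for a map built with MERGE_PASSWD=false is an assumption, and the sample fields are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Where the old-password check should happen. */
enum pw_check { CHECK_LOCALLY, DELEGATE_TO_SERVER };

/* Traditional crypt(3) salt alphabet: [./0-9A-Za-z]. '#' is not in it. */
static bool salt_char_ok(char c) {
    static const char alphabet[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    return c != '\0' && strchr(alphabet, c) != NULL;
}

/* Can this passwd field be handed to crypt() as its salt/setting string? */
static bool usable_as_salt(const char *field) {
    if (field[0] == '$')                        /* "$id$salt$hash" form */
        return strchr(field + 1, '$') != NULL;
    return strlen(field) >= 2 && salt_char_ok(field[0]) && salt_char_ok(field[1]);
}

/* passwd.adjunct leaves "##<user>" in the passwd map instead of a hash. */
static bool is_adjunct_placeholder(const char *field, const char *user) {
    return strncmp(field, "##", 2) == 0 && strcmp(field + 2, user) == 0;
}

/* Decide who verifies the old password for this map entry. */
enum pw_check decide_check(const char *field, const char *user) {
    if (is_adjunct_placeholder(field, user))
        return DELEGATE_TO_SERVER;
    if (strcmp(field, "x") == 0)    /* assumed MERGE_PASSWD=false placeholder */
        return DELEGATE_TO_SERVER;
    if (!usable_as_salt(field))     /* never call crypt() with a bogus salt */
        return DELEGATE_TO_SERVER;
    return CHECK_LOCALLY;
}

int main(void) {
    /* Constructed sample fields, not taken from a real map. */
    const char *samples[] = { "##alice", "x", "$6$saltsalt$hashhash", "abJnggxhB/yWI" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i],
               decide_check(samples[i], "alice") == CHECK_LOCALLY ? "local" : "server");
    return 0;
}
```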

--- Additional comment from Gilbert E. Detillieux on 2016-11-24 11:01:11 EST ---

This bug still exists in RHEL7, and most likely in newer Fedora releases.

--- Additional comment from Petr Kubat on 2016-11-28 09:04:39 EST ---

Thanks for the report. I pushed the patch into rawhide and F25.

--- Additional comment from Gilbert E. Detillieux on 2016-12-02 14:21:03 EST ---

Any plans to make this update available for RHEL7?

Comment 26 errata-xmlrpc 2017-08-01 16:14:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1880