The /var/yp/Makefile that ships with Red Hat 6.0 expects shadowed passwd and group files on the YP server. An application called /usr/lib/yp/yphelper, called from /var/yp/Makefile, is supposed to merge the information from /etc/passwd and /etc/shadow to make the passwd maps, and /etc/group and /etc/gshadow to make the group maps. However, yphelper doesn't seem to be doing its job; it produces passwd maps with x's for all passwords, preventing logins on YP client machines. (Similar behavior happens when merging /etc/group and /etc/gshadow, but this is less critical.) A workaround is to set MERGE_PASSWD and MERGE_GROUP to false in /var/yp/Makefile, and to unshadow the passwd and group files. This produces valid passwd and group maps, at the expense of doing away with /etc/shadow and /etc/gshadow on the YP server. This happens whether the system is configured for traditional crypted passwords or MD5 passwords.
This bug has SEVERE security problems. If you export a password entry containing 'x' as the password then on all computers using this ypserver that user can log in without any password at all! I've fixed this bug by recompiling the yphelper source file in the ypserv RPM. I've placed the fixed source code file and compiled executable onto the local anon ftp server at: ftp://ettin.pa.msu.edu:/pub/ypserv-bug-fix I don't know exactly how you need to package it for an "official" RPM update so if RedHat can either let me know or just make it themselves from the source code. The fix is just adding a test for 'x' as a password entry. Hope this helps, Roger
This is fixed in ypserv-1.3.6.92 (RPM currently in rawhide.)
This appears to be fixed in ypserv-1.3.6.92. Please reopen if I'm wrong.