Bug 64234 - can't log in as NIS users
Status: CLOSED DUPLICATE of bug 54443
Product: Red Hat Linux
Classification: Retired
Component: ypbind
Version: 7.2
Hardware: i686 Linux
Priority: medium
Severity: medium
Assigned To: Alexander Larsson
Ben Levenson
Reported: 2002-04-29 19:00 EDT by Seth Master
Modified: 2007-04-18 12:42 EDT (History)
Last Closed: 2002-04-30 20:01:46 EDT
Description Seth Master 2002-04-29 19:00:31 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)

Description of problem:
unable to rlogin, rsh, ssh, and telnet into the machine with NIS users.



Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. try to ssh, rlogin, rsh, or telnet into the machine.

Actual Results:  it asks for username and password again.

Expected Results:  A NIS user should have been able to telnet, rsh, ssh, and rlogin into the box.

Additional info:

/var/log/messages shows:
Apr 29 15:56:24 reddog sshd(pam_unix)[1351]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ballad  user=smaster
Apr 29 15:56:33 reddog pam_rhosts_auth[1352]: denied to smaster@ballad as smaster: access not allowed
Apr 29 15:56:36 reddog rlogin(pam_unix)[1352]: authentication failure; logname= uid=0 euid=0 tty=rlogin ruser=smaster rhost=ballad  user=smaster
Apr 29 15:56:38 reddog in.rlogind[1352]: PAM authentication failed for in.rlogind
Apr 29 15:56:42 reddog login(pam_unix)[1353]: authentication failure; logname= uid=0 euid=0 tty=pts/1 ruser= rhost=ballad  user=smaster
Apr 29 15:56:44 reddog login[1353]: FAILED LOGIN 1 FROM ballad FOR smaster, Authentication failure
Apr 29 15:56:46 reddog login(pam_unix)[1353]: auth could not identify password for [smaster]
Apr 29 15:56:55 reddog pam_rhosts_auth[1354]: denied to smaster@ballad as smaster: access not allowed
Apr 29 15:56:57 reddog rlogin(pam_unix)[1354]: authentication failure; logname= uid=0 euid=0 tty=rlogin ruser=smaster rhost=ballad  user=smaster
Apr 29 15:57:00 reddog in.rlogind[1354]: PAM authentication failed for in.rlogind
Apr 29 15:57:44 reddog login(pam_unix)[1355]: auth could not identify password for [smaster]
Apr 29 15:57:44 reddog login[1355]: FAILED LOGIN 1 FROM ballad FOR smaster, Authentication failure
Apr 29 15:57:46 reddog login(pam_unix)[1355]: auth could not identify password for [smaster]
Apr 29 15:57:52 reddog login(pam_unix)[1362]: authentication failure; logname= uid=0 euid=0 tty=pts/1 ruser= rhost=ballad  user=smaster
Apr 29 15:57:55 reddog login[1362]: FAILED LOGIN 1 FROM ballad FOR smaster, Authentication failure

# telnet reddog
Trying 127.0.0.1...
Connected to reddog.
Escape character is '^]'.
Red Hat Linux release 7.2 (Enigma)
Kernel 2.4.7-10smp on an i686
login: smaster
Password: 
Login incorrect

login: smaster
Password: 
Login incorrect

login: 
Password: 

Login incorrect
Connection closed by foreign host.
# rsh reddog
Password: 
Password: 
Login incorrect

login: 
Password: 

Login incorrect
rlogin: connection closed.
# rlogin reddog
Password: 
Password: 
Login incorrect

login: 
Password: 

Login incorrect
rlogin: connection closed.
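Added example, not part of the original report: a small parser for the pam_unix "authentication failure" records quoted above that groups failures by user and service. A user who fails through several independent services (sshd, rlogin, login) points at the shared account lookup or PAM stack rather than at one daemon. The function names and the "localonly" record are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Records copied from the report's /var/log/messages excerpt (one per line);
# the final "localonly" record is constructed for contrast.
SAMPLE_LOG = """\
Apr 29 15:56:24 reddog sshd(pam_unix)[1351]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ballad  user=smaster
Apr 29 15:56:36 reddog rlogin(pam_unix)[1352]: authentication failure; logname= uid=0 euid=0 tty=rlogin ruser=smaster rhost=ballad  user=smaster
Apr 29 15:56:42 reddog login(pam_unix)[1353]: authentication failure; logname= uid=0 euid=0 tty=pts/1 ruser= rhost=ballad  user=smaster
Apr 29 15:56:46 reddog login(pam_unix)[1353]: auth could not identify password for [smaster]
Apr 29 16:02:10 reddog sshd(pam_unix)[1400]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ballad  user=localonly
"""

# <date> <host> <service>(pam_unix)[pid]: authentication failure; k=v k= ...
RECORD = re.compile(
    r"^\w{3}\s+\d+\s[\d:]+\s(?P<host>\S+)\s(?P<service>[\w.-]+)\(pam_unix\)"
    r"\[\d+\]:\sauthentication failure;\s(?P<rest>.*)$"
)
KV = re.compile(r"(\w+)=(\S*)")  # values may be empty, e.g. "logname= "


def parse_failures(text):
    """Yield one dict per pam_unix 'authentication failure' record."""
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            fields = dict(KV.findall(m.group("rest")))
            fields.update(host=m.group("host"), service=m.group("service"))
            yield fields


def services_by_user(text):
    """Map each failing user to the set of services that rejected them."""
    seen = defaultdict(set)
    for rec in parse_failures(text):
        seen[rec.get("user", "")].add(rec["service"])
    return dict(seen)


def cross_service_failures(text, min_services=2):
    """Users rejected by at least min_services distinct services."""
    by_user = services_by_user(text)
    return sorted(u for u, s in by_user.items() if len(s) >= min_services)


if __name__ == "__main__":
    for user in cross_service_failures(SAMPLE_LOG):
        print(user, sorted(services_by_user(SAMPLE_LOG)[user]))
```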
Comment 1 Alexander Larsson 2002-04-29 19:16:52 EDT
You need to enable nis in /etc/nsswitch.conf 
Comment 2 Seth Master 2002-04-29 19:23:11 EDT
/etc/nsswitch.conf is as follows.
passwd:     files nis
shadow:     files nis
group:      files nis
hosts:      files nis dns
bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files nis
rpc:        files
services:   files nis
netgroup:   files nis
#publickey:  nisplus
automount: 
aliases:    files
Comment 3 Nalin Dahyabhai 2002-04-30 14:22:46 EDT
Was NIS configured with authconfig or manually?  Is the ypbind service enabled
and running (/sbin/chkconfig ypbind on; /sbin/service ypbind restart)?  What do
"domainname" and "ypwhich" print?  Is the client system able to see the contents
of the server's passwd map (ypcat -k passwd)?
Comment 4 Nalin Dahyabhai 2002-04-30 14:26:58 EDT
Additionally, was the system configured with a firewall?  The default
firewalling options block all UDP traffic, which stops all RPC-based services
(like NIS) from working.
Comment 5 Seth Master 2002-04-30 15:44:05 EDT
the system was not configured with a firewall, or at least not in the installation process, but is there a way to check that post install?

ypcat -k password works correctly

If I am logged in as root on the console, I can su - jlevy for example and I will become the user and be in his homedir; we mount homedir from the fstab file instead of using automounter.

Both are correct:
# ypwhich 
ballad
# domainname
mtview.reasoning.com

# cat yp.conf
domain mtview.reasoning.com server 199.108.177.67

I removed some stuff from the listing, but left the important stuff
# chkconfig --list
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
random          0:off   1:off   2:on    3:on    4:on    5:on    6:off
ipchains        0:off   1:off   2:off   3:off   4:off   5:on    6:off
iptables        0:off   1:off   2:off   3:off   4:off   5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
identd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
ypbind          0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
rstatd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
rusersd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
vncserver       0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        rexec:  on
        rlogin: on
        rsh:    on
        ntalk:  on
        talk:   on
        telnet: on
Comment 6 Nalin Dahyabhai 2002-04-30 16:00:44 EDT
Does the second field of the user's entry in the NIS password table list the
crypted password ( ypmatch smaster passwd | cut -f2 -d: ), or is there something
else in the field?

You can check your firewall settings by running "ipchains -L" (or "iptables -L",
if your firewall was configured to use iptables instead of ipchains).
Comment 7 Seth Master 2002-04-30 16:06:33 EDT
ypmatch smaster passwd does show the 2nd field encrypted passwd
Comment 8 Nalin Dahyabhai 2002-04-30 16:52:05 EDT
Please double-check that the crypted field is correct. Run:
python -c 'import crypt; print(crypt.crypt("PASSWORD", "SALT"))'
substituting the user's password for PASSWORD, and the value obtained from ypcat
for SALT, and comparing the output to the value of the field.  It should match
exactly.
Comment 9 Seth Master 2002-04-30 17:01:19 EDT
ok, it matches exactly
Comment 10 Nalin Dahyabhai 2002-04-30 17:18:48 EDT
Have the PAM configuration files been modified from their defaults at all?  Are
NIS users able to log in at the system console?
Comment 11 Seth Master 2002-04-30 17:47:24 EDT
No, the PAM stuff is from the default install.
NIS users are not able to log in at the console either.
The only way in is ssh -l root <servername> from another machine.

But if I'm logged in at the console as root, and su - jlevy, which is a NIS user, I do get logged in as the user, with his environment, and his homedir.
Comment 12 Nalin Dahyabhai 2002-04-30 18:04:11 EDT
Does the user's password have more than eight characters in it?  If so, has the
errata from http://www.redhat.com/support/errata/RHBA-2001-149.html (which
itself updates http://www.redhat.com/support/errata/RHBA-2001-127.html) been
applied?
Comment 13 Seth Master 2002-04-30 20:01:11 EDT
Well, that solved the problem! Thanks, and I thought we were going to discover a bug.

Now, how does a person normally get notified, receive, and update their machines with errata fixes?
Comment 14 Nalin Dahyabhai 2002-05-01 08:44:35 EDT
Notifications for all errata go to redhat-watch-list@redhat.com, which you can
subscribe to at https://listman.redhat.com/mailman/listinfo/redhat-watch-list;
errata are also available via Red Hat Network (which you can sign up to use by
running 'rhn_register') and the main web site at http://www.redhat.com/errata/.

*** This bug has been marked as a duplicate of 54443 ***
