Red Hat Bugzilla – Bug 678318
nss_nis client generates refused connect to procedure ypproc_match errors on NIS server
Last modified: 2016-11-24 11:11:08 EST
Created attachment 479346
patch for ADJUNCT_AS_SHADOW

Description of problem:
The nss_nis client code in glibc tries to read the passwd.adjunct table if it sees ##username in the password field of a passwd entry. The passwd.adjunct table is typically restricted on the NIS server to privileged ports from the client, so normal users cannot read the passwd.adjunct table. The NIS server logs an error if a normal user (coming from a port >1024) tries to read passwd.adjunct:

Feb 16 22:55:00 vm116 ypserv[2722]: refused connect from 10.12.58.117:34419 to procedure ypproc_match (foonis,passwd.adjunct.byname;-1)

Every time a normal user needs to look up a username, e.g., 'id', 'ls -l', 'ps aux', and more, the server logs this error message. In addition to filling up the NIS server logs with these messages, it also hurts performance on the NIS clients since they're doing needless lookups.

An upstream patch added an ADJUNCT_AS_SHADOW feature to glibc:
http://sourceware.org/bugzilla/show_bug.cgi?id=11134
http://sourceware.org/git/?p=glibc.git;a=commit;h=71170aa0a956c59d8bad0cf6f5ed31d78c90e332

This feature solves both problems -- error logs and performance -- by only looking at passwd.adjunct when it's actually necessary, i.e., during authentication.

Version-Release number of selected component (if applicable):
glibc-2.5-58

How reproducible:
every time

Steps to Reproduce:
1. configure a NIS server to use passwd.adjunct tables for encrypted passwords
   https://access.redhat.com/kb/docs/DOC-44987
2. configure the NIS client to use the server
3. login as a regular user
4. run some commands like 'id' and 'ls -l' as the regular user while watching /var/log/messages on the NIS server

Actual results:
many errors 'refused connect from IP:PORT to procedure ypproc_match' in the logs

Expected results:
no errors

Additional info:
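A small triage script for the ypserv log noise described above, added here as an example and not part of the bug report or of glibc. It parses "refused connect" lines, keeps only refusals of passwd.adjunct.byname, and counts them per client split by source port: refusals from unprivileged ports (>= 1024) are the needless nss_nis lookups this bug is about, while refusals from privileged ports are the ones an administrator should actually investigate. The sample log lines are constructed from the format quoted in the report; the client addresses other than 10.12.58.117 are made up.

```python
import re
from collections import Counter

# Line shape taken from the ypserv message quoted in the bug report.
REFUSED_RE = re.compile(
    r"ypserv\[\d+\]: refused connect from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"to procedure (?P<proc>\w+) \((?P<domain>[^,]+),(?P<map>[^;]+);(?P<rc>-?\d+)\)"
)

# Constructed sample: two unprivileged-port refusals from one client, one
# privileged-port refusal, one refusal of a different map, one unrelated line.
SAMPLE_LOG = """\
Feb 16 22:55:00 vm116 ypserv[2722]: refused connect from 10.12.58.117:34419 to procedure ypproc_match (foonis,passwd.adjunct.byname;-1)
Feb 16 22:55:03 vm116 ypserv[2722]: refused connect from 10.12.58.117:34420 to procedure ypproc_match (foonis,passwd.adjunct.byname;-1)
Feb 16 22:55:09 vm116 ypserv[2722]: refused connect from 10.12.58.118:1012 to procedure ypproc_match (foonis,passwd.adjunct.byname;-1)
Feb 16 22:55:12 vm116 ypserv[2722]: refused connect from 10.12.58.119:40001 to procedure ypproc_all (foonis,passwd.byname;-1)
Feb 16 22:55:15 vm116 sshd[3001]: Accepted password for ralph from 10.12.58.120 port 50022 ssh2
"""


def parse_refused(line):
    """Return the fields of a ypserv 'refused connect' line, or None for other lines."""
    m = REFUSED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["rc"] = int(rec["rc"])
    return rec


def classify_adjunct_refusals(log_text, adjunct_map="passwd.adjunct.byname"):
    """Count refused lookups of the adjunct map per client IP.

    Unprivileged source ports are the expected nss_nis noise from ordinary
    name lookups; privileged-port refusals mean a root-level lookup was
    turned away and deserve attention.
    """
    unprivileged = Counter()
    privileged = Counter()
    for line in log_text.splitlines():
        rec = parse_refused(line)
        if rec is None or rec["map"] != adjunct_map:
            continue
        (unprivileged if rec["port"] >= 1024 else privileged)[rec["ip"]] += 1
    return {"unprivileged": dict(unprivileged), "privileged": dict(privileged)}
```

Run it against /var/log/messages from the NIS server; a large "unprivileged" count per client with an empty "privileged" bucket matches the behaviour this bug describes.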
There are two identical chunks of the patch that are not valid anymore: - buffer[len] = '\0'; + if (__builtin_expect (adjunct_used, false)) + /* This is an ugly trick. The format of passwd.adjunct.byname almost + matches the shadow.byname format except that the last two fields + are missing. Synthesize them by marking them empty. */ + strcpy (&buffer[len], "::"); + else + buffer[len] = '\0'; Solaris now uses 9 fields in shadow and passwd.adjunct just like Linux. http://download.oracle.com/docs/cd/E18752_01/html/816-5174/shadow-4.html
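Review bot: the added branch writes three bytes ("::" plus the terminating NUL) at &buffer[len] where the old code wrote one, so the caller's buffer-length check has to allow for two extra bytes or strcpy can run past the end of buffer; since the comment notes that passwd.adjunct now carries the same 9 fields as shadow, the simpler change is to drop the adjunct_used branch and keep `buffer[len] = '\0';` unconditionally, which also avoids turning a 9-field entry into 11 fields.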
Created attachment 502123
patch for ADJUNCT_AS_SHADOW modified

Here is an updated patch without the "dirty trick" to add two colons to the passwd.adjunct entries. It works for me with 8 colons in the table:

[root@localhost ~]# ypmatch ralph passwd.adjunct.byname
ralph:REDACTED:::::::
[root@localhost ~]# ypmatch ralph passwd.adjunct.byname | awk -F: '{print NF}'
9
[root@localhost ~]# ssh ralph@localhost
ralph@localhost's password:
Last login: Tue May 31 16:27:01 2011 from localhost.localdomain
[ralph@localhost ~]$
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0260.html