Nsswitch.conf

Hi everyone,
I'm going to start by mentioning that I'm new to Solaris. I've mostly been an Arch Linux user thus far. Now I've built a new fileserver and decided to run Solaris because I felt that ZFS had a lot to offer, and I'm playing with the idea of moving my webserver into a zone on this new box in order to take the dedicated system offline, as it's underutilized.
The main things I need so far are Kerberos for Active Directory integration and SMB for file sharing. This seems fairly simple to me, and nothing I haven't done on a typical Linux system,
but I'm having problems. Getting things going has not been as painless as I expected; I've hit a learning curve, so to speak, and I'm having a few issues.
I'm going to start with winbind.
How do I configure nsswitch.conf so that it doesn't get reset after I reboot the system?
Every time I boot, I have to reconfigure it and restart winbind in order to get anything listed with getent.
The other thing is that when I run getent passwd, I see my AD users listed, but when I run getent group, I only see the local groups; nothing from AD appears.

I took another stab at the kclient config. I'd like to know what I'm missing here, though.
solaris@srv-data:~$ sudo svccfg -s network/dns/client setprop config/nameserver = net_address: "(10.66.1.1 10.66.1.9)"
Password:
solaris@srv-data:~$ sudo svccfg -s network/dns/client setprop config/domain = astring: "sergeinc.org
solaris@srv-data:~$ sudo svccfg -s network/dns/client setprop config/domain = astring: "sergeinc.org"
solaris@srv-data:~$ sudo svccfg -s network/dns/client setprop config/search = astring: "sergeinc.org"
solaris@srv-data:~$ sudo svccfg -s network/dns/client setprop config/host = astring: '("files" "dns")'
solaris@srv-data:~$ sudo nscfg export svc:/network/dns/client:default
solaris@srv-data:~$ cat /etc/resolv.conf
#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
# DO NOT EDIT THIS FILE. EDITS WILL BE LOST.
# See resolv.conf(4) for details.
domain  sergeinc.org
search  sergeinc.org
nameserver      10.66.1.1
nameserver      10.66.1.9
solaris@srv-data:~$ cat /etc/nsswitch.conf
#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
# DO NOT EDIT THIS FILE. EDITS WILL BE LOST.
# See nsswitch.conf(4) for details.
passwd: files winbind
group:  files winbind
hosts:  files dns mdns
ipnodes:        files dns mdns
networks:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
bootparams:     files
publickey:      files
netgroup:       files
automount:      files
aliases:        files
services:       files
printers:       user files
project:        files
auth_attr:      files
prof_attr:      files
tnrhtp: files
tnrhdb: files
sudoers:        files
solaris@srv-data:~$ sudo svccfg -s name-service/switch setprop config/host = astring: '("files dns")'
solaris@srv-data:~$ sudo svccfg -s name-service/switch setprop config/ipnodes = astring: '("files dns")'
solaris@srv-data:~$ sudo svcadm refresh svc:/system/name-service/switch:default
solaris@srv-data:~$ cat /etc/nsswitch.conf
#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
# DO NOT EDIT THIS FILE. EDITS WILL BE LOST.
# See nsswitch.conf(4) for details.
passwd: files winbind
group:  files winbind
hosts:  files dns
ipnodes:        files dns
networks:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
bootparams:     files
publickey:      files
netgroup:       files
automount:      files
aliases:        files
services:       files
printers:       user files
project:        files
auth_attr:      files
prof_attr:      files
tnrhtp: files
tnrhdb: files
sudoers:        files
solaris@srv-data:~$ sudo cp /etc/krb5/krb5.conf /etc/krb5/krb5.conf.backup
solaris@srv-data:~$ kclient
Can not create directory: /system/volatile/kclient
solaris@srv-data:~$ sudo kclient
Starting client setup
Is this a client of a non-Solaris KDC ? [y/n]: y
Which type of KDC is the server:
ms_ad: Microsoft Active Directory
mit: MIT KDC server
heimdal: Heimdal KDC server
shishi: Shishi KDC server
Enter required KDC type: ms_ad
Setting up /etc/krb5/krb5.conf.
Attempting to join 'SRV-DATA' to the 'SERGEINC.ORG' domain.
Password for [email protected]:
Forest name found: sergeinc.org
Site name not found.  Local DCs/GCs will not be discovered.
Computer account 'SRV-DATA' already exists in the 'SERGEINC.ORG' domain.
Do you wish to recreate this computer account ? [y/n]: y
Would you like to delete any sub-object found for this computer account ? [y/n]: y
Looking to see if the machine account contains other objects...
Creating the machine account in AD via LDAP.
Warning: unable to create DNS records for client.
This could mean that 'srv-ad.sergeinc.org' is not included as a 'nameserver' in the /etc/resolv.conf file or some other type of error.
Setup COMPLETE.
So that all seemed well... but then, after a reboot:
solaris@srv-data:~$ cat /etc/nsswitch.conf
#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
# DO NOT EDIT THIS FILE. EDITS WILL BE LOST.
# See nsswitch.conf(4) for details.
passwd: files
group:  files
hosts:  files dns mdns
ipnodes:        files dns mdns
networks:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
bootparams:     files
publickey:      files
netgroup:       files
automount:      files
aliases:        files
services:       files
printers:       user files
project:        files
auth_attr:      files
prof_attr:      files
tnrhtp: files
tnrhdb: files
sudoers:        files
solaris@srv-data:~$ cat /etc/resolv.conf
#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
# DO NOT EDIT THIS FILE. EDITS WILL BE LOST.
# See resolv.conf(4) for details.
domain  sergeinc.org
nameserver      10.66.1.1
solaris@srv-data:~$

Similar Messages

  • NIS+ and nsswitch.conf settings

    I am pretty new to NIS+, but I'm investigating setting it up in our environment to help alleviate management of various files on a per-system basis. For NIS+, there is the concept of a master server and a replica server. If the master server goes down, then the replica takes over.
    If for any reason both master and replica servers are down, then the /etc/nsswitch.conf file determines the order of precedence. The entry for passwd in the nsswitch.conf file is:
    passwd: files nisplus
    One of my goals in setting up NIS+ is to alleviate having to manage a password file for each machine. If for some reason both of my NIS+ servers are down, it will revert back to the /etc/passwd file. Does this mean I would still need to have an /etc/passwd on each machine as a safeguard? Or does NIS+ perform some kind of syncing mechanism to maintain local consistency of files for clients?
    Many Thanks

    Nope, he was right. If you look at the /etc/nsswitch.conf (or nsswitch.nisplus if you haven't moved it in yet) you'll see the entry:
    passwd: files nisplus
    The order of the lookup is "files" (which is your /etc/passwd file) first, and then, if it can't find the entry there, it will go out to the NIS+ server. So essentially you'd take the users you want to use NIS out of the client passwd file and put them into the NIS+ passwd file.
    I think the problem you're having is that you still want the users to have access to the client and its resources even if the master and secondary servers go down. That's just not possible. The master and replica servers are there to provide the functionality of centralized user management. If that functionality is lost, then naturally you will see degradation in the quality of service you provide to the end user. So if both servers do go down, then your users will also be down. That is why there is redundancy built into the NIS+ system: if one of the NIS+ servers goes down, the client has a secondary server it can contact and authenticate to. The theory is that you can get the primary server back up and running while your secondary server handles the load. If you are concerned about the master and secondary server going down at the same time, then please note that you can have more than one secondary NIS+ server.
    Daryl

  • Question about 'hosts: cluster' entry in /etc/nsswitch.conf

    Hi~
    My system has the entry "hosts: cluster files dns" in /etc/nsswitch.conf.
    I know 'files' means /etc/hosts.
    I want to know what file 'cluster' refers to.
    Thanks,

    'cluster' denotes internal lookups, i.e. no file on the file system. If I recall correctly, it allows the system to look up the cluster interconnect private addresses.
    Tim
    ---

  • Configure resolv.conf nsswitch.conf etc to search .local

    After installing a new router I find I cannot ping hosts on my local network using just the simple hostname.
    I used to be able to ping myhost, but now I find I need to ping myhost.local.
    My nsswitch.conf hosts line looks like
    hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname wins
    I tried adding various search values to  /etc/resolv.conf, but couldn't find one that worked.
    Is there a way to get the .local domain searched, my router (although expensive) doesn't seem to facilitate this?

    After some digging in the nss-mdns package source I find that the option to respect resolv.conf search domains is turned off in the Arch build. However, a simple patch to nss.c seems to fix things up fairly easily. A more complex one would be required to respect the /etc/mdns.allowed file domains. It seems like such an obvious thing to do for domainless searches that I wonder why this wasn't done by the original author.
    $ diff nss.c.orig nss.c
    380a381,407
    > if (u.count == 0 && avahi_works && !strstr(name, ".")) {
    > const char *p="local";
    > int fullnamesize;
    > char *fullname;
    > fullnamesize = strlen(name) + strlen(p) + 2;
    > if ((fullname = malloc(fullnamesize))){
    > snprintf(fullname, fullnamesize, "%s.%s", name, p);
    > if (verify_name_allowed(fullname)) {
    > int r;
    > if ((r = avahi_resolve_name(af, fullname, data)) < 0) {
    > /* Lookup failed */
    > avahi_works = 0;
    > }
    > else if (r == 0) {
    > /* Lookup succeeded */
    > if (af == AF_INET && ipv4_func)
    > ipv4_func((ipv4_address_t*) data, &u);
    > if (af == AF_INET6 && ipv6_func)
    > ipv6_func((ipv6_address_t*)data, &u);
    > }
    > else
    > /* Lookup suceeded, but nothing found */
    > status = NSS_STATUS_NOTFOUND;
    > }
    > free(fullname);
    > }
    > }
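    Review bot: the suffix is hard-coded (`const char *p="local";`) rather than taken from the resolv.conf search list, so this patch makes dot-less names resolve as `name.local` and nothing else; the `search` entries the post set out to honour are still never consulted, and if that is the goal the suffix should come from the resolver configuration (iterating its search list) instead of one fixed label. Two further points on the same block: the lookup now fires for every dot-less name that nothing earlier matched, so each miss becomes a multicast query that any host on the segment may answer, and with `mdns4_minimal [NOTFOUND=return]` placed ahead of `dns` in the poster's hosts line, a `status = NSS_STATUS_NOTFOUND` from this block ends the switch before DNS is tried; worth confirming that unresolved short names still fall through to DNS after the patch. The added lines also carry no indentation relative to the surrounding function, which makes the diff hard to review.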

  • Trouble using nsswitch.conf

    Hello,
    In order to run some LDAP replication tests, I need to give an LDAP service a fake IP address for a known host. It used to work on previous versions of Solaris.
    My nsswitch.conf file defines hosts as:
    hosts: files dns
    On Solaris 9, if I define in /etc/hosts
    1.2.3.4 www.sun.com
    and I telnet to www.sun.com
    host# telnet www.sun.com
    Trying 1.2.3.4...
    I get the correct answer.
    On a Solaris 10 box, there is always a DNS request and the /etc/hosts file is ignored.
    I tried to invalidate the nscd cache with nscd -i hosts, but I still get the same behaviour.
    Any idea ?
    Regards,
    Fred.

    The problem may not be with /etc/hosts.
    This is actually a link to /etc/inet/hosts and you will also notice the file /etc/inet/ipnodes. If there is an entry in /etc/inet/ipnodes for the host in question, it will get read before /etc/inet/hosts.
    At least this is what I encountered when trying to change the IP address of my system, not realizing that in Solaris 10 my host was included in this file even though under Solaris 9 it was only in /etc/inet/hosts.

  • Nsswitch.conf after reboot delete my modification

    Hi.
    I need the line "files winbind" in nsswitch.conf to enable login of Samba/AD users.
    I did this:
    svccfg -s svc:/system/name-service/switch:default
    setprop config/password = astring: "files winbind"
    setprop config/group = astring: "files winbind"
    validate
    refresh
    svcadm refresh svc:/system/name-service/switch:default
    and then I checked winbind:
    grep winbind /etc/nsswitch.conf
    and it returned the lines OK.
    But on reboot the changes are missing!
    Why?

    Certainly because the NWAM service is running.
    Check if svc:/network/location:default is enabled.
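    The following script is an added example, not code from this poster or from the original post above; it covers both the svccfg procedure shown in the original post and the reboot symptom asked about here. The switch decides which identity store answers getpwnam() and initgroups(), so a configuration that silently reverts at boot is drift worth detecting, not just an annoyance. It assumes Solaris 11 with svccfg(1M), svcadm(1M) and netadm(1M), the property names config/password, config/group and config/host on svc:/system/name-service/switch, and the TYPE/PROFILE/STATE column layout of `netadm list -x`; only the helpers that touch the live system depend on those, and DRYRUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: persist winbind in the Solaris 11 name-service switch via
# SMF, keep NWAM from rewriting it at boot, and verify the generated file
# after a reboot. Assumptions (Solaris 11 commands, SMF property names,
# `netadm list -x` column layout) are noted in the lead-in; DRYRUN=1 prints
# the privileged commands instead of executing them.

run() {
    if [ -n "${DRYRUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

SWITCH=svc:/system/name-service/switch:default

# Store the source lists in SMF: /etc/nsswitch.conf is regenerated from
# these properties on refresh, so hand edits to the file never stick.
# The inner double quotes reach svccfg so "files winbind" parses as one value.
set_switch() {
    run svccfg -s "$SWITCH" setprop config/password = astring: '"files winbind"'
    run svccfg -s "$SWITCH" setprop config/group = astring: '"files winbind"'
    run svccfg -s "$SWITCH" setprop config/host = astring: '"files dns"'
    run svcadm refresh "$SWITCH"
}

# Under the Automatic (NWAM) network configuration profile the active
# location rewrites nsswitch.conf and resolv.conf at boot, which is the
# reboot symptom in this thread. DefaultFixed leaves the SMF properties alone.
ensure_fixed_ncp() {
    run netadm enable -p ncp DefaultFixed
}

# Print the NCP currently online (assumes TYPE PROFILE STATE columns).
active_ncp() {
    netadm list -x 2>/dev/null | awk '$1 == "ncp" && $3 == "online" { print $2 }'
}

# nss_sources FILE DB: print the sources configured for DB in an
# nsswitch.conf-format file, ignoring comments and [STATUS=action] criteria.
nss_sources() {
    awk -v db="$2" '
        /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/#.*/, "", line)                 # trailing comment
            if (line !~ ("^[[:space:]]*" db "[[:space:]]*:")) next
            sub(/^[^:]*:/, "", line)             # drop the "db:" key
            gsub(/\[[^]]*\]/, "", line)          # drop [NOTFOUND=return] etc.
            n = split(line, f, /[[:space:]]+/)
            out = ""
            for (i = 1; i <= n; i++)
                if (f[i] != "") out = out (out == "" ? "" : " ") f[i]
            print out
            exit
        }' "$1"
}

# nss_has FILE DB SRC: succeed if SRC is one of DB's sources.
nss_has() {
    for s in $(nss_sources "$1" "$2"); do
        [ "$s" = "$3" ] && return 0
    done
    return 1
}

# nss_check FILE "DB:SRC ...": report each required source that is
# missing; succeed only if all are present. Run it after every reboot.
nss_check() {
    rc=0
    for want in $2; do
        db=${want%%:*}
        src=${want#*:}
        if ! nss_has "$1" "$db" "$src"; then
            echo "DRIFT: $db lacks '$src' (now: '$(nss_sources "$1" "$db")')"
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    apply) set_switch && ensure_fixed_ncp ;;
    check) echo "active NCP: $(active_ncp)"
           nss_check "${2:-/etc/nsswitch.conf}" "passwd:winbind group:winbind hosts:dns" ;;
    *)     echo "usage: $0 apply | check [nsswitch.conf]" ;;
esac
```

    Run `apply` from the console or a session that does not depend on an NWAM-managed address: enabling DefaultFixed drops the interface configuration NWAM was managing, so plumb the address with ipadm(1M) straight afterwards. If you would rather stay on the Automatic NCP, the alternative is to give the active location its own name-service settings with netcfg(1M), so that what it writes at boot is what you want. After a reboot, `check /etc/nsswitch.conf` confirms winbind survived; the `DRIFT:` lines are a reasonable thing to alert on from a boot-time job.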

  • My file nsswitch.conf says files only

    Hello Lee, how can I change it to files dns? Thanks, thanks, thanks!

    Make sure that you have a name server specified in /etc/resolv.conf and that this DNS server is reachable from your host. Add "dns" to the line "host: files" in the /etc/nsswitch.conf file. The line should look like "host: files dns" after you save your nsswitch.conf file. You may need to reboot your host.

  • Nsswitch.conf modification requires reboot?

    I have a couple of Solaris 10 SPARC machines running. I am trying to modify nsswitch.conf to add/remove the dns entry for hosts. It seems that this cannot be done on the fly as it could be in previous versions (9, 8, 7).
    Many posts I have seen have provided one of the two following options:
    Modify nsswitch.conf and reboot.
    sys-unconfig and reboot.
    Neither of these is really a valid option on any machine that is not just the average desktop, and even then it is arguable that a simple change like this should not require a reboot. I have tried bouncing nscd and/or name-services with svcadm, but no luck.
    Anyone know how I can make changes to nsswitch.conf and have them take place without a reboot? Also, is there something in 10 that caches names besides nscd? Does it have a restart or flush option?
    Thanks!

    Changes to nsswitch.conf take effect immediately.
    If you change the IP address for a host, you may have to wait for up to an hour to see the new value, as the NSCD (Name Service Cache Daemon) may have the old value cached.
    In this case, the easiest thing to do is invalidate the NSCD hosts cache, using nscd -i hosts.
    BTW - Do not disable the nscd. It's saving you a lot of overhead. You can see what it's doing by using nscd -g.
    There's no point in rebooting unless you're changing the IP address of your host. In that case, after changing /etc/hosts, you can either ifconfig the new address on to your interface (and possibly reconnect) or reboot.

  • LDAP, reboots, nsswitch.conf

    I've seen other questions on LDAP, but not with these symptoms.
    I have an LDAP server (Linux) and an iMac with 10.5 as a client.
    - After a fresh install I set up the client with Directory Utility to do user name lookups on the server. It works.
    - I reboot the client. LDAP no longer works.
    - I delete, and re-add, the info in Directory Utility. It still does not work.
    - I delete the info in Directory Utility. I reboot. I then re-add the info in Directory Utility. It works again.
    ldapsearch always works after adding the info in Directory Utility. It looks like it 'forgets' that I want the user lookup to use LDAP across reboots. That information, incidentally, is usually contained in nsswitch.conf in a Linux/UNIX system.
    Anyone know what is going on? Also, how does 10.5 know that user info should be looked up in LDAP? Or is an LDAP search always done?

    I too would like to know what the OS X equivalent of the nsswitch.conf file is... we're trying to set up Kerberos for single sign-on into our Windows AD domain.

  • Solaris 11 Express - nsswitch.conf settings lost after system reboot

    I have made the following changes to my /etc/nsswitch.conf file below. Everything works until I reboot the system; then I look in the nsswitch.conf file and see that the settings are back to default. What am I doing wrong?
    Changes
    passwd: files winbind
    group: files winbind
    Default
    passwd: files
    group: files

    Hi,
    please use the search function.
    Have a look at the 2nd last post:
    Re: resolv.conf - blank every new start of machine or waking up from sleep
    Bye

  • Pam.conf does not use ldap for password length check when changing passwd

    I have already posted this in the Directory Server forum, but since it is to do with PAM not using LDAP I thought there might be some PAM experts who check this forum.
    I have dsee 6.0 installed on a solaris 10 server (client).
    I have a solaris 9 server (server) set up to use ldap authentication.
    bash-2.05# cat /var/ldap/ldap_client_file
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= X, Y
    NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
    NS_LDAP_CACHETTL= 43200
    NS_LDAP_PROFILE= tls_profile
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_BIND_TIME= 10
    bash-2.05# cat /var/ldap/ldap_client_cred
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
    NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
    bash-2.05# cat /etc/nsswitch.conf
    # /etc/nsswitch.ldap:
    # An example file that could be copied over to /etc/nsswitch.conf; it
    # uses LDAP in conjunction with files.
    # "hosts:" and "services:" in this file are used only if the
    # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
    # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
    passwd: files ldap
    group: files ldap
    # consult /etc "files" only if ldap is down.
    hosts: files dns
    ipnodes: files
    # Uncomment the following line and comment out the above to resolve
    # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
    # IPv4 addresses are searched in all of the ipnodes databases before
    # searching the hosts databases. Before turning this option on, consult
    # the Network Administration Guide for more details on using IPv6.
    #ipnodes: ldap [NOTFOUND=return] files
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    netgroup: ldap
    automount: files ldap
    aliases: files ldap
    # for efficient getservbyname() avoid ldap
    services: files ldap
    sendmailvars: files
    printers: user files ldap
    auth_attr: files ldap
    prof_attr: files ldap
    project: files ldap
    bash-2.05# cat /etc/pam.conf
    #ident "@(#)pam.conf 1.20 02/01/23 SMI"
    # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # PAM configuration
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1 debug
    login auth required pam_dhkeys.so.1 debug
    login auth required pam_dial_auth.so.1 debug
    login auth binding pam_unix_auth.so.1 server_policy debug
    login auth required pam_ldap.so.1 use_first_pass debug
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1 use_first_pass
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_auth.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1 use_first_pass
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authenctication
    other auth requisite pam_authtok_get.so.1 debug
    other auth required pam_dhkeys.so.1 debug
    other auth binding pam_unix_auth.so.1 server_policy debug
    other auth required pam_ldap.so.1 use_first_pass debug
    # passwd command (explicit because of a different authentication module)
    passwd auth binding pam_passwd_auth.so.1 server_policy debug
    passwd auth required pam_ldap.so.1 use_first_pass debug
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_projects.so.1
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1 debug
    other account required pam_projects.so.1 debug
    other account binding pam_unix_account.so.1 server_policy debug
    other account required pam_ldap.so.1 no_pass debug
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1 debug
    other password requisite pam_authtok_get.so.1 debug
    other password requisite pam_authtok_check.so.1 debug
    other password required pam_authtok_store.so.1 server_policy debug
    # Support for Kerberos V5 authentication (uncomment to use Kerberos)
    #rlogin auth optional pam_krb5.so.1 try_first_pass
    #login auth optional pam_krb5.so.1 try_first_pass
    #other auth optional pam_krb5.so.1 try_first_pass
    #cron account optional pam_krb5.so.1
    #other account optional pam_krb5.so.1
    #other session optional pam_krb5.so.1
    #other password optional pam_krb5.so.1 try_first_pass
    I can ssh into the client as user VV, which does not exist locally but exists in the directory server. This is from /var/adm/messages on the LDAP client:
    May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
    May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
    May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
    May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
    May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
    May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
    May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
    May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
    May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
    May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
    May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
    If I then try to change the password with the `passwd` command, it does not use the password policy on the directory server but the default defined in /etc/default/passwd:
    bash-2.05$ passwd
    passwd: Changing password for VV
    Enter existing login password:
    New Password:
    passwd: Password too short - must be at least 8 characters.
    Please try again
    May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
    May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
    May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
    May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
    May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
    May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
    May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
    I am using the default policy on the directory server which states a minimum password length of 6 characters.
    server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
    pwd-accept-hashed-pwd-enabled : N/A
    pwd-check-enabled : off
    pwd-compat-mode : DS6-mode
    pwd-expire-no-warning-enabled : on
    pwd-expire-warning-delay : 1d
    pwd-failure-count-interval : 10m
    pwd-grace-login-limit : disabled
    pwd-keep-last-auth-time-enabled : off
    pwd-lockout-duration : disabled
    pwd-lockout-enabled : off
    pwd-lockout-repl-priority-enabled : on
    pwd-max-age : disabled
    pwd-max-failure-count : 3
    pwd-max-history-count : disabled
    pwd-min-age : disabled
    pwd-min-length : 6
    pwd-mod-gen-length : 6
    pwd-must-change-enabled : off
    pwd-root-dn-bypass-enabled : off
    pwd-safe-modify-enabled : off
    pwd-storage-scheme : CRYPT
    pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
    pwd-strong-check-enabled : off
    pwd-strong-check-require-charset : lower
    pwd-strong-check-require-charset : upper
    pwd-strong-check-require-charset : digit
    pwd-strong-check-require-charset : special
    pwd-supported-storage-scheme : CRYPT
    pwd-supported-storage-scheme : SHA
    pwd-supported-storage-scheme : SSHA
    pwd-supported-storage-scheme : NS-MTA-MD5
    pwd-supported-storage-scheme : CLEAR
    pwd-user-change-enabled : off
    Whereas /etc/default/passwd on the LDAP client says passwords must be 8 characters. This is seen with "pam_authtok_check: minimum length from /etc/default/passwd: 8". It is clearly not using the policy from the directory server but checking locally. So I can log in OK using the LDAP server for authentication, but when I try to change the password it does not use the policy from the server, which says I only need a minimum length of 6 characters.
    I have read that pam_ldap is only supported for Directory Server 5.2. Because I am running DS6 with password compatibility in DS6 mode, maybe this is my problem. Does anyone know of any updated pam_ldap modules for Solaris 9?
    Edited by: ericduggan on Sep 8, 2008 5:30 AM

    You can try passwd -r ldap for changing the LDAP passwords...

  • Nsswitch doesn't run PADL's nss_ldap.so

    Hi, all!
    I've really broken my brain.
    I've successfully compiled PADL's nss_ldap-253 with openldap-2.3.21 and openssl-0.9.7i, all linked statically.
    /etc/nsswitch.conf reads "passwd: files ldap". nss_ldap.so was copied to /usr/lib/nss_ldap.so.1.
    When I run `getent passwd`, it displays the content of /etc/passwd only and exits with code 0. truss shows that it opens /usr/lib/nss_ldap.so.1, but it doesn't run any functions, not even nssldap_passwd_constr().
    I've downloaded a ready-to-use nss_ldap.so.1 from www.symas.com and it works fine. It frustrates and encourages me. I cannot understand what is wrong with my build.
    I have a Sun Fire V240, Solaris 9 9/05, GCC 3.4.2.
    openssl-0.9.7i:
    # ./config no-hw threads
    # make ; make install
    openldap-2.3.21:
    # ./configure --disable-ipv6 --disable-slapd --disable-slurpd --disable-shared --without-cyrus-sasl \
    --with-tls CPPFLAGS=-I/usr/local/ssl/include LDFLAGS=-L/usr/local/ssl/lib
    # make depend ; make ; make install
    nss_ldap-253:
    # CPPFLAGS=-I/usr/local/ssl/include LDFLAGS=-L/usr/local/ssl/lib LIBS="-lssl -lcrypto" \
    ./configure --with-ldap-dir=/usr/local --with-ldap-lib=openldap --enable-rfc2307bis \
    --with-ldap-conf-file=/etc/ldap.conf --with-ldap-secret-file=/etc/ldap.secret
    # LDADD=-L/usr/local/ssl/lib make
    # cp nss_ldap.so /usr/lib/nss_ldap.so.1
    # ln -s /etc/ldap.conf /usr/local/etc/openldap/ldap.conf

    GCC 3.4.2 was the matter. GCC 3.3.2 works fine.

  • Solaris 10, resolv.conf and format

    Since I installed Solaris 10 and configured DNS via nsswitch.conf and resolv.conf, I cannot access the disks with the format command. The disks are listed, but when I choose one the shell freezes.

    I can't argue with the results you're getting; but a check of the binary for format shows no dependency on libresolv:
    # ldd `which format`
    libadm.so.1 => /lib/libadm.so.1
    libefi.so.1 => /lib/libefi.so.1
    libdiskmgt.so.1 => /usr/lib/libdiskmgt.so.1
    libnvpair.so.1 => /lib/libnvpair.so.1
    libdevid.so.1 => /lib/libdevid.so.1
    libc.so.1 => /lib/libc.so.1
    libuuid.so.1 => /lib/libuuid.so.1
    libdevinfo.so.1 => /lib/libdevinfo.so.1
    libkstat.so.1 => /lib/libkstat.so.1
    libsysevent.so.1 => /lib/libsysevent.so.1
    libvolmgt.so.1 => /usr/lib/libvolmgt.so.1
    libnsl.so.1 => /lib/libnsl.so.1
    libsocket.so.1 => /lib/libsocket.so.1
    libsec.so.1 => /lib/libsec.so.1
    libgen.so.1 => /lib/libgen.so.1
    libdoor.so.1 => /lib/libdoor.so.1
    libmp.so.2 => /lib/libmp.so.2
    libmd.so.1 => /lib/libmd.so.1
    libscf.so.1 => /lib/libscf.so.1
    libavl.so.1 => /lib/libavl.so.1
    libuutil.so.1 => /lib/libuutil.so.1
    libm.so.2 => /lib/libm.so.2
    /platform/SUNW,SPARC-Enterprise-T2000/lib/libc_psr.so.1
    /platform/SUNW,SPARC-Enterprise-T2000/lib/libmd_psr.so.1
    To be even more thorough I ran ldd against the entire output of the previous command. Sorry about the poor spacing: when grep doesn't find the string libresolv it will not force the linefeed.
    # for file in `cat /tmp/so.list`
    > do
    >   echo "$file \c"
    >   ldd $file | grep libresolv
    > done
    /lib/libadm.so.1 /lib/libefi.so.1 /usr/lib/libdiskmgt.so.1
    /lib/libnvpair.so.1 /lib/libdevid.so.1 /lib/libc.so.1 /lib/libuuid.so.1
    /lib/libdevinfo.so.1 /lib/libkstat.so.1 /lib/libsysevent.so.1
    /usr/lib/libvolmgt.so.1 /lib/libnsl.so.1 /lib/libsocket.so.1
    /lib/libsec.so.1 /lib/libgen.so.1 /lib/libdoor.so.1 /lib/libmp.so.2
    /lib/libmd.so.1 /lib/libscf.so.1 /lib/libavl.so.1 /lib/libuutil.so.1
    /lib/libm.so.2
    That left two so's to check (one field, not three, on output):
    # cat /tmp/onefield
    /platform/SUNW,SPARC-Enterprise-T2000/lib/libc_psr.so.1
    /platform/SUNW,SPARC-Enterprise-T2000/lib/libmd_psr.so.1
    # for file in `cat /tmp/onefield`
    > do
    >   echo $file
    >   ldd $file | grep libresolv
    > done
    /platform/SUNW,SPARC-Enterprise-T2000/lib/libc_psr.so.1
    /platform/SUNW,SPARC-Enterprise-T2000/lib/libmd_psr.so.1
    So we know that libresolv (which is used for name-to-address or address-to-name lookups) isn't called by anything that format touches.
    I don't have an answer; only the evidence given above that there seems to be no relation between the use of DNS and format's failure.
    Two things: make sure your patches are up to date, and I'm assuming you are running as root...
    Cheers,

  • Nsswitch behavior -vs- man page?

    I have a question about Solaris 10's /etc/nsswitch.conf functionality. It seems like it does not work as it used to, say in Solaris 8 or 9, yet the man page for nsswitch.conf indicates that for DNS, NIS, and "all other sources" the DEFAULT criteria should be "NOTFOUND=continue".
    Yet for the past few years it seems I must manually put something like the lines below in the nsswitch file for "continue" to work correctly. Is this a bug, or am I completely misunderstanding the man page and/or how nsswitch REALLY works? Very possible!
    hosts: files [NOTFOUND=continue] dns [NOTFOUND=continue] nis
    ipnodes: files [NOTFOUND=continue] dns [NOTFOUND=continue] nis
    If I use the default sample file for NIS (/etc/nsswitch.nis), which may contain something like "hosts: nis [NOTFOUND=return] files", and yet I want to add DNS, what might the line look like?
    I know I have to copy the sample file to the .conf file extension.
    Thanks,

    Your question is a little fuzzy, but I'll try to answer anyway...
    The nsswitch.conf file is responsible for specifying the name services that are to be used when trying to find a particular piece of information.
    In Solaris, there are 5 possible sources (name services): files, nis, nisplus, dns and ldap.
    You may specify multiple (even all) sources to be used. All sources are checked in the order they are written on a line.
    Every source may return 4 status values: SUCCESS, NOTFOUND, UNAVAIL or TRYAGAIN.
    For every return status, there are 2 possible actions: continue and return. "continue" means "try the next source"; "return" means "don't look any further". The default action for every status is "continue", except for the SUCCESS status, where the action is "return", obviously...
    One can override the default action for each status by specifying what action should be taken for any return status.
    Let's take for instance this line:
    hosts: files dns [NOTFOUND=continue] nis [NOTFOUND=return] ldap
    This is interpreted as follows:
    - first check "files" (i.e. check /etc/inet/ipnodes, /etc/inet/hosts); no action is specified for any return status, so default actions are in place: if the entry is found in files (SUCCESS), then the action is "return"; if the status is anything else, then the action is "continue" and the next source is checked
    - next source is "dns"; if SUCCESS, the program will return; if NOTFOUND, then continue to the next source (this is also the default action, but it doesn't matter - this line is just for teaching purposes...); if UNAVAIL (service dns is not configured) or TRYAGAIN (server was too busy to respond to the request), then apply the default action: "continue"
    - next source is nis; if SUCCESS, then default action ("return"); if NOTFOUND, then override the default action and return; so, whether the entry is found or not found in nis, the next source (ldap) will not be checked.
    and so on....
    > If I use the "default sample file for NIS (/etc/nsswitch.nis) which
    > may contain something like "hosts: nis [NOTFOUND=return] files" and
    > yet I want to add DNS, what might the line look like?
    Well, it depends; suppose you want to check dns after nis and before files. The line may look like this:
    hosts: nis dns files
    The above entry will check dns even if nis returns NOTFOUND.
    Hope you got the idea...
    kido
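The source/status/action rules kido lays out above, as an added worked example that is not from the original thread: a small Python evaluator that parses one nsswitch.conf line and walks its sources with caller-supplied results, so it runs offline with no NIS, DNS or LDAP behind it. The names parse_line, lookup and demo and the per-source results are this example's own. It models only the return/continue actions described in the reply (Solaris 10 also accepts TRYAGAIN retry counts, which are left out), and when every source says "continue" it takes the final status to be that of the last source consulted, which is a modeling choice, not something the thread states.

```python
import re

# The four statuses a source can return and the two actions, as described
# in the reply above. Solaris also accepts TRYAGAIN=forever / TRYAGAIN=<n>
# retry counts; those are not modeled here.
STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
ACTIONS = ("return", "continue")
DEFAULT_ACTION = {"SUCCESS": "return", "NOTFOUND": "continue",
                  "UNAVAIL": "continue", "TRYAGAIN": "continue"}

# A token is either a bracketed criteria list or a bare source name.
_TOKEN = re.compile(r"\[([^\]]*)\]|([^\s\[\]]+)")


def parse_line(line):
    """Parse one nsswitch.conf line into (database, [(source, {status: action})]).

    Each source starts with the default action table; a following
    [STATUS=action ...] group overrides entries for that source only.
    Anything after '#' is a comment.
    """
    line = line.split("#", 1)[0]
    db, sep, rest = line.partition(":")
    if not sep or not db.strip():
        raise ValueError("expected '<database>: <source> ...'")
    sources = []
    for crit, src in _TOKEN.findall(rest):
        if src:
            sources.append((src, dict(DEFAULT_ACTION)))
            continue
        if not sources:
            raise ValueError("criteria before any source: [%s]" % crit)
        for pair in crit.split():
            status, eq, action = pair.partition("=")
            status, action = status.upper(), action.lower()
            if not eq or status not in STATUSES or action not in ACTIONS:
                raise ValueError("bad criterion %r" % pair)
            sources[-1][1][status] = action
    return db.strip(), sources


def lookup(line, results):
    """Walk the sources of `line` left to right.

    `results` maps source name -> status that source would return for the
    query; a source missing from the map is treated as UNAVAIL (not
    configured). Returns (final status, list of sources actually consulted).
    Modeling choice: if every source says "continue", the final status is
    that of the last source consulted.
    """
    _, sources = parse_line(line)
    consulted = []
    status = "NOTFOUND"          # no sources at all: nothing found
    for src, actions in sources:
        status = results.get(src, "UNAVAIL").upper()
        if status not in STATUSES:
            raise ValueError("bad status %r for source %s" % (status, src))
        consulted.append(src)
        if actions[status] == "return":
            break
    return status, consulted


def demo():
    """The cases discussed in the thread; returns them keyed by name."""
    taught = "hosts: files dns [NOTFOUND=continue] nis [NOTFOUND=return] ldap"
    nis_sample = "hosts: nis [NOTFOUND=return] files"
    return {
        # Found in nis after files and dns miss: SUCCESS returns, ldap never asked.
        "found_in_nis": lookup(taught, {"files": "NOTFOUND", "dns": "NOTFOUND",
                                        "nis": "SUCCESS", "ldap": "SUCCESS"}),
        # nis says NOTFOUND and [NOTFOUND=return] stops the walk before ldap.
        "nis_notfound": lookup(taught, {"files": "NOTFOUND", "dns": "UNAVAIL",
                                        "nis": "NOTFOUND", "ldap": "SUCCESS"}),
        # Sample NIS line: a NOTFOUND from nis never falls through to files...
        "sample_nis_notfound": lookup(nis_sample, {"nis": "NOTFOUND",
                                                   "files": "SUCCESS"}),
        # ...but an unreachable NIS server (UNAVAIL) does.
        "sample_nis_down": lookup(nis_sample, {"nis": "UNAVAIL",
                                               "files": "SUCCESS"}),
        # "nis dns files": dns is consulted when nis returns NOTFOUND.
        "nis_dns_files": lookup("hosts: nis dns files",
                                {"nis": "NOTFOUND", "dns": "SUCCESS",
                                 "files": "SUCCESS"}),
    }


if __name__ == "__main__":
    for name, (status, path) in demo().items():
        print("%-20s %-8s via %s" % (name, status, " -> ".join(path)))
```

Run it to see the path each lookup takes. The sample NIS line shows the practical point: with [NOTFOUND=return] a negative answer from NIS is final, but an unreachable NIS server still falls through to files, so whoever can make the first source unavailable decides which source answers. The same holds for dns placed before files; the order on the line is a trust decision, not only a performance one.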

  • Nsswitch & resolv config files deleted upon reboot

    Hello,
    I've recently installed Solaris 10 x86 on an IBM Thinkpad X23. I used the cardbus & pcwl driver to get my Netgear MA401 802.11b wifi card recognized.
    I created the hostname and dhcp files for my interface.
    jin:~> cat /etc/hostname.pcwl0
    jin:~> cat /etc/dhcp.pcwl0
    wait 60
    primary
    The interface is automatically plumbed and configured upon boot, however I still have to manually edit nsswitch.conf (adding dns) and create /etc/resolv.conf.
    DHCP does create (or modify) my /etc/hosts file.
    jin:~> cat /etc/hosts
    # Internet host table
    10.0.0.13       localhost jin jin. # Added by DHCP
    Here is the problem. When I reboot, my modifications to nsswitch.conf aren't there and resolv.conf is completely missing.
    I don't have the specifics of my dhcp server however I do know that its running on a Debian Linux system and it works perfectly for other Linux, Windows, and Mac OS systems.
    At this point, I'm contemplating creating a script in /etc/rc3.d to properly create / modify these files.
    Any help that you all can provide would be appreciated.

    Take a look at /etc/default/dhcpagent; at the very end of this file there is a parameter called
    PARAM_REQUEST_LIST, which tells the dhcpagent what data it should get from the DHCP server.
    If your machine keeps editing /etc/hostname* and resolv.conf upon reboot, you should probably delete 6, 12 and 15 from the variable mentioned above.
    7/M.
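The edit 7/M. describes, as an added example that is not from the original thread: a Python helper that drops option codes from PARAM_REQUEST_LIST while leaving the rest of the file alone. The option names come from RFC 2132 (6 = Domain Name Server, 12 = Host Name, 15 = Domain Name); SAMPLE_CONFIG is a constructed stand-in for the tail of /etc/default/dhcpagent, not the shipped file, and remove_options and rewrite_file are this example's own names.

```python
import re

# DHCP option codes from RFC 2132 for the three options the reply names.
OPTION_NAMES = {6: "Domain Name Server", 12: "Host Name", 15: "Domain Name"}

# Constructed stand-in for the tail of /etc/default/dhcpagent (not the
# shipped file; the real one is longer and its default list may differ).
SAMPLE_CONFIG = """\
# dhcpagent configuration (constructed sample for this example)
#
# PARAM_REQUEST_LIST: DHCP option codes the agent asks the server for.
PARAM_REQUEST_LIST=1,3,6,12,15,28,43
"""

_PARAM_LINE = re.compile(r"^(PARAM_REQUEST_LIST=)([\d,]*)$", re.MULTILINE)


def remove_options(config_text, codes):
    """Return (rewritten config text, remaining codes) with `codes` dropped.

    Only the PARAM_REQUEST_LIST assignment is touched; comments and other
    settings pass through unchanged. Raises ValueError if the variable is
    absent so a caller never silently "succeeds" on the wrong file.
    """
    m = _PARAM_LINE.search(config_text)
    if m is None:
        raise ValueError("PARAM_REQUEST_LIST not found")
    current = [int(c) for c in m.group(2).split(",") if c]
    drop = {int(c) for c in codes}
    kept = [c for c in current if c not in drop]
    new_line = m.group(1) + ",".join(str(c) for c in kept)
    return config_text[:m.start()] + new_line + config_text[m.end():], kept


def rewrite_file(path, codes=OPTION_NAMES):
    """Apply remove_options() to a real file in place; returns the kept codes.

    Point this at /etc/default/dhcpagent on the Solaris host (as root); the
    file is only written back when something actually changed.
    """
    with open(path) as fh:
        text = fh.read()
    new_text, kept = remove_options(text, codes)
    if new_text != text:
        with open(path, "w") as fh:
            fh.write(new_text)
    return kept


if __name__ == "__main__":
    new_text, kept = remove_options(SAMPLE_CONFIG, OPTION_NAMES)
    print(new_text)
    print("still requested:", kept)
```

Removing 6 and 15 also means dhcpagent stops accepting DNS servers and the domain from whatever answers on the wire, so a rogue or misconfigured DHCP server on the segment can no longer redirect the host's name resolution; the trade-off is that resolv.conf must then be maintained by hand, which is what the poster wants here.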
