From nobody@FreeBSD.org  Wed May 19 09:16:10 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8058316A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 19 May 2004 09:16:10 -0700 (PDT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6371343D1F
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 19 May 2004 09:16:10 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i4JGFhAU071853
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 19 May 2004 09:15:43 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i4JGFhWV071852;
	Wed, 19 May 2004 09:15:43 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200405191615.i4JGFhWV071852@www.freebsd.org>
Date: Wed, 19 May 2004 09:15:43 -0700 (PDT)
From: Stavros Grigorakakis <sgrig@aegean.dmst.aueb.gr>
To: freebsd-gnats-submit@FreeBSD.org
Subject: LINUX NIS clients connecting to FREEBSD NIS servers get authentication failure
X-Send-Pr-Version: www-2.3

>Number:         66893
>Category:       bin
>Synopsis:       [patch] [nis] rpc.yppasswdd(8): Linux NIS clients connecting to FreeBSD NIS servers get authentication failure
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 19 09:20:18 PDT 2004
>Closed-Date:    
>Last-Modified:  Mon Dec 29 17:07:41 UTC 2008
>Originator:     Stavros Grigorakakis
>Release:        
>Organization:
DMST AUEB
>Environment:
FreeBSD aegean.dmst.aueb.gr 4.9-PRERELEASE FreeBSD 4.9-PRERELEASE #0
>Description:
     There are some problems connnecting a Linux NIS client to a FreeBSD NIS server
(Linux is RH9 and freeBSD is 4.9 RELEASE but i believe it concerns all versions)

Having both sides setup , users always get an authentication failure on the linux boxes.

Same problem is described in
http://lists.freebsd.org/pipermail/freebsd-net/2003-August/001126.html

There it is suggested that the only problem is a missing NIS map (  named master.passwd in freeBSD)
shadow.byname.

However patching as suggested the /var/yp/Makefile doesnot solve the problem although it sure is necssary to
make the shadow map.

>How-To-Repeat:
      Just try to set out of the box a linux NIS client to authenticate against a Freebsd NIS server
>Fix:
      Linux authentication routine is distrubbed by the presence of asterisk in tha passwd tables and maps
an really foolishly expects an "x"

I have made small modification in line 470 of /var/yp/Makefile
changing from

print $$1":*:"$$3":"$$4":"$$8":"$$9":"$$10}' $^ \
to
 print $$1":x"$$3":"$$4":"$$8":"$$9":"$$10}' $^ \



 FreeBSD NIS clients seem not have spotted the difference.
 However having searched for possible implications i must point out that the asterisk is used in the
 /usr/src/usr.sbin/rpc.yppasswdd/yppasswdd_server.c  (read comments line 348 )  so i suggest changing line 416
  pw->pw_name, *(ptr+1) == '*' ? "*" : pw->pw_passwd,
to
   pw->pw_name, *(ptr+1) == ('*'||'x') ? "x" : pw->pw_passwd,
(I am not so sure what would be the implications if we dont... )

   Results:
    Linux client users can cleanly authenticate now
    I have no indication of any implication in FBSD NIS clients but it sure is necessary for someone to look more thoroughly

    ATTENTION : More work to be done:
    A user on a linux client still cant change his password using yppasswd , so .. they still have to visit a freebsd box and use yppasswd there :-)


Conclusion:
    It would be appreciable if  someone (on either side) made NIS work fine out of the box

>Release-Note:
>Audit-Trail:

From: Andreas Steinel <lnxbil@cs.uni-sb.de>
To: bug-followup@freebsd.org, sgrig@aegean.dmst.aueb.gr
Cc:  
Subject: Re: bin/66893: [patch] rpc.yppasswdd(8): Linux NIS clients connecting to FreeBSD NIS servers get authentication failure
Date: Mon, 27 Mar 2006 07:46:31 +0000

 --nextPart7622022.hpBz1yctux
 Content-Type: text/plain;
   charset="iso-8859-1"
 Content-Transfer-Encoding: quoted-printable
 Content-Disposition: inline
 
 Hi,
 
 I write a mail to freebsd-bugs [1] and I get answer to make a pr. So I=20
 searched the bug reports and find this open bug.
 I think that my patch [2] could help to solve the bug in such a way that yo=
 u=20
 don'nt need to patch ypasswd or some c-program else. Only apply the patch a=
 nd=20
 everything works fine.
 
 With best regards
 Andreas
 
 
 
 Sources:
 [1] http://lists.freebsd.org/pipermail/freebsd-bugs/2006-March/017532.html
 [2] http://w5/~lnxbil/bsd-patches/nis-clients-unter-linux.patch
 
 
 Inline Patch:
 =2D-- Makefile.dist       Thu Nov  3 09:12:04 2005
 +++ Makefile    Fri Mar 17 09:55:48 2006
 @@ -40,6 +40,11 @@
  # key will be removed from these maps, allowing anyone to access them.
  S=3D-s
 =20
 +# If you want to have linux NIS clients you must enable this:
 +# Comment the line if you have no linux NIS clients
 +#LINUXCOMPMODE=3D1
 +
 +
  # These are commands which this Makefile needs to properly rebuild the
  # NIS databases. Don't change these unless you have a good reason. Also
  # be sure not to place an @ in front of /usr/bin/awk: it isn't necessary
 @@ -196,6 +201,7 @@
  aliases:   mail.aliases
 =20
  master.passwd: master.passwd.byname master.passwd.byuid
 +master.passwd: shadow.byname
 =20
  #
  # This is a special target used only when doing in-place updates with
 @@ -498,6 +504,16 @@
 =20
  $(PASSWD): $(MASTER)
         @echo "Creating new $@ file from $(MASTER)..."
 +.if defined(LINUXCOMPMODE)
 +       @if [ ! $(UNSECURE) ]; then \
 +       $(AWK) -F: '{if ($$1 !=3D "" && $$1 !~ "^#.*" && $$1 !=3D "+") \
 +               print $$1":x:"$$3":"$$4":"$$8":"$$9":"$$10}' $(MASTER) \
 +               > $(PASSWD) ; \
 +       else \
 +       $(AWK) -F: '{if ($$1 !=3D "" && $$1 !~ "^#.*" && $$1 !=3D "+") \
 +               print $$1":"$$2":"$$3":"$$4":"$$8":"$$9":"$$10}' $(MASTER) \
 +               > $(PASSWD) ; fi
 +.else
         @if [ ! $(UNSECURE) ]; then \
         $(AWK) -F: '{if ($$1 !=3D "" && $$1 !~ "^#.*" && $$1 !=3D "+") \
                 print $$1":*:"$$3":"$$4":"$$8":"$$9":"$$10}' $(MASTER) \
 @@ -506,6 +522,7 @@
         $(AWK) -F: '{if ($$1 !=3D "" && $$1 !~ "^#.*" && $$1 !=3D "+") \
                 print $$1":"$$2":"$$3":"$$4":"$$8":"$$9":"$$10}' $(MASTER) \
                 > $(PASSWD) ; fi
 +.endif
 =20
 =20
  passwd.byname: $(PASSWD)
 @@ -613,3 +630,20 @@
         @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi
         @if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi
 =20
 +
 +shadow.byname: $(MASTER)
 +.if defined(LINUXCOMPMODE)
 +       @echo "Updating $@..."
 +.if ${MASTER} =3D=3D "/dev/null"
 +       @echo "Master.passwd source file not found -- skipping"
 +.else
 +       @cat $(MASTER) | \
 +       $(AWK) -F: '{ if ($$1 !=3D "" && $$1 !~ "^#.*" && $$1 !=3D "+") \
 +               print $$1"\t"$$1":"$$2":::::::" }' $^ \
 +               | $(DBLOAD) ${S} -f -i $(MASTER) -o $(YPMAPDIR)/$@ - $(TMP)=
 ; \
 +               $(RMV) $(TMP) $@
 +       @$(DBLOAD) -c
 +       @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi
 +       @if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi
 +.endif
 +.endif
 
 =2D-=20
 Andreas Steinel               email: lnxbil@xantippe.cs.uni-sb.de
 Zimmer 122                    web:   http://w5.cs.uni-sb.de
 Bau 36.1                      Phone: +49 (0) 681 302-4135
 Lehrstuhl Prof. Wahlster      fax:   +49 (0) 12 12 / 52 35 64 89
 =46akult=E4t 6 - Informatik      =20
 Universit=E4t des Saarlandes   =20
 66123 Saarbr=FCcken            =20
 
 GPG-Fingerprint:      C09D 96DD 548C 8F13 097A  8D04 8329 7BEA A623 11D6
 
 --nextPart7622022.hpBz1yctux
 Content-Type: application/pgp-signature
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.2.2 (FreeBSD)
 
 iD8DBQBEJ5hcgyl76qYjEdYRAsbHAJ9iG1a0ehjIbTq7bFORJgHwoz/L2ACgq6NW
 2RX0uW2UEIRb/eKAv+OaNNw=
 =9Kq9
 -----END PGP SIGNATURE-----
 
 --nextPart7622022.hpBz1yctux--

From: =?UTF-8?B?VHVsaW8gR3VpbWFyw6NlcyBkYSBTaWx2YQ==?=
 <tuliogs@pgt.mpt.gov.br>
To: bug-followup@FreeBSD.org, sgrig@aegean.dmst.aueb.gr,
        Andreas Steinel <lnxbil@cs.uni-sb.de>
Cc:  
Subject: Re: bin/66893: [patch] rpc.yppasswdd(8): Linux NIS clients connecting
 to FreeBSD NIS servers get authentication failure
Date: Thu, 24 Jan 2008 15:04:52 -0200

 --------------070106010709060003080104
 Content-Type: text/plain; charset=UTF-8; format=flowed
 Content-Transfer-Encoding: 8bit
 
 Hello,
     the patch from Mr. Andreas Steinel fails with the following errors 
 (FBSD 5.3-RELEASE, but similar to 6.0):
 ===================
 Hunk #1 succeeded at 40.
 Hunk #2 failed at 201.
 Hunk #3 failed at 504.
 Hunk #4 failed at 522.
 Hunk #5 succeeded at 629 with fuzz 2 (offset -1 lines).
 patch: **** misordered hunks! output would be garbled
 ===================
 
 In fact, the lines that need to be altered are not those. Besides, there 
 are strange characters sequences (=2D, =3D etc., probably an encoding 
 issue) in the above copy of patch, but not in the original file at
 http://www.bsdforen.de/showthread.php?t=14059
 
 However, when manually applying this patch, "make" fails with:
 ====================
 "Makefile", line 597: Need an operator
 "Makefile", line 607: Need an operator
 "Makefile", line 609: warning: duplicate script for target "@if" ignored
 "Makefile", line 609: warning: duplicate script for target "[" ignored
 "Makefile", line 611: warning: duplicate script for target "@if" ignored
 "Makefile", line 611: warning: duplicate script for target "[" ignored
 make: fatal errors encountered -- cannot continue
 ====================
 
   The reason, simple as it is, is that the patch is indented with 
 spaces, and for some reason "make" doesn´t accept that. The solution is 
 to replace the spaces with tabs. I´m submitting a copy of the resulting 
 unified diff, which can be applied with:
 patch -p1 Makefile <Yp.Makefile.patch
   It was built for 5.3-RELEASE, but also works on 6.2-RELEASE (untested 
 as NIS-server, though) with only different offsets. If some peaceful 
 mind would apply it to 6.4 or  7.1, or host it at FreeBSD servers, I 
 (and all other people that would use Linux clients) will be very 
 grateful. It´s about time to such a simple issue to disappear, don´t you 
 think? ;-)
   One last note, though, is that passwd from the client machines will 
 alter only the NIS passwords, not the server´s own pwd.db, which I don´t 
 know if it´s a desired behaviour. Having said that, I´m attaching the 
 patch, but here it is (inline), for any case:
 ------------------------------
 
 +++ Makefile    Tue Jan 22 21:45:02 2008
 @@ -40,6 +40,10 @@
  # key will be removed from these maps, allowing anyone to access them.
  S=-s
  
 +# If you want to have linux NIS clients you must enable this:
 +# Comment the line if you have no linux NIS clients
 +LINUXCOMPMODE=1
 +
  # These are commands which this Makefile needs to properly rebuild the
  # NIS databases. Don't change these unless you have a good reason. Also
  # be sure not to place an @ in front of /usr/bin/awk: it isn't necessary
 @@ -187,7 +191,7 @@
  publickey: publickey.byname
  aliases:   mail.aliases
  
 -master.passwd:    master.passwd.byname master.passwd.byuid
 +master.passwd:    master.passwd.byname master.passwd.byuid shadow.byname
  
  #
  # This is a special target used only when doing in-place updates with
 @@ -460,6 +464,16 @@
  
  $(PASSWD): $(MASTER)
      @echo "Creating new $@ file from $(MASTER)..."
 +.if defined(LINUXCOMPMODE)
 +    @if [ ! $(UNSECURE) ]; then \
 +    $(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
 +        print $$1":x:"$$3":"$$4":"$$8":"$$9":"$$10}' $(MASTER) \
 +        > $(PASSWD) ; \
 +    else \
 +    $(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
 +        print $$1":"$$2":"$$3":"$$4":"$$8":"$$9":"$$10}' $(MASTER) \
 +        > $(PASSWD) ; fi
 +.else
      @if [ ! $(UNSECURE) ]; then \
      $(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
          print $$1":*:"$$3":"$$4":"$$8":"$$9":"$$10}' $(MASTER) \
 @@ -468,6 +482,7 @@
      $(AWK) -F: '{if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
          print $$1":"$$2":"$$3":"$$4":"$$8":"$$9":"$$10}' $(MASTER) \
          > $(PASSWD) ; fi
 +.endif
  
  
  passwd.byname: $(PASSWD)
 @@ -574,4 +589,22 @@
      @$(DBLOAD) -c
      @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi
      @if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi
 +
 +
 +shadow.byname: $(MASTER)
 +.if defined(LINUXCOMPMODE)
 +    @echo "Updating $@..."
 +.if ${MASTER} == "/dev/null"
 +    @echo "Master.passwd source file not found -- skipping"
 +.else
 +    @cat $(MASTER) | \
 +    $(AWK) -F: '{ if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
 +        print $$1"\t"$$1":"$$2":::::::" }' $^ \
 +        | $(DBLOAD) ${S} -f -i $(MASTER) -o $(YPMAPDIR)/$@ - $(TMP); \
 +        $(RMV) $(TMP) $@
 +    @$(DBLOAD) -c
 +    @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi
 +    @if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi
 +.endif
 +.endif
 
 --------------------
   Thanks to Mr. Steinel for the original work and efforts. Sincerely,
 
 Tulio G. da Silva
 
 --------------070106010709060003080104
 Content-Type: text/plain;
  name="Yp.Makefile.patch"
 Content-Transfer-Encoding: base64
 Content-Disposition: inline;
  filename="Yp.Makefile.patch"
 
 KysrIE1ha2VmaWxlCVR1ZSBKYW4gMjIgMjE6NDU6MDIgMjAwOA0KQEAgLTQwLDYgKzQwLDEw
 IEBADQogIyBrZXkgd2lsbCBiZSByZW1vdmVkIGZyb20gdGhlc2UgbWFwcywgYWxsb3dpbmcg
 YW55b25lIHRvIGFjY2VzcyB0aGVtLg0KIFM9LXMNCiANCisjIElmIHlvdSB3YW50IHRvIGhh
 dmUgbGludXggTklTIGNsaWVudHMgeW91IG11c3QgZW5hYmxlIHRoaXM6DQorIyBDb21tZW50
 IHRoZSBsaW5lIGlmIHlvdSBoYXZlIG5vIGxpbnV4IE5JUyBjbGllbnRzDQorTElOVVhDT01Q
 TU9ERT0xDQorDQogIyBUaGVzZSBhcmUgY29tbWFuZHMgd2hpY2ggdGhpcyBNYWtlZmlsZSBu
 ZWVkcyB0byBwcm9wZXJseSByZWJ1aWxkIHRoZQ0KICMgTklTIGRhdGFiYXNlcy4gRG9uJ3Qg
 Y2hhbmdlIHRoZXNlIHVubGVzcyB5b3UgaGF2ZSBhIGdvb2QgcmVhc29uLiBBbHNvDQogIyBi
 ZSBzdXJlIG5vdCB0byBwbGFjZSBhbiBAIGluIGZyb250IG9mIC91c3IvYmluL2F3azogaXQg
 aXNuJ3QgbmVjZXNzYXJ5DQpAQCAtMTg3LDcgKzE5MSw3IEBADQogcHVibGlja2V5OiBwdWJs
 aWNrZXkuYnluYW1lDQogYWxpYXNlczogICBtYWlsLmFsaWFzZXMNCiANCi1tYXN0ZXIucGFz
 c3dkOgltYXN0ZXIucGFzc3dkLmJ5bmFtZSBtYXN0ZXIucGFzc3dkLmJ5dWlkDQorbWFzdGVy
 LnBhc3N3ZDoJbWFzdGVyLnBhc3N3ZC5ieW5hbWUgbWFzdGVyLnBhc3N3ZC5ieXVpZCBzaGFk
 b3cuYnluYW1lDQogDQogIw0KICMgVGhpcyBpcyBhIHNwZWNpYWwgdGFyZ2V0IHVzZWQgb25s
 eSB3aGVuIGRvaW5nIGluLXBsYWNlIHVwZGF0ZXMgd2l0aA0KQEAgLTQ2MCw2ICs0NjQsMTYg
 QEANCiANCiAkKFBBU1NXRCk6ICQoTUFTVEVSKQ0KIAlAZWNobyAiQ3JlYXRpbmcgbmV3ICRA
 IGZpbGUgZnJvbSAkKE1BU1RFUikuLi4iDQorLmlmIGRlZmluZWQoTElOVVhDT01QTU9ERSkN
 CisJQGlmIFsgISAkKFVOU0VDVVJFKSBdOyB0aGVuIFwNCisJJChBV0spIC1GOiAne2lmICgk
 JDEgIT0gIiIgJiYgJCQxICF+ICJeIy4qIiAmJiAkJDEgIT0gIisiKSBcDQorCQlwcmludCAk
 JDEiOng6IiQkMyI6IiQkNCI6IiQkOCI6IiQkOSI6IiQkMTB9JyAkKE1BU1RFUikgXA0KKwkJ
 PiAkKFBBU1NXRCkgOyBcDQorCWVsc2UgXA0KKwkkKEFXSykgLUY6ICd7aWYgKCQkMSAhPSAi
 IiAmJiAkJDEgIX4gIl4jLioiICYmICQkMSAhPSAiKyIpIFwNCisJCXByaW50ICQkMSI6IiQk
 MiI6IiQkMyI6IiQkNCI6IiQkOCI6IiQkOSI6IiQkMTB9JyAkKE1BU1RFUikgXA0KKwkJPiAk
 KFBBU1NXRCkgOyBmaQ0KKy5lbHNlDQogCUBpZiBbICEgJChVTlNFQ1VSRSkgXTsgdGhlbiBc
 DQogCSQoQVdLKSAtRjogJ3tpZiAoJCQxICE9ICIiICYmICQkMSAhfiAiXiMuKiIgJiYgJCQx
 ICE9ICIrIikgXA0KIAkJcHJpbnQgJCQxIjoqOiIkJDMiOiIkJDQiOiIkJDgiOiIkJDkiOiIk
 JDEwfScgJChNQVNURVIpIFwNCkBAIC00NjgsNiArNDgyLDcgQEANCiAJJChBV0spIC1GOiAn
 e2lmICgkJDEgIT0gIiIgJiYgJCQxICF+ICJeIy4qIiAmJiAkJDEgIT0gIisiKSBcDQogCQlw
 cmludCAkJDEiOiIkJDIiOiIkJDMiOiIkJDQiOiIkJDgiOiIkJDkiOiIkJDEwfScgJChNQVNU
 RVIpIFwNCiAJCT4gJChQQVNTV0QpIDsgZmkNCisuZW5kaWYNCiANCiANCiBwYXNzd2QuYnlu
 YW1lOiAkKFBBU1NXRCkNCkBAIC01NzQsNCArNTg5LDIyIEBADQogCUAkKERCTE9BRCkgLWMN
 CiAJQGlmIFsgISAkKE5PUFVTSCkgXTsgdGhlbiAkKFlQUFVTSCkgLWQgJChET01BSU4pICRA
 OyBmaQ0KIAlAaWYgWyAhICQoTk9QVVNIKSBdOyB0aGVuIGVjaG8gIlB1c2hlZCAkQCBtYXAu
 IiA7IGZpDQorDQorDQorc2hhZG93LmJ5bmFtZTogJChNQVNURVIpDQorLmlmIGRlZmluZWQo
 TElOVVhDT01QTU9ERSkNCisJQGVjaG8gIlVwZGF0aW5nICRALi4uIg0KKy5pZiAke01BU1RF
 Un0gPT0gIi9kZXYvbnVsbCINCisJQGVjaG8gIk1hc3Rlci5wYXNzd2Qgc291cmNlIGZpbGUg
 bm90IGZvdW5kIC0tIHNraXBwaW5nIg0KKy5lbHNlDQorCUBjYXQgJChNQVNURVIpIHwgXA0K
 KwkkKEFXSykgLUY6ICd7IGlmICgkJDEgIT0gIiIgJiYgJCQxICF+ICJeIy4qIiAmJiAkJDEg
 IT0gIisiKSBcDQorCQlwcmludCAkJDEiXHQiJCQxIjoiJCQyIjo6Ojo6OjoiIH0nICReIFwN
 CisJCXwgJChEQkxPQUQpICR7U30gLWYgLWkgJChNQVNURVIpIC1vICQoWVBNQVBESVIpLyRA
 IC0gJChUTVApOyBcDQorCQkkKFJNVikgJChUTVApICRADQorCUAkKERCTE9BRCkgLWMNCisJ
 QGlmIFsgISAkKE5PUFVTSCkgXTsgdGhlbiAkKFlQUFVTSCkgLWQgJChET01BSU4pICRAOyBm
 aQ0KKwlAaWYgWyAhICQoTk9QVVNIKSBdOyB0aGVuIGVjaG8gIlB1c2hlZCAkQCBtYXAuIiA7
 IGZpDQorLmVuZGlmDQorLmVuZGlmDQo=
 
 --------------070106010709060003080104--
 
 
>Unformatted:
