Discussion:
nsswitch slackware current
(too old to reply)
Dirk van Deun
2021-06-23 15:34:10 UTC
Permalink
Hi,

Is anyone still using NIS out there ? I find that compat mode does
not seem to work anymore in slackware current. The setting "files
nis" does work, but "compat" does not. I have added + to /etc/passwd
and to /etc/group and straced "id" with some account names but no
network connection seems even to be attempted. I switch to "files
nis" and it works fine. Any ideas on what is wrong here ?
--
Dirk van Deun
Lew Pitcher
2021-06-23 16:02:53 UTC
Permalink
Post by Dirk van Deun
Hi,
Is anyone still using NIS out there ? I find that compat mode does
not seem to work anymore in slackware current. The setting "files
nis" does work, but "compat" does not. I have added + to /etc/passwd
and to /etc/group and straced "id" with some account names but no
network connection seems even to be attempted. I switch to "files
nis" and it works fine. Any ideas on what is wrong here ?
I have no solution for you, but an observation and a question.

Observation: In the upcoming release that slackware current represents, Pat has finally
been forced to accept PAM.

Question: How does PAM interact with NSSWITCH, especially in regards to
the use of NIS as an authentication tool?
--
Lew Pitcher
"In Skills, We Trust"
Dirk van Deun
2021-06-25 08:09:56 UTC
Permalink
Post by Lew Pitcher
Question: How does PAM interact with NSSWITCH, especially in regards to
the use of NIS as an authentication tool?
I do not think the problem is PAM-related, I rather suspect it broke
when libnss_nis was split off from glibc into a separate package,
while libnss_compat stayed part of glibc.
--
Dirk van Deun
Henrik Carlqvist
2021-06-23 17:04:07 UTC
Permalink
Is anyone still using NIS out there ? I find that compat mode does not
seem to work anymore in slackware current. The setting "files nis" does
work, but "compat" does not. I have added + to /etc/passwd and to
/etc/group and straced "id" with some account names but no network
connection seems even to be attempted. I switch to "files nis" and it
works fine. Any ideas on what is wrong here ?
I know of some machines still using nis, but none of them use any newer
Slackware than latest stable 14.2. I think that some of the machines
might use compat mode, but they might run even older versions of
Slackware.

I know of some machines which need to include only a subset of the users
in the password nis map and does so by limiting the users by a netgroup
(also distributed by nis). However, I can't say for sure if they use
compat in nsswitch.conf or nis. If I remember I can have a look the next
time I am at that location.

In lack of experience with Slackware current I can't tell what is wrong.
Does strace show that libnss_compat.so.* is being opened?

regards Henrik
Dirk van Deun
2021-06-24 07:52:32 UTC
Permalink
Post by Henrik Carlqvist
I know of some machines which need to include only a subset of the users
in the password nis map and does so by limiting the users by a netgroup
(also distributed by nis). However, I can't say for sure if they use
compat in nsswitch.conf or nis. If I remember I can have a look the next
time I am at that location.
Including accounts individually or by netgroup is exactly what compat
is so handy for.
Post by Henrik Carlqvist
In lack of experience with Slackware current I can't tell what is wrong.
Does strace show that libnss_compat.so.* is being opened?
libnss_compat.so.2 is being opened, /etc/passwd is being read, and
then it gives up: there is no sign of a network connection
being opened. So it seems that libnss_compat is ignoring the + at
the end of my passwd file and just quitting.
--
Dirk van Deun
Henrik Carlqvist
2021-06-24 16:41:25 UTC
Permalink
Post by Henrik Carlqvist
I know of some machines which need to include only a subset of the
users in the password nis map and does so by limiting the users by a
netgroup (also distributed by nis). However, I can't say for sure if
they use compat in nsswitch.conf or nis. If I remember I can have a
look the next time I am at that location.
Including accounts individually or by netgroup is exactly what compat is
so handy for.
Post by Henrik Carlqvist
In lack of experience with Slackware current I can't tell what is wrong.
Does strace show that libnss_compat.so.* is being opened?
libnss_compat.so.2 is being opened, /etc/passwd is being read, and then
it gives up: there is no sign of a network connection being opened. So
it seems that libnss_compat is ignoring the + at the end of my passwd
file and just quitting.
I have now looked at some machines, I use compat in nsswitch.conf for
both machines which only takes a subset of the password map and machines
which take the entire password map. This is a configuration choice done
to have as much common configuration packages as possible.

The machines which really need compat is no newer than Slackware 14.1,
but I also use compat on Slackware 14.2 machines even though nis would be
OK for them.

I also looked at a Solaris machine (that version of Solaris might be
newer than both 14.1 and 14.2) which needs to use a subset of the
password map and that had:

passwd: compat

but it also had a line:

passwd_compat: nis

Maybe newer glibc also requires some *_compat-lines in nsswitch.conf?

regards Henrik
Dirk van Deun
2021-06-24 19:26:39 UTC
Permalink
Post by Henrik Carlqvist
I also looked at a Solaris machine (that version of Solaris might be
newer than both 14.1 and 14.2) which needs to use a subset of the
passwd: compat
passwd_compat: nis
Maybe newer glibc also requires some *_compat-lines in nsswitch.conf?
According to the man page of nsswitch.conf, nis is the default setting
for passwd_compat and friends. I tried setting it explicitly anyway
but as by then I expected that did not solve the problem.
--
Dirk van Deun
Henrik Carlqvist
2021-06-25 12:07:30 UTC
Permalink
Post by Henrik Carlqvist
I know of some machines which need to include only a subset of the
users in the password nis map and does so by limiting the users by a
netgroup (also distributed by nis). However, I can't say for sure if
they use compat in nsswitch.conf or nis. If I remember I can have a
look the next time I am at that location.
Including accounts individually or by netgroup is exactly what compat is
so handy for.
Post by Henrik Carlqvist
In lack of experience with Slackware current I can't tell what is wrong.
Does strace show that libnss_compat.so.* is being opened?
libnss_compat.so.2 is being opened, /etc/passwd is being read, and then
it gives up: there is no sign of a network connection being opened. So
it seems that libnss_compat is ignoring the + at the end of my passwd
file and just quitting.
So what about libnss_nis.so.*, is that one also opened?

As you said in another post, this could be because libnss_nis no longer
is a part of glibc. I looked at the source code of glibc in current and
found in file NEWS:

-8<-----------------------
* Remove configure option --enable-obsolete-nsl. libnsl is only built
as shared library for backward compatibility and the NSS modules "nis"
and "nisplus" are not built at all and libnsl's headers aren't
installed. This compatibility is kept only for architectures and ABIs
that have been added in or before version 2.28. Replacement
implementations based on TI-RPC, which additionally support IPv6, are
available from <https://github.com/thkukuk/>. This change does not
affect the "compat" NSS module, which does not depend on libnsl
since 2.27 and thus can be used without NIS.
-8<-----------------------

So we now obviously have a compat module which can be used without NIS,
but can it be used with NIS? I find no configure option which says
anything about NIS.

Maybe this is an upstream problem in glibc.

Maybe this is a bug introduced by some of the Slackware patches in
https://mirrors.slackware.com/slackware/slackware-current/source/l/glibc/
patches/

Maybe the glibc package has to be built after the libnss_nis package for
compat to support nis.

regards Henrik
Dirk van Deun
2021-06-25 16:45:51 UTC
Permalink
Post by Henrik Carlqvist
libnss_compat.so.2 is being opened, /etc/passwd is being read, and then
it gives up: there is no sign of a network connection being opened. So
it seems that libnss_compat is ignoring the + at the end of my passwd
file and just quitting.
So what about libnss_nis.so.*, is that one also opened?
No. That is to say, if I only add "+" to /etc/passwd. If I add
a netgroup using "+@...", libnss_files and libnss_nis are also opened,
probably because netgroup is configured as "files nis" in
nsswitch.conf. But then it would appear that only the netgroup entry
is looked up via NIS, and the process stops there. The end result
is again "no such user".
Post by Henrik Carlqvist
So we now obviously have a compat module which can be used without NIS,
but can it be used with NIS? I find no configure option which says
anything about NIS.
It is supposed not to depend on NIS anymore, but if it cannot be used
with NIS when libnss_nis happens to be present, what is it's use ?
Then it would just be a second nss_files.
--
Dirk van Deun
Henrik Carlqvist
2021-06-25 19:13:13 UTC
Permalink
Post by Dirk van Deun
It is supposed not to depend on NIS anymore, but if it cannot be used
with NIS when libnss_nis happens to be present, what is it's use ? Then
it would just be a second nss_files.
Maybe libnss_compat can be used together with other cataloge services
like ldap, but I fully agree that it would be a major feature loss if
compat is no longer usable together with NIS. For me that would be a show
stopper for Slackware 15 in some environments.

regards Henrik

K. Venken
2021-06-24 07:22:31 UTC
Permalink
Post by Dirk van Deun
Hi,
Is anyone still using NIS out there ? I find that compat mode does
not seem to work anymore in slackware current. The setting "files
nis" does work, but "compat" does not. I have added + to /etc/passwd
and to /etc/group and straced "id" with some account names but no
network connection seems even to be attempted. I switch to "files
nis" and it works fine. Any ideas on what is wrong here ?
I am using NIS. I am using compat, but I only distribute passwords and
groups. The actual version is a current from 20190917, due to hardware
support. It has no PAM. I also had to change the mail aliases file in
/var/yp/Makefile (which was still OK in 14.2).

nsswitch.conf

passwd: compat
group: compat

hosts: files dns
networks: files

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
bootparams: files

automount: files
aliases: files

kind regards
Loading...