Linux as a NIS client of a Solaris NIS server

Linux as a NIS client of a Solaris NIS server

I had experimented with this, and am putting this up to help anyone else in the same endeavour. It is by no means instructional. If you don't understand any of this or are not willing to take some risks, DON'T DO IT. Note that all of this may become OBSOLETE (i.e. fixed) with newer version of Redhat and glibc.

My Linux box was running Redhat 5.2. The Solaris 2.5 system was using C2 security, i.e. the use of a passwd.adjunct map. RH 5.2's glibc doesn't have working support for this so it requires that you modify some source. Fortunately it's not the glibc source you have to modify, but PAM. Grab the Redhat 5.2 PAM source. Then edit pam_unix_auth.c and search for NIS+. You should find a small block of code that's doing a seteuid() call. Comment out that whole block of code and compile. I didn't have to install everything, but just copied pam_unix_auth.so to /lib/security/ (make a backup!). Also keep a root shell logged in somewhere in case you can't login :). Note that this modification probably breaks NIS+ support. I don't care because I don't use NIS+.

Now make some modifications to /etc/pam.d/login (and perhaps others, but I didn't need to):

#auth           required        pam_pwdb.so shadow nullok
auth            required        pam_unix_auth.so shadow nullok debug
#account        required        pam_pwdb.so
account         required        pam_unix_acct.so debug
#password       required        pam_pwdb.so shadow nullok use_authtok
password        required        pam_unix_passwd.so shadow nullok
#session        required        pam_pwdb.so
session         required        pam_unix_session.so debug

Edit /etc/nsswitch.conf:

passwd: files nis

You probably can comment out the 'shadow:' line (I just left it in and it worked). After these modifications NIS authentication was working with the Solaris server on login. First the Linux box requests passwd.byname after the user types the username, then passwd.adjunct is retreived and authentication performed. Note that I observed a request for shadow.byname as well, but verified that this map was not being used.

Various notes I gathered

Dejanews thread explaining modifications to pam_unix_auth.c.

Dejanews thread explaining modifications to PAM configuration files.