This spoof patch is a HACK. Use AT YOUR OWN RISK. It suffices for my needs,
so I thought it may be useful to someone else.

What it does
------------

You can 'spoof' maps requested by certain hosts. For example, Solaris
requires a certain format passwd file (either unshadowed or user:##user and
passwd.adjunct format) requested over NIS. But when Solaris requests the map
'passwd.byname' it will get the passwd.byname from the NIS server, in
whatever format it may be. I use Linux, and shadow passwords, so Solaris
doesn't get what it wants.

Say I want to use c2security on Solaris. When the user kaos logs in, the
passwd entry given to Solaris may look like:

    kaos:x:1:1::/home/kaos:/bin/bash

but what it needs is:

    kaos:##kaos:1:1::/home/kaos:/bin/bash

which tells Solaris to look in the passwd.adjunct.byname map for the
encrypted password. Anyhow, Solaris must get this when it requests a match
in the 'passwd.byname' map.

It would be nice to say: if Solaris host requests passwd.byname, send it
passwd.solaris.byname instead. passwd.solaris.byname would be created in the
proper format (and also passwd.adjunct.byname would have to be created).

This patch allows the above 'if' statement. It ONLY applies to the ypmatch
call, which is what login uses. I don't think there is a need for it
anywhere else (I could be wrong). In other words this patch does not affect
in any way the output of a ypcat.

I have tested this patch with v1.3.6 of ypserv.

Setup
-----

Extract the tar to the ypserv source directory. Execute the command:

    patch < spoof_patch

Hopefully that will succeed. If it does, configure ypserv as usual from the
INSTALL. If not, I can't really help you :).

Example Spoof
-------------

I have the following setup:

Hostname    Operating System    Type                     IP
---------------------------------------------------------------------------
freebase    Linux               NIS server               192.168.0.3
kaos        Solaris x86         soon to be NIS client    192.168.0.1

Basically I want 'kaos' to be an NIS client of 'freebase'.

Now there are 2 ways to run the Solaris system: unshadowed passwords via NIS
or 'c2security' mode.

Unshadowed means when someone logs in on the Solaris system, a ypmatch is
made on the username, from which it expects from the NIS server a line
similar to the following:

    joe:encrypted_pass:1:1::/home/joe:/bin/bash

In other words, it's a passwd file without shadow passwords.

c2security means that when a user logs in, Solaris does a ypmatch on the
username and expects:

    joe:##joe:1:1::/home/joe:/bin/bash

The ##joe tells it that the encrypted password is in another NIS map, called
passwd.adjunct.byname. So then a match is done on that map which gives
similar output to a shadow file.

Here are the steps I used to set up c2security once I installed this patch.

Made a file /var/yp/spoofmap that looks like:

---- cut here ----
# spoofs for solaris
192.168.0.1 passwd.byname passwd.solaris.byname
192.168.0.1 passwd.byuid passwd.solaris.byuid
---- cut here ----

The first field is the host name that we will spoof. You can also use
192.168.0. which will match 192.168.0.*

The second field is the map request. Whenever a request is made for this map
by the previous host, we instead send the map specified in the third field.
That's simple isn't it?

So now we just have to make passwd.solaris.by* and passwd.adjunct maps, then
we are set. On Linux, this is done simply by adding the rules in
/var/yp/Makefile:

# passwd keyed by name, password field replaced by ##user
passwd.solaris.byname: $(PASSWD)
	@echo "Updating $@..."
	@$(UMASK); \
	$(AWK) -F: '!/^[-+#]/ { if ($$1 != "" && $$3 >= $(MINUID) ) \
	   print $$1"\t"$$1":##"$$1":"$$3":"$$4"::"$$6":"$$7 }' \
	   $^ | $(DBLOAD) -i $^ -o $(YPMAPDIR)/$@ - $@
	-@$(NOPUSH) || $(YPPUSH) -d $(DOMAIN) $@

# same entries keyed by uid
passwd.solaris.byuid: $(PASSWD)
	@echo "Updating $@..."
	@$(UMASK); \
	$(AWK) -F: '!/^[-+#]/ { if ($$1 != "" && $$3 >= $(MINUID) ) \
	   print $$3"\t"$$1":##"$$1":"$$3":"$$4"::"$$6":"$$7 }' \
	   $^ | $(DBLOAD) -i $^ -o $(YPMAPDIR)/$@ - $@
	-@$(NOPUSH) || $(YPPUSH) -d $(DOMAIN) $@

# encrypted passwords taken from the shadow file, keyed by name
passwd.adjunct.byname: $(SHADOW)
	@echo "Updating $@..."
	@$(UMASK); \
	$(AWK) -F: \
	   '!/^[-+#]/ { if ($$1 != "") print $$1"\t"$$1":"$$2":::::" }' $^ \
	   | $(DBLOAD) -s -i $^ -o $(YPMAPDIR)/$@ - $@
	-@$(NOPUSH) || $(YPPUSH) -d $(DOMAIN) $@

DON'T just copy and paste the above. They are merely examples. If you are
installing this HACK you should know how to edit the Makefile for your site.
Make sure to update the 'all:' rule to include the new maps as well.

Next I had to edit ypserv.conf and added the following lines:

* : passwd.solaris.byname : none : no
* : passwd.solaris.byuid : none : no
* : passwd.adjunct.byname : port : yes

Make sure /var/yp/securenets is all set up OK (no changes required
specifically for this patch).

Kill ypserv, start it up, log in on the Solaris machine. Voila, it's now an
NIS client of a real OS :).

If you start ypserv in debug mode, you will see what gets spoofed and what
doesn't.

Have fun!

valankar@bigfoot.com
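
Added example (not part of the patch or of the original README): a stand-alone
C version of the /var/yp/spoofmap lookup described under Example Spoof. The
patch's own matching code is not shown here, so the names spoof_lookup and
host_matches, the first-match-wins rule, and treating an entry without a
trailing '.' as an exact address are assumptions; the 10.1.2. line in the
sample is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of /var/yp/spoofmap in the format described above. */
static const char *SAMPLE_SPOOFMAP =
    "# spoofs for solaris\n"
    "192.168.0.1 passwd.byname passwd.solaris.byname\n"
    "192.168.0.1 passwd.byuid passwd.solaris.byuid\n"
    "10.1.2. passwd.byname passwd.solaris.byname\n";

/* Assumption: an entry ending in '.' is a prefix; anything else must equal
 * the whole address, so 192.168.0.1 does not also cover 192.168.0.10. */
static int host_matches(const char *pattern, const char *client)
{
    size_t n = strlen(pattern);
    if (n > 0 && pattern[n - 1] == '.')
        return strncmp(pattern, client, n) == 0;
    return strcmp(pattern, client) == 0;
}

/* Returns the map to serve: the replacement (copied into out) from the first
 * matching line, or the requested map unchanged when nothing applies. */
const char *spoof_lookup(const char *spoofmap, const char *client,
                         const char *map, char *out, size_t outlen)
{
    for (const char *p = spoofmap; *p; ) {
        char line[256], host[64], from[64], to[64];
        size_t len = strcspn(p, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, p);
        p += len + (p[len] == '\n');
        if (sscanf(line, "%63s %63s %63s", host, from, to) != 3 || host[0] == '#')
            continue;                       /* blank, malformed or comment */
        if (host_matches(host, client) && strcmp(from, map) == 0) {
            snprintf(out, outlen, "%s", to);
            return out;
        }
    }
    return map;
}

int main(void)
{
    char buf[64];
    const char *clients[] = { "192.168.0.1", "192.168.0.10", "10.1.2.77" };
    for (int i = 0; i < 3; i++)
        printf("%s -> %s\n", clients[i], spoof_lookup(SAMPLE_SPOOFMAP,
               clients[i], "passwd.byname", buf, sizeof buf));
    return 0;
}
```

With exact matching for full addresses, 192.168.0.10 keeps getting the real
passwd.byname, which a plain prefix comparison against 192.168.0.1 would have
replaced.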