Patch-ID# 101363-09
Keywords: C2 rpc.yppasswdd rpc.pwdauthd ypserv securenets ypxfr pkginfo pkgmap
Synopsis: NSkit 1.0: Jumbo Patch
Date: Oct/30/95

Solaris Release: 2.3

SunOS Release: 5.3

Unbundled Product: Name Services Transition Kit (5.x NIS BCP-mode Server)

Unbundled Release: 1.0

Topic: Fixes to problems reported against patch release 101363-07
       (problems related to pkginfo and pkgmap)

BugId's fixed with this patch: 1040334 1043667 1058378 1059261 1063796 1039587
        1097292 1006905 1156159 1156958 1172101 1174170 1180937 1176534
        1195865 1198731 1176534 1195865 1198731

Changes incorporated in this version: 1191748 1171978

Relevant Architectures: sparc

Patches accumulated and obsoleted by this patch:

Patches which may conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

        /etc/init.d/yp
        /var/yp/Makefile
        /var/yp/updaters
        /usr/lib/netsvc/yp/makedbm
        /usr/lib/netsvc/yp/mkalias
        /usr/lib/netsvc/yp/mknetid
        /usr/lib/netsvc/yp/revnetgroup
        /usr/lib/netsvc/yp/rpc.pwdauthd
        /usr/lib/netsvc/yp/rpc.yppasswdd
        /usr/lib/netsvc/yp/rpc.ypupdated
        /usr/lib/netsvc/yp/stdethers
        /usr/lib/netsvc/yp/stdhosts
        /usr/lib/netsvc/yp/updpublickey
        /usr/lib/netsvc/yp/yppush
        /usr/lib/netsvc/yp/ypserv
        /usr/lib/netsvc/yp/ypxfr.4x
        /usr/lib/netsvc/yp/ypxfr_1perday
        /usr/lib/netsvc/yp/ypxfr_1perhour
        /usr/lib/netsvc/yp/ypxfr_2perday
        /usr/lib/netsvc/yp/ypxfrd
        /usr/lib/netsvc/yp/man/man3/ypupdate.3n
        /usr/lib/netsvc/yp/man/man5/updaters.5
        /usr/lib/netsvc/yp/man/man8/makedbm.8
        /usr/lib/netsvc/yp/man/man8/pwdauthd.8c
        /usr/lib/netsvc/yp/man/man8/rpc.yppasswdd.8c
        /usr/lib/netsvc/yp/man/man8/rpc.ypupdated.8c
        /usr/lib/netsvc/yp/man/man8/ypmake.8
        /usr/lib/netsvc/yp/man/man8/yppush.8
        /usr/lib/netsvc/yp/man/man8/ypserv.8
        /usr/lib/netsvc/yp/man/man8/ypxfr.4x.8
        /usr/lib/netsvc/yp/man/man8/ypxfr_1perday.8
        /usr/lib/netsvc/yp/man/man8/ypxfr_1perhour.8
        /usr/lib/netsvc/yp/man/man8/ypxfr_2perday.8
        /usr/lib/netsvc/yp/man/man8/ypxfrd.8

Problem Description:

(from 101363-09)

bugid 1191748 yppasswd fails to perform make passwd
bugid 1171978 ypcat does not work when using /var/yp/securenets

(from 101363-08)

bugid 1176534 Niskit patch 101363-03 does not appear in showrev -p output
bugid 1195865 101363-07 has a packaging error
bugid 1198731 101363-07 forgot to include e/ hard link from /etc/init.d/yp
              to /etc/rc2.d/S71yp

(from 101363-07)

bugid 1040334 yppasswd will not allow user to change passwd from client.
              Daemon dies on server.

        The rpc.yppasswdd called auditing code which doesn't work in
        Solaris. Remove the code and it stops core dumping and yppasswd
        now works.

bugid 1156159 Need to integrate 4.1.3 YP patch 100482-04 to NSKIT 1.0 on
              Solaris 2.3

bugid 1156958 ypserv from NSKIT died on Solaris 2.3 with _xdr_yprequest
              symbol not found

        This is caused by the BCP support in Solaris being incomplete.
        They only support public APIs, and by definition anything with a
        '_' in front of it is private. By adding the code to the server,
        the problem goes away.

bugid 1172101 DNS forwarding does not work with the nskit

        This is a one line change for the async_resolver which broke DNS
        forwarding

bugid 1174170 "ypinit -m"/"mknetid" won't create NIS netid.byname map if
              "group" file is large

bugid 1180937 /var/yp/Makefile does not create services.byservicename map.

        The lack of the services.byservicename map reduces the
        performance of getservbyname nis lookups.

COMMENTS:
========

ypserv & ypxfrd) start. To get a change in /var/yp/securenets to take
effect, one must kill and restart the daemons.

The format of the file is one or more lines of:

        netmask netaddr

e.g.

        255.255.0.0 128.30.0.0
        255.255.255.0 128.311.10.0

In the 2nd example, the netmask is 255.255.255.0 and the network address
is 128.311.10.0 . This setup will only allow the ypserv to respond to
those IP addresses which are within the subnet 128.311.10 range.
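Because a change to /var/yp/securenets only takes effect after the daemons are killed and restarted, it is worth checking the file before restarting. The following is an added example, not part of the patch or of NSkit: a small checker for the "netmask netaddr" format described above. It assumes that a client is accepted when (client AND netmask) equals netaddr and that "#" starts a comment; the function names and the 192.0.2.0 entry are constructed for illustration.

```python
import ipaddress

# Constructed sample: the two entries shown in the README plus one extra /24.
SAMPLE = """\
255.255.0.0 128.30.0.0
255.255.255.0 128.311.10.0
255.255.255.0 192.0.2.0
"""

def parse_securenets(text):
    """Return (rules, problems) for a file of 'netmask netaddr' lines."""
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            problems.append((lineno, "expected 'netmask netaddr'"))
            continue
        try:
            mask = int(ipaddress.IPv4Address(fields[0]))
            addr = int(ipaddress.IPv4Address(fields[1]))
        except ipaddress.AddressValueError as exc:
            # e.g. an octet above 255, as in 128.311.10.0
            problems.append((lineno, f"bad address: {exc}"))
            continue
        inverse = ~mask & 0xFFFFFFFF
        # Lint check (not claimed server behaviour): ones then zeros only.
        if inverse & (inverse + 1):
            problems.append((lineno, "non-contiguous netmask"))
            continue
        # Under the assumed matching rule, stray host bits match no client.
        if addr & inverse:
            problems.append((lineno, "netaddr has bits outside the netmask"))
            continue
        rules.append((mask, addr))
    return rules, problems

def is_allowed(rules, client):
    """True if the client address falls inside any parsed rule."""
    c = int(ipaddress.IPv4Address(client))
    return any(c & mask == addr for mask, addr in rules)

if __name__ == "__main__":
    rules, problems = parse_securenets(SAMPLE)
    for lineno, why in problems:
        print(f"line {lineno}: {why}")
    for host in ("128.30.5.9", "128.31.0.1", "192.0.2.77"):
        print(host, "allowed" if is_allowed(rules, host) else "denied")
```

Run against the sample, the checker reports line 2 because 311 is not a valid octet, so that entry would need correcting before it could restrict anything.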

Patch Installation Instructions:
--------------------------------

Use the following command to install the patch:

        cd
        pkgadd -d `pwd` SUNWnskit

This will install the patch appropriately. Please note that we are not
using the installpatch utility, but a utility like "showrev -p" should
still be able to pick up the release of the patch once it is installed
using "pkgadd -d ....".

Other specific or unique installation instructions may also be necessary
and should be described below.

Note:
=====

In addition for bugid 1156159

This adds the /var/yp/securenets which allows you to restrict access to
your YP server based on IP addr or subnet masks. (see old bugid 1036869)

Special Install Instructions:
-----------------------------

Only on the MASTER NIS server
=============================

1. Modify the /etc/init.d/yp file on the NIS master server to enable
   "rpc.yppasswdd" daemon. Basically, take away the "#" sign in front
   of these lines.

        # Edit and uncomment this to automate rpc.yppasswdd startup.
        #       if [ -f $YPDIR/rpc.yppasswdd ];then
        #               $YPDIR/rpc.yppasswdd /var/yp/passwd -m \
        #               passwd PWDIR=/var/yp; echo ' yppasswdd\c'
        #       fi

   If your NIS master server is configured to run C2, then also modify
   this line to exclude the argument "passwd" after the "-m" option.
   Basically, the rpc.yppasswdd command should now look like this:

        if [ -f $YPDIR/rpc.yppasswdd ];then
                $YPDIR/rpc.yppasswdd /var/yp/passwd \
                /etc/security/passwd.adjunct -m \
                PWDIR=/var/yp; echo ' yppasswdd\c'
        fi

2. If your NIS master server is configured to run C2, then proceed to
   step 3. Otherwise, you can either start up the rpc.yppasswdd command
   (with the required options) manually or simply reboot the NIS master
   server here.

3. If your NIS master server is configured to run C2, make sure that
   the below pseudo-users are added to /etc/passwd and
   /etc/security/passwd.adjunct before changing any binaries. This is
   so that the auditing of the rpc.pwdauthd and rpc.yppasswd can occur.
   These entries are not needed on the NIS client machines since they
   will pick these changes up from the NIS master server. Then, go to
   step 4.

   * Addition to the /etc/passwd file:

        AUpwdauthd:##AUpwdauthd:10:10:::/bin/false
        AUyppasswdd:##AUyppasswdd:11:10:::/bin/false

   * Addition to the /etc/security/passwd.adjunct file:

        AUpwdauthd:*:::::
        AUyppasswdd:*:::::

4. Go to the section labeled with "Final steps for non-standard
   configuration".

Only on NIS client machines not running C2 security with a NIS MASTER
NIS server converted to running C2 security.
==============================================================

Normally all machines will be C2 converted within a NIS domain to
achieve C2 classification. These steps are for cases where NIS clients
have not been C2 converted, but the NIS MASTER has been converted.

Machines with a NIS master using passwd shadowing (passwd.adjunct) need
to run the rpc.pwdauthd to decrypt shadowed passwd's. This daemon will
automatically be started by the default startup script if a
passwd.adjunct file exists. Do the following to create this file with a
"+" entry in it to use the NIS passwd.adjunct map.

        # mkdir /etc/security
        # chown root.staff /etc/security
        # chmod 2711 /etc/security
        # echo "+" > /etc/security/passwd.adjunct
        # chown root.staff /etc/security/passwd.adjunct
        # chmod 644 /etc/security/passwd.adjunct

Final steps for non-standard configuration
==========================================

Now, complete the install by loading in the modified binaries. Note
that the dynamically linked binaries are incompatible with the use of
the US Encryption Kit. If you will be using the US Encryption Kit, load
the static versions (rpc.pwdauthd.static and rpc.yppasswdd.static) of
the provided binaries.

First save the FCS distribution versions as a precaution:

        # cp /usr/lib/netsvc/yp/rpc.pwdauthd /usr/lib/netsvc/yp/rpc.pwdauthd.FCS
        # cp /usr/lib/netsvc/yp/rpc.yppasswdd /usr/lib/netsvc/yp/rpc.yppasswdd.FCS

It is critical that the following steps be completed in single-user
mode, so that the rpc.pwdauthd and rpc.yppasswd daemons are both
disabled while the new versions are installed.

        # init 1

The new version of the binaries can now be installed.

        # cd /directory_where_the_new_binaries_are_located
        # cp rpc.pwdauthd /usr/lib/netsvc/yp/rpc.pwdauthd
        # chown root.staff /usr/lib/netsvc/yp/rpc.pwdauthd
        # chmod 755 /usr/lib/netsvc/yp/rpc.pwdauthd
        # cp rpc.yppasswdd /usr/lib/netsvc/yp/rpc.yppasswdd
        # chown root.staff /usr/lib/netsvc/yp/rpc.yppasswdd
        # chmod 755 /usr/lib/netsvc/yp/rpc.yppasswdd

Double check permissions of the new files. If the permissions are set
incorrectly, login will not be able to occur except in single user mode
(boot -s).

Now you can either enter a ^D (control D) from single user mode or
reboot the machine. This finishes the installation.