Patch-ID# 101363-08
Keywords: C2 rpc.yppasswdd rpc.pwdauthd ypserv securenets ypxfr pkginfo pkgmap
Synopsis: NSkit 1.0: Jumbo Patch
Date: Apr/13/95

Solaris Release: 2.3

SunOS release: 5.3

Unbundled Product: Name Services Transition Kit (5.x NIS BCP-mode Server)

Unbundled Release: 1.0

Topic: Fixes to problems reported against patch release 101363-07
       (problems related to pkginfo and pkgmap)

BugId's fixed with this patch: 1040334 1043667 1058378 1059261 1063796
                               1039587 1097292 1006905 1156159 1156958
                               1172101 1174170 1180937 1176534 1195865
                               1198731

Changes incorporated in this version: 1176534 1195865 1198731

Relevant Architectures: sparc

Patches accumulated and obsoleted by this patch:

Patches which may conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/etc/init.d/yp
/var/yp/Makefile
/var/yp/updaters
/usr/lib/netsvc/yp/makedbm
/usr/lib/netsvc/yp/mkalias
/usr/lib/netsvc/yp/mknetid
/usr/lib/netsvc/yp/revnetgroup
/usr/lib/netsvc/yp/rpc.yppasswdd
/usr/lib/netsvc/yp/rpc.ypupdated
/usr/lib/netsvc/yp/stdethers
/usr/lib/netsvc/yp/stdhosts
/usr/lib/netsvc/yp/updpublickey
/usr/lib/netsvc/yp/yppush
/usr/lib/netsvc/yp/ypserv
/usr/lib/netsvc/yp/ypxfr.4x
/usr/lib/netsvc/yp/ypxfr_1perday
/usr/lib/netsvc/yp/ypxfr_1perhour
/usr/lib/netsvc/yp/ypxfr_2perday
/usr/lib/netsvc/yp/ypxfrd
/usr/lib/netsvc/yp/man/man3/ypupdate.3n
/usr/lib/netsvc/yp/man/man5/updaters.5
/usr/lib/netsvc/yp/man/man8/makedbm.8
/usr/lib/netsvc/yp/man/man8/rpc.yppasswdd.8c
/usr/lib/netsvc/yp/man/man8/rpc.ypupdated.8c
/usr/lib/netsvc/yp/man/man8/ypmake.8
/usr/lib/netsvc/yp/man/man8/yppush.8
/usr/lib/netsvc/yp/man/man8/ypserv.8
/usr/lib/netsvc/yp/man/man8/ypxfr.4x.8
/usr/lib/netsvc/yp/man/man8/ypxfr_1perday.8
/usr/lib/netsvc/yp/man/man8/ypxfr_1perhour.8
/usr/lib/netsvc/yp/man/man8/ypxfr_2perday.8
/usr/lib/netsvc/yp/man/man8/ypxfrd.8

Problem Description:

bugid 1176534
  Niskit patch 101363-03 does not appear in showrev -p output.

bugid 1195865
  101363-07 has a packaging error.

bugid 1198731
  101363-07 forgot to include the hard link from /etc/init.d/yp to
  /etc/rc2.d/S71yp.

bugid 1040334
  yppasswd will not allow a user to change the passwd from a client; the
  daemon dies on the server. rpc.yppasswdd called auditing code which does
  not work in Solaris. With that code removed it stops core dumping, and
  yppasswd now works.

bugid 1156159
  Need to integrate the 4.1.3 YP patch 100482-04 into NSKIT 1.0 on
  Solaris 2.3.

bugid 1156958
  ypserv from NSKIT died on Solaris 2.3 with "_xdr_yprequest symbol not
  found". This is caused by the BCP support in Solaris being incomplete:
  only public APIs are supported, and by definition anything with a leading
  '_' is private. Adding the code to the server makes the problem go away.

bugid 1172101
  DNS forwarding does not work with the nskit. This is a one-line change to
  the async_resolver, which had broken DNS forwarding.

bugid 1174170
  "ypinit -m"/"mknetid" won't create the NIS netid.byname map if the "group"
  file is large.

bugid 1180937
  /var/yp/Makefile does not create the services.byservicename map. The lack
  of the services.byservicename map reduces the performance of getservbyname
  NIS lookups.

NOTE:
=====

The /var/yp/Makefile supplied with the NIS kit for Solaris 2.x doesn't deal
with the /etc/shadow file, and thus the passwd.byname and passwd.byuid maps
that it creates and pushes have 'x' in the passwd field. This means that the
passwd map that the NIS clients see is incorrect. It should merge in the
passwd entry from /etc/shadow.

The workaround could be:
-----------------------

The following entry for passwd.time should be used instead. It joins lines of
the passwd and shadow files. It uses nawk for its getline feature, while all
the other entries in the Makefile use awk.
# Recipe lines below must begin with a tab. The getline is parenthesized so
# that the comparison with 0 is unambiguous under every awk.
passwd.time: $(DIR)/passwd $(DIR)/shadow
	@(nawk 'BEGIN { FS=":"; while ((getline < "$(DIR)/shadow") > 0) shadow[$$1] = $$2; } { $$2 = shadow[$$1]; OFS=":"; printf "%s\t%s\n",$$1,$$0 }' $(DIR)/passwd $(CHKPIPE))| $(MAKEDBM) - $(YPDBDIR)/$(DOM)/passwd.byname;
	@(nawk 'BEGIN { FS=":"; while ((getline < "$(DIR)/shadow") > 0) shadow[$$1] = $$2; } { $$2 = shadow[$$1]; OFS=":"; printf "%-10d\t%s\n",$$3,$$0 }' $(DIR)/passwd $(CHKPIPE))| $(MAKEDBM) - $(YPDBDIR)/$(DOM)/passwd.byuid;
	@touch passwd.time;
	@echo "updated passwd";
	@if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOM) passwd.byname; fi
	@if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOM) passwd.byuid; fi
	@if [ ! $(NOPUSH) ]; then echo "pushed passwd"; fi

COMMENTS:
========

Both the "ypserv" and "ypxfrd" in this patch use a /var/yp/securenets file
and, if it is present, respond only to IP addresses in the ranges given.
This file is read only when the daemons (both ypserv and ypxfrd) start. To
get a change in /var/yp/securenets to take effect, one must kill and restart
the daemons.

The format of the file is one or more lines of:

        netmask netaddr

e.g.

        255.255.0.0     128.30.0.0
        255.255.255.0   128.311.10.0

In the 2nd example, the netmask is 255.255.255.0 and the network address is
128.311.10.0. This setup will only allow ypserv to respond to those IP
addresses which are within the subnet 128.311.10 range.

Patch Installation Instructions:
--------------------------------

Use the following commands to install the patch:

        cd <directory containing the patch>
        pkgadd -d `pwd` SUNWnskit

This will install the patch appropriately. Please note that the installpatch
utility is not used, which means this installed patch is not recognized by
other patch utilities such as showrev -p. This problem will be fixed in a
later release of the patch.

Other specific or unique installation instructions may also be necessary and
should be described below.
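The passwd/shadow join performed by the nawk entry above, as an added example that is not part of the Sun README or the Makefile: the same key/value lines that makedbm reads for passwd.byname and passwd.byuid, built in Python over constructed sample files (names and hashes are made up). One difference is deliberate and is this example's own choice: a user present in passwd but absent from shadow gets "*" in the passwd field, where an unset awk array element would give an empty field.

```python
from typing import Dict, List, Tuple

# Constructed sample files standing in for $(DIR)/passwd and $(DIR)/shadow.
# The HASH_* values are placeholders, not real password hashes.
SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
alice:x:1001:10:Alice:/home/alice:/bin/sh
bob:x:1002:10:Bob:/home/bob:/bin/sh
"""
SAMPLE_SHADOW = """\
root:HASH_ROOT:10000::::::
alice:HASH_ALICE:10000::::::
"""


def load_shadow(text: str) -> Dict[str, str]:
    """user -> password field, the same table the nawk BEGIN block builds."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, pw = line.split(":", 2)[:2]
            table[name] = pw
    return table


def merge_passwd(passwd: str, shadow: Dict[str, str],
                 missing: str = "*") -> Tuple[List[str], List[str]]:
    """Return (passwd.byname lines, passwd.byuid lines) in makedbm's
    key<TAB>value form.

    The byname key is the user name; the byuid key is the uid printed with
    %-10d, matching the two printf calls in the Makefile entry. A user with
    no shadow entry gets `missing` instead of an empty (passwordless) field.
    """
    byname: List[str] = []
    byuid: List[str] = []
    for line in passwd.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: skip it rather than publish it
        fields[1] = shadow.get(fields[0], missing)
        entry = ":".join(fields)
        byname.append(f"{fields[0]}\t{entry}")
        byuid.append(f"{int(fields[2]):<10d}\t{entry}")
    return byname, byuid
```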
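The /var/yp/securenets format described under COMMENTS, as an added example that is not part of the patch: a Python parser that applies the usual reading of a "netmask netaddr" line, that is a client is accepted when (client AND netmask) == netaddr, and reports every line it cannot accept, so a malformed line such as the README's 128.311.10.0 example (third octet above 255) is caught before the daemons are restarted. Treating '#' as a comment marker and the sample file contents are this example's assumptions.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample /var/yp/securenets. Line 3 reproduces the README's
# second example (octet 311 is invalid); line 5 has host bits set under
# its mask, which this parser also treats as a configuration mistake.
SAMPLE_SECURENETS = """\
# comments and blank lines are ignored (this parser's assumption)
255.255.0.0 128.30.0.0
255.255.255.0 128.311.10.0
255.255.255.0 10.0.5.0
255.255.255.0 10.0.6.1
"""


def parse_securenets(text: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Parse securenets text; return (accepted networks, rejected lines)."""
    nets: List[ipaddress.IPv4Network] = []
    bad: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            bad.append(f"line {lineno}: expected 'netmask netaddr', got {raw!r}")
            continue
        mask, addr = fields
        try:
            # strict=True rejects a netaddr that has host bits set under mask
            nets.append(ipaddress.IPv4Network((addr, mask), strict=True))
        except ValueError as exc:
            bad.append(f"line {lineno}: {exc}")
    return nets, bad


def client_allowed(client: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """True when the client address lies in any accepted network."""
    ip = ipaddress.IPv4Address(client)
    return any(ip in net for net in nets)
```

Remember that ypserv and ypxfrd read the file only at start-up, so a corrected file has no effect until both daemons are restarted.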
Special Install Instructions:
-----------------------------

From patch 101363-02

In addition, for bugid 1156159: this adds /var/yp/securenets, which allows
you to restrict access to your YP server based on IP address or subnet masks
(see old bugid 1036869).

From patch 101363-01

=============================================================================
Only on the MASTER NIS server
=============================================================================

* Add the following lines to the /etc/init.d/yp file on the NIS master, after
* the entry for ypbind startup. Note that the -m option has no arguments,
* thus ensuring both passwd and passwd.adjunct maps are built when a passwd
* change occurs.

#
# This starts yppasswd daemon and tells it to look for the passwd.adjunct file
#
if [ -f /usr/lib/netsvc/yp/rpc.yppasswdd -a -d /var/yp/`domainname` ]; then
        rpc.yppasswdd /etc/passwd /etc/security/passwd.adjunct -m; echo rpc.yppasswdd
fi

* Now follow the steps given for all systems.

=============================================================================
Only on NIS client machines not running C2 security with a MASTER NIS server
converted to running C2 security.
=============================================================================

* Normally all machines will be C2 converted within a NIS domain to
* achieve C2 classification. These steps are for cases where NIS
* clients have not been C2 converted, but the NIS MASTER has been converted.
*
* Machines with a NIS master using passwd shadowing (passwd.adjunct) need
* to run rpc.pwdauthd to decrypt shadowed passwds. This daemon will
* automatically be started by the default rc.local script if a passwd.adjunct
* file exists. Do the following to create this file with a "+" entry in it
* to use the NIS passwd.adjunct map.
        # mkdir /etc/security
        # chown root.staff /etc/security
        # chmod 2711 /etc/security
        # echo "+" > /etc/security/passwd.adjunct
        # chown root.staff /etc/security/passwd.adjunct
        # chmod 644 /etc/security/passwd.adjunct

* Now follow the steps given for all systems.

=============================================================================
Generically for all systems:
=============================================================================

* The following pseudo-users must be added to /etc/passwd and
* /etc/security/passwd.adjunct before changing any binaries.
* This is so the auditing of rpc.pwdauthd and rpc.yppasswdd can occur.
*
* These additions do not need to be done on NIS client machines since
* they will pick these changes up from the NIS master.
*
* /etc/passwd additions:
*
*       AUpwdauthd:##AUpwdauthd:10:10:::/bin/false
*       AUyppasswdd:##AUyppasswdd:11:10:::/bin/false
*
* /etc/security/passwd.adjunct additions:
*
*       AUpwdauthd:*:::::
*       AUyppasswdd:*:::::
*
=============================================================================

Now, complete the install by loading in the modified binaries. Note that the
dynamically linked binaries are incompatible with the use of the US Encryption
Kit. If you will be using the US Encryption Kit, load the static versions
(rpc.pwdauthd.static and rpc.yppasswdd.static) of the provided binaries.

First save the FCS distribution versions as a precaution:

        # cp /usr/lib/netsvc/yp/rpc.pwdauthd /usr/lib/netsvc/yp/rpc.pwdauthd.FCS
        # cp /usr/lib/netsvc/yp/rpc.yppasswdd /usr/lib/netsvc/yp/rpc.yppasswdd.FCS

It is critical that the following steps be completed in single-user mode, so
that the rpc.pwdauthd and rpc.yppasswdd daemons are both disabled while the
new versions are installed.

        # init 1

The new versions of the binaries can now be installed.
        # cp rpc.pwdauthd /usr/lib/netsvc/yp/rpc.pwdauthd
        # chown root.staff /usr/lib/netsvc/yp/rpc.pwdauthd
        # chmod 755 /usr/lib/netsvc/yp/rpc.pwdauthd
        # cp rpc.yppasswdd /usr/lib/netsvc/yp/rpc.yppasswdd
        # chown root.staff /usr/lib/netsvc/yp/rpc.yppasswdd
        # chmod 755 /usr/lib/netsvc/yp/rpc.yppasswdd

Double check the permissions of the new files. If the permissions are set
incorrectly, logins will not be possible except in single-user mode (boot -s).

Now you can either enter a ^D (control-D) from single-user mode or reboot the
machine. This finishes the installation.