SUMMARY: passwd -r nis fails (more info)

From: David L. Markowitz (David.Markowitz@litronic.com)
Date: Tue Jul 06 1999 - 15:41:03 CDT


My first summary said:
> It turns out that newer versions of Solaris do not allow root to change
> NIS* passwords. From man passwd(1) in Solaris 2.5.1 and later:
>
> In the files case, superusers (for instance, real and effective
> uid equal to 0, see id(1M) and su(1M)) may change any
> password;
>
> But, from man passwd(1) in Solaris 2.4 the same section reads:
>
> Super-users (for instance, real and effective uid equal to
> zero, see id(1M) and su(1M)) may change any password;
>
> So, in 2.5 or 2.5.1 this root power was rescinded. Nice of them to
> document it so well. :-(

However, I got more response to my summary than to my original question.
It turns out that this root power was *not* available in Solaris 2 until
very recently, when it was added back in. A sentence was added to the
end of the paragraph from which I quoted above:

                                                 If NIS is in
      effect, superuser on the root master can change any password
      without being prompted for the old NIS passwd , and is not
      forced to comply with password construction requirements.

It turns out that if this had been a later OS, or had certain patches
(below), it would have worked.

Casper Dik explained it best (as usual). Thanks also to Niall O Broin
and Gerard Henry.

> From: Casper Dik <casper@holland.sun.com>
>
> Uhm, the power couldn't have existed in 2.4, I'm sure (because of how
> NIS as a protocol works).
>
> However, in newer releases we've added a backdoor protocol that works
> on the master server only:
>
> If NIS is in
> effect, superuser on the root master can change any password
> without being prompted for the old NIS passwd , and is not
> forced to comply with password construction requirements.
>
> ...
>
> In SunOS 4 days, you could use "passwd -F" on the NIS master source.
>
> There's patch 106563-04 (PAM) and 103053-08 (NSKIT 1.2) that fix this
> problem when they're both applied.

        David L. Markowitz Director, UNIX Software
        David.Markowitz@litronic.com Litronic Industries
        http://members.home.net/rttrek http://www.litronic.com/
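
The message above says the fix needs both 106563-04 and 103053-08 applied. The following is an added example, not part of the original message, that checks a patch listing for both. It assumes the listing uses `showrev -p` style lines beginning with `Patch: <id>-<rev>` and that a later revision of the same patch ID still carries the fix; the sample listings and package names are constructed.

```shell
#!/bin/sh
# Added example (not from the original message).

# patch_ok BASE MINREV: read a patch listing on stdin; succeed only if
# patch BASE is present at revision MINREV or later.
patch_ok() {
    awk -v base="$1" -v min="$2" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 >= min + 0) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# check_listing TEXT: both patches must be present, since the message says
# the problem is fixed only "when they're both applied".
check_listing() {
    missing=""
    for need in 106563-04 103053-08; do
        printf '%s\n' "$1" | patch_ok "${need%-*}" "${need#*-}" ||
            missing="$missing $need"
    done
    if [ -z "$missing" ]; then
        echo "ok"
        return 0
    fi
    echo "missing or too old:$missing"
    return 1
}

# Constructed sample listings (package names are placeholders).
SAMPLE_PATCHED='Patch: 106563-04 Obsoletes:  Requires:  Incompatibles:  Packages: PKG_A
Patch: 103053-09 Obsoletes:  Requires:  Incompatibles:  Packages: PKG_B'
SAMPLE_PARTIAL='Patch: 106563-04 Obsoletes:  Requires:  Incompatibles:  Packages: PKG_A
Patch: 103053-06 Obsoletes:  Requires:  Incompatibles:  Packages: PKG_B'

check_listing "$SAMPLE_PATCHED" || true
check_listing "$SAMPLE_PARTIAL" || true
```

On the NIS master itself, the listing would come from `check_listing "$(showrev -p)"`.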


