passwords

Marcel Kunath kunathma@pilot.msu.edu
Tue, 27 Jun 2000 11:49:26 -0400 (EDT)


Ok,

I am running quite a few services on one machine.

1. regular user accounts
2. NIS with NFS (exported /home)
3. Samba


All three of these use password authentication of some sort. I am a bit
confused trying to keep all the password files, 'algorithms', and
authentication mechanisms straight and also usable.

Please correct me if I say something wrong in the following paragraphs.


Regular Users
-------------

I generate a normal user. The user's password is kept in /etc/passwd. The shadow
password is kept in /etc/shadow. Are these two files kept in sync? I may choose
to use normal passwords or shadow passwords for authentication.


NIS
---

I am giving the user the right to log in over the network via NFS/NIS. To do
this I export the /home directory and also set up the NIS 'database'. This
is done by running

/usr/lib/yp/ypinit -m

on the master NIS server.

Where do the database contents get stored?

To keep the regular password and the NIS password in sync the user should
update their password via the command 'yppasswd' instead of 'passwd'. This
updates the password in the NIS database. Does this also update the password in
/etc/passwd on the master?

What files does passwd affect if run on the master?
What files does passwd affect if run on the client?
What files does yppasswd affect if run on the master?
What files does yppasswd affect if run on the client?

If you run passwd on a client it will store(?) the new password only on the
client (/etc/passwd) where the user account doesn't even exist because it is
exported through NFS use of /home. If you run passwd on the master it gets
stored in /etc/passwd on the master.

This causes the passwords for local master access and NIS access to be out of
sync. The new password is needed to log in on the master. The old password is
still needed for the NIS client, since the database was not updated. Running
/usr/lib/yp/ypinit -m again brings the files into sync again.

Because I run NIS I edited the file /etc/nsswitch.conf on the client but not on
the master. This file determines on the client to check for NIS
authentication (first or only for NIS access). On the server this file is not
edited so it does check the local configuration. On the master it checks the
local password or the local stored database password for NIS? I am a bit
confused here.

Now there seems to be a special relationship between NIS password and
/etc/passwd after you run the NIS database update. They are basically in
sync.

Samba
-----

Samba can share resources between Windows and Linux. It uses authentication. To
give the user access to a Linux drive on a Windows machine I add the user to
the /etc/smbpasswd file with the use of the program 'smbpasswd'. Before adding
the user it checks if the user exists in /etc/passwd.

I provide Samba with a Samba password for the user. This password is stored in
/etc/smbpasswd and may be different from /etc/passwd or the NIS password.

Furthermore a password is locally stored on the Windows (98) machine. It is
used to check if it matches the password in the Samba password file. If you
change the password on the Windows machine it will not match the Samba password
anymore unless you also change the Samba password. Authentication will be
denied if they do not match.


Keeping it straight
-------------------

1. If I am on the master I update my password with 'yppasswd'.
2. If I am on a Linux client I update my password with 'yppasswd'.
3. If I am on a Windows client I update my password first by changing my
password on the Samba host. Then I change my local Windows password to the same
password. This keeps the Windows password and Samba password in sync. The Samba
help material mentions a script/line to be put into /etc/smb.conf:

#from smb.conf
#
passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \
"*Password changed*"
passwd program = /usr/bin/passwd %u
#end

What would this do? Does this change the password on the Windows client? Does
this change the password on the master? Which password on the master gets
changed? When do these lines get provoked?

On the side there is no relation between Samba and NIS password and they may or
may not be the same depending on what the user chooses as password(s) for the
two.




I am sure there are people who run all these three services on one box. Feel
free to give a lengthy instruction on /etc/passwd, /etc/shadow, NIS database,
and /etc/smbpasswd and how to use them right and in a practical manner.

Maybe it is time to write up a how-to on this topic. I think it would be
useful.

mk
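
An added example, not part of the original message: a small audit that cross-checks the account files named above (/etc/passwd, /etc/shadow, /etc/smbpasswd) for structural drift. The file contents are constructed samples, and the smbpasswd field layout (name:uid:LM hash:NT hash:[flags]:LCT-time:) is an assumption about the Samba version in use.

```python
# Constructed sample files; all names, uids and hashes are made up.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:ab1cdEfGhIjKl:501:501::/home/bob:/bin/bash
carol:x:502:502::/home/carol:/bin/bash
"""
SHADOW = """\
root:$1$constructed$rootroot:11000:0:99999:7:::
alice:$1$constructed$alicealice:11000:0:99999:7:::
"""
# Assumed smbpasswd layout: name:uid:LM hash:NT hash:[flags]:LCT-time:
SMBPASSWD = """\
alice:500:{h}:{h}:[U          ]:LCT-00000000:
carol:999:{h}:{h}:[U          ]:LCT-00000000:
dave:503:{h}:{h}:[U          ]:LCT-00000000:
""".format(h="A" * 32)


def fields(text):
    """Map account name -> colon-separated fields, skipping blanks/comments."""
    rows = (l.split(":") for l in text.splitlines() if l and not l.startswith("#"))
    return {r[0]: r for r in rows}


def audit(passwd_text, shadow_text, smb_text):
    """Return sorted (account, problem) pairs. Hashes are never compared:
    crypt(3) and LM/NT hashes are different formats, so whether the Unix and
    Samba passwords are the same cannot be read off these files."""
    passwd, shadow, smb = fields(passwd_text), fields(shadow_text), fields(smb_text)
    findings = []
    for name, row in passwd.items():
        if row[1] == "x":  # "x" means the hash lives in the shadow file
            if name not in shadow:
                findings.append((name, "shadowed in passwd but missing from shadow"))
        elif row[1] not in ("", "*", "!"):  # anything else is a real hash
            findings.append((name, "hash stored in world-readable passwd"))
    for name, row in smb.items():
        if name not in passwd:
            findings.append((name, "smbpasswd entry without a passwd account"))
        elif row[1] != passwd[name][2]:
            findings.append((name, "uid differs between smbpasswd and passwd"))
    return sorted(findings)


if __name__ == "__main__":
    for name, problem in audit(PASSWD, SHADOW, SMBPASSWD):
        print(f"{name}: {problem}")
```

Run against the real files this needs root, since /etc/shadow and /etc/smbpasswd should not be world-readable.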