SUMMARY: nis+ unable to authenticate server

From: Ron Stanonik (stanonik@nprdc.navy.mil)
Date: Tue Aug 24 1993 - 12:35:04 CDT


We clobbered our root master server's credentials and were unable
to do anything in secure mode. In insecure mode (rpc.nisd -S 0)
we were able to reassign credentials for the root master server,
but returning to secure mode still nothing worked. The problem
was that we had neglected to update the directories' copies of
the root master server's credentials. nisupdkeys did the trick.

Thanks,

Ron Stanonik
stanonik@nprdc.navy.mil

Date: Fri, 23 Jul 93 17:41:06 PDT
From: Tracy.Ong@Corp.Sun.COM (Tracy Ong)
To: stanonik

Changing the _credentials_ of the root master server is difficult to
do (explanation included later.) The salient point is that you can
change the _password_ on the root server without changing its _credentials_.

To change the password of the root master server, use the passwd command.
(we assume that the password for root on the NIS+ servers is _not_ in
 NIS+ because that would put them in a vulnerable position.)

You do _NOT_ need to change the key because the server keeps a clear copy
of the secret key in /etc/.rootkey and you don't need to use the password
to decrypt it. If however you wish to re-encrypt the existing secret key
you can use the -p option of chkey (New for 1093, not available as a patch
(no one has asked))

If you wish to change the keys for the root master server then you have
to do it as follows:

1) use these commands in _this_ order:
   nisupdkeys -CH master.server.name. groups_dir.domain.name.
   nisupdkeys -CH master.server.name. org_dir.domain.name.
   nisupdkeys -CH master.server.name. domain.name.

(this CLEARS the key for the HOST "master.server.name" in these directory

2) Kill rpc.nisd and restart it at security level 0 then run this command:

   nistbladm -R cname=master.server.name. cred.org_dir.domain.name.
   nisaddcred des

   < this deletes the old credential and creates a new one.>

3) Shut down and restart any replicas of org_dir.domain.name. at run level 0

   nisping org_dir.domain.name.

   < this propagates the new key pair to the replicas. >

   nisupdkeys domain.name.
   nisupdkeys org_dir.domain.name.
   nisupdkeys groups_dir.domain.name.

   < this puts the new credential in the affected directory objects >

4) Kill and restart all rpc.nisd servers at level 0 to security level 2.

You're done. Note that changing a server's key affects all directory
objects containing the key.

Alternatively we should be able to create a publickey file for these guys.

Date: Sun, 25 Jul 93 21:16:56 +0200
From: Wolfgang Ratzka <wolfgang.ratzka@rphs1.physik.uni-regensburg.de>
To: stanonik (Ron Stanonik)
Subject: Re: nis+ unable to authenticate server
Newsgroups: comp.unix.solaris

If you changed the credentials of the server root, you will have
to run nisupdkeys (in -S 0 mode):

# /usr/lib/nis/nisupdkeys your.domain.
# /usr/lib/nis/nisupdkeys org_dir.your.domain.
# /usr/lib/nis/nisupdkeys groups_dir.your.domain.

(I hope this is right, but I won't try to reproduce your error right
now ;-). I once did change the root credentials and got the same error
message. But as I had a fresh dump of the var partition on tape, I
did it the other way...)

-- _
| | )
|/\| \ Wolfgang Ratzka

-- 
Ron Stanonik
stanonik@nprdc.navy.mil
ucsd!nprdc!stanonik


