# NIS is setup, but I can't add new user / change password



## ethoms (Jul 9, 2014)

I have managed to successfully set up an NIS server on FreeBSD 10 as per these instructions: http://www.freebsd.org/doc/handbook/network-nis.html. On another fresh install, I followed the client setup, also 10.0-RELEASE. I can log in to the NIS users I provisioned on the server from my client machine. However, the handbook states that I can add users using `pw useradd` or `adduser`. But it does not work, it only adds users locally, not to the NIS maps. If I want the changes, I need to start again, using `ypinit -m mydomain`. Also, `yppasswd` only changes the passwords locally.

At first I just configured the server as a master server. Then I tried making a client also, pointing to itself. Still no joy.

Is it possible to add users without building the domain from scratch? Why don't the documented steps work for me?


----------



## ethoms (Jul 9, 2014)

I forgot to mention: I am using the following command to rebuild the maps (from /var/yp):


```
# make conspec-group.com
`conspec-group.com' is up to date.
```


----------



## pboehmer (Jul 9, 2014)

There seems to be some "glue" missing since /var/yp/master.passwd does not get updated with either `pw` or `adduser`. I've been running NIS for a number of years and have been using a wrapper script that copies /etc/master.passwd to /var/yp/master.passwd sans system users. I've seen some users symlink /etc/master.passwd to /var/yp (possible security issues doing this). Either way, you will need to issue a `make` in /var/yp anytime the password file is updated.


----------



## ethoms (Jul 10, 2014)

OK, thanks @pboehmer, for shedding some light on this. So I just need to add the new entries to /var/yp/master.passwd, then run `make my-domain`? If so, that's not so bad, but shame the documents don't mention this. Has anyone had any luck with a FreeBSD server but Linux clients using NIS? I get wrong password messages when trying to log in, but `ypcat passwd.byname` works fine. I think it's a compatibility issue with the way the different OSes handle shadow files.

I may end up avoiding NIS, in favour of either LDAP, or just using local account matching UIDs and then mount NFS home folders directories via /etc/fstab. The Linux variant is Slackware, so LDAP may be interesting to set up. A simple clean solution for Linux client NIS would be nice though.


----------



## pboehmer (Jul 10, 2014)

Edit /var/yp/Makefile and set

```
UNSECURE=TRUE
```

and re-issue `make`. I don't have any Linux NIS clients, so not sure if this actually works or not, but the Makefile indicates this is what needs to be done.


----------



## ethoms (Jul 11, 2014)

@pboehmer: Thanks, I got NIS authentication working in Slackware Linux clients by uncommenting that line. I never thought to check the Makefile for configuration options.

The NIS users' home directories are on FreeBSD 10 RELEASE, each in their own ZFS filesystem.

Only problem now is that I still can't get new users to be added to the NIS maps without rebuilding with ypinit. This means scripting is not possible without using expect, which I don't want to do. I tried adding the new entries from /etc/master.passwd to /var/yp/master.passwd and then `make my-domain`. It does not pick up the changes.

I used the below command to add the new entries:


```
cat /etc/master.passwd | egrep "test.fastrack" >> /var/yp/master.passwd
cd /var/yp
make my-domain
```


----------



## ethoms (Jul 11, 2014)

Additionally, the password can't be changed, it won't update the maps. I have yppasswdd running and use yppasswd to change the password.

I think I am missing some configuration. Either that or NIS is broken in 10-RELEASE. I've followed the handbook to set it up.


----------



## ethoms (Jul 11, 2014)

Aha! the yppasswd is for changing the password on the client machine. When I try that I get the following error:


```
yppasswd: pam_chauthtok(): error in service module
```


----------



## ethoms (Jul 11, 2014)

Aha again! I wasn't running yppasswdd on the client. After doing so, and re-issuing yppasswd client-side, I now get a different error:


```
rpc.yppasswdd: can't get name of NIS master server for domain my-domain
```

However `ypwhich` returns a single line, my server's IP address. What do I need to do to tell my NIS server it is the master?


----------



## pboehmer (Jul 11, 2014)

The only thing running on your clients should be ypbind. rpc.yppasswdd is run on the NIS server and ypbind on the client pushes the password change request to the server. On FreeBSD clients, passwd on clients will detect and utilize NIS for password changes (passwd()). The yppasswd command is for changing the NIS passwords when logged into the NIS server, since this changes /var/yp/master.passwd and not /etc/master.passwd. I cannot comment on how the Linux passwd works in relation to NIS.


----------



## ethoms (Jul 13, 2014)

@pboehmer: Thanks for clarifying these things. However, my testing for NIS takes place on a FreeBSD server and client first. Then I will move on to Slackware for the production clients. I don't have any problem with clients, thanks to your help.

I just can't get changes in /var/master.passwd to update when I issue `make my-domain`. I can only update maps by using `ypinit -m my-domain`. Is NIS broken on FreeBSD 10? I haven't tested it on earlier releases. I have no problem making a script that updates /var/yp/master.passwd, but why isn't `make` picking up the changes?


----------



## pboehmer (Jul 14, 2014)

Instead of issuing `make my-domain`, have you tried just `make`?

From what I read above in your setup, could you have an issue where a user updates their password from a NIS client machine and you overwrite that change when you update /var/yp/master.passwd on the NIS server? I believe this is the reason why some people just symlink /etc/master.passwd to /var/yp/master.passwd.


----------



## ethoms (Jul 18, 2014)

Thanks again! Using just plain `make` works!

Updating passwords was not an issue. I didn't do that during my tests. I was trying to update passwords as a separate diagnostics test, because the `make my-domain` was not working. I do not need to update the passwords from client, from server is fine. In fact, I do not want users to be able to change their passwords.

So, it looks like the handbook needs a bit of improvement on the NIS section. I never thought to try just `make`.

As for sym-linking the /etc/master.passwd, I think this is a big security no-no. Also, I want to have local only users on the server. If I were a NIS developer, I would have made a simple solution; just have a blacklist file. Sym-link the /etc/master.passwd and have a blacklist file called something like /etc/master.passwd.blacklist /var/yp/master.passwd.blacklist.


----------
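
The wrapper approach described in the thread (copy /etc/master.passwd to /var/yp/master.passwd without system users), combined with the blacklist idea from the last post and the overwrite concern raised on Jul 14, as an added example that is not code from any participant. The function name, the UID cut-off of 1000, the deny-file format and the rule that a hash already in the NIS file is kept are all assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): regenerate the NIS source file from the
# local password database, leaving system and local-only accounts out.
# Usage: build_nis_passwd SRC DST [MIN_UID] [DENY_FILE]
#   SRC        master.passwd-format input, e.g. /etc/master.passwd
#   DST        NIS source file, e.g. /var/yp/master.passwd
#   MIN_UID    lowest UID exported; 1000 is an assumed site policy
#   DENY_FILE  hypothetical list of local-only login names, one per line
build_nis_passwd() (
    src=$1 dst=$2 min_uid=${3:-1000} deny=${4:-/dev/null}
    [ -r "$src" ] || { echo "cannot read $src" >&2; exit 1; }
    old=/dev/null
    [ -f "$dst" ] && old=$dst
    umask 077                          # the file holds password hashes
    tmp=$(mktemp "$dst.XXXXXX") || exit 1
    trap 'rm -f "$tmp"' EXIT
    awk -F: -v OFS=: -v min="$min_uid" '
        pass == 1 { if ($1 != "" && $1 !~ /^#/) denied[$1] = 1; next }
        pass == 2 { if (NF == 10) nishash[$1] = $2; next }
        /^#/ || NF != 10            { next }  # comments and malformed lines
        $3 !~ /^[0-9]+$/            { next }  # also drops "+:::" compat entries
        $3 + 0 < min || $3 == 65534 { next }  # system accounts and nobody
        $1 in denied                { next }  # local-only accounts
        # Assumed policy: once a user is in NIS, the NIS copy of the hash wins,
        # so a change made through rpc.yppasswdd is not overwritten.
        { if ($1 in nishash) $2 = nishash[$1]; print }
    ' pass=1 "$deny" pass=2 "$old" pass=3 "$src" > "$tmp" || exit 1
    mv -f "$tmp" "$dst"                # same directory, so the swap is atomic
)
```

Run it as root on the NIS master, then run plain `make` in /var/yp to rebuild the maps from the new file.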

