ypserv doesn't get notified when yppasswdd changes a password
Problem: A user changes a password using yppasswd, apparently successfully, but the password isn't changed (i.e. the user can still log in with the old password after a long period of time).
We can prove that yppasswdd is doing the right thing:
- /etc/shadow is updated; and
- /var/yp/$DOMAIN/passwd.by* are both updated.
However, if you ypcat passwd, the password hash is not changed (i.e. it differs from what is in /etc/shadow).
Naturally, service ypserv restart propagates the change correctly, but this is not practical as a long-term solution.
Underlying cause: It turns out that yppasswdd knows to update the passwd.by* maps when a password is changed. This is done through /var/yp/Makefile. This Makefile included a flag to makedbm (-c) which tells it to notify ypserv that the database files have changed once the updated files have been written. If localhost is not in securenets, ypserv ignores the notification as coming from an unauthorized host, and never notices that the underlying databases have been changed.
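To confirm this cause on a server, the following added example (not part of the original note) reads a securenets file and reports whether it admits a given IPv4 address. It assumes the makedbm -c notification arrives from 127.0.0.1 and that entries use the "netmask network" and "host address" line forms; the function names and the sample entries, including the loopback line, are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a securenets file admits an IPv4 address.

# Dotted quad -> integer on stdout; non-zero status on malformed input.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -f; set -- $1; set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 if FILE admits ADDR, 1 if not, 2 if ADDR is malformed.
securenets_allows() {
    file=$1
    addr=$(ip2int "$2") || return 2
    # ypserv accepts every host when no securenets file exists.
    [ -e "$file" ] || return 0
    while read -r mask net rest; do
        case $mask in ''|'#'*) continue ;; esac
        # "host a.b.c.d" is shorthand for a 255.255.255.255 netmask.
        if [ "$mask" = host ]; then mask=255.255.255.255; fi
        m=$(ip2int "$mask") || continue
        n=$(ip2int "$net") || continue
        # Mask the client address and compare it with the listed network.
        if [ $(( addr & m )) -eq "$n" ]; then return 0; fi
    done < "$file"
    return 1
}

# Constructed sample: a securenets file that lists only a LAN, then the same
# file with a conventional loopback entry (an assumption, not the page's line).
sample=$(mktemp)
printf '%s\n' '# constructed sample' '255.255.255.0 192.168.10.0' > "$sample"
for step in before after; do
    if securenets_allows "$sample" 127.0.0.1; then
        echo "$step: 127.0.0.1 allowed"
    else
        echo "$step: 127.0.0.1 refused"
    fi
    echo '255.0.0.0 127.0.0.0' >> "$sample"
done
rm -f "$sample"
```

Run the function against the real /var/yp/securenets before and after editing it; a "refused" result for 127.0.0.1 matches the symptom described above.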
Solution: Add to /var/yp/securenets:
Comments:
- It turns out in this case that /var/yp/securenets was generated by Webmin. Never Trust The GUI.
- There were other legacy problems with the maps (mostly revolving around the initial maps being generated with localhost.localdomain listed as the map master); it is possible that this problem is a symptom of the same issue.