Password expiration with NIS

Status
Not open for further replies.

blainepruitt

Technical User
Apr 18, 2002
105
US
This might be a dumb question, which most of mine are, but does anyone know if you can do password expiration with NIS? I searched all over the place and can't find any documentation, and I'm hearing conflicting opinions from different admins. I'm currently running Solaris 8, with NIS, not NIS+ and can't seem to get my shadow file setup correctly. I want password expiration every 35 days, with users being notified when there are 14 days left in the cycle. Here is an example line:

joeuser:encryptedpassword:11790:20:35:14:90:118000:

I'm familiar with each field, but by no means am I confident in my config so far. Any help you could provide would be extremely helpful. Thanks in advance for your assistance.

-bp
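An added example, not part of the original thread: a small Python decoder for the shadow(4) entry quoted in the question, which turns the day counts into calendar dates and flags inconsistent aging values. The function names and the second sample entry are constructed for illustration; the code only decodes the fields and does not show whether NIS enforces them.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)          # shadow(4) day counts start here
NUMERIC = ("lastchg", "min", "max", "warn", "inactive", "expire")

def parse_shadow(line):
    """Split one shadow(4) entry; empty numeric fields become None."""
    parts = line.strip().split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(parts)}")
    entry = {"user": parts[0], "flag": parts[8]}
    for name, raw in zip(NUMERIC, parts[2:8]):
        entry[name] = int(raw) if raw else None
    return entry

def to_date(days):
    return None if days is None else EPOCH + timedelta(days=days)

def aging_report(entry):
    """Turn the aging fields into dates and list inconsistent settings."""
    last, mn, mx, warn = (entry[k] for k in ("lastchg", "min", "max", "warn"))
    report = {"last_change": to_date(last), "account_expires": to_date(entry["expire"]),
              "earliest_change": None, "password_expires": None,
              "warning_starts": None, "problems": []}
    if last is not None and mn is not None:
        report["earliest_change"] = to_date(last + mn)
    if last is not None and mx is not None:
        report["password_expires"] = to_date(last + mx)
        if warn is not None:
            report["warning_starts"] = to_date(last + mx - warn)
    if mn is not None and mx is not None and mn > mx:
        report["problems"].append("min > max: the user cannot change the password")
    if warn is not None and mx is not None and warn >= mx:
        report["problems"].append("warn >= max: the warning shows for the whole cycle")
    if warn is not None and mx is None:
        report["problems"].append("warn set without max: nothing to warn about")
    return report

# The entry from the question, plus a constructed entry with bad values.
QUESTION_LINE = "joeuser:encryptedpassword:11790:20:35:14:90:118000:"
CONSTRUCTED_BAD = "testuser:encryptedpassword:11790:40:35:35:::"

if __name__ == "__main__":
    for line in (QUESTION_LINE, CONSTRUCTED_BAD):
        entry = parse_shadow(line)
        print(entry["user"])
        for key, value in aging_report(entry).items():
            print(f"  {key}: {value}")
```

Run against the line from the question, the expire value of 118000 decodes to a date in the year 2293, so that field is worth rechecking.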
 
Some copies from manuals:

ypcat is one of the most obvious commands to use for NIS debugging.
If, for example, a user cannot log in, you might want to consult
ypcat, to verify that their passwd does appear in the NIS map:

%% /usr/bin/ypcat passwd

ypcat will not always give you the full info, because by default it
does not show the column that the map is being indexed (or keyed) off
of. To ensure that you are seeing everything, you can run ypcat with
the -k option:

%% /usr/bin/ypcat -k passwd


If you are running NIS, you must create credentials for all users and hosts that might want to access the
secure partition.

Root can add credentials for users with the following command:

# newkey -u username

Users can create their own credentials with the following command:

$ chkey

The passwd supplied to these programs should be the same as the user's passwd.

Root can add credentials for hosts with the following command:

# newkey -h machinename

The passwd supplied to newkey in this case should be the same as the machine's root passwd.

It is important to note that rpc.yppasswd must be running on your NIS server for these commands to work.
In addition, push out publickey maps afterwards to make sure that the most up-to-date credential information
is available.

Once this is all done, secure NFS should work on your NIS network, with two caveats: First, keyserv must be
running on your client machines. If this is not the case, adjust your rc files, so that it automatically starts
up. Second, if a user does not supply a passwd when logging in (due to a .rhosts or /etc/hosts.equiv for
example) or if his secure key is different than his passwd, then he will need to execute the command 'keylogin'
before he can access the secure NFS partition.

4.7: NIS passwd Problems

Q: Why do I get the following error when running yppasswd:

"can't find rpc.yppasswd server"

A: This means that you have not enabled rpc.yppasswdd on your NIS
master server. Section 3.11 explains how to do this.

Q: Why do I get the following errors when running yppasswd:

"RPC timed out"
"yppasswd couldn't change entry, RPC call failed."

or

"passwd file is busy"

A: The passwd file has gotten locked. If there is genuinely nothing
else that should be using it, remove the lock file on the NIS master:

%% rm /etc/passwd.tmp


Q: How do I hand edit the passwd file when yppasswdd is running?

A: rpc.yppasswdd's lock file is '/etc/.pwd.lock'. The admin can prevent the daemon from doing the edit by making that file unwritable ("chmod 000 file" should do it). She should see a syslog msg from the daemon
(if a pw change is attempted) "...Passwd file(s) busy...". She should be sure to remove that lock file (or make it writable) when she is done with the hand edit.

Another (if a bit crude) workaround is to kill the daemon and restart when the hand edit is done.

regards ph
 