Installation guide

4.3.7 Enhanced Security
The following notes apply to the use of enhanced security features.
4.3.7.1 Distribution of Enhanced Security Profiles via NIS
The following restrictions apply to distributing enhanced security profiles via
NIS:
Successful and unsuccessful login attempts for NIS-shared accounts
require the completion of the following steps:
1. The master system's rpc.yppasswdd daemon must respond and
update the last successful and last unsuccessful login fields in the
prpasswd NIS map.
2. The NIS slave servers must respond to the yppush operation initiated
from the rpc.yppasswdd daemon. (Most successful logins do not
require a yppush operation, but login failures and password changes
do.)
The login process will not continue or terminate until both of these steps
are completed.
The more NIS slave servers that are present in a given NIS domain, the
more time rpc.yppasswdd takes to complete these steps. Also,
nearly-simultaneous login attempts are processed sequentially by the NIS
master, each waiting on a possible yppush for the previous attempt to
succeed. Therefore, if several attempts arrive at once, some
may time out and require you to log in again. You can alleviate this
problem to some extent by using the -p option of yppush. One way to
do this is to modify the /var/yp/Makefile file and change the
YPPUSH= line. The following example allows up to 6 simultaneous
transfers to NIS slave servers (the default number is 4):
YPPUSH=$(YPDIR)/yppush -p 6
The time allowed for responses to RPC requests is only 25 seconds. The
more profiles that are present in the prpasswd map, the more likely the
time limit is to expire during a login attempt, causing that attempt to fail.
Simultaneous or nearly-simultaneous login attempts will fail if the NIS
master server does not respond quickly enough to the pending login
processes. If the total time taken on the NIS master for the following
commands exceeds 25 seconds, then there will be circumstances under
which only one user will succeed in logging in at a time:
# cd /var/yp
# make passwd prpasswd PRPWDPUSHONLY=1 NOPUSH='"'
You can decrease the time required for map transfers if you use the
btree format to store the maps on all of your NIS servers.
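The serialization and the 25-second limit described above can be sized with a rough queueing model. This is an added example, not part of the original guide. It assumes every attempt triggers a yppush, that slave transfers run in equal-length waves of -p at a time, and that an attempt fails once it has waited more than 25 seconds behind earlier attempts; all timings are constructed.

```python
"""Rough model of NIS login serialization (added example, simplified).

Assumptions (not from the guide): every attempt needs a yppush, slave
transfers run in waves of `parallel` with equal duration, and an attempt
fails when its wait behind earlier attempts exceeds the RPC limit.
"""
import math

RPC_TIMEOUT_S = 25.0   # RPC response limit stated in the text
DEFAULT_PARALLEL = 4   # default yppush -p value stated in the text


def attempt_cost(slaves, parallel, update_s, transfer_s):
    """Seconds the master is busy with one attempt: map update plus push waves."""
    if slaves < 0 or parallel < 1:
        raise ValueError("slaves must be >= 0 and parallel >= 1")
    waves = math.ceil(slaves / parallel)
    return update_s + waves * transfer_s


def queue_waits(attempts, slaves, parallel, update_s, transfer_s):
    """Attempts are handled one after another, so each waits for all earlier ones."""
    cost = attempt_cost(slaves, parallel, update_s, transfer_s)
    return [cost * i for i in range(attempts)]


def surviving_logins(attempts, slaves, parallel, update_s, transfer_s):
    """Count attempts the master reaches before the RPC limit expires."""
    waits = queue_waits(attempts, slaves, parallel, update_s, transfer_s)
    return sum(1 for w in waits if w <= RPC_TIMEOUT_S)


if __name__ == "__main__":
    # Constructed scenario: 12 slaves, 10 near-simultaneous attempts,
    # 1 s map update, 3 s per slave transfer.
    for p in (DEFAULT_PARALLEL, 6, 12):
        ok = surviving_logins(10, 12, p, 1.0, 3.0)
        print(f"yppush -p {p}: {ok} of 10 attempts reached within 25 s")
    # A rebuild-and-push that takes longer than the limit leaves room
    # for only one login at a time, as the text describes.
    print("26 s per attempt:", surviving_logins(5, 0, 4, 26.0, 0.0), "of 5")
```

Replace the constructed timings with the measured duration of the make command shown above to estimate how many near-simultaneous logins a given NIS domain can absorb.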
With successful logins, the rpc.yppasswdd daemon will defer pushing