This text describes how to setup a local (/etc/passwd) user account on a NIS enabled Solaris (8) machine that does still work if the NIS Servers are offline. One solution ist simply to add a client NIS server on the machine itself. If this is not practical, you have to do some things:
First we see that the login stops at the step getdefaultproj. To see this just login as root and then do a
sotruss su - localuser
To hinder the login process from requesting the user_attr from NIS we add the line
user_attr: files
and change the line:
project: files
in /etc/nsswitch.conf. Then we add a line:
localuser::::
in the /etc/user_attr file.
The sotruss su - localuser should now pass the getdefaultproj fast and hangs at a later line: The initgroups call wants to check for additional groups. Here you have two possibilities: If you want to use the groups nis map, then you have to accept a delay. Edit the /etc/nsswitch.conf:
group: files nis [TRYAGAIN=0]
If the NIS server does not respond, then it does not retry to get the list of groups from NIS. It will take some time (1 Minute) to login but it will work.
If you don't need the groups NIS map then you also just can disable it in nsswitch.conf:
group: files
and you can almost immediate login.
One problem ist the call of pam_setcred. It pauses for some seconds. What does it try? We plug in the network cable to check what it does and do a
snoop host nis-server
while executing a
su - localuser
We see a NIS request to unix.1000@domainname.com in publickey.byname. So that's the problem. If you don't use this map, then just deactivate it:
publickey: files
in nsswitch.conf.
First we see that the login stops at the step getdefaultproj. To see this just login as root and then do a
sotruss su - localuser
To hinder the login process from requesting the user_attr from NIS we add the line
user_attr: files
and change the line:
project: files
in /etc/nsswitch.conf. Then we add a line:
localuser::::
in the /etc/user_attr file.
The sotruss su - localuser should now pass the getdefaultproj fast and hangs at a later line: The initgroups call wants to check for additional groups. Here you have two possibilities: If you want to use the groups nis map, then you have to accept a delay. Edit the /etc/nsswitch.conf:
group: files nis [TRYAGAIN=0]
If the NIS server does not respond, then it does not retry to get the list of groups from NIS. It will take some time (1 Minute) to login but it will work.
If you don't need the groups NIS map then you also just can disable it in nsswitch.conf:
group: files
and you can almost immediate login.
One problem ist the call of pam_setcred. It pauses for some seconds. What does it try? We plug in the network cable to check what it does and do a
snoop host nis-server
while executing a
su - localuser
We see a NIS request to unix.1000@domainname.com in publickey.byname. So that's the problem. If you don't use this map, then just deactivate it:
publickey: files
in nsswitch.conf.
;){kind=link}