totalnetsolutions.net » Security

ypcat passwd: No such map passwd.byname. Reason: No such map in server’s domain

Robert — Mon, 23 May 2011 20:19:23 +0000

We ran into this bit of fun while setting up a NIS domain for testing in the lab today:
rob@rob-kubuntu3:~$ ypcat -d nisdom -h rhel5-64-2 passwd.byname No such map passwd.byname. Reason: No such map in server's domain
It turns out this was a problem with the /var/yp/securenets file, but I’m still not sure what is wrong. The man page for ypserv shows:

A sample securenets file might look like this:

# allow connections from local host — necessary
host 127.0.0.1
# same as 255.255.255.255 127.0.0.1
#
# allow connections from any host
# on the 131.234.223.0 network
255.255.255.0 131.234.223.0

So we set up our securenets to look like this:

host 127.0.0.1
255.255.255.0 10.10.10.0

And tried to connect to the server:rob@rob-kubuntu3:~$ ip addr show dev wlan0 |grep "inet " inet 10.10.10.210/24 brd 10.10.10.255 scope global wlan0 rob@rob-kubuntu3:~$ ypcat -d nisdom -h rhel5-64-2 passwd.byname No such map passwd.byname. Reason: No such map in server's domain rob@rob-kubuntu3:~$ ping -c1 rhel5-64-2 PING rhel5-64-2 (10.10.10.213) 56(84) bytes of data. 64 bytes from rhel5-64-2 (10.10.10.213): icmp_req=1 ttl=64 time=0.823 ms

--- rhel5-64-2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.823/0.823/0.823/0.000 ms

Removing the /var/yp/securenets file allowed us access, so it wasn’t firewall or rpc or portmap issues, to the best I can determine. Adding “host 10.10.10.210″ also worked and allowed the client access. So what’s wrong with the format / man page?

Upgraded WordPress

Robert — Mon, 07 Sep 2009 18:50:12 +0000

Upgrading software – always required to keep things secure. Windows, WordPress, Mac OSx, Linux, Office, Firefox, etc. So I just finished upgrading TotalNetSolutions.net again. Hopefully I’ll be able to be better about this, now that WordPress does the automatic upgrades now.

I’ve been doing the automatic upgrades on one of my other sites since they came out. They’re easy, fast, and even more painless than the 3-step upgrade that works so well. So now, I should be able to keep TNS much further away from the “cobbler’s kids” syndrome so many small company’s systems suffer with.

Cross-forest trusts and new error codes

Robert — Mon, 10 Dec 2007 05:29:43 +0000

If you are setting up a cross-forest trust with selective authentication (which requires a Windows Server 2003 Native mode level forest and domain), don’t forget to grant the “Allowed to Authenticate” right to the users from the trusted domain to the servers they’ll need access to in your domain. The error messages you’ll get back (replicated here in my test VM domains) don’t really say much helpful.

System Error 317 has occurred. The system cannot find message text for message number 0x*** in the message file for ***.

Further information about adding the “Allowed to Authenticate” right to the trusted users is available at Microsoft TechNet. If you have the opportunity to raise your forest and domain functional levels to take advantage of this, I highly recommend it. But I recommend also (even more strongly) documenting precisely what you set.

Current System Status

Robert — Thu, 29 Nov 2007 21:39:12 +0000

Now that I have the system back online, I thought I’d post a quick “where we are” update for any regular readers:

We have restored from most recent backup, but are missing a single post, “PHP, mail(), Apache, and SELinux (FC7)”, which even google.com’s cache didn’t catch in full. I apologize to the readers who were using the instructions in that post whom we met through their comments.
We haven’t yet restored the “comments” table. I haven’t yet decided if we will.
I have fixed the problem of storing backups for the company in 3 different locations, based on system type. Now we only have 2 – onsite and offsite.
The extremely popular How to Change a DC IP address article was restored first. (That page drives over half of our traffic.)

We did a standard forensics review of what happened, and it appears as though a perfect storm of issues hit us – a weekend outage, a hardware failure, and failure to keep publicly exposed software fully up-to-date. The saying often goes, “The cobbler’s kids are the ones without shoes” or something similar to that, and here we failed to follow our own advice, preferring to keep our customers’ systems running smoothly. I know I’ll be spending a few extra hours a week the rest of this year reviewing our internal systems for best practices.

In any case, things are fixed and running great again.

Robert — Fri, 02 Nov 2007 06:33:16 +0000

I�m hunting down an issue on Fedora Core 7 where PHP5 can�t send mail using sendmail or postfix. In /var/log/httpd/access_log we are getting sh: /usr/sbin/sendmail: Permission denied every time the mail() function is accessed, and postfix never sees any connection. This is being caused by SELinux blocking Apache from transitioning from the �httpd� role to the �mta� role – I�m just not sure what the *best* way to fix it is yet. I haven�t seen many posts about this, so stay tuned – I expect to have a fix tomorrow afternoon.