Archive for the 'Security' Category


ypcat passwd: No such map passwd.byname. Reason: No such map in server’s domain

We ran into this bit of fun while setting up a NIS domain for testing in the lab today:
rob@rob-kubuntu3:~$ ypcat -d nisdom -h rhel5-64-2 passwd.byname
No such map passwd.byname. Reason: No such map in server's domain

It turns out this was a problem with the /var/yp/securenets file, but I’m still not sure what is wrong. The man page for ypserv shows:

A sample securenets file might look like this:

# allow connections from local host — necessary
# same as
# allow connections from any host
# on the network

So we set up our securenets to look like this:


And tried to connect to the server:
rob@rob-kubuntu3:~$ ip addr show dev wlan0 |grep "inet "
inet brd scope global wlan0
rob@rob-kubuntu3:~$ ypcat -d nisdom -h rhel5-64-2 passwd.byname
No such map passwd.byname. Reason: No such map in server's domain
rob@rob-kubuntu3:~$ ping -c1 rhel5-64-2
PING rhel5-64-2 ( 56(84) bytes of data.
64 bytes from rhel5-64-2 ( icmp_req=1 ttl=64 time=0.823 ms

--- rhel5-64-2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.823/0.823/0.823/0.000 ms

Removing the /var/yp/securenets file allowed us access, so it wasn’t firewall or rpc or portmap issues, to the best I can determine. Adding “host” also worked and allowed the client access. So what’s wrong with the format / man page?


Upgraded WordPress

Upgrading software – always required to keep things secure. Windows, WordPress, Mac OSx, Linux, Office, Firefox, etc. So I just finished upgrading again. Hopefully I’ll be able to be better about this, now that WordPress does the automatic upgrades now.

I’ve been doing the automatic upgrades on one of my other sites since they came out. They’re easy, fast, and even more painless than the 3-step upgrade that works so well. So now, I should be able to keep TNS much further away from the “cobbler’s kids” syndrome so many small company’s systems suffer with.


Akismet on WordPress

As of today:

“Akismet has caught 347 spam for you since you first installed it.”

That’s since 11/29/2007. Akismet has YET to miscategorize a comment as spam, and it has missed a single spam comment. All I had to do was click “this is spam” and it’s cleaned up.

The only other anti-spam product I’ve seen to perform this well is the IronPort mail system at a client. 130,000 or so attempts / day, 1 spam / day in the entire company queue, and no users complaining about spam in 5 months.

Akismet, Ironport, my hat is off to you both.


Cross-forest trusts and new error codes

If you are setting up a cross-forest trust with selective authentication (which requires a Windows Server 2003 Native mode level forest and domain), don’t forget to grant the “Allowed to Authenticate” right to the users from the trusted domain to the servers they’ll need access to in your domain. The error messages you’ll get back (replicated here in my test VM domains) don’t really say much helpful.

System Error 317 has occurred. The system cannot find message text for message number 0x*** in the message file for ***.

System Error 317

Further information about adding the “Allowed to Authenticate” right to the trusted users is available at Microsoft TechNet. If you have the opportunity to raise your forest and domain functional levels to take advantage of this, I highly recommend it. But I recommend also (even more strongly) documenting precisely what you set.


Current System Status

Now that I have the system back online, I thought I’d post a quick “where we are” update for any regular readers:

  1. We have restored from most recent backup, but are missing a single post, “PHP, mail(), Apache, and SELinux (FC7)”, which even’s cache didn’t catch in full. I apologize to the readers who were using the instructions in that post whom we met through their comments.
  2. We haven’t yet restored the “comments” table. I haven’t yet decided if we will.
  3. I have fixed the problem of storing backups for the company in 3 different locations, based on system type. Now we only have 2 – onsite and offsite.
  4. The extremely popular How to Change a DC IP address article was restored first. (That page drives over half of our traffic.)

We did a standard forensics review of what happened, and it appears as though a perfect storm of issues hit us – a weekend outage, a hardware failure, and failure to keep publicly exposed software fully up-to-date. The saying often goes, “The cobbler’s kids are the ones without shoes” or something similar to that, and here we failed to follow our own advice, preferring to keep our customers’ systems running smoothly. I know I’ll be spending a few extra hours a week the rest of this year reviewing our internal systems for best practices.

In any case, things are fixed and running great again.

About Us

Complete networking solutions for business.
August 2017
« Oct