On Wed, 29 Sep 2004 11:06:21 -0400, Dragan Cvetkovic wrote:
> Hi,
>
> we have an AIX 5.1 installation here which we (due to lack of network
> ports in machine room, don't ask) occasionally have to unhook from the
> network. At these times, even root on console is not able to log in to the
> system. The system asks for the username, I enter root and then there is a
> long delay (even a few days if we let it at it) with several "NIS domain
> xxx.yyy.zzz not responding", or similar messages before the password
> prompt appears. So I have to plug in the network cable, type root password
> and then unplug the cable. Password for root is in /etc/security/passwd,
> all other users are via NIS.
>
> This is obviously not a satisfactory situation. On other Unices, I know
> that I have to play with /etc/nsswitch.conf, but there is no
> /etc/nsswitch.conf on AIX. I have tried changing /etc/security/user to use
> SYSTEM=files for root, (default is compat) but that seems not to be enough
> -- or do I need to do something else as well (like, God forbid, reboot the
> system)?

How about:

  - disabling NIS (set domainname to "" and stop ypbind) before unplugging
    the cable;
  - logging on before unplugging the cable?

After all the unplugging isn't an unplanned failure is it?

And *don't* reboot an AIX NIS client with its network unplugged! You'll
never be able to log in at all.

Another possibility is to put a NIS slave server on the machine itself.
Then it'll bind to itself if the network doesn't work (and often when it
does too, and other clients may bind to it, so make sure it's good). This
may be the best option in your peculiar situation, if not the simplest.

It's checking NIS to see if root has any supplementary groups by virtue of
the NIS netid (an AIX special which does indeed speed login in a
NIS complex with many users, as long as NIS is working properly, it's
keyed on userid and lists the groups by number) map before it completes
the login process. And as you have noted, it will wait until the end of
the universe if it has to. There is no solution to this lockout that
I know of except providing a NIS server which can be contacted which
responds for the domain name. A laptop running Linux with a NIS server
which serves the domain (it just needs the directory under /var/yp) with
no maps connected by a crossover cable will suffice to break the lock in
an emergency.

AIX's implementation of NIS is the worst I have ever seen. And it used to
be even worse than it is now. Count yourself lucky

And I have no down on AIX in general, I like most of it. But I have
suffered from its NIS deficiencies for many years. This one is probably
the worst.

Regards, Ian
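
The first suggestion in the reply above (clear the NIS domain name and stop ypbind before a planned unplug, then put both back afterwards) can be scripted so the domain name is not lost in between. This is an added example, not part of the original post: the function names and the `STATE` path are hypothetical, it assumes ypbind runs under the AIX System Resource Controller (`lssrc`/`stopsrc`/`startsrc`), and it changes only the running system, so it must be run as root.

```shell
#!/bin/sh
# Added example: take an AIX NIS client off NIS before a planned network
# unplug ("off") and restore it after the cable is back ("on").
# STATE is a hypothetical location chosen for this example.
STATE="${STATE:-/etc/nis_domain.saved}"

ypbind_active() {
    # lssrc shows "active" for a running subsystem, "inoperative" otherwise
    lssrc -s ypbind 2>/dev/null | grep active >/dev/null
}

nis_off() {
    dom=$(domainname)
    if [ -z "$dom" ]; then
        # Already cleared: do not overwrite a previously saved name with ""
        echo "NIS domain already empty; leaving $STATE untouched" >&2
    else
        # Save first, so the domain is never cleared without a record of it
        printf '%s\n' "$dom" > "$STATE" || return 1
        domainname "" || return 1
    fi
    if ypbind_active; then
        stopsrc -s ypbind >/dev/null || return 1
    fi
    return 0
}

nis_on() {
    # Refuse to guess: without a saved name there is nothing to restore
    [ -s "$STATE" ] || { echo "no saved domain in $STATE" >&2; return 1; }
    read -r dom < "$STATE"
    domainname "$dom" || return 1
    ypbind_active || startsrc -s ypbind >/dev/null || return 1
    rm -f "$STATE"
}

case "${1:-}" in
    off) nis_off ;;
    on)  nis_on ;;
esac
```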