System information: Hesiod

With Kerberos installed and configured, a user can be authenticated and authorized for login on the console. Once authorized, however, the Linux system still needs account information such as the user id, home directory and group memberships, which a standalone system keeps in /etc/passwd and /etc/group. Under Ultrix and OSF1, the solution has been to update the password file whenever a user logs in. Under Linux, we'll use nss_hesiod to fetch the information directly from the source every time it is needed.

What is Hesiod?

Part of MIT's original Project Athena, Hesiod is a network database built on top of DNS: each entry is stored as a DNS TXT record, and a name plus a record type (for example, passwd or filsys) is turned into a DNS query. At Iowa State, it's used to store password and group entries, information about available network services, and pointers to AFS lockers.

Installing Hesiod

The nss_hesiod support in glibc 2.1 will let us get to the password information that we need, but to get to other records, we'll need an additional Hesiod package. Preconfigured RPMs and SRPMs can be downloaded from ftp://aafugit.org/VINCENT/. You will need at least the hesiod RPM; if you plan to recompile any Project Vincent applications, you may also need the hesiod-devel RPM. Again, if you prefer to build from source, the Project Athena packages can be found at ftp://athena-dist.mit.edu/pub/ATHENA/hesiod/.

If you install from source, you will need to configure Hesiod by hand to point to ISU's domain. This is done in the file /etc/hesiod.conf. For complete information on configuring Hesiod, see the hesiod.conf(5) man page. A minimum configuration file for Project Vincent should contain these lines:

lhs=.ns
rhs=.IASTATE.EDU
classes=HS,IN

Because Hesiod is built on top of DNS, you must also configure /etc/resolv.conf on your system to include at least one of ISU's nameservers. glibc's resolver only uses the first three nameserver lines in this file and silently ignores any others, so there must be a Hesiod-capable nameserver among those first three. Keep in mind that ordinary DNS answers are not authenticated: the account data your system will trust is only as trustworthy as the nameservers listed here and the network path to them, so list ISU's own servers or a local cache that forwards to them. Here is a sample resolv.conf, suitable for use on a machine that's running a local caching nameserver:

search bb.iastate.edu iastate.edu
nameserver 127.0.0.1
nameserver 129.186.1.200
nameserver 129.186.140.200

Here, we use the IPs for ns-1.iastate.edu and ns-2.iastate.edu. Any of the standard Iowa State nameservers may be used here, as well as the authoritative Hesiod servers, vs-1, vs-2, and vs-3. You can verify that Hesiod is working correctly with the command hesinfo bitbucket filsys, which should print the filsys record for the bitbucket locker; an empty result or a resolver error means either hesiod.conf or resolv.conf is wrong.

Configuring NSS

Now that you have Hesiod installed and configured, you can start using nss_hesiod. To do this, you will need to modify the NSS configuration in /etc/nsswitch.conf. At a minimum, you will want to modify the passwd: and group: lines as below:

passwd:     files hesiod
group:      files hesiod

Even though all Project Vincent accounts are accessed through Hesiod, list files before hesiod so that /etc/passwd and /etc/group are consulted first. That way root, other administrators and special local accounts resolve from local files and remain usable even when the nameservers are unreachable, and a local entry always takes precedence over a network one of the same name.

Once NSS has been configured in this manner, well-behaved Unix applications will consult both the password file and the Hesiod database for account information. To confirm this, you can run id vorlon, which should print the user id and group information for user vorlon on Project Vincent. Not all applications are well-behaved: in particular, the pam_pwdb PAM module and Red Hat's passwd command read the password file directly and bypass NSS. passwd will therefore not work as expected for Hesiod accounts, and pam_pwdb is largely useless: you should use pam_unix on your system instead.
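The following script is an added example for this page (it is not code from the Hesiod distribution or from Project Vincent) that checks the three files edited above: it builds the DNS name Hesiod will query from hesiod.conf, verifies that a Hesiod-capable nameserver sits among the first three in resolv.conf, and verifies that passwd and group in nsswitch.conf list hesiod with files ahead of it. It works on constructed copies of the config files written into a temporary directory, so it runs offline and sends no DNS queries. Only ns-1 and ns-2 are recognized as Hesiod-capable, because the page gives no addresses for vs-1, vs-2 and vs-3; the 10.0.0.x addresses in the broken sample are made up.

```shell
#!/bin/sh
# hesiod-check.sh: sanity-check hesiod.conf, resolv.conf and nsswitch.conf.
# Added example for this page; not from the Hesiod distribution or
# Project Vincent. Runs entirely on constructed files, no network needed.

# 1. The DNS name Hesiod asks for, built the same way the library does from
#    the lhs/rhs lines of hesiod.conf: <name>.<type><lhs><rhs>.
hesiod_qname() {
    conf=$1 name=$2 type=$3
    lhs=$(sed -n 's/^lhs=//p' "$conf")
    rhs=$(sed -n 's/^rhs=//p' "$conf")
    printf '%s.%s%s%s\n' "$name" "$type" "$lhs" "$rhs"
}

# 2. glibc only consults the first three "nameserver" lines, so one of them
#    must be Hesiod-capable. Only ns-1 and ns-2 from the text are listed;
#    the page gives no addresses for vs-1..vs-3.
HESIOD_NS="129.186.1.200 129.186.140.200"

resolv_ok() {
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$1" | head -n 3); do
        for h in $HESIOD_NS; do
            [ "$ns" = "$h" ] && return 0
        done
    done
    return 1
}

# 3. nsswitch.conf: the database must list hesiod, and files must precede it
#    so local admin accounts are found before the network is consulted.
nss_ok() {
    nss=$1 db=$2
    pos=0 files_pos=0 hesiod_pos=0
    for src in $(awk -v db="$db:" '$1 == db { for (i = 2; i <= NF; i++) print $i }' "$nss"); do
        pos=$((pos + 1))
        case $src in
            files)  files_pos=$pos ;;
            hesiod) hesiod_pos=$pos ;;
        esac
    done
    [ "$hesiod_pos" -gt 0 ] && [ "$files_pos" -gt 0 ] && [ "$files_pos" -lt "$hesiod_pos" ]
}

# Constructed sample files (not copied from any real host).
EXAMPLE_DIR=$(mktemp -d)
cat > "$EXAMPLE_DIR/hesiod.conf" <<'EOF'
lhs=.ns
rhs=.IASTATE.EDU
classes=HS,IN
EOF
cat > "$EXAMPLE_DIR/resolv.conf" <<'EOF'
search bb.iastate.edu iastate.edu
nameserver 127.0.0.1
nameserver 129.186.1.200
nameserver 129.186.140.200
EOF
# Broken variant: the Hesiod-capable server is fourth, so glibc never asks it.
cat > "$EXAMPLE_DIR/resolv-bad.conf" <<'EOF'
nameserver 127.0.0.1
nameserver 10.0.0.2
nameserver 10.0.0.3
nameserver 129.186.1.200
EOF
cat > "$EXAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:     files hesiod
group:      files hesiod
shadow:     files
EOF
# Broken variant: hesiod ahead of files for passwd, and no hesiod for group.
cat > "$EXAMPLE_DIR/nsswitch-bad.conf" <<'EOF'
passwd:     hesiod files
group:      files
EOF

echo "DNS name behind 'hesinfo bitbucket filsys':"
hesiod_qname "$EXAMPLE_DIR/hesiod.conf" bitbucket filsys
for f in resolv.conf resolv-bad.conf; do
    if resolv_ok "$EXAMPLE_DIR/$f"; then echo "$f: Hesiod nameserver within first three"
    else echo "$f: NO Hesiod nameserver within first three"; fi
done
for f in nsswitch.conf nsswitch-bad.conf; do
    for db in passwd group; do
        if nss_ok "$EXAMPLE_DIR/$f" "$db"; then echo "$f $db: ok"
        else echo "$f $db: needs fixing"; fi
    done
done
```

To check a real machine, point the three functions at /etc/hesiod.conf, /etc/resolv.conf and /etc/nsswitch.conf instead of the constructed copies; the printed query name is also what you would hand to dig with class HS or IN and type TXT if hesinfo itself is unavailable.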