My original post was:
>I have recently migrated our NIS server running SunOS 4.1.4 to NIS+ master
>root server running Solaris 2.5.1. Prior to the installation of NIS+
>master root server, I created user accounts using admintool and preassigned
>password for individual user. Installation for both root master server and
>NIS+ clients went smoothly using NIS+ setup scripts found in /usr/lib/nis.
>After completion, users were asked to carry out following steps:
>
> - login into any of the client machine using pre-assigned password
> - keylogin followed by chkey to sync the passwords
> - finally, use 'passwd -r nisplus' to change to new password
>
>With above procedure, user is able to login/rlogin to any of our NIS+
>client machine using his new password. However, the new password does not
>work if user tries to login/rlogin into the root server. The use will get
>'Login incorrect' error. But user can login/rlogin into the root server
>using the old pre-assigned password eventhough the user has already changed
>his password to a new password. The server only complains that the
>password and network password are not in sync (password does not decrypt
>secret key). If user changes his password back to the old pre-assigned
>password using 'passwd -r nisplus' from a client machine, his will then
>able to login/rlogin into the server successfully.
>
>Is this normal? If not, how should I go about correcting the problem. Why
>is it that the NIS+ server still remembers all the old passwords?
It was suggested that I should check the password entry in the
/etc/nsswitch.conf file on the root server. It turns out that the
nsswitch.conf file had files then nis+ listed for the password entry. By
rearranging the password entry in the nsswitch.conf file so as to direct
the system to use NIS+ map first, the problem was solved.
Basically, unlike NIS, when user updates his/her password using 'passwd -r
nisplus' on a NIS+ client machine, it is the NIS+ database on the NIS+
server which gets updated. The local /etc/passwd and /etc/shadow files
will not get updated with the new password, so the old password remains.
By having files defined before nisplus in the password entry of the
nsswitch.conf file, if a user trys to login/rlogin to the NIS+ server, the
system will , as directed by the nsswitch.conf file, lookup password from
/etc/passwd (which is out of date) instead from NIS+ database. Hence
results in 'Login incorrect' error.
It was also suggested I should remove those entries that are in the NIS+
password table from the local /etc/passwd file.
Thanks again to everyone who answered!
Shieh