[Pkg-shadow-devel] Bug#651042: token manipulation error for NIS

Nicolas François nicolas.francois at centraliens.net
Wed Jan 11 22:32:28 UTC 2012

On Wed, Jan 11, 2012 at 08:44:05AM +0100, harald.dunkel at aixigo.de wrote:
> Seems that I have to add an option "nis" to pam_unix.so to
> make it work (better). My common-passwd is now:

Nice to know this works with pam_unix (at least this is consistent with its
documentation: "nis: NIS RPC is used for setting new passwords.").

If the option was not set before, then I'm not surprised by the behavior
(this is similar to pam_unix failing to get the authentication token from /etc/shadow).

> Looking at the NIS server I see that /etc/shadow is changed,
> even though NIS merges passwd and shadow into a single
> database. Seems OK to me.
> It is just weird that passwd asks for the NIS root password,
> if I try to change the local root password:
> 	# passwd
> 	Changing password for root.
> 	NIS server root password:
> 	Enter new UNIX password:
> 	Retype new UNIX password:
> 	passwd: password updated successfully
> It still accepts and changes the local root password, so
> this is not a big issue.

Those prompts are coming from the PAM module, not from passwd itself. So
I guess they are doing the right thing, unless there are misconfigurations
on your side.

I've read you have to include/exclude some accounts with nis, putting
lines like

maybe you can also restrict the users which are exported by the server.

> Question: On Debian /etc/pam.d/common-passwd is generated
> using pam-auth-update and some templates in /usr/..., AFAICS.
> What is the _real_ place to add the "nis" (or other options)
> to pam_unix.so? Shouldn't it be set by default, if NIS is
> installed?

That might be worth discussing with the nis maintainer. I do not
know nis well enough to answer.
I would guess that the new PAM config handling mechanism could be used for

I would propose to close this bug. Do you agree?

You may want to open a new bug for the handling of the PAM configuration
when NIS is installed/enabled on a system.

Best Regards,
