[Pkg-shadow-devel] Bug#651042: token manipulation error for NIS
Nicolas François
nicolas.francois at centraliens.net
Wed Jan 11 22:32:28 UTC 2012
On Wed, Jan 11, 2012 at 08:44:05AM +0100, harald.dunkel at aixigo.de wrote:
> Seems that I have to add an option "nis" to pam_unix.so to
> make it work (better). My common-passwd is now:
Nice to know this works with pam_unix (at least this is consistent with its
documentation (nis: NIS RPC is used for setting new passwords.).
If the option was not set before, then I'm not surprised by the behavior
(this is similar to pam_unix failing to get the authentication token from /etc/shadow)
> Looking at the NIServer I see that /etc/shadow is changed,
> even though NIS merges passwd and shadow into a single
> database. Seems OK to me.
>
> It is just weird that passwd asks for the NIS root password,
> if I try to change the local root password:
>
> # passwd
> Changing password for root.
> NIS server root password:
> Enter new UNIX password:
> Retype new UNIX password:
> passwd: password updated successfully
>
> It still accepts and changes the local root password, so
> this is not a big issue.
Those prompts are coming from the PAM module, not from passwd itself. SO
I guess they are doing the right thing, unless there are mis-configurations
from your side.
I've read you have to include/exclude some accounts with nis, putting
lines like
+miquels:::::::
-miquels:::::::
maybe you can also restrict the users which are exported by the server.
> Question: On Debian /etc/pam.d/common-passwd is generated
> using pam-auth-update and some templates in /usr/..., AFAICS.
> What is the _real_ place to add the "nis" (or other options)
> to pam_unix.so? Shouldn't it be set by default, if NIS is
> installed?
That might be worth being discussed with the nis maintainer. I do not
know nis enough to answer.
I would guess that the new PAM config handling mechanism could be used for
this.
I would propose to close this bug. Do you agree?
You may want to open a new bug for the handling of the PAM configuration
when NIS is installed/enabled on a system.
Best Regards,
--
Nekral
More information about the Pkg-shadow-devel
mailing list