[Bug 971256] Re: selecting pam_unix auth with /etc/passwd in ldap results in a broken common-passwd

Brian J. Murrell brian at interlinx.bc.ca
Mon Apr 2 04:24:03 UTC 2012


** Description changed:

  If I use pam-auth-update and select both pam_krb5 and pam_unix as
  mechanisms to authenticate with I get the following common-passwd file:
  
  # here are the per-package modules (the "Primary" block)
  password	requisite			pam_krb5.so minimum_uid=1000
  password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
  # here's the fallback if no module succeeds
  password	requisite			pam_deny.so
  # prime the stack with a positive return value if there isn't one already;
  # this avoids us returning an error just because nothing sets a success code
  # since the modules above will each just jump around
  password	required			pam_permit.so
  # and here are more per-package modules (the "Additional" block)
- password	optional	pam_gnome_keyring.so 
- password	optional	pam_ecryptfs.so 
+ password	optional	pam_gnome_keyring.so
+ password	optional	pam_ecryptfs.so
  # end of pam-auth-update config
  
  However if I have my passwd map in LDAP and not in /etc/passwd the above
  configuration is broken:
  
  $ passwd
- Current Kerberos password: 
+ Current Kerberos password:
  passwd: Authentication token manipulation error
  passwd: password unchanged
  
  And in auth.log:
  
  Apr  2 00:11:15 pc passwd[24223]: pam_unix(passwd:chauthtok): user
  "brian" does not exist in /etc/passwd
  
  If I copy the user "brian" from the ldap map to /etc/passwd:
  
  # getent passwd brian >> /etc/passwd
  # sed -ie 's/:\*:/:x:/' /etc/passwd
  
  and create an appropriate /etc/shadow entry, the passwd command works as
  expected.
  
+ Even though all users are in ldap and kerberos, I want to still be able
+ to authenticate locally as root in the case of network/ldap/kerberos
+ breakage.
+ 
  ProblemType: Bug
  DistroRelease: LinuxMint 12
  Package: libpam-runtime 1.1.3-2ubuntu2.1
  ProcVersionSignature: Ubuntu 3.0.0-16.29-generic-pae 3.0.20
  Uname: Linux 3.0.0-16-generic-pae i686
  ApportVersion: 1.23-0ubuntu4
  Architecture: i386
  Date: Mon Apr  2 00:11:41 2012
  ProcEnviron:
-  PATH=(custom, user)
-  LANG=en_CA.UTF-8
-  SHELL=/bin/bash
+  PATH=(custom, user)
+  LANG=en_CA.UTF-8
+  SHELL=/bin/bash
  SourcePackage: pam
  UpgradeStatus: Upgraded to lisa on 2007-04-05 (1823 days ago)

** Tags removed: lisa
** Tags added: oneiric

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/971256

Title:
  selecting pam_unix auth with /etc/passwd in ldap results in a broken
  common-passwd

Status in “pam” package in Ubuntu:
  New

Bug description:
  If I use pam-auth-update and select both pam_krb5 and pam_unix as
  mechanisms to authenticate with I get the following common-passwd
  file:

  # here are the per-package modules (the "Primary" block)
  password	requisite			pam_krb5.so minimum_uid=1000
  password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
  # here's the fallback if no module succeeds
  password	requisite			pam_deny.so
  # prime the stack with a positive return value if there isn't one already;
  # this avoids us returning an error just because nothing sets a success code
  # since the modules above will each just jump around
  password	required			pam_permit.so
  # and here are more per-package modules (the "Additional" block)
  password	optional	pam_gnome_keyring.so
  password	optional	pam_ecryptfs.so
  # end of pam-auth-update config

  However if I have my passwd map in LDAP and not in /etc/passwd the
  above configuration is broken:

  $ passwd
  Current Kerberos password:
  passwd: Authentication token manipulation error
  passwd: password unchanged

  And in auth.log:

  Apr  2 00:11:15 pc passwd[24223]: pam_unix(passwd:chauthtok): user
  "brian" does not exist in /etc/passwd

  If I copy the user "brian" from the ldap map to /etc/passwd:

  # getent passwd brian >> /etc/passwd
  # sed -ie 's/:\*:/:x:/' /etc/passwd

  and create an appropriate /etc/shadow entry, the passwd command works
  as expected.

  Even though all users are in ldap and kerberos, I want to still be
  able to authenticate locally as root in the case of
  network/ldap/kerberos breakage.

  ProblemType: Bug
  DistroRelease: LinuxMint 12
  Package: libpam-runtime 1.1.3-2ubuntu2.1
  ProcVersionSignature: Ubuntu 3.0.0-16.29-generic-pae 3.0.20
  Uname: Linux 3.0.0-16-generic-pae i686
  ApportVersion: 1.23-0ubuntu4
  Architecture: i386
  Date: Mon Apr  2 00:11:41 2012
  ProcEnviron:
   PATH=(custom, user)
   LANG=en_CA.UTF-8
   SHELL=/bin/bash
  SourcePackage: pam
  UpgradeStatus: Upgraded to lisa on 2007-04-05 (1823 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/971256/+subscriptions
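
An added illustration, not part of the bug report or of Linux-PAM: a simplified single-pass model of how the control fields in the common-passwd stack quoted above are evaluated, showing why a pam_unix failure falls through to pam_deny. `parse_stack` and `run_stack` are hypothetical names, and the module return codes passed in are assumptions chosen to match the messages in the report.

```python
import re

# Constructed from the common-passwd stack quoted in the report.
STACK_TEXT = """
password requisite pam_krb5.so minimum_uid=1000
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so
password optional pam_ecryptfs.so
"""
# Linux-PAM's documented expansions of the simple control keywords.
KEYWORDS = {
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional": {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stack(text, mgmt="password"):
    stack = []  # [(module, {return_code: action})] for one management group
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(1) == mgmt:  # comments and blank lines do not match
            ctl = m.group(2)
            actions = (dict(kv.split("=", 1) for kv in ctl[1:-1].split())
                       if ctl.startswith("[") else KEYWORDS[ctl])
            stack.append((m.group(3), actions))
    return stack

def run_stack(stack, results):
    """Single pass; results maps module -> assumed return code (default success)."""
    status, failed, i, trace = None, False, 0, []
    while i < len(stack):
        module, actions = stack[i]
        ret = results.get(module, "success")
        act = actions.get(ret, actions.get("default", "bad"))
        trace.append((module, ret, act))
        i += 1
        if act != "ignore":
            if not failed:
                status = ret  # first failure sticks; otherwise latest result
            failed = failed or act in ("bad", "die")
            if act in ("die", "done"):
                break  # stop evaluating the stack immediately
            if act.isdigit():
                i += int(act)  # jump over the next N modules
    return status, trace
```

With pam_unix returning a failure for a user who exists only in LDAP, `default=ignore` discards that result and evaluation lands on the `requisite` pam_deny line; when pam_unix succeeds, `success=1` jumps over pam_deny instead.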



