[Bug 971256] Re: selecting pam_unix auth with /etc/passwd in ldap results in a broken common-passwd
Brian J. Murrell
brian at interlinx.bc.ca
Mon Apr 2 04:24:03 UTC 2012
** Description changed:
If I use pam-auth-update and select both pam_krb5 and pam_unix as
mechanisms to authenticate with I get the following common-passwd file:
# here are the per-package modules (the "Primary" block)
password requisite pam_krb5.so minimum_uid=1000
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
- password optional pam_gnome_keyring.so
- password optional pam_ecryptfs.so
+ password optional pam_gnome_keyring.so
+ password optional pam_ecryptfs.so
# end of pam-auth-update config
However if I have my passwd map in LDAP and not in /etc/passwd the above
configuration is broken:
$ passwd
- Current Kerberos password:
+ Current Kerberos password:
passwd: Authentication token manipulation error
passwd: password unchanged
And in auth.log:
Apr 2 00:11:15 pc passwd[24223]: pam_unix(passwd:chauthtok): user
"brian" does not exist in /etc/passwd
If I copy the user "brian" from the ldap map to /etc/passwd:
# getent passwd brian >> /etc/passwd
# sed -ie 's/:\*:/:x:/' /etc/passwd
and create an appropriate /etc/shadow entry, the passwd command works as
expected.
+ Even though all users are in ldap and kerberos, I want to still be able
+ to authenticate locally as root in the case of network/ldap/kerberos
+ breakage.
+
ProblemType: Bug
DistroRelease: LinuxMint 12
Package: libpam-runtime 1.1.3-2ubuntu2.1
ProcVersionSignature: Ubuntu 3.0.0-16.29-generic-pae 3.0.20
Uname: Linux 3.0.0-16-generic-pae i686
ApportVersion: 1.23-0ubuntu4
Architecture: i386
Date: Mon Apr 2 00:11:41 2012
ProcEnviron:
- PATH=(custom, user)
- LANG=en_CA.UTF-8
- SHELL=/bin/bash
+ PATH=(custom, user)
+ LANG=en_CA.UTF-8
+ SHELL=/bin/bash
SourcePackage: pam
UpgradeStatus: Upgraded to lisa on 2007-04-05 (1823 days ago)
** Tags removed: lisa
** Tags added: oneiric
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/971256
Title:
selecting pam_unix auth with /etc/passwd in ldap results in a broken
common-passwd
Status in “pam” package in Ubuntu:
New
Bug description:
If I use pam-auth-update and select both pam_krb5 and pam_unix as
mechanisms to authenticate with I get the following common-passwd
file:
# here are the per-package modules (the "Primary" block)
password requisite pam_krb5.so minimum_uid=1000
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
password optional pam_ecryptfs.so
# end of pam-auth-update config
However if I have my passwd map in LDAP and not in /etc/passwd the
above configuration is broken:
$ passwd
Current Kerberos password:
passwd: Authentication token manipulation error
passwd: password unchanged
And in auth.log:
Apr 2 00:11:15 pc passwd[24223]: pam_unix(passwd:chauthtok): user
"brian" does not exist in /etc/passwd
If I copy the user "brian" from the ldap map to /etc/passwd:
# getent passwd brian >> /etc/passwd
# sed -ie 's/:\*:/:x:/' /etc/passwd
and create an appropriate /etc/shadow entry, the passwd command works
as expected.
Even though all users are in ldap and kerberos, I want to still be
able to authenticate locally as root in the case of
network/ldap/kerberos breakage.
ProblemType: Bug
DistroRelease: LinuxMint 12
Package: libpam-runtime 1.1.3-2ubuntu2.1
ProcVersionSignature: Ubuntu 3.0.0-16.29-generic-pae 3.0.20
Uname: Linux 3.0.0-16-generic-pae i686
ApportVersion: 1.23-0ubuntu4
Architecture: i386
Date: Mon Apr 2 00:11:41 2012
ProcEnviron:
PATH=(custom, user)
LANG=en_CA.UTF-8
SHELL=/bin/bash
SourcePackage: pam
UpgradeStatus: Upgraded to lisa on 2007-04-05 (1823 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/971256/+subscriptions
More information about the foundations-bugs
mailing list