Your message dated Mon, 20 Jan 2025 12:36:12 -0700
with message-id <[email protected]>
and subject line pam_unix no longer supports nis in Debian
has caused the Debian Bug report #687609,
regarding pam_unix.so ... nis => prevents root from changing his or any local 
users password
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
687609: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687609
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-modules
Version: 1.1.3-7.1
Severity: normal
File: /lib/x86_64-linux-gnu/security/pam_unix.so

Hi,

I'm using the nis option of pam_unix.so to allow NIS users to change
their password via passwd (which allows the use of sha512 hashes instead
of crypt hashes which is done by yppasswd).

/etc/pam.d/common-password contains:
password       [success=1 default=ignore]      pam_unix.so obscure sha512 nis

The following works:
* local users may change their local password
* NIS users may change their NIS password (with a sane hash)

But unfortunately the following no longer works:

# passwd
Changing password for root.
NIS server root password: [pressed return]
Enter new UNIX password:
Retype new UNIX password:
passwd: Authentication token manipulation error
passwd: password unchanged

# passwd -r files

does not change anything

# passwd louser
Changing password for louser.
NIS server root password: [pressed return]
Enter new UNIX password:
Retype new UNIX password:
passwd: Authentication token manipulation error
passwd: password unchanged

But the following works:

# passwd louser
Changing password for louser.
NIS server root password: [enter old password of local user louser]
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

same for root works, too:

# passwd
Changing password for root.
NIS server root password: [enter old local root password]
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

That just does not work for changing the password of a local user if the
old password is not known to root, which requires temporarily editing
the pam configuration and disabling the nis option.


Andreas

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-modules:amd64 depends on:
ii  debconf [debconf-2.0]  1.5.46
ii  libc6                  2.13-35
ii  libdb5.1               5.1.29-5
ii  libpam-modules-bin     1.1.3-7.1
ii  libpam0g               1.1.3-7.1
ii  libselinux1            2.1.9-5

libpam-modules:amd64 recommends no packages.

libpam-modules:amd64 suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
version: 1.4.0-13

Debian has dropped support for NIS in pam_unix.
Today, you need to use yppasswd to change NIS passwords, and local
password changes continue to work.
So this bug is no longer present.

--- End Message ---
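
Added example, not part of the bug report or of Debian's packaging: a small audit that parses PAM configuration text and reports pam_unix.so rules still carrying the nis option discussed in this thread. The function names and the sample text are constructed for illustration; the first rule in the sample is the common-password line quoted in the report.

```python
import os
import re
import sys

# type, control (simple word or bracketed [value=action ...]), module, arguments
RULE = re.compile(
    r"^-?(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)

# Constructed sample input (line 2 is the rule quoted in the bug report).
SAMPLE = """\
# constructed sample of /etc/pam.d/common-password
password  [success=1 default=ignore]  pam_unix.so obscure sha512 nis
password  requisite                   pam_deny.so
password  sufficient  pam_unix.so obscure \\
          sha512
-session  optional    pam_unix.so  # nis appears only in this comment
@include common-auth
"""

def parse_pam(text):
    """Yield (lineno, type, control, module, args) for every rule line."""
    logical, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n                      # first physical line of this rule
        if raw.endswith("\\"):             # backslash-newline continues the rule
            logical += raw[:-1] + " "
            continue
        line = (logical + raw).split("#", 1)[0].strip()   # drop comments
        lineno, logical, start = start, "", None
        m = RULE.match(line)               # @include and blank lines do not match
        if m:
            yield lineno, m["type"], m["control"], m["module"], m["args"].split()

def pam_unix_nis_rules(text):
    """Return [(lineno, type)] for pam_unix.so rules that pass the nis option."""
    return [(n, t) for n, t, _ctl, mod, args in parse_pam(text)
            if os.path.basename(mod) == "pam_unix.so" and "nis" in args]

if __name__ == "__main__":
    # With no arguments, audit the constructed sample; otherwise audit the given files.
    sources = sys.argv[1:] or [None]
    for path in sources:
        text = SAMPLE if path is None else open(path, encoding="utf-8").read()
        for lineno, rule_type in pam_unix_nis_rules(text):
            print(f"{path or '<sample>'}:{lineno}: {rule_type} pam_unix.so uses nis")
```

Run with file paths such as /etc/pam.d/common-password as arguments to audit a real system.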
