Package: libpam-modules
Version: 0.99.7.1-5

The passwd target of the module pam_unix fails to update passwords on NIS,
even when the argument "nis" is given.

(something like
password   required   pam_unix.so nis nullok obscure min=4 md5
in /etc/pam.d/common-passwd)

The command passwd fails just after the old password is entered:

$ passwd
Changing password for quentin.
(current) UNIX password: 
passwd: Authentication service cannot retrieve authentication info
passwd: password unchanged
$

The problem lies within the function pam_unix_passwd.c:_unix_verify_shadow,
which calls _unix_getpwnam with bad arguments. This call was added with
Debian patch 026_pam_unix_passwd_unknown_user.

I suggest the following patch be applied (it has to be applied on the patched tree,
but maybe that was not the right way to do it).

It also corrects another call to _unix_getpwnam, where a nis call is tried
even when nis is not given in the command line.

It was tried on NIS with shadow support and also on a machine without nis and
without the nis switch on the module command.

---
Signed-off-by: Quentin Godfroy <[EMAIL PROTECTED]>
diff -ruNp pam-0.99.7.1/Linux-PAM/modules/pam_unix/pam_unix_passwd.c 
pam-0.99.7.1-patch/Linux-PAM/modules/pam_unix/pam_unix_passwd.c
--- pam-0.99.7.1/Linux-PAM/modules/pam_unix/pam_unix_passwd.c   2008-03-05 
20:30:37.000000000 +0100
+++ pam-0.99.7.1-patch/Linux-PAM/modules/pam_unix/pam_unix_passwd.c     
2008-03-05 21:30:56.000000000 +0100
@@ -879,7 +879,7 @@ static int _unix_verify_shadow(pam_handl
        int retval = PAM_SUCCESS;
 
        /* UNIX passwords area */
-       _unix_getpwnam(pamh, user, 1, 0, &pwd); /* Get password *file* entry... 
*/
+       _unix_getpwnam(pamh, user, 1, on(UNIX_NIS, ctrl), &pwd);        /* Get 
password entry... */
        if (pwd == NULL)
                return PAM_AUTHINFO_UNAVAIL;    /* We don't need to do the 
rest... */
 
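Review bot: At the changed _unix_getpwnam call in _unix_verify_shadow the return value is still discarded and the outcome is judged only by pwd == NULL, so now that the lookup can go to NIS, a failed lookup and a missing account are both reported as PAM_AUTHINFO_UNAVAIL. Consider checking the return value, and make sure pwd is NULL before the call (its declaration is outside this hunk) so the NULL test cannot read a stale pointer. The rest of the function is not shown here; please confirm it copes with an entry that came from NIS rather than the local file, since the comment no longer says *file*.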
@@ -1073,7 +1073,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
                return PAM_USER_UNKNOWN;
        } else {
                struct passwd *pwd;
-               _unix_getpwnam(pamh, user, 1, 1, &pwd);
+               _unix_getpwnam(pamh, user, 1, on(UNIX_NIS, ctrl), &pwd);
                if (pwd == NULL) {
                        pam_syslog(pamh, LOG_DEBUG,
                                "user \"%s\" has corrupted passwd entry",
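Review bot: In pam_sm_chauthtok the NIS argument changes from a constant 1 to on(UNIX_NIS, ctrl), so an account that exists only in NIS now falls into the pwd == NULL branch whenever the nis option is absent, and that branch logs "has corrupted passwd entry" at LOG_DEBUG. The message is misleading for that case; suggest rewording it to say the entry was not found, and noting the behaviour change in the changelog, since setups that relied on the unconditional NIS lookup will be affected.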
@@ -1155,7 +1151,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
                        pam_syslog(pamh, LOG_CRIT,
                                 "failed to set PAM_OLDAUTHTOK");
                }
-               retval = _unix_verify_shadow(pamh,user, ctrl);
+               retval = _unix_verify_shadow(pamh, user, ctrl);
                if (retval == PAM_AUTHTOK_ERR) {
                        if (off(UNIX__IAMROOT, ctrl))
                                _make_remark(pamh, ctrl, PAM_ERROR_MSG,
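Review bot: The header of this hunk reads @@ -1155,7 +1151,7 @@, but the two earlier hunks each replace one line with one line, so the new-side start should still be 1155; the mismatch suggests the diff was edited by hand, and it is worth regenerating it so it applies without offsets. The only change here is a space after the comma in the _unix_verify_shadow call, which is unrelated to the NIS fix; drop it or send it as a separate cleanup.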


