On Wed, Jan 06, 2010 at 04:24:04PM -0500, Ken Raeburn wrote:
> Package: libc6
> Version: 2.7-18
> Severity: normal
> File: /lib/libnss_hesiod.so.2
> 
> 
> We've found that since updating to lenny, cron jobs for normal,
> non-local users (who are listed in hesiod) aren't being run.  Adding
> entries to /etc/shadow works around it.  The following message gets
> logged, and the cron job just never runs:
> 
> Jan  6 16:07:01 just-testing CRON[25360]: Authentication service cannot 
> retrieve authentication info
> 
> Chasing things a bit further, cron uses pam, and pam is looking up
> shadow password entries.  (For some reason, this problem doesn't bite
> us with ssh or X login, just cron, so far as we've noticed.)  The
> above error message comes from the pam code.
> 
> The pam code seems to assume that shadow password entries will exist
> for any valid account.  We're using libnss_hesiod, and it doesn't
> support the shadow-password lookups, just regular password lookups.
> 
> A simple test program (that requires a libnss_hesiod setup to
> demonstrate):
> 
>     #include <shadow.h>
>     #include <stdio.h>
>     #include <stdlib.h>
>     int main () {
>       struct spwd *sp = getspnam("nightly");
>       if (sp) { printf("win\n"); exit(0); } else { printf("fail\n"); exit(1); 
> }
>     }
> 
> I expect the pam code's assumption is probably reasonable; if so, then
> libnss_hesiod should be filling in the gap, and we should just be able
> to use "shadow: files hesiod" in nsswitch.conf.
> 

hesiod is not supposed to be used to provide password. Even if used that
way, I don't really see the point of providing a shadow database though
hesiod, as the data will anyway be public, as published in the DNS.

IMHO, that's a wrong assumption that should be fixed in pam.

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
aurel...@aurel32.net                 http://www.aurel32.net



-- 
To UNSUBSCRIBE, email to debian-glibc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to