Bug#651042: token manipulation error for NIS
On Wed, Jan 11, 2012 at 08:44:05AM +0100, harald.dun...@aixigo.de wrote: Seems that I have to add an option nis to pam_unix.so to make it work (better). My common-passwd is now: Nice to know this works with pam_unix (at least this is consistent with its documentation (nis: NIS RPC is used for setting new passwords.). If the option was not set before, then I'm not surprised by the behavior (this is similar to pam_unix failing to get the authentication token from /etc/shadow) Looking at the NIServer I see that /etc/shadow is changed, even though NIS merges passwd and shadow into a single database. Seems OK to me. It is just weird that passwd asks for the NIS root password, if I try to change the local root password: # passwd Changing password for root. NIS server root password: Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully It still accepts and changes the local root password, so this is not a big issue. Those prompts are coming from the PAM module, not from passwd itself. SO I guess they are doing the right thing, unless there are mis-configurations from your side. I've read you have to include/exclude some accounts with nis, putting lines like +miquels::: -miquels::: maybe you can also restrict the users which are exported by the server. Question: On Debian /etc/pam.d/common-passwd is generated using pam-auth-update and some templates in /usr/..., AFAICS. What is the _real_ place to add the nis (or other options) to pam_unix.so? Shouldn't it be set by default, if NIS is installed? That might be worth being discussed with the nis maintainer. I do not know nis enough to answer. I would guess that the new PAM config handling mechanism could be used for this. I would propose to close this bug. Do you agree? You may want to open a new bug for the handling of the PAM configuration when NIS is installed/enabled on a system. Best Regards, -- Nekral -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#651042: token manipulation error for NIS
Closing this bug is fine with me. Many thanx Harri -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#651042: [Pkg-shadow-devel] Bug#651042: token manipulation error for NIS
Hello, On Mon, Jan 09, 2012 at 10:09:44PM +0100, Nicolas François wrote: On Mon, Jan 09, 2012 at 09:22:59AM +0100, harald.dun...@aixigo.de wrote: I had expected passwd is based on pam, isn't it? OK. Right, if supported by PAM, then passwd should work. IIRC passwd's operation for NIS auth works through libc/nss' getspent(), but for changing auth tokens it resorts to writing /etc/shadow directly, am I correct here? And as far as I can remember, changing NIS passwords never worked in passwd... -- With best regards, xrgtn -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#651042: token manipulation error for NIS
Seems that I have to add an option nis to pam_unix.so to make it work (better). My common-passwd is now: password [success=1 default=ignore] pam_unix.so obscure sha512 nis password requisite pam_deny.so password required pam_permit.so The other common-* config files are unchanged. Now the token manipulation error is gone: % passwd Changing password for hdunkel. (current) UNIX password: abc Enter new UNIX password: xyz Retype new UNIX password: xyz passwd: password updated successfully Looking at the NIServer I see that /etc/shadow is changed, even though NIS merges passwd and shadow into a single database. Seems OK to me. It is just weird that passwd asks for the NIS root password, if I try to change the local root password: # passwd Changing password for root. NIS server root password: Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully It still accepts and changes the local root password, so this is not a big issue. Question: On Debian /etc/pam.d/common-passwd is generated using pam-auth-update and some templates in /usr/..., AFAICS. What is the _real_ place to add the nis (or other options) to pam_unix.so? Shouldn't it be set by default, if NIS is installed? Regards Harri pam_config.tar.gz Description: application/gzip
Bug#651042: token manipulation error for NIS
Hi Nicolas, On 01/08/12 16:57, Nicolas François wrote: I do not know NIS, but I do not think passwd should be used to change a password when NIS is in use. According to its own man page yppasswd(1) is deprecated. http://tldp.org/HOWTO/NIS-HOWTO/rpasswdd.html I do not see how this is relevant on Squeeze. pwdutils are not included in Squeeze or Sid. Did passwd work in the past? For Squeeze I cannot say. Do you know if passwd is intended to work in such case? I had expected passwd is based on pam, isn't it? Regards Harri -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#651042: token manipulation error for NIS
Hi, On Mon, Jan 09, 2012 at 09:22:59AM +0100, harald.dun...@aixigo.de wrote: On 01/08/12 16:57, Nicolas François wrote: Do you know if passwd is intended to work in such case? I had expected passwd is based on pam, isn't it? OK. Right, if supported by PAM, then passwd should work. Did you get anything in the system log files (/var/log/auth.log or /var/log/syslog)? Which PAM module do you use, with which options? Can you enable auditing or debugging for this PAM module? Best Regards, -- Nekral -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#651042: token manipulation error for NIS
Hello, On Mon, Dec 05, 2011 at 10:35:59AM +0100, harald.dun...@aixigo.de wrote: If I try to change the password of my account in NIS, then I get % passwd passwd: Authentication token manipulation error passwd: password unchanged % Please note that it didn't even ask for the old password. Using yppasswd there is no such problem. The NIS Server (Lenny) merges passwd and shadow information. MERGE_PASSWD=true I do not know NIS, but I do not think passwd should be used to change a password when NIS is in use. http://tldp.org/HOWTO/NIS-HOWTO/rpasswdd.html Did passwd work in the past? Do you know if passwd is intended to work in such case? Best Regards, -- Nekral -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#651042: token manipulation error for NIS
Package: passwd Version: 1:4.1.4.2+svn3283-2+squeeze1 If I try to change the password of my account in NIS, then I get % passwd passwd: Authentication token manipulation error passwd: password unchanged % Please note that it didn't even ask for the old password. Using yppasswd there is no such problem. The NIS Server (Lenny) merges passwd and shadow information. MERGE_PASSWD=true Regards Harri -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org