On Wed, Jan 11, 2012 at 08:44:05AM +0100, harald.dun...@aixigo.de wrote: > Seems that I have to add an option "nis" to pam_unix.so to > make it work (better). My common-passwd is now:
Nice to know this works with pam_unix (at least this is consistent with its documentation (nis: NIS RPC is used for setting new passwords.). If the option was not set before, then I'm not surprised by the behavior (this is similar to pam_unix failing to get the authentication token from /etc/shadow) > Looking at the NIServer I see that /etc/shadow is changed, > even though NIS merges passwd and shadow into a single > database. Seems OK to me. > > It is just weird that passwd asks for the NIS root password, > if I try to change the local root password: > > # passwd > Changing password for root. > NIS server root password: > Enter new UNIX password: > Retype new UNIX password: > passwd: password updated successfully > > It still accepts and changes the local root password, so > this is not a big issue. Those prompts are coming from the PAM module, not from passwd itself. SO I guess they are doing the right thing, unless there are mis-configurations from your side. I've read you have to include/exclude some accounts with nis, putting lines like +miquels::::::: -miquels::::::: maybe you can also restrict the users which are exported by the server. > Question: On Debian /etc/pam.d/common-passwd is generated > using pam-auth-update and some templates in /usr/..., AFAICS. > What is the _real_ place to add the "nis" (or other options) > to pam_unix.so? Shouldn't it be set by default, if NIS is > installed? That might be worth being discussed with the nis maintainer. I do not know nis enough to answer. I would guess that the new PAM config handling mechanism could be used for this. I would propose to close this bug. Do you agree? You may want to open a new bug for the handling of the PAM configuration when NIS is installed/enabled on a system. Best Regards, -- Nekral -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
