[Bug 971256] Re: selecting pam_unix auth with /etc/passwd in ldap results in a broken common-passwd
Steve Langasek
steve.langasek at canonical.com
Tue Apr 3 03:14:38 UTC 2012
*** This bug is a duplicate of bug 971253 ***
https://bugs.launchpad.net/bugs/971253
this looks like a duplicate of bug #971253, using a krb5 config that
doesn't match the system one.
** This bug has been marked a duplicate of bug 971253
only krb5 results in broken common-passwd
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/971256
Title:
selecting pam_unix auth with /etc/passwd in ldap results in a broken
common-passwd
Status in “pam” package in Ubuntu:
New
Bug description:
If I use pam-auth-update and select both pam_krb5 and pam_unix as
mechanisms to authenticate with I get the following common-passwd
file:
    # here are the per-package modules (the "Primary" block)
    password requisite pam_krb5.so minimum_uid=1000
    password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
    # here's the fallback if no module succeeds
    password requisite pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    password required pam_permit.so
    # and here are more per-package modules (the "Additional" block)
    password optional pam_gnome_keyring.so
    password optional pam_ecryptfs.so
    # end of pam-auth-update config
However if I have my passwd map in LDAP and not in /etc/passwd the
above configuration is broken:
    $ passwd
    Current Kerberos password:
    passwd: Authentication token manipulation error
    passwd: password unchanged
And in auth.log:
    Apr 2 00:11:15 pc passwd[24223]: pam_unix(passwd:chauthtok): user "brian" does not exist in /etc/passwd
If I copy the user "brian" from the ldap map to /etc/passwd:
    # getent passwd brian >> /etc/passwd
    # sed -ie 's/:\*:/:x:/' /etc/passwd
and create an appropriate /etc/shadow entry, the passwd command works
as expected.
Even though all users are in ldap and kerberos, I want to still be
able to authenticate locally as root in the case of
network/ldap/kerberos breakage.
ProblemType: Bug
DistroRelease: LinuxMint 12
Package: libpam-runtime 1.1.3-2ubuntu2.1
ProcVersionSignature: Ubuntu 3.0.0-16.29-generic-pae 3.0.20
Uname: Linux 3.0.0-16-generic-pae i686
ApportVersion: 1.23-0ubuntu4
Architecture: i386
Date: Mon Apr 2 00:11:41 2012
ProcEnviron:
PATH=(custom, user)
LANG=en_CA.UTF-8
SHELL=/bin/bash
SourcePackage: pam
UpgradeStatus: Upgraded to lisa on 2007-04-05 (1823 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/971256/+subscriptions
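The control flow of the common-passwd stack quoted in the bug description can be traced with a small model of PAM's dispatch rules. This is an added example, not part of the original message or of the pam package. It is a simplified single-pass model, and the per-module return codes passed to run() are assumptions chosen to match the passwd output and auth.log line in the report.

```python
import re

# Bracket equivalents of the classic control keywords (see pam.conf(5)).
KEYWORDS = {
    "requisite": {"success": "ok", "default": "die"},
    "required":  {"success": "ok", "default": "bad"},
    "optional":  {"success": "ok", "default": "ignore"},
}

# The "password" stack from the bug description, comments removed.
COMMON_PASSWORD = """\
password requisite pam_krb5.so minimum_uid=1000
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so
password optional pam_ecryptfs.so
"""

def parse(text):
    """Return [(module, {return_code: action})] for each stack line."""
    stack = []
    for ctl, module in re.findall(r"^password\s+(\[[^\]]*\]|\S+)\s+(\S+)", text, re.M):
        if ctl.startswith("["):
            actions = dict(kv.split("=") for kv in ctl[1:-1].split())
        else:
            actions = KEYWORDS[ctl]
        stack.append((module, actions))
    return stack

def run(stack, results):
    """Walk the stack once; results maps module -> assumed return code."""
    status, i = None, 0
    while i < len(stack):
        module, actions = stack[i]
        ret = results.get(module, "success")
        action = actions.get(ret, actions["default"])
        i += 1
        if action.isdigit():            # jump: skip the next N modules
            i += int(action)
        elif action == "ok":
            status = status or ret      # keep the first result already set
        elif action in ("bad", "die"):
            if status in (None, "success"):
                status = ret            # a failure overrides earlier success
            if action == "die":
                break                   # requisite: stop the stack here
    return status or "perm_denied"      # nothing set a result: fail closed
```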