Andy Rabagliati andyr at
Fri Apr 7 09:45:48 BST 2006

On Thu, 06 Apr 2006, Jerry Haltom wrote:

> Run:
> getent passwd
> getent shadow
> NSS is responsible for retrieving a number of named "tables". They are
> passwd, shadow, group, hosts, etc. Anything you see in /etc/nsswitch.
> You can use getent to query one of those NSS tables.
> pam_unix authenticates users by comparing the password entered to the
> password in the passwd (or shadow) NSS tables. Normally, these NSS
> tables are mapped to /etc/shadow or /etc/passwd, which are local on the
> box., and shadow is only readable by root. Using NSS to map them to LDAP
> queries is fine.
> However, this means you are passing passwords or hashes over the LDAP
> connection to the hosts, to make up their NSS tables. Any user can query
> for one of these records, and get another users password.
> If I'm wrong let me know, however.

"getent passwd" indeed lists my LDAP users in addition to local users,
and a crypt'ed password is listed also for LDAP users.

Thanks for your explanation, it is a great help. Learn something new
every day.

Cheers,     Andy!

More information about the ubuntu-devel mailing list