
Re: PAM> passwd: User not known to the underlying authentication module

On Mon, 28 Aug 2000, Michael A. Dietz wrote:

> > > > /etc/pam.d/other
> > > > auth  required        pam_unix_auth.so
> > > > account       required        pam_unix_acct.so
> > > > password required     pam_unix_passwd.so
> > > > session       required        pam_unix_session.so
> > > For security reasons your pam.d/other should look like:
> > > #%PAM-1.0
> > > auth     required       /lib/security/pam_deny.so
> > > account  required       /lib/security/pam_deny.so
> > > password required       /lib/security/pam_deny.so
> > > session  required       /lib/security/pam_deny.so
> [snip]

> > > Copy the files from /etc/pam.d/login sshd ftp or whatever services you use
> > > over to the new box.  (or reinstall the rpm).  Verify your passwd and
> > > shadow files exist and are not corrupt.

> > Actually, this is exactly what I did.  All the files originally come from
> > a stock /etc/pam.d/ redhat 6.2 install.  I used the other file
> > /etc/pam.d/other for the other file when I was trying to get it working
> > early on without any luck ever getting it working that way.  I changed
> > it so that I could at least see if I could get it working without that,
> > which it will.  I went ahead and changed the other file to what you had
> > just to make sure, but unfortunately, that doesn't fix the problem.  Any
> > other ideas?

> It doesn't appear your /etc/pam.d/other file is even authenticating using
> the shadow password functions i.e:

> auth       required     /lib/security/pam_pwdb.so shadow
> account    required     /lib/security/pam_pwdb.so

The shadow option to pam_pwdb.so and pam_unix.so is a *null op* when in
authentication mode, and always has been.  When authenticating, both modules
will automatically recognize a shadowed system, and look up entries in the
shadow file as needed.  The 'shadow' option *only* has meaning when using
these modules in the 'password' section of the PAM config file, in which case
it means to write updates to the shadow file.

The 'shadow' option is therefore superfluous and should be omitted for

> also, most modules support the debug option, try using this and checking
> for errors:
> auth       required     /lib/security/pam_pwdb.so shadow debug
> account    required     /lib/security/pam_pwdb.so debug

> Lastly, pam_unix_auth.so, pam_unix_auth.so, pam_unix_passwd.so, and 
> pam_unix_session.so are now one module: pam_unix.so .


Since pam_unix.so (in /etc/pam.d/other) appears to be working, you might try
using this in your /etc/pam.d/passwd file as well.  It may be that you don't
have libpwdb properly configured, and that this is causing a problem.  If
pam_unix.so works for you, it's probably a better choice in any case.

Steve Langasek
postmodern programmer
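
The points raised in this thread can be checked mechanically. The linter below is an added example, not code from the list post or from the Linux-PAM project: it flags the legacy pam_unix_*.so names, a 'shadow' argument outside the password stack, and an /etc/pam.d/other that falls through to anything but pam_deny.so. The function name lint_pam and the sample file contents are assumptions constructed from the lines quoted above.

```python
import re

# type, control (plain word or [bracketed] form), module path, remaining args
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
LEGACY = re.compile(r"^pam_unix_(auth|acct|passwd|session)\.so$")
SHADOW_AWARE = {"pam_unix.so", "pam_pwdb.so"}

def lint_pam(service, text):
    """Return (line_no, message) findings for the contents of /etc/pam.d/<service>."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m:                      # blank, comment-only or @include line
            continue
        mtype, _control, module, args = m.groups()
        base = module.rsplit("/", 1)[-1]
        if LEGACY.match(base):
            findings.append((no, f"{base}: legacy name, now provided by pam_unix.so"))
        if base in SHADOW_AWARE and "shadow" in args.split() and mtype != "password":
            findings.append((no, f"'shadow' is a no-op in the {mtype} stack"))
        if service == "other" and base != "pam_deny.so":
            findings.append((no, f"fallback {mtype} stack uses {base}, not pam_deny.so"))
    return findings

# Constructed samples: the fallback file quoted in the thread, and a passwd
# file using the suggested pam_pwdb.so lines plus a password rule.
OTHER = """\
auth      required  pam_unix_auth.so
account   required  pam_unix_acct.so
password  required  pam_unix_passwd.so
session   required  pam_unix_session.so
"""
PASSWD = """\
#%PAM-1.0
auth      required  /lib/security/pam_pwdb.so shadow debug
account   required  /lib/security/pam_pwdb.so debug
password  required  /lib/security/pam_pwdb.so shadow
"""

if __name__ == "__main__":
    for name, text in (("other", OTHER), ("passwd", PASSWD)):
        for no, msg in lint_pam(name, text):
            print(f"/etc/pam.d/{name}:{no}: {msg}")
```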
