pam_unix.so + nsswitch.conf + nis

Vassilis Vatikiotis vatikiot at iit.demokritos.gr
Tue Aug 21 16:33:27 UTC 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,

Short: is the STATUS=ACTION mechanism in nsswitch.conf works as intended?

Long:
I'm trying to configure a NIS client so that it would allow local
account logins via the 'files' database and network account login via
'nis' database in the nsswitch.conf file. So I've setup my nsswitch.conf
  like that:

passwd:         files [success=return] nis
group:          files [success=return] nis
shadow:         files [success=return] nis

the rule [success=return] is superfluous since 'return' is the default
action on 'succes' (according to nsswitch.conf man page). But I want to
enforce the 'return on success' behaviour just in case.

It works, local and network users can login but I notice this behaviour.
Whenever a local user tries to login, NIS kicks in and several messages
pass between the NIS client and server. Why does this happen? Local
account logins are checked against the 'files' database in nsswitch.conf
and since the default action (AND the [success=return] behaviour) is
'return', there shouldn't be any NIS lookups.

Why do I want to implement such a authentication behaviour? For
conversation's sake assume that no NIS user is allowed to login in the
NIS client and only local users are allowed (pam_localuser etc,etc). The
problem arises when I try to install a firewall on that NIS client.
Local logins (ssh'ing actually) fail because, instead of returning from
a successful local 'files' lookup - just as 'files [success=return] nis'
implies, the auth process continues with a NIS lookup. And at that point
the firewall blocks it (I haven't setup rules for NIS yet, I just allow
ssh).

Any answers are welcomed since I'm banging my head on this for quite
some time.
thx, vassilis

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGyxPXgUWLzP4xLCERAv14AKCW1vjmvw7rGILG4Ehs2SHfBSbZGgCaA7Co
6mYuFHynwoQmYKg+1lIJev8=
=+wOQ
-----END PGP SIGNATURE-----

More information about the Pam-list mailing list