pam_unix.so + nsswitch.conf + nis

Dominik George natureshadow at gmail.com
Tue Aug 21 18:11:15 UTC 2007


Did you follow some how-to that tells you to add +:::: or something like
that to your passwd and shadow files? If so, NIS requests will be sent upon
file and compat resolution.

2007/8/21, Vassilis Vatikiotis <vatikiot at iit.demokritos.gr>:
>
> Hello all,
>
> Short: does the STATUS=ACTION mechanism in nsswitch.conf work as intended?
>
> Long:
> I'm trying to configure a NIS client so that it would allow local
> account logins via the 'files' database and network account login via
> 'nis' database in the nsswitch.conf file. So I've set up my nsswitch.conf
> like this:
>
> passwd:         files [success=return] nis
> group:          files [success=return] nis
> shadow:         files [success=return] nis
>
> the rule [success=return] is superfluous since 'return' is the default
> action on 'success' (according to the nsswitch.conf man page). But I want to
> enforce the 'return on success' behaviour just in case.
>
> It works, local and network users can login but I notice this behaviour.
> Whenever a local user tries to log in, NIS kicks in and several messages
> pass between the NIS client and server. Why does this happen? Local
> account logins are checked against the 'files' database in nsswitch.conf
> and since the default action (AND the [success=return] behaviour) is
> 'return', there shouldn't be any NIS lookups.
>
> Why do I want to implement such an authentication behaviour? For
> conversation's sake assume that no NIS user is allowed to log in to the
> NIS client and only local users are allowed (pam_localuser etc, etc). The
> problem arises when I try to install a firewall on that NIS client.
> Local logins (ssh'ing actually) fail because, instead of returning from
> a successful local 'files' lookup - just as 'files [success=return] nis'
> implies, the auth process continues with a NIS lookup. And at that point
> the firewall blocks it (I haven't setup rules for NIS yet, I just allow
> ssh).
>
> Any answers are welcome since I've been banging my head on this for quite
> some time.
> thx, vassilis
>
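Added example (not code from either poster): a small POSIX sh checker for the two things this thread is about, a "nis" source in nsswitch.conf and "+"/"-" compat directives such as "+::::::" in passwd/shadow/group. It reports, per database, whether a lookup can reach NIS only when the local files miss (the default success=return from the question) or whether a "+" line pulls NIS in regardless, and shows the verdict after the directive lines are stripped. The verdict names, the function names and all file contents are my own constructed sample, mirroring the nsswitch.conf from the question; nothing is read from the real /etc until you point the functions there.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether the NSS setup for a
# login path will send NIS traffic even for a purely local account, by looking
# for the two things discussed in the thread: a "nis" source in nsswitch.conf
# and "+"/"-" compat directives (e.g. "+::::::") in passwd/shadow/group.
# All file contents below are constructed samples, not taken from a real host.

# nss_sources DB NSSWITCH: print the service names configured for DB,
# with [STATUS=ACTION] tokens dropped, e.g. "files nis".
nss_sources() {
    awk -v db="$1" '
        /^[[:space:]]*#/ { next }
        $1 == (db ":") {
            for (i = 2; i <= NF; i++)
                if (index($i, "[") == 0 && index($i, "]") == 0 && index($i, "=") == 0)
                    printf "%s%s", (n++ ? " " : ""), $i
            print ""
            exit
        }' "$2"
}

# compat_entry_count FILE: number of "+"/"-" NIS compat directive lines in FILE
# (0 if FILE does not exist, e.g. for databases that have no local file).
compat_entry_count() {
    if [ -f "$1" ]; then
        grep -c '^[+-]' "$1" || true   # grep -c prints 0 but exits 1 on no match
    else
        echo 0
    fi
}

# nis_verdict DB NSSWITCH DBFILE: one word describing when NIS gets asked
#   plus-entries: "+"/"-" directives in DBFILE; the directive itself pulls NIS
#                 in, whatever the actions after "files" say
#   nis-on-miss:  nis listed as a source; with the default success=return it is
#                 only consulted when the files lookup does not find the entry
#   no-nis:       nothing here reaches NIS
nis_verdict() {
    srcs=$(nss_sources "$1" "$2")
    if [ "$(compat_entry_count "$3")" -gt 0 ]; then
        echo plus-entries
        return
    fi
    case " $srcs " in
        *" nis "*|*" nisplus "*) echo nis-on-miss ;;
        *) echo no-nis ;;
    esac
}

# strip_compat_entries FILE: print FILE without the "+"/"-" directive lines,
# for review before replacing the real file.
strip_compat_entries() {
    grep -v '^[+-]' "$1" || true
}

# make_sample DIR: write constructed copies of nsswitch.conf, passwd, shadow and
# group into DIR. passwd and shadow carry the "+::::" style line a NIS how-to
# adds; group does not.
make_sample() {
    cat > "$1/nsswitch.conf" <<'EOF'
# constructed sample, mirrors the configuration from the question
passwd:         files [success=return] nis
group:          files [success=return] nis
shadow:         files [success=return] nis
hosts:          files dns
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
vassilis:x:1000:1000:local user:/home/vassilis:/bin/sh
+::::::
EOF
    cat > "$1/shadow" <<'EOF'
root:*:13000:0:99999:7:::
vassilis:*:13000:0:99999:7:::
+::::::::
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
vassilis:x:1000:
EOF
}

# report DIR: print sources and verdict for each database, then show the effect
# of stripping the directives from passwd.
report() {
    for db in passwd shadow group hosts; do
        printf '%-7s sources=[%s] verdict=%s\n' "$db" \
            "$(nss_sources "$db" "$1/nsswitch.conf")" \
            "$(nis_verdict "$db" "$1/nsswitch.conf" "$1/$db")"
    done
    strip_compat_entries "$1/passwd" > "$1/passwd.fixed"
    printf 'passwd  after stripping +/- lines: verdict=%s\n' \
        "$(nis_verdict passwd "$1/nsswitch.conf" "$1/passwd.fixed")"
}

sample_dir=$(mktemp -d) || exit 1
make_sample "$sample_dir"
report "$sample_dir"
rm -rf "$sample_dir"
```

Run as-is to see the report for the constructed sample (passwd and shadow come out as plus-entries, group as nis-on-miss, hosts as no-nis, and passwd.fixed as nis-on-miss). To check a real client, call nis_verdict with /etc/nsswitch.conf and the matching /etc file, and confirm the result against what the firewall log shows during a local ssh login.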