pam_unix.so + nsswitch.conf + nis

Vassilis Vatikiotis vatikiot at iit.demokritos.gr
Wed Aug 22 17:01:35 UTC 2007



Tomas Mraz wrote:
> On Wed, 2007-08-22 at 12:40 +0300, Vassilis Vatikiotis wrote:
>>>> And the compat option is not for NIS lookups, it works with
>>>> every other service, too.
>> Right, I didn't know that. Good to know.
>>
>>>> What you mean is, that the +::::: notation in passwd/shadow files
>>>> was used in libc5 without NYS to support NIS,
>> Yes, you put it much better.... my powers of expressiveness in English are
>> lacking, I'm afraid.
>>
>> I was using the compat option with the + notation in my /etc files, but I
>> was under the impression that since the compat option was "outdated", it
>> was a good thing to change it. The "files nis" in nsswitch.conf works,
>> meaning that lookups, local and NIS, work, but still there is this
>> problem. Why, after a successful "files" lookup, does control not
>> return to the calling function, but instead go on to initiate a conversation
>> with the NIS server? I don't know if that conversation is a lookup or
>> something else, to be honest.
> There might be for example a lookup for some group which is non-existent
> in local /etc/group. Do you have pam_access.so in the pam configs? Or
> pam_limits.so? And if yes what are the contents of access.conf and
> limits.conf?
> 

Unfortunately that's not the case. The machine allows only root to ssh
to it (via pam_localuser.so); all other system accounts are locked. root
belongs only to local group 0, and it's the only account which is allowed
to ssh to that machine.

No pam_access.so in the PAM configs. pam_limits.so is used, but
limits.conf is all commented out.

PAM conf for ssh follows, along with the common-* files.

# PAM configuration for the Secure Shell service
auth       required     pam_env.so # [1]
auth       required     pam_env.so envfile=/etc/default/locale
auth       required     pam_localuser.so
@include common-auth

account    required     pam_nologin.so
@include common-account

@include common-session
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so # NB everything is commented out in /etc/security/limits.conf (my comment)

@include common-password

===========>
common-account file

account required        pam_warn.so
account required        pam_unix.so

==============>
common-auth file

auth    required        pam_warn.so
auth    required        pam_unix.so nullok_secure debug

===============>
common-password file

password required         pam_cracklib.so retry=3 minlen=6 difok=3
password required         pam_unix.so use_authtok nullok md5

===============>
common-session file

session required        pam_unix.so

===============>
and finally the nsswitch.conf

passwd:         files [success=return] nis
group:          files [success=return] nis
shadow:         files [success=return] nis
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

There are no +/- entries in the NIS client passwd/group/shadow files.

PS. Does SuSE use pam_unix or pam_unix2? Because *it seems* that SuSE behaves
as I expect (control returns on a successful local lookup). I'll fire up a VM
and test it.

Thanks again
vassilis
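The nsswitch.conf action semantics behind the question above, as an added example that is not part of the thread. It models glibc's service walk: the built-in default is already success=return / notfound=continue / unavail=continue / tryagain=continue, so "files [success=return] nis" behaves exactly like "files nis", and a getpwnam() hit in files never reaches NIS. What does reach NIS is initgroups(), which sshd calls when it sets up the session: supplementary group membership may be spread over several services, so glibc keeps walking after a hit in files unless nsswitch.conf carries an explicit `initgroups:` line (check grp/initgroups.c in your glibc for the exact rule in your version). The passwd entries, group lists and the NisServer class are constructed stand-ins, not data from the machine in the thread.

```python
import re

# glibc's built-in defaults: a hit ends the walk, everything else moves on
# to the next service.  "[success=return]" therefore restates the default.
STATUSES = ("success", "notfound", "unavail", "tryagain")
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}
TOKEN_RE = re.compile(r"\[[^\]]*\]|\S+")   # "[...]" blocks or bare words


def parse_nss_line(line):
    """Parse one nsswitch.conf line into (database, [(service, actions), ...]).

    Action blocks such as "[success=return notfound=continue]" or
    "[!unavail=return]" attach to the service that precedes them.  The
    newer "merge" action is not modelled here.
    """
    db, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not a database line: %r" % line)
    services = []
    for tok in TOKEN_RE.findall(rest.split("#", 1)[0]):
        if not tok.startswith("["):
            services.append((tok.lower(), dict(DEFAULT_ACTIONS)))
            continue
        if not services:
            raise ValueError("action block before any service: %r" % line)
        for spec in tok[1:-1].split():
            status, _, action = spec.lower().partition("=")
            negate = status.startswith("!")
            status = status.lstrip("!")
            if status not in STATUSES or action not in ("return", "continue"):
                raise ValueError("bad action spec %r in %r" % (spec, line))
            for s in (set(STATUSES) - {status}) if negate else {status}:
                services[-1][1][s] = action
    return db.strip().lower(), services


def nss_walk(services, backends, key, success_continues=False):
    """Walk the service list the way glibc does for one lookup.

    backends maps service name -> callable(key) -> (status, value).
    Returns (status, values, consulted): every successful value in order,
    and the services that were actually called.  success_continues models
    initgroups(), where a SUCCESS is treated like NOTFOUND for the action
    decision so that membership from later services is merged in.
    """
    consulted, values, last = [], [], "notfound"
    for name, actions in services:
        consulted.append(name)
        backend = backends.get(name)
        status, value = backend(key) if backend else ("unavail", None)
        if status == "success":
            values.append(value)
            last = "success"
        elif last != "success":
            last = status
        decide_on = "notfound" if (status == "success" and success_continues) else status
        if actions[decide_on] == "return":
            break
    return last, values, consulted


# Constructed sample data standing in for /etc/passwd, /etc/group and the
# NIS group map (hypothetical users and groups, not the thread's machine).
LOCAL_PASSWD = {"root": "root:x:0:0:root:/root:/bin/bash"}
LOCAL_GROUPS = {"root": ["root"], "alice": ["users"]}
NIS_GROUPS = {"alice": ["project"]}


class NisServer:
    """Stand-in for ypserv that counts requests, i.e. the 'conversation'."""
    def __init__(self, passwd, groups):
        self.passwd, self.groups, self.calls = passwd, groups, 0

    def passwd_lookup(self, user):
        self.calls += 1
        return ("success", self.passwd[user]) if user in self.passwd else ("notfound", None)

    def initgroups(self, user):
        self.calls += 1
        return ("success", self.groups[user]) if user in self.groups else ("notfound", None)


def files_passwd(user):
    return ("success", LOCAL_PASSWD[user]) if user in LOCAL_PASSWD else ("notfound", None)


def files_initgroups(user):
    return ("success", LOCAL_GROUPS[user]) if user in LOCAL_GROUPS else ("notfound", None)


def getpwnam(nss_line, user, nis):
    """getpwnam(3)-style lookup: the first hit ends the walk."""
    _, services = parse_nss_line(nss_line)
    backends = {"files": files_passwd, "nis": nis.passwd_lookup}
    status, values, consulted = nss_walk(services, backends, user)
    return status, (values[0] if values else None), consulted


def initgroups(group_line, user, nis, explicit_initgroups_line=False):
    """initgroups(3)-style walk.  Without an explicit 'initgroups:' line the
    walk continues past a hit in files, so NIS is asked as well; with one,
    the normal action table (success=return) is honoured."""
    _, services = parse_nss_line(group_line)
    backends = {"files": files_initgroups, "nis": nis.initgroups}
    status, values, consulted = nss_walk(services, backends, user,
                                         success_continues=not explicit_initgroups_line)
    merged = []
    for grouplist in values:
        merged.extend(g for g in grouplist if g not in merged)
    return status, merged, consulted


if __name__ == "__main__":
    nis = NisServer(passwd={}, groups=NIS_GROUPS)
    print(getpwnam("passwd: files [success=return] nis", "root", nis))
    print(getpwnam("passwd: files nis", "root", nis))       # identical walk
    print("NIS requests so far:", nis.calls)                # still 0
    print(initgroups("group: files [success=return] nis", "root", nis))
    print("NIS requests after initgroups:", nis.calls)      # now 1
```

Running it shows the files hit stopping getpwnam() with zero NIS requests, while initgroups() for the same local root contacts NIS anyway; an explicit `initgroups: files nis` line is the knob that makes the success action apply to that walk too.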