Can't authenticate some accounts
Erik Hensema / HostingXS
hensema at hostingxs.nl
Mon Mar 9 15:12:08 UTC 2009
Dear list,
After installing a new server, we ran into some accounts which can't
authenticate.
In short, I can find just two common symptoms:
a) all accounts are NIS accounts
b) pam_authenticate() returns error 6: "Permission denied".
The problem manifests itself on a small percentage of our accounts. All
accounts are created equal, using a script.
The accounts have a valid md5-crypted password. Changing the password doesn't
work (the account remains locked/unusable).
Failing accounts can be old account (from before installing the server) or new
accounts.
The accounts do work on other servers with older PAM versions (such as
0.99.6.3-29.1).
The accounts are listed correctly by both 'ypcat passwd' and 'getent passwd'.
The accounts never expire and aren't locked.
"Permission denied" on pam_authenticate() is undocumented.
The problem manifests itself on all services.
The configuration of the machine:
auth required pam_env.so
auth sufficient pam_unix2.so
auth sufficient pam_ldap.so use_first_pass
----
nsswitch.conf:
passwd: files nis ldap
shadow: files nis ldap
----
opensuse 11.0 with pam 1.0.1-8.1
I'm at a loss here. I've got no clue where to find the problem. Any pointers
would be greatly appriciated.
--
Met vriendelijke groet,
Erik Hensema / HostingXS Internet Services
More information about the Pam-list
mailing list