Can't authenticate some accounts

Erik Hensema / HostingXS hensema at hostingxs.nl
Mon Mar 9 15:12:08 UTC 2009


Dear list,

After installing a new server, we ran into some accounts which can't 
authenticate.

In short, I can find just two common symptoms:

a) all accounts are NIS accounts
b) pam_authenticate() returns error 6: "Permission denied".

The problem manifests itself on a small percentage of our accounts. All 
accounts are created equal, using a script.
The accounts have a valid md5-crypted password. Changing the password doesn't 
work (the account remains locked/unusable).

Failing accounts can be old accounts (from before installing the server) or new 
accounts.

The accounts do work on other servers with older PAM versions (such as 
0.99.6.3-29.1).

The accounts are listed correctly by both 'ypcat passwd' and 'getent passwd'.

The accounts never expire and aren't locked.

"Permission denied" on pam_authenticate() is undocumented.

The problem manifests itself on all services.

The configuration of the machine:

auth    required        pam_env.so
auth    sufficient      pam_unix2.so
auth    sufficient      pam_ldap.so     use_first_pass

----

nsswitch.conf:
passwd: files nis ldap
shadow: files nis ldap

----

opensuse 11.0 with pam 1.0.1-8.1

I'm at a loss here. I've got no clue where to find the problem. Any pointers 
would be greatly appreciated.

-- 
Kind regards,


Erik Hensema / HostingXS Internet Services
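
Added example, not part of the original post: a simplified Python model of how Linux-PAM combines module results for the auth stack quoted above. It assumes pam_env.so returns PAM_IGNORE from its authenticate hook and uses constructed failure codes for pam_unix2.so and pam_ldap.so. It shows that when no module in this stack gives a verdict, the reported code is the library's fail-closed default, 6 (PAM_PERM_DENIED), so the value alone does not say which module rejected the account or why.

```python
# Simplified model of Linux-PAM stack evaluation (illustrative, not libpam code).
# Numeric values follow Linux-PAM's public headers.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 6, 7
PAM_USER_UNKNOWN, PAM_IGNORE = 10, 25

# Legacy control keywords in their documented bracket form.
CONTROLS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "default": "ignore"},
}

# The auth stack quoted in the post.
STACK = [("required", "pam_env.so"),
         ("sufficient", "pam_unix2.so"),
         ("sufficient", "pam_ldap.so")]

def evaluate(stack, results):
    """Model the code the auth stack reports for the given module results."""
    status, impression = PAM_PERM_DENIED, None  # fail-closed until a module decides
    for control, module in stack:
        ret = results[module]
        key = {PAM_SUCCESS: "success", PAM_IGNORE: "ignore"}.get(ret, "default")
        rules = CONTROLS[control]
        action = rules.get(key, rules["default"])
        if action in ("ok", "done"):
            if impression is None:
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break  # a sufficient module succeeded with no earlier failure
        elif action == "bad":
            if impression != "negative":
                impression, status = "negative", ret
        # action == "ignore": this module's result does not affect the outcome
    return status

# Constructed module results; pam_env.so returning PAM_IGNORE is an assumption.
LOCAL_OK = {"pam_env.so": PAM_IGNORE, "pam_unix2.so": PAM_SUCCESS,
            "pam_ldap.so": PAM_USER_UNKNOWN}
BOTH_FAIL = {"pam_env.so": PAM_IGNORE, "pam_unix2.so": PAM_AUTH_ERR,
             "pam_ldap.so": PAM_USER_UNKNOWN}

if __name__ == "__main__":
    print("pam_unix2 accepts:", evaluate(STACK, LOCAL_OK))
    print("both backends reject:", evaluate(STACK, BOTH_FAIL))
```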