change session's login shell

Frank Van Damme frank.vandamme at gmail.com
Tue Jul 26 14:10:49 UTC 2011


On 26-07-11 02:34, Gary Algier wrote:
> On Jul 25, 2011, at 17:24, Tim Nowaczyk <tan7f at virginia.edu> wrote:
> 
>>
>> On Jul 25, 2011, at 5:04 PM, Frank Van Damme wrote:
>>> So they each use their own methods like grepping /etc/passwd, doing
>>> ldap lookups, or whatever it takes to come up with a shell - like
>>> "nothing" in the case of obscure authentication methods that the
>>> application happens to know nothing about?
>>>
>> This is out of scope for the pam list, but you should know that you can simply call getpwnam so you don't have to grep /etc/passwd.  Many large installations don't even have most of their users in /etc/passwd, but use NIS or LDAP instead.  getpwnam uses NSS to get all the users/passwords/groups.  Your initial feature request might be able to be implemented by writing a custom NSS module. [1]
>>
>> Cheers,
>> Tim Nowaczyk
>>
>> [1] http://www.gnu.org/s/hello/manual/libc/Extending-NSS.html#Extending-NSS
> 
> Actually this is already handled in most NIS and some LDAP Implementations using a syntax like:
>      +@group::::::/bin/myshell    (I may be off on the number of colons).
> in the /etc/passwd file.  Read the docs for your platform's passwd
> file syntax and the nsswitch.conf file.  Solaris can do this, your
> mileage may vary.
> 
> Fat fingered from my iPad -- miscorrections happen.

Oh, so it's nss providing that info. You got the number of colons
right, by the way - the syntax details about /etc/passwd can be found in
nsswitch.conf's man page (...).

So for the googler: specify "compat" as a service to "passwd" in
/etc/nsswitch.conf, and "ldap" as a service to "passwd_compat".

I set it up now with passwd/group/shadow_compat set to "ldap" and
putting a plus in /etc/passwd works, +user works, but +@groupname does
not. I don't get the group's members as output in "getent passwd", even
if the group is a local group.

-- 
No part of this copyright message may be reproduced, read or seen,
dead or alive or by any means, including but not limited to telepathy
without the benevolence of the author.
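The compat-mode syntax discussed in this thread (nsswitch.conf with `passwd: compat` and `passwd_compat: ldap`, plus `+`, `+user`, `-user` and `+@name` lines in /etc/passwd) is easier to reason about with a small simulation of how glibc's nss_compat merges the local file with the remote source. The following is an added example written for this archive page, not code from glibc or from anyone in the thread. The local passwd file, the "LDAP" entries and the netgroup table are constructed sample data; the user names, UIDs and shells are made up. Two behaviours it mirrors from glibc's documented compat mode: a `+entry` may override only the passwd, gecos, home-directory and shell fields (uid/gid always come from the remote source), and `+@name` consults the netgroup database, not membership in /etc/group.

```python
"""Simulated glibc 'compat' merge of /etc/passwd with a passwd_compat source.

Constructed example: the local file, the remote directory entries and the
netgroup table below are sample data, not taken from any real system.
"""
from typing import Dict, List, Optional, Set

FIELDS = ["name", "passwd", "uid", "gid", "gecos", "dir", "shell"]
# A +entry in compat mode can override only these fields; uid and gid are
# always taken from the remote (passwd_compat) source.
OVERRIDABLE = ("passwd", "gecos", "dir", "shell")

# Constructed /etc/passwd in compat syntax.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
-alice
+bob::::::/bin/myshell
+@admins::::::/bin/zsh
+
"""

# Constructed entries as the passwd_compat source (ldap or nis) would return them.
REMOTE_PASSWD = [
    "alice:x:1001:1001:Alice:/home/alice:/bin/bash",
    "bob:x:1002:1002:Bob:/home/bob:/bin/bash",
    "carol:x:1003:1003:Carol:/home/carol:/bin/bash",
    "dave:x:1004:1004:Dave:/home/dave:/bin/bash",
]

# Constructed netgroup table: +@name is resolved here, not in /etc/group.
NETGROUPS: Dict[str, Set[str]] = {"admins": {"carol"}}


def parse_entry(line: str) -> Dict[str, str]:
    """Split one colon-separated passwd line into a field dict."""
    parts = line.split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed passwd line: {line!r}")
    return dict(zip(FIELDS, parts))


def format_entry(entry: Dict[str, str]) -> str:
    return ":".join(entry[f] for f in FIELDS)


def with_overrides(remote: Dict[str, str], overrides: Dict[str, str]) -> Dict[str, str]:
    """Apply the non-empty overridable fields of a +entry onto a remote entry."""
    merged = dict(remote)
    for field in OVERRIDABLE:
        if overrides.get(field):
            merged[field] = overrides[field]
    return merged


def compat_merge(local_text: str, remote_lines: List[str],
                 netgroups: Dict[str, Set[str]]) -> List[str]:
    """Return the passwd lines 'getent passwd' would show under compat mode."""
    remote = {e["name"]: e for e in map(parse_entry, remote_lines)}
    out: List[str] = []
    seen: Set[str] = set()
    excluded: Set[str] = set()

    def emit(name: str, overrides: Dict[str, str]) -> None:
        # A user is listed once, and never if an earlier -entry excluded it.
        if name in remote and name not in seen and name not in excluded:
            out.append(format_entry(with_overrides(remote[name], overrides)))
            seen.add(name)

    for raw in local_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] not in "+-":
            entry = parse_entry(line)          # ordinary local entry
            out.append(format_entry(entry))
            seen.add(entry["name"])
            continue
        sign, rest = line[0], line[1:].split(":")
        spec = rest[0]
        overrides = dict(zip(FIELDS[1:], rest[1:]))
        if spec.startswith("@"):
            members = netgroups.get(spec[1:], set())   # +@netgroup / -@netgroup
        elif spec:
            members = {spec}                           # +user / -user
        else:
            members = set(remote)                      # bare '+': everyone not excluded
        if sign == "-":
            excluded |= members
        else:
            for name in sorted(members):
                emit(name, overrides)
    return out


def getpwnam(merged: List[str], name: str) -> Optional[Dict[str, str]]:
    """Look a user up in the merged view, the way getpwnam(3) does through NSS."""
    for line in merged:
        entry = parse_entry(line)
        if entry["name"] == name:
            return entry
    return None


if __name__ == "__main__":
    for line in compat_merge(LOCAL_PASSWD, REMOTE_PASSWD, NETGROUPS):
        print(line)
```

Running it lists root, then bob with `/bin/myshell`, carol with `/bin/zsh` (via the `admins` netgroup), then dave picked up by the bare `+`; alice never appears because the `-alice` line comes first. A `+@name` whose name exists only in /etc/group matches no netgroup and therefore adds nobody, which is the check to make when `getent passwd` shows no members for such a line.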