change session's login shell

Gary Algier gaa at ulticom.com
Tue Jul 26 14:37:19 UTC 2011



On 07/26/11 10:10, Frank Van Damme wrote:
> Op 26-07-11 02:34, Gary Algier schreef:
>> On Jul 25, 2011, at 17:24, Tim Nowaczyk<tan7f at virginia.edu>  wrote:
>>
>>>
>>> On Jul 25, 2011, at 5:04 PM, Frank Van Damme wrote:
>>>> So they each use their own methods like grepping /etc/passwd, doing
>>>> ldap lookups, or whatever it takes to come up with a shell - like
>>>> "nothing" in the case of obscure authentication methods that the
>>>> application happens to know nothing about?
>>>>
>>> This is out of scope for the pam list, but you should know that you can simply call getpwnam so you don't have to grep /etc/passwd.  Many large installations don't even have most of their users in /etc/passwd, but use NIS or LDAP instead.  getpwnam uses NSS to get all the users/passwords/groups.  Your initial feature request might be able to be implemented by writing a custom NSS module. [1]
>>>
>>> Cheers,
>>> Tim Nowaczyk
>>>
>>> [1] http://www.gnu.org/s/hello/manual/libc/Extending-NSS.html#Extending-NSS
>>
>> Actually this is already handled in most NIS and some LDAP Implementations using a syntax like:
>>       +@group::::::/bin/myshell    (I may be off on the number of colons).
>> in the /etc/passwd file.  Read the docs for your platform's passwd
>> file syntax and the nsswitch.conf file.  Solaris can do this, your
>> mileage may vary.
>>
>> Fat fingered from my iPad -- miscorrections happen.
>
> Oh, so it's nss providing that info. You got the number of colons
> right, by the way - the syntax details about /etc/passwd can be found in
> nsswitch.conf's man page (...).
>
> So for the googler: specify "compat" as a service to "passwd" in
> /etc/nsswitch.conf, and "ldap" as a service to "passwd_compat".
>
> I set it up now with passwd/group/shadow_compat set to "ldap" and
> putting a plus in /etc/passwd works, +user works, but +@groupname does
> not. I don't get the group's members as output in "getent passwd", even
> if the group is a local group.
>

The groups need to be defined as _netgroups_, not posix groups.  Yet another 
Sun-ism.

-- 
Gary Algier, WB2FWZ          gaa at ulticom.com             +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054      Fax:+1 856 866 2033

Nielsen's First Law of Computer Manuals:
     People don't read documentation voluntarily.
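As an added example that is not part of this thread and not any poster's code: a small C program that classifies /etc/passwd lines written in the nss_compat syntax discussed above (bare +, +user, +@netgroup, the matching - exclusion forms, and the optional login-shell override in the seventh field) and then resolves a login shell through getpwnam(3), so that NSS (files, NIS, LDAP, compat) supplies the shell instead of a grep of /etc/passwd. The sample lines, the netgroup names and the nsswitch.conf fragment in the comments are constructed for the example; the enum, struct and function names are my own, not a libc API.

```c
/* Added example, not from the thread: classify /etc/passwd lines in
 * nss_compat syntax and resolve a login shell via NSS with getpwnam(3).
 * Constructed nsswitch.conf for the setup the thread describes:
 *   passwd:        compat
 *   passwd_compat: ldap
 */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <pwd.h>

enum compat_kind {
    COMPAT_PLAIN,    /* ordinary seven-field passwd entry             */
    COMPAT_ALL,      /* bare "+": include every user from the source  */
    COMPAT_USER,     /* "+name" / "-name": a single user              */
    COMPAT_NETGROUP  /* "+@name" / "-@name": members of a *netgroup*  */
};

struct compat_entry {
    enum compat_kind kind;
    int exclude;      /* 1 for "-" forms, 0 otherwise                    */
    char name[64];    /* user or netgroup name; empty for a bare "+"     */
    char shell[128];  /* seventh field; for +/- entries it is an override */
};

static void copy_field(char *dst, size_t cap, const char *src, size_t len)
{
    if (len >= cap)
        len = cap - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Returns 0 and fills *out, or -1 for a line nss_compat would not accept. */
int parse_compat_line(const char *line, struct compat_entry *out)
{
    const char *fields[7];
    size_t lens[7];
    int n = 0;
    const char *p = line;

    memset(out, 0, sizeof *out);
    while (n < 7) {                          /* split on ':' into at most 7 fields */
        const char *colon = strchr(p, ':');
        fields[n] = p;
        lens[n] = colon ? (size_t)(colon - p) : strlen(p);
        n++;
        if (!colon)
            break;
        p = colon + 1;
    }
    if (lens[n - 1] > 0 && fields[n - 1][lens[n - 1] - 1] == '\n')
        lens[n - 1]--;                       /* drop a trailing newline */
    if (n == 7)                              /* shell override lives in field 7 */
        copy_field(out->shell, sizeof out->shell, fields[6], lens[6]);

    if (lens[0] == 0)
        return -1;
    if (fields[0][0] == '+' || fields[0][0] == '-') {
        out->exclude = fields[0][0] == '-';
        if (lens[0] == 1) {
            out->kind = COMPAT_ALL;          /* "+" alone pulls in all source users */
            return out->exclude ? -1 : 0;    /* a bare "-" is meaningless */
        }
        if (fields[0][1] == '@') {
            out->kind = COMPAT_NETGROUP;     /* names a netgroup, not a POSIX group */
            copy_field(out->name, sizeof out->name, fields[0] + 2, lens[0] - 2);
        } else {
            out->kind = COMPAT_USER;
            copy_field(out->name, sizeof out->name, fields[0] + 1, lens[0] - 1);
        }
        return out->name[0] ? 0 : -1;        /* "+@" with no name is invalid */
    }
    if (n != 7)
        return -1;                           /* a real entry needs all seven fields */
    out->kind = COMPAT_PLAIN;
    copy_field(out->name, sizeof out->name, fields[0], lens[0]);
    return 0;
}

/* The shell a login program should use: whatever NSS returns for the user
 * (files, NIS, LDAP, compat overrides included), never a grep of /etc/passwd.
 * Returns NULL when no source knows the user. */
const char *shell_for_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    return pw ? pw->pw_shell : NULL;
}

int main(void)
{
    /* Constructed sample lines in compat syntax. */
    const char *lines[] = {
        "root:x:0:0:root:/root:/bin/bash",
        "+frank::::::",                       /* one LDAP user, shell from LDAP    */
        "+@admins::::::/bin/myshell",         /* netgroup members get /bin/myshell */
        "-@contractors::::::",                /* exclude a whole netgroup          */
        "+",                                  /* everyone else from LDAP           */
    };
    static const char *kinds[] = { "plain", "all", "user", "netgroup" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct compat_entry e;
        if (parse_compat_line(lines[i], &e) != 0) {
            printf("%-30s invalid\n", lines[i]);
            continue;
        }
        printf("%-30s %s%s %s shell=%s\n", lines[i], e.exclude ? "-" : "+",
               kinds[e.kind], e.name, e.shell[0] ? e.shell : "(from source)");
    }
    const char *sh = shell_for_user("root");
    printf("getpwnam(\"root\") -> %s\n", sh ? sh : "(not found)");
    return 0;
}
```

The parser only explains what each line asks nss_compat to do; whether "+@admins" actually expands to anyone depends on the netgroup being resolvable (a POSIX group of the same name is ignored, which is the symptom Frank saw), and `shell_for_user` is the check a login program should perform instead of reading the file itself.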




More information about the Pam-list mailing list