Re: Replacing passwd?

From: Wiktor Niesiobedzki <bsd_at_w.evip.pl>
Date: Sun, 21 Nov 2004 21:37:33 +0100
On Sun, Nov 21, 2004 at 01:56:26PM -0600, Dan Nelson wrote:
> In the last episode (Nov 21), Dan Nelson said:
> > In the last episode (Nov 21), Wiktor Niesiobedzki said:
> > > I was playing with it today and removing errx function allows passwd
> > > to change the password, but the other problem I step on is: How to
> > > properly configure /etc/pam.d/passwd
> > > 
> > > The configuration, which I have now is simply:
> > > password        sufficient      /usr/local/lib/pam_ldap.so
> > > password        sufficient      pam_unix.so             no_warn try_first_pass nullok
> > 
> > You probably don't need pam_unix in there at all, since there's no way
> > it'll work (no local passwd entry).
> 
> I take that back; you do want it, so you can change root's password.
> But you need to make it "required", not sufficient.  It's a quirk of
> how pam works, I think, but the last entry cannot be marked
> "sufficient".
That was my first try, but then I got:
% ./passwd 
Enter login(LDAP) password: <correct_password>
passwd: sorry: pam_chauthtok - permission denied

(The error message from passwd I added by myself in pam_check macro, so in
case of pam_err == PAM_AUTH_ERR || pam_err == PAM_PERM_DENIED || pam_err ==
PAM_AUTHTOK_RECOVERY_ERR it also prints the func, as well as error message)


Is this a bug in pam? (After checking token in module marked sufficient and
returing with no error, we go to required module?).

In this configuration I just don't quite follow, what happens, because as far
as I have debuged pam_ldap.so, it returns from pam_sm_chauthtok with no
error...


Cheers,

Wiktor Niesiobedzki
Received on Sun Nov 21 2004 - 19:37:38 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:22 UTC