Date: Sun, 21 Nov 2004 15:49:05 +0100
From: Wiktor Niesiobedzki <bsd@w.evip.pl>
To: Dan Nelson <dnelson@allantgroup.com>
Cc: Dick Davies <rasputnik@hellooperator.net>
Subject: Re: Replacing passwd?
Message-ID: <20041121144905.GE3584@mail.evip.pl>
In-Reply-To: <20041121020745.GC94473@dan.emsphone.com>
References: <419CD314.80900@fer.hr> <20041118171012.GB19265@dan.emsphone.com> <20041120222325.GC17297@lb.tenfour> <20041121020745.GC94473@dan.emsphone.com>
On Sat, Nov 20, 2004 at 08:07:45PM -0600, Dan Nelson wrote:
> > When did that come in? I can't get passwd(1) to change an ldap password, I get:
> >
> > rasputnik@eris:rasputnik$ passwd
> > passwd: Sorry, `passwd' can only change passwords for local or NIS users.
> > rasputnik@eris:rasputnik$ uname -a
> > FreeBSD eris 5.3-STABLE FreeBSD 5.3-STABLE #4: Mon Oct 25 18:03:11 BST 2004 root@eris:/usr/obj/usr/src/sys/ERIS i386
> > rasputnik@eris:rasputnik$
> >
> > - this is an nss_ldap nsswitched account, logged in over ssh (pam_ldap auth).
>
> Weird. There's definitely a lot of PAM code in passwd.c. What happens
> if you comment out the errx() function that prints that error (line
> 124)?
>
I was playing with it today and removing the errx() function allows passwd to
change the password, but the other problem I stepped on is: how to properly
configure /etc/pam.d/passwd?

The configuration which I have now is simply:

password sufficient /usr/local/lib/pam_ldap.so
password sufficient pam_unix.so no_warn try_first_pass nullok

But it will give strange results, for example:

% ./passwd
Enter login(LDAP) password: <correct password>
New password: <short password>
Password too short
New password: <same short password>
Password too short
New password: <same short password>
Password too short
New Password: <same short password [1]>
Retype New Password: <same short password>

As we may see, after three failures to get the new password we switch to
pam_unix, which tries to change the user, which does not exist in
/etc/master.passwd.

Or:

% ./passwd
Changing 0 password
Enter login(LDAP) password: <wrong password>
LDAP Password incorrect: try again
Enter login(LDAP) password: <wrong password>
LDAP Password incorrect: try again
Enter login(LDAP) password: <wrong password>
LDAP Password incorrect: try again
Old Password: <anything>
New Password: <new password>
Retype New Password: <the same string>

Which obviously does not result in any password change, as pam_unix tries to
change the password.

My goal is to have some local users, and some users coming from LDAP, and it
would be best if all of them could change their password through passwd.

Does this behaviour of passwd show a problem within pam_unix (as it does not
check whether the user exists in master.passwd, only by _PWF_SOURCE)? Maybe
there is a need to implement is_user_of_this_auth_method or something like
that?

Cheers,

Wiktor Niesiobedzki
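As an added illustration, not part of the thread: a small Python model of how a PAM password stack with these control flags is walked (a sufficient success ends the chain, a sufficient failure is skipped, a required failure is remembered, a requisite failure aborts), run against the two-line /etc/pam.d/passwd above. The user sets, module outcomes and the pam_unix stand-in are constructed assumptions, and OpenPAM's special cases (such as PAM_PRELIM_CHECK handling) are not modelled.

```python
"""Toy model of PAM control-flag dispatch for a 'password' stack.
Constructed example, not code from the thread or from OpenPAM: module
behaviours and user sets are stand-ins; OpenPAM special cases are omitted."""

SUCCESS, AUTHTOK_ERR, USER_UNKNOWN = "PAM_SUCCESS", "PAM_AUTHTOK_ERR", "PAM_USER_UNKNOWN"

def run_stack(stack, user, modules):
    """Walk stack = [(control_flag, module_name), ...] for user.
    Returns (final_result, names of modules that were actually dispatched)."""
    required_err, first_err, nsuccess, called = None, None, 0, []
    for flag, name in stack:
        called.append(name)
        r = modules[name](user)
        if r == SUCCESS:
            nsuccess += 1
            if flag == "sufficient" and required_err is None:
                break                      # sufficient success: chain ends here
            continue
        first_err = first_err or r
        if flag == "requisite":
            return r, called               # requisite failure: abort immediately
        if flag == "required" and required_err is None:
            required_err = r               # remembered, but the chain goes on
        # a failing 'sufficient'/'optional' module is simply skipped over
    if required_err:
        return required_err, called
    return (SUCCESS if nsuccess else first_err), called

# constructed account sources: which backend knows which user
LDAP_USERS, LOCAL_USERS = {"rasputnik"}, {"root"}

def module_that_checks_source(known_users, outcome):
    """Module that first asks 'is this user mine?' (the
    is_user_of_this_auth_method idea) and only then acts."""
    return lambda user: outcome if user in known_users else USER_UNKNOWN

def pam_unix_as_observed(user):
    """Stand-in for the behaviour the post describes: pam_unix goes ahead
    (prompting Old/New Password) without checking master.passwd first."""
    return AUTHTOK_ERR

PAGE_STACK = [("sufficient", "pam_ldap"), ("sufficient", "pam_unix")]

def scenario(user, ldap_outcome, unix_checks_source, stack=PAGE_STACK):
    modules = {
        "pam_ldap": module_that_checks_source(LDAP_USERS, ldap_outcome),
        "pam_unix": (module_that_checks_source(LOCAL_USERS, SUCCESS)
                     if unix_checks_source else pam_unix_as_observed),
    }
    return run_stack(stack, user, modules)
```

With the page's stack, an LDAP user whose pam_ldap change fails is still handed to pam_unix; making pam_ldap requisite instead would lock local users out at the first module.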
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041121144905.GE3584>