From: Wiktor Niesiobedzki
To: Dan Nelson
cc: FreeBSD Current Users
cc: Dick Davies
Date: Sun, 21 Nov 2004 15:49:05 +0100
Subject: Re: Replacing passwd?
Message-ID: <20041121144905.GE3584@mail.evip.pl>
In-Reply-To: <20041121020745.GC94473@dan.emsphone.com>

On Sat, Nov 20, 2004 at 08:07:45PM -0600, Dan Nelson wrote:
> > When did that come in? I can't get passwd(1) to change an ldap password, I get:
> >
> > rasputnik@eris:rasputnik$ passwd
> > passwd: Sorry, `passwd' can only change passwords for local or NIS users.
> > rasputnik@eris:rasputnik$ uname -a
> > FreeBSD eris 5.3-STABLE FreeBSD 5.3-STABLE #4: Mon Oct 25 18:03:11 BST 2004 root@eris:/usr/obj/usr/src/sys/ERIS i386
> > rasputnik@eris:rasputnik$
> >
> > - this is an nss_ldap nsswitched account, logged in over ssh (pam_ldap auth).
>
> Weird. There's definitely a lot of PAM code in passwd.c. What happens
> if you comment out the errx() function that prints that error (line
> 124)?
>
I was playing with it today and removing the errx() function allows passwd
to change the password, but the other problem I stepped on is: how to
properly configure /etc/pam.d/passwd.

The configuration which I have now is simply:

    password sufficient /usr/local/lib/pam_ldap.so
    password sufficient pam_unix.so no_warn try_first_pass nullok

But it will give strange results, for example:

    % ./passwd
    Enter login(LDAP) password:
    New password:
    Password too short
    New password:
    Password too short
    New password:
    Password too short
    New Password:
    Retype New Password:

As we may see, after three failures to get the new password we switch to
pam_unix, which tries to change the user, which does not exist in
/etc/master.passwd.

Or:

    % ./passwd
    Changing 0 password
    Enter login(LDAP) password:
    LDAP Password incorrect: try again
    Enter login(LDAP) password:
    LDAP Password incorrect: try again
    Enter login(LDAP) password:
    LDAP Password incorrect: try again
    Old Password:
    New Password:
    Retype New Password:

Which obviously does not result in any password change, as pam_unix tries
to change the password.

My goal is to have some local users and some users coming from LDAP, and it
would be best if all of them could change their password through passwd.

Does this behaviour of passwd show a problem within pam_unix (as it does
not check whether the user exists in master.passwd, only by _PWF_SOURCE)?
Maybe there is a need to implement is_user_of_this_auth_method or something
like that?

Cheers,

Wiktor Niesiobedzki
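The fall-through Wiktor sees is exactly what the PAM control flags prescribe: a failing "sufficient" module is ignored and the stack continues to the next entry. The following toy model, added here as an illustration and not code from the thread or from FreeBSD, walks a password stack with the standard sufficient/requisite/required rules. The user sets (rasputnik in LDAP, alice local) and the module behaviour (a backend that does not know the user answers PAM_USER_UNKNOWN; the prompts pam_unix emits before failing are not modelled) are constructed assumptions. It goes slightly beyond the mail by also running the stack with pam_ldap marked "requisite", which stops the fall-through for LDAP users but locks local users out, the mixed-user tension the mail describes.

```python
"""Toy model of PAM 'password' stack evaluation for the two-line
/etc/pam.d/passwd from the mail. Added illustration; backends and users
are constructed stand-ins, not real pam_ldap / pam_unix."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"

# Constructed backends: which users each module can change a password for.
LDAP_USERS = {"rasputnik"}
LOCAL_USERS = {"alice"}

# The stack from the mail: two 'sufficient' entries, LDAP first.
STACK_FROM_MAIL = [
    ("sufficient", "pam_ldap"),
    ("sufficient", "pam_unix"),
]

# Variant for comparison: a failing pam_ldap ends the stack at once.
STACK_LDAP_REQUISITE = [
    ("requisite", "pam_ldap"),
    ("sufficient", "pam_unix"),
]


def call_module(module, user, old_password_ok):
    """Simulate one module's pam_sm_chauthtok() result (assumption: a
    backend that does not know the user reports PAM_USER_UNKNOWN)."""
    known = LDAP_USERS if module == "pam_ldap" else LOCAL_USERS
    if user not in known:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if old_password_ok else PAM_AUTH_ERR


def run_stack(stack, user, old_password_ok=True):
    """Evaluate the stack with standard control-flag semantics.

    Returns (final_result, [modules that were actually consulted]).
    """
    consulted = []
    required_failure = None   # first failure of a 'required' entry
    last_failure = None
    succeeded = False
    for control, module in stack:
        consulted.append(module)
        rc = call_module(module, user, old_password_ok)
        if rc == PAM_SUCCESS:
            succeeded = True
            # A successful 'sufficient' module ends the stack, unless a
            # 'required' module already failed earlier.
            if control == "sufficient" and required_failure is None:
                return PAM_SUCCESS, consulted
            continue
        last_failure = rc
        if control == "requisite":
            return rc, consulted              # stop immediately
        if control == "required":
            required_failure = required_failure or rc
        # 'sufficient' (or 'optional') failure: ignored, keep walking.
    if required_failure is not None:
        return required_failure, consulted
    if succeeded:
        return PAM_SUCCESS, consulted
    return last_failure, consulted


if __name__ == "__main__":
    cases = [
        (STACK_FROM_MAIL, "rasputnik", True),    # LDAP user, good password
        (STACK_FROM_MAIL, "rasputnik", False),   # LDAP user, wrong password
        (STACK_FROM_MAIL, "alice", True),        # local user
        (STACK_LDAP_REQUISITE, "rasputnik", False),
        (STACK_LDAP_REQUISITE, "alice", True),
    ]
    for stack, user, ok in cases:
        result, consulted = run_stack(stack, user, ok)
        flags = "/".join(c for c, _ in stack)
        print(f"{flags:22} {user:10} old_pw_ok={ok!s:5} -> {result:16} via {consulted}")
```

The second case is the mail's "Old Password:" transcript: pam_ldap fails, "sufficient" swallows the failure, and pam_unix is consulted for a user that only LDAP knows. The last case shows why "requisite" alone is not the answer for a mixed local/LDAP setup: alice never reaches pam_unix.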