From owner-freebsd-current@FreeBSD.ORG Sun Nov 21 20:37:38 2004 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8498716A4CE for ; Sun, 21 Nov 2004 20:37:38 +0000 (GMT) Received: from mail.evip.pl (mail.evip.com.pl [212.244.157.179]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8B74943D49 for ; Sun, 21 Nov 2004 20:37:37 +0000 (GMT) (envelope-from w@evip.pl) Received: from drwebc by mail.evip.pl with drweb-scanned (Exim 4.22) id 1CVySj-000OtU-U4; Sun, 21 Nov 2004 21:37:33 +0100 Received: from w by mail.evip.pl with local (Exim 4.22) id 1CVySj-000OtO-Qh; Sun, 21 Nov 2004 21:37:33 +0100 Date: Sun, 21 Nov 2004 21:37:33 +0100 From: Wiktor Niesiobedzki To: Dan Nelson Message-ID: <20041121203733.GF3584@mail.evip.pl> References: <419CD314.80900@fer.hr> <20041118171012.GB19265@dan.emsphone.com> <20041120222325.GC17297@lb.tenfour> <20041121020745.GC94473@dan.emsphone.com> <20041121144905.GE3584@mail.evip.pl> <20041121174033.GA3019@dan.emsphone.com> <20041121195626.GA8805@dan.emsphone.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20041121195626.GA8805@dan.emsphone.com> User-Agent: Mutt/1.5.6i cc: FreeBSD Current Users Subject: Re: Replacing passwd? X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 21 Nov 2004 20:37:38 -0000 On Sun, Nov 21, 2004 at 01:56:26PM -0600, Dan Nelson wrote: > In the last episode (Nov 21), Dan Nelson said: > > In the last episode (Nov 21), Wiktor Niesiobedzki said: > > > I was playing with it today and removing errx function allows passwd > > > to change the password, but the other problem I step on is: How to > > > properly configure /etc/pam.d/passwd > > > > > > The configuration, which I have now is simply: > > > password sufficient /usr/local/lib/pam_ldap.so > > > password sufficient pam_unix.so no_warn try_first_pass nullok > > > > You probably don't need pam_unix in there at all, since there's no way > > it'll work (no local passwd entry). > > I take that back; you do want it, so you can change root's password. > But you need to make it "required", not sufficient. It's a quirk of > how pam works, I think, but the last entry cannot be marked > "sufficient". That was my first try, but then I got: % ./passwd Enter login(LDAP) password: passwd: sorry: pam_chauthtok - permission denied (The error message from passwd I added by myself in pam_check macro, so in case of pam_err == PAM_AUTH_ERR || pam_err == PAM_PERM_DENIED || pam_err == PAM_AUTHTOK_RECOVERY_ERR it also prints the func, as well as error message) Is this a bug in pam? (After checking token in module marked sufficient and returing with no error, we go to required module?). In this configuration I just don't quite follow, what happens, because as far as I have debuged pam_ldap.so, it returns from pam_sm_chauthtok with no error... Cheers, Wiktor Niesiobedzki