Date:      Sun, 21 Nov 2004 15:49:05 +0100
From:      Wiktor Niesiobedzki <bsd@w.evip.pl>
To:        Dan Nelson <dnelson@allantgroup.com>
Cc:        Dick Davies <rasputnik@hellooperator.net>
Subject:   Re: Replacing passwd?
Message-ID:  <20041121144905.GE3584@mail.evip.pl>
In-Reply-To: <20041121020745.GC94473@dan.emsphone.com>
References:  <419CD314.80900@fer.hr> <20041118171012.GB19265@dan.emsphone.com> <20041120222325.GC17297@lb.tenfour> <20041121020745.GC94473@dan.emsphone.com>

On Sat, Nov 20, 2004 at 08:07:45PM -0600, Dan Nelson wrote:
> > When did that come in? I can't get passwd(1) to change an ldap password, I get:
> > 
> > rasputnik@eris:rasputnik$ passwd
> > passwd: Sorry, `passwd' can only change passwords for local or NIS users.
> > rasputnik@eris:rasputnik$ uname -a
> > FreeBSD eris 5.3-STABLE FreeBSD 5.3-STABLE #4: Mon Oct 25 18:03:11 BST 2004     root@eris:/usr/obj/usr/src/sys/ERIS  i386
> > rasputnik@eris:rasputnik$ 
> > 
> >  - this is an nss_ldap nsswitched account, logged in over ssh (pam_ldap auth).
> 
> Weird.  There's definitely a lot of PAM code in passwd.c.  What happens
> if you comment out the errx() function that prints that error (line
> 124)?
> 
I was playing with it today and removing the errx function allows passwd to change
the password, but the other problem I stepped on is:
How to properly configure /etc/pam.d/passwd

The configuration, which I have now is simply:
password        sufficient      /usr/local/lib/pam_ldap.so
password        sufficient      pam_unix.so             no_warn try_first_pass nullok


But it will give strange results, for example:
% ./passwd
Enter login(LDAP) password: <correct password>
New password: <short password>
Password too short
New password: <same short password>
Password too short
New password: <same short password>
Password too short
New Password: <same short password [1]>
Retype New Password: <same short password>

As we may see, after three failures to get the new password we switch to
pam_unix, which tries to change the user, which does not exist in
/etc/master.passwd.

Or:
% ./passwd
Changing 0 password
Enter login(LDAP) password: <wrong password>
LDAP Password incorrect: try again
Enter login(LDAP) password: <wrong password>
LDAP Password incorrect: try again 
Enter login(LDAP) password: <wrong password>
LDAP Password incorrect: try again
Old Password: <anything>
New Password: <new password>
Retype New Password: <the same string>

Which obviously does not result in any password change, as pam_unix tries to
change the password.


My goal is to have some local users, and some users coming from LDAP, and it
would be best if all could change their password through passwd.

Does this behaviour of passwd show the problem within pam_unix (as it does
not check whether the user exists in master.passwd - only by _PWF_SOURCE)?

Maybe there is a need to implement is_user_of_this_auth_method or something
like that?


Cheers,

Wiktor Niesiobedzki



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041121144905.GE3584>
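The two-line /etc/pam.d/passwd stack quoted in the mail and the two transcripts that follow it (pam_unix prompting after pam_ldap gives up, and pam_unix prompting a user it cannot find) come down to how PAM combines results across a chain of `sufficient` entries. The following is an added example written for this thread, not code from the mail, from FreeBSD or from OpenPAM: a small Python model of PAM chain dispatch with the usual control flags, driven by two constructed stand-in modules (`pam_ldap`, `pam_unix`) that only record the prompts they would issue and return a status. The user sets (`LDAP_USERS`, `LOCAL_USERS`), the `run_passwd` helper and the `ldap_flag` parameter are assumptions for the demonstration; `ldap_flag` goes beyond the mail by letting you trace what `requisite` would do to the same stack (it stops pam_unix from prompting after a pam_ldap failure, but then locks out the local users the mail also wants to serve).

```python
"""Simplified model of how a PAM 'password' stack is walked.

Added example for this thread; not code from the mail, from FreeBSD or from
OpenPAM. Control-flag handling is a simplified reading of PAM semantics
(required / requisite / sufficient / optional). The modules are constructed
stand-ins: nothing here talks to LDAP or reads master.passwd.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"
USER_UNKNOWN = "PAM_USER_UNKNOWN"

LDAP_USERS = {"wiktor"}     # constructed: accounts served by nss_ldap / pam_ldap
LOCAL_USERS = {"root"}      # constructed: accounts present in /etc/master.passwd


@dataclass
class Trace:
    calls: List[Tuple[str, str]] = field(default_factory=list)   # (module, status) in order
    prompts: List[str] = field(default_factory=list)             # prompts the user would see
    result: str = AUTH_ERR


@dataclass
class Entry:
    flag: str                               # required | requisite | sufficient | optional
    module: str                             # module name as it appears in /etc/pam.d/passwd
    run: Callable[[str, Trace], str]        # stand-in for the module's password-change entry point


def pam_ldap(user: str, trace: Trace, new_password_ok: bool) -> str:
    """Constructed pam_ldap: unknown to LDAP -> USER_UNKNOWN, else prompt and check."""
    if user not in LDAP_USERS:
        return USER_UNKNOWN
    trace.prompts += ["Enter login(LDAP) password:", "New password:"]
    return SUCCESS if new_password_ok else AUTH_ERR


def pam_unix(user: str, trace: Trace) -> str:
    """Constructed pam_unix that prompts before looking the user up, as the mail reports."""
    trace.prompts += ["Old Password:", "New Password:", "Retype New Password:"]
    return SUCCESS if user in LOCAL_USERS else USER_UNKNOWN


def dispatch(stack: List[Entry], user: str, trace: Trace) -> Trace:
    """Walk the stack in order and combine each module's status per its control flag."""
    required_failure: Optional[str] = None
    successes = 0
    for entry in stack:
        status = entry.run(user, trace)
        trace.calls.append((entry.module, status))
        if status == SUCCESS:
            successes += 1
        if entry.flag == "required" and status != SUCCESS:
            # Remember the first failure, but keep walking so later modules still run.
            required_failure = required_failure or status
        elif entry.flag == "requisite" and status != SUCCESS:
            trace.result = required_failure or status
            return trace                      # stop immediately
        elif entry.flag == "sufficient" and status == SUCCESS and required_failure is None:
            trace.result = SUCCESS
            return trace                      # success short-circuits the rest of the stack
        # A failing 'sufficient' entry is ignored: the next module gets its turn.
        # 'optional' never decides the outcome.
    if required_failure is not None:
        trace.result = required_failure
    elif successes:
        trace.result = SUCCESS
    else:
        trace.result = trace.calls[-1][1] if trace.calls else AUTH_ERR
    return trace


def run_passwd(user: str, new_password_ok: bool = True, ldap_flag: str = "sufficient") -> Trace:
    """Trace the stack from the mail: pam_ldap then pam_unix, both 'sufficient' by default."""
    trace = Trace()
    stack = [
        Entry(ldap_flag, "pam_ldap.so", lambda u, t: pam_ldap(u, t, new_password_ok)),
        Entry("sufficient", "pam_unix.so", pam_unix),
    ]
    return dispatch(stack, user, trace)


if __name__ == "__main__":
    for user, ok, flag in [("wiktor", False, "sufficient"), ("wiktor", True, "sufficient"),
                           ("root", True, "sufficient"), ("root", True, "requisite")]:
        t = run_passwd(user, ok, flag)
        print(f"{user:7} ldap={flag:10} ok={ok!s:5} -> {t.result}; modules: {[m for m, _ in t.calls]}")
```

With both entries `sufficient`, a pam_ldap failure is simply ignored and pam_unix is consulted next, which is exactly the "Old Password:" prompt the mail shows for an account that only exists in LDAP; the chain only ends early when one module succeeds. The trace also makes the trade-off visible: tightening pam_ldap to `requisite` removes the stray pam_unix prompt but returns USER_UNKNOWN for every local account, which is why the poster is asking for a per-user "does this module own this account" check rather than a different flag.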