I'm running a NIS server under Solaris 9, using the passwd.adjunct
map (c2secure). When logged in on a client running Solaris 9 which
uses this NIS server, it's not possible to change the user's password:

    % passwd
    passwd: Changing password for tst
    Enter existing login password: <Enter correct password here>
    passwd: Sorry, wrong passwd
    Permission denied

When changing the server to use passwd/shadow for the passwd map
instead, it works.
The same setup works when the client is running Solaris 8.
Here's some snoop output for both the Solaris 8 and Solaris 9 client.
The traffic occurs before the user even types his old password:

sol8:
    clnt -> srv NIS C MATCH tst in passwd.byname
    srv -> clnt NIS R MATCH OK
    clnt -> srv NIS C MATCH tst in passwd.adjunct.byname
    srv -> clnt NIS R MATCH OK

sol9:
    clnt -> srv NIS C MASTER map passwd.byname in par.test
    srv -> clnt NIS R MASTER OK peer=srv
    clnt -> srv NIS C MATCH tst in passwd.byname
    srv -> clnt NIS R MATCH OK

The Solaris 9 client doesn't ever request the passwd.adjunct map.
This leads to two bug reports on sunsolve, which describe a similar
behaviour (for login, not for passwd):

    4703750 "Login incorrect" in a nis C2security env on Solaris 9 client
    4670947 logins failing when NIS is backend for authentication

They propose a change to /etc/pam.conf to fix the problem. A similar
change for the passwd service in pam.conf fixed my problem, too:

Change:
    passwd auth required pam_passwd_auth.so.1
to
    passwd auth required pam_unix.so.1

I'm reluctant to keep this change in production without really
knowing about the impact this could have on other things. Ideas,
anyone?
The real problem is probably hidden in the pam modules themselves,
anyway. If anybody has information/experiences/etc. with this
problem, I'd be happy to hear about it.
mp.
--
Martin Paul | Systems Administrator
University of Vienna, Austria | http://www.par.univie.ac.at/
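
Added example, not part of the original post: a small Python check that reads snoop summary lines in the format quoted above and reports clients that looked a user up in passwd.byname but never in passwd.adjunct.byname. The client names sol8clnt and sol9clnt and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# NIS MATCH call in snoop summary form, as in the traces quoted in the post:
#   clnt -> srv NIS C MATCH tst in passwd.byname
MATCH_CALL = re.compile(
    r"^\s*(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+NIS\s+C\s+MATCH\s+"
    r"(?P<key>\S+)\s+in\s+(?P<map>\S+)\s*$"
)

def lookups_by_client(lines):
    """Map (client, key) -> set of NIS maps the client queried for that key."""
    seen = defaultdict(set)
    for line in lines:
        m = MATCH_CALL.match(line)
        if m:  # replies (NIS R) and other calls such as MASTER are ignored
            seen[(m["src"], m["key"])].add(m["map"])
    return seen

def missing_adjunct_lookups(lines):
    """Return sorted (client, key) pairs that queried passwd.byname but
    never passwd.adjunct.byname, the map that holds the hash when the
    server runs with passwd.adjunct (C2 security)."""
    return sorted(
        pair for pair, maps in lookups_by_client(lines).items()
        if "passwd.byname" in maps and "passwd.adjunct.byname" not in maps
    )

# Constructed sample: the two traces from the post merged into one capture,
# with the client renamed to sol8clnt / sol9clnt (hypothetical host names).
SAMPLE = """\
sol8clnt -> srv NIS C MATCH tst in passwd.byname
srv -> sol8clnt NIS R MATCH OK
sol8clnt -> srv NIS C MATCH tst in passwd.adjunct.byname
srv -> sol8clnt NIS R MATCH OK
sol9clnt -> srv NIS C MASTER map passwd.byname in par.test
srv -> sol9clnt NIS R MASTER OK peer=srv
sol9clnt -> srv NIS C MATCH tst in passwd.byname
srv -> sol9clnt NIS R MATCH OK
""".splitlines()

if __name__ == "__main__":
    for client, key in missing_adjunct_lookups(SAMPLE):
        print(f"{client}: no passwd.adjunct.byname lookup for user {key}")
```

Running the same check on a capture taken after a pam.conf change shows whether the client now fetches the adjunct entry.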