Bug 2363005

Summary:	pam-1.7.1-3.fc43 breaks "passwd" with nis
Product:	[Fedora] Fedora	Reporter:	Edgar Hoch <edgar.hoch>
Component:	pam	Assignee:	Iker Pedrosa <ipedrosa>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	42	CC:	besser82, ipedrosa, tm
Target Milestone:	---	Keywords:	Regression, Triaged
Target Release:	---
Hardware:	Unspecified
OS:	Linux
Whiteboard:
Fixed In Version:	pam-1.7.1-4.fc43 pam-1.7.0-7.fc42	Doc Type:	---
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2026-01-13 00:49:15 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Edgar Hoch 2025-04-29 21:27:01 UTC

On Fedora 42, "passwd" fails to change the password of nis users.

Failed: pam 1.7.0-4.fc42
Works: pam 1.6.1-8.fc42

After downgrading to pam 1.6.1-8.fc42 (downloaded from koji), passwd works as usual.

So, there must be some change between these two versions that causes the problem.

When I call "passwd" as a user which is listed in nis, then it prints the following messages:

passwd: Authentication token manipulation error
passwd: password unchanged

It does not prompt for a password.

In the journal, I found the following message, corresponding to the "passwd" call:

pam_unix(passwd:chauthtok): user "myuser" does not exist in /etc/passwd or NIS

As far as I can see using strace and ltrace on a Fedora 41 (works) and a Fedora 42 (works not) machine, the problem seems to be in call "pam_chauthtok".


On Fedora 41, with pam-1.6.1-7.fc41, after checking file /etc/passwd, the program reads files to contact a nis server.


openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_dev=makedev(0xfd, 0), st_ino=4358205, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=16, st_size=6947, st_atime=1745901155 /* 2025-04-29T06:32:35.391204746+0200 */, st_atime_nsec=391204746, st_mtime=1738469807 /* 2025-02-02T05:16:47.743521863+0100 */, st_mtime_nsec=743521863, st_ctime=1738469807 /* 2025-02-02T05:16:47.743521863+0100 */, st_ctime_nsec=743521863}) = 0
read(3, "root:x:0:0:Super User:/root:/bin"..., 4096) = 4096
read(3, "nologin\nfestival:x:965:966:festi"..., 4096) = 2851
read(3, "", 4096)                       = 0
close(3)                                = 0
openat(AT_FDCWD, "/var/yp/binding/imsv.3", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_dev=makedev(0xfd, 0x2), st_ino=1966086, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=156, st_atime=1745855821 /* 2025-04-28T17:57:01.403899084+0200 */, st_atime_nsec=403899084, st_mtime=1744991762 /* 2025-04-18T17:56:02.430747125+0200 */, st_mtime_nsec=430747125, st_ctime=1744991762 /* 2025-04-18T17:56:02.430747125+0200 */, st_ctime_nsec=430747125}) = 0
read(3, "\0\0\0\1\0\0\0\3udp\0\0\0\0\1\0\0\0\1\0\0\0\4inet\0\0\0\3"..., 4096) = 156
close(3)                                = 0


On Fedora 42, with pam-1.7.0-4.fc42, after checking file /etc/passwd, the program does something other, but not contacting the nis server.


openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_dev=makedev(0xfc, 0), st_ino=788214, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=3069, st_atime=1745927224 /* 2025-04-29T13:47:04.457000000+0200 */, st_atime_nsec=457000000, st_mtime=1745271891 /* 2025-04-21T23:44:51.883633244+0200 */, st_mtime_nsec=883633244, st_ctime=1745271891 /* 2025-04-21T23:44:51.903031078+0200 */, st_ctime_nsec=903031078}) = 0
read(3, "root:x:0:0:Super User:/root:/bin"..., 4096) = 3069
read(3, "", 4096)                       = 0
close(3)                                = 0
getpid()                                = 8645
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_dev=makedev(0xfc, 0), st_ino=1571226, st_mode=S_IFREG|0644, st_nlink=6, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=2298, st_atime=1745927224 /* 2025-04-29T13:47:04.665000000+0200 */, st_atime_nsec=665000000, st_mtime=1743033600 /* 2025-03-27T01:00:00+0100 */, st_mtime_nsec=0, st_ctime=1745270208 /* 2025-04-21T23:16:48.752177892+0200 */, st_ctime_nsec=752177892}) = 0
fstat(3, {st_dev=makedev(0xfc, 0), st_ino=1571226, st_mode=S_IFREG|0644, st_nlink=6, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=2298, st_atime=1745927224 /* 2025-04-29T13:47:04.665000000+0200 */, st_atime_nsec=665000000, st_mtime=1743033600 /* 2025-03-27T01:00:00+0100 */, st_mtime_nsec=0, st_ctime=1745270208 /* 2025-04-21T23:16:48.752177892+0200 */, st_ctime_nsec=752177892}) = 0
read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\t\0\0\0\t\0\0\0\0"..., 4096) = 2298
lseek(3, -1449, SEEK_CUR)               = 849
read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\t\0\0\0\t\0\0\0\0"..., 4096) = 1449
lseek(3, 2297, SEEK_SET)                = 2297
close(3)                                = 0


The configuration files are the same in both cases.

On the same host, using Fedora 42 provided package pam-1.7.0-4.fc42, "passwd" fails. Downgrading to pam-1.6.1-8.fc42, downloaded from koji (it is not in the Fedora 42 repos), "passwd" works as in Fedora 41.

Does someone find the cause of this problem?


Reproducible: Always

Comment 1 Edgar Hoch 2026-01-07 04:48:46 UTC

The pull request on Github fixes this bug.

Maybe that a new version for current fedora releases can be build, including the patch, because I don't know how long it takes until pam will create a new release.

Comment 2 Iker Pedrosa 2026-01-07 13:32:36 UTC

I'm fine with backporting this fix once it lands upstream

Comment 3 Edgar Hoch 2026-01-09 00:40:41 UTC

My pull request was the best solution, the maintainer of pam has provided a better solution, which was merged into upstream now.
The commit is linked in this bug report.

Comment 4 Edgar Hoch 2026-01-09 00:41:40 UTC

(In reply to Edgar Hoch from comment #3)
> My pull request was NOT the best solution...

Comment 5 Fedora Update System 2026-01-10 19:15:25 UTC

FEDORA-2026-9d87acf55d (pam-1.7.1-4.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-9d87acf55d

Comment 6 Fedora Update System 2026-01-10 19:43:31 UTC

FEDORA-2026-b6531cf3b5 (pam-1.7.0-7.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-b6531cf3b5

Comment 7 Fedora Update System 2026-01-11 01:28:47 UTC

FEDORA-2026-9d87acf55d has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-9d87acf55d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-9d87acf55d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2026-01-11 01:51:36 UTC

FEDORA-2026-b6531cf3b5 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-b6531cf3b5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-b6531cf3b5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2026-01-13 00:49:15 UTC

FEDORA-2026-9d87acf55d (pam-1.7.1-4.fc43) has been pushed to the Fedora 43 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2026-01-14 01:10:37 UTC

FEDORA-2026-b6531cf3b5 (pam-1.7.0-7.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.