Bug 43915
Summary: | passwd fails when a local account and a NIS account have the same id. | | |
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | Ian Mortimer <i.mortimer> |
Component: | pam | Assignee: | Tomas Mraz <tmraz> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Aaron Brown <abrown> |
Severity: | high | Priority: | medium |
Version: | 7.2 | CC: | aleksey, edfriedmangvs, gt, herrold, menscher, moniot, orion |
Hardware: | All | OS: | Linux |
Doc Type: | Bug Fix | Last Closed: | 2005-03-24 18:27:11 UTC |

Description
Ian Mortimer
2001-06-08 00:41:53 UTC
This worked fine for me ever since 6.0-7.1 until the recent kernel upgrade. Now I get the following:

As user on the yp server (same result on the client)
-----------------------------------
[gerald@keen gerald]$ passwd
Changing password for gerald
(current) UNIX password:
passwd: Authentication token manipulation error
----------------------------------

As root on the yp server
----------------------------------
[root@keen yp]# passwd gerald
Changing password for user gerald
New UNIX password:
Retype new UNIX password:
RPC: Can't encode arguments
The password has not been changed on keen.esi.ac.at.
passwd: Authentication token manipulation error
-----------------------------------

If I turn off ypbind on the server it works on the server but not on any client. Moreover, the yp database is not updated. This breaks my site completely!

*** This bug has been marked as a duplicate of 55383 ***

If you're not running the yppasswdd service on the server, updates over the network from a client will always fail (yppasswdd actually performs the updates). If the NIS server is configured as a client of itself, then the passwd command will behave the same as it would on a client. Removing "nis" from the line in /etc/pam.d/system-auth which uses pam_unix to change passwords (it should read similar to "passwd sufficient /lib/security/pam_unix.so nis") should force all updates to be made to local files only.

> ... should force all updates to be made to local files only.
This is not ideal. Better would be if updates were made to local files if a local account is defined but otherwise to NIS. That allows you to override the NIS database with a locally defined account for a specific user on a particular host (could be a NIS client or a server but more likely it would be a client). Other users still authenticate against NIS on this host and this specific user still authenticates against NIS on other hosts.

Just did some tests under 7.2. All boxes run 7.2 + all updates. The file /etc/pam.d/system-auth contains:

password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow nis

If I run ypbind on the server, I get on the server:
------------------------------------------------------
[root@keen root]# passwd gt
Changing password for user gt
New password:
Retype new password:
RPC: Can't encode arguments
The password has not been changed on keen.esi.ac.at.
passwd: Failed preliminary check by password service
[root@keen root]# su - gt
[gt@keen gt]$ passwd
Changing password for gt
(current) UNIX password:
New password:
Retype new password:
RPC: Timed out
The password has not been changed on keen.esi.ac.at.
passwd: Failed preliminary check by password service
--------------------------------------------------------
Changing the password on the client works fine. If I stop ypbind on the server I can change the password on the server, but the NIS data base is not updated. If I change it on the client the NIS data base is updated.

I have the sane issue. I have a local account defined in /etc/passwd with the same login name and uid as a NIS account, passwd won't change the password of either account. passwd needs to change the local password in this situation according to the priority in /etc/nsswitch.conf:

passwd: files nis

However I get the error

RPC: Server can't decode arguments
The password has not been changed on <server>
passwd: Authentication token manipulation

Please provide a fix for this soon. This one is a serious problem.

Well, I meant to say "same issue".
-Raja

Please increase the priority on this as I have this issue long going at our Client's site here.
regards
-Raja

I have the same issue on RedHat 9. When logging in, passwords are checked against the local /etc/shadow first, but when changing them with passwd, the NIS password is changed, not the local one. This makes it very hard to change the local password or to fix expired passwords.

Nothing on this since 2002-05? Yeesh.

The current PAM (in FC3 updates) is changed so that in case of same accounts in the local /etc/passwd and NIS, it changes only the local account password, not the remote one in the NIS server. Use yppasswd for changing the remote password.

*** Bug 55383 has been marked as a duplicate of this bug. ***

*** Bug 73778 has been marked as a duplicate of this bug. ***
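
A way to audit a host for the condition this bug describes, as an added example that is not part of the bug report or of PAM: it lists logins defined both in a local passwd file and in a dump of the NIS passwd map, and checks whether the pam_unix password line carries `nis`. The function names, temporary file names and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Inputs are file paths, so the
# checks can run on copies; on a live host pass /etc/passwd, a dump made
# with `ypcat passwd`, and /etc/pam.d/system-auth.

# Print "login local_uid nis_uid" for each login defined in both sources.
shadowed_accounts() {   # $1 = local passwd file, $2 = NIS passwd map dump
    awk -F: '
        FILENAME == ARGV[1] {
            # skip blank lines and +/- compat entries
            if ($1 != "" && $1 !~ /^[+-]/) local_uid[$1] = $3
            next
        }
        ($1 in local_uid) { print $1, local_uid[$1], $3 }
    ' "$1" "$2" | sort
}

# Exit 0 if an active pam_unix "password" line carries the nis option.
pam_unix_uses_nis() {   # $1 = PAM service file
    awk '
        $1 == "password" && $3 ~ /pam_unix\.so$/ {
            for (i = 4; i <= NF; i++) if ($i == "nis") found = 1
        }
        END { exit !found }
    ' "$1"
}

# Constructed sample data: "gt" exists locally and in NIS, "gerald" only in NIS.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'gt:x:501:501::/home/gt:/bin/bash' '+::::::' > "$demo_dir/passwd"
printf '%s\n' 'gt:x:501:501::/home/gt:/bin/bash' \
    'gerald:x:502:502::/home/gerald:/bin/bash' > "$demo_dir/nis_passwd"
# PAM line as quoted in the thread
echo 'password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow nis' \
    > "$demo_dir/system-auth"

shadowed_accounts "$demo_dir/passwd" "$demo_dir/nis_passwd" |
while read -r login local_uid nis_uid; do
    echo "$login: defined locally (uid $local_uid) and in NIS (uid $nis_uid)"
done
if pam_unix_uses_nis "$demo_dir/system-auth"; then
    echo "pam_unix password line has 'nis'"
fi
```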