Bug 2363005 - pam-1.7.1-3.fc43 breaks "passwd" with nis
Summary: pam-1.7.1-3.fc43 breaks "passwd" with nis
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: 42
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Iker Pedrosa
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-04-29 21:27 UTC by Edgar Hoch
Modified: 2026-01-14 01:10 UTC (History)
3 users (show)

Fixed In Version: pam-1.7.1-4.fc43 pam-1.7.0-7.fc42
Clone Of:
Environment:
Last Closed: 2026-01-13 00:49:15 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github linux-pam/linux-pam/commit/aebea0f3a930f05f6835307da0c4da4240675f74 0 None None None 2026-01-09 00:37:19 UTC

Description Edgar Hoch 2025-04-29 21:27:01 UTC 
On Fedora 42, "passwd" fails to change the password of nis users.

Failed: pam 1.7.0-4.fc42
Works: pam 1.6.1-8.fc42

After downgrading to pam 1.6.1-8.fc42 (downloaded from koji), passwd works as usual.

So, there must be some change between these two versions that causes the problem.

When I call "passwd" as a user which is listed in nis, then it prints the following messages:

passwd: Authentication token manipulation error
passwd: password unchanged

It does not prompt for a password.

In the journal, I found the following message, corresponding to the "passwd" call:

pam_unix(passwd:chauthtok): user "myuser" does not exist in /etc/passwd or NIS

As far as I can see using strace and ltrace on a Fedora 41 (works) and a Fedora 42 (works not) machine, the problem seems to be in call "pam_chauthtok".


On Fedora 41, with pam-1.6.1-7.fc41, after checking file /etc/passwd, the program reads files to contact a nis server.


openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_dev=makedev(0xfd, 0), st_ino=4358205, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=16, st_size=6947, st_atime=1745901155 /* 2025-04-29T06:32:35.391204746+0200 */, st_atime_nsec=391204746, st_mtime=1738469807 /* 2025-02-02T05:16:47.743521863+0100 */, st_mtime_nsec=743521863, st_ctime=1738469807 /* 2025-02-02T05:16:47.743521863+0100 */, st_ctime_nsec=743521863}) = 0
read(3, "root:x:0:0:Super User:/root:/bin"..., 4096) = 4096
read(3, "nologin\nfestival:x:965:966:festi"..., 4096) = 2851
read(3, "", 4096)                       = 0
close(3)                                = 0
openat(AT_FDCWD, "/var/yp/binding/imsv.3", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_dev=makedev(0xfd, 0x2), st_ino=1966086, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=156, st_atime=1745855821 /* 2025-04-28T17:57:01.403899084+0200 */, st_atime_nsec=403899084, st_mtime=1744991762 /* 2025-04-18T17:56:02.430747125+0200 */, st_mtime_nsec=430747125, st_ctime=1744991762 /* 2025-04-18T17:56:02.430747125+0200 */, st_ctime_nsec=430747125}) = 0
read(3, "\0\0\0\1\0\0\0\3udp\0\0\0\0\1\0\0\0\1\0\0\0\4inet\0\0\0\3"..., 4096) = 156
close(3)                                = 0


On Fedora 42, with pam-1.7.0-4.fc42, after checking file /etc/passwd, the program does something other, but not contacting the nis server.


openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_dev=makedev(0xfc, 0), st_ino=788214, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=3069, st_atime=1745927224 /* 2025-04-29T13:47:04.457000000+0200 */, st_atime_nsec=457000000, st_mtime=1745271891 /* 2025-04-21T23:44:51.883633244+0200 */, st_mtime_nsec=883633244, st_ctime=1745271891 /* 2025-04-21T23:44:51.903031078+0200 */, st_ctime_nsec=903031078}) = 0
read(3, "root:x:0:0:Super User:/root:/bin"..., 4096) = 3069
read(3, "", 4096)                       = 0
close(3)                                = 0
getpid()                                = 8645
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_dev=makedev(0xfc, 0), st_ino=1571226, st_mode=S_IFREG|0644, st_nlink=6, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=2298, st_atime=1745927224 /* 2025-04-29T13:47:04.665000000+0200 */, st_atime_nsec=665000000, st_mtime=1743033600 /* 2025-03-27T01:00:00+0100 */, st_mtime_nsec=0, st_ctime=1745270208 /* 2025-04-21T23:16:48.752177892+0200 */, st_ctime_nsec=752177892}) = 0
fstat(3, {st_dev=makedev(0xfc, 0), st_ino=1571226, st_mode=S_IFREG|0644, st_nlink=6, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=2298, st_atime=1745927224 /* 2025-04-29T13:47:04.665000000+0200 */, st_atime_nsec=665000000, st_mtime=1743033600 /* 2025-03-27T01:00:00+0100 */, st_mtime_nsec=0, st_ctime=1745270208 /* 2025-04-21T23:16:48.752177892+0200 */, st_ctime_nsec=752177892}) = 0
read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\t\0\0\0\t\0\0\0\0"..., 4096) = 2298
lseek(3, -1449, SEEK_CUR)               = 849
read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\t\0\0\0\t\0\0\0\0"..., 4096) = 1449
lseek(3, 2297, SEEK_SET)                = 2297
close(3)                                = 0


The configuration files are the same in both cases.

On the same host, using Fedora 42 provided package pam-1.7.0-4.fc42, "passwd" fails. Downgrading to pam-1.6.1-8.fc42, downloaded from koji (it is not in the Fedora 42 repos), "passwd" works as in Fedora 41.

Does someone find the cause of this problem?


Reproducible: Always
Comment 1 Edgar Hoch 2026-01-07 04:48:46 UTC 
The pull request on Github fixes this bug.

Maybe that a new version for current fedora releases can be build, including the patch, because I don't know how long it takes until pam will create a new release.
Comment 2 Iker Pedrosa 2026-01-07 13:32:36 UTC 
I'm fine with backporting this fix once it lands upstream
Comment 3 Edgar Hoch 2026-01-09 00:40:41 UTC 
My pull request was the best solution, the maintainer of pam has provided a better solution, which was merged into upstream now.
The commit is linked in this bug report.
Comment 4 Edgar Hoch 2026-01-09 00:41:40 UTC 
(In reply to Edgar Hoch from comment #3)
> My pull request was NOT the best solution...
Comment 5 Fedora Update System 2026-01-10 19:15:25 UTC 
FEDORA-2026-9d87acf55d (pam-1.7.1-4.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-9d87acf55d
Comment 6 Fedora Update System 2026-01-10 19:43:31 UTC 
FEDORA-2026-b6531cf3b5 (pam-1.7.0-7.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-b6531cf3b5
Comment 7 Fedora Update System 2026-01-11 01:28:47 UTC 
FEDORA-2026-9d87acf55d has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-9d87acf55d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-9d87acf55d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 8 Fedora Update System 2026-01-11 01:51:36 UTC 
FEDORA-2026-b6531cf3b5 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-b6531cf3b5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-b6531cf3b5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 9 Fedora Update System 2026-01-13 00:49:15 UTC 
FEDORA-2026-9d87acf55d (pam-1.7.1-4.fc43) has been pushed to the Fedora 43 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 10 Fedora Update System 2026-01-14 01:10:37 UTC 
FEDORA-2026-b6531cf3b5 (pam-1.7.0-7.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.