Bug 43915 - passwd fails when a local account and a NIS account have the same id.
passwd fails when a local account and a NIS account have the same id.
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: pam (Show other bugs)
7.2
All Linux
medium Severity high
: ---
: ---
Assigned To: Tomas Mraz
Aaron Brown
:
: 55383 73778 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-06-07 20:41 EDT by Ian Mortimer
Modified: 2007-04-18 12:33 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-03-24 13:27:11 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ian Mortimer 2001-06-07 20:41:53 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.4.2-2 i686)

Description of problem:
If you have a local account defined in /etc/passwd with the same login name
and uid as a NIS account, passwd won't change the password of either
account.  

In previous versions of RH Linux (at least in 6.2 anyway) passwd would
update 
the local password in this situation  according to the priority in
/etc/nsswitch.conf:

   passwd:    files nis



How reproducible:
Always

Steps to Reproduce:
1. stop ypbind
2. create a local account with the same login name and uid as a NIS
account.
3. start ypbind
4. login to the newly created account
5. run passwd to (try to) change the password
	

Actual Results:  The password change fails for both the NIS account and the
local account with this error message:

   RPC: Server can't decode arguments
   The password has not been changed on <server>
   passwd: Authentication token manipulation error

Expected Results:  The local account password should have been changed.

Additional info:
Comment 1 Gerald Teschl 2001-10-20 13:36:59 EDT
This worked fine for me ever since 6.0- 7.1 until the recent kernel upgrade.
Now I get the following:

As user on the yp server (same result on the client)
-----------------------------------
[gerald@keen gerald]$ passwd
Changing password for gerald
(current) UNIX password:
passwd: Authentication token manipulation error
----------------------------------
As root on the yp server
----------------------------------
[root@keen yp]# passwd gerald
Changing password for user gerald
New UNIX password:
Retype new UNIX password:
RPC: Can't encode arguments
The password has not been changed on keen.esi.ac.at.
passwd: Authentication token manipulation error
-----------------------------------

If I turn off ypbind on the server it works on the server but not on any client.
Moreover,
the yp databse is not updated.

This brakes my site completely!
Comment 2 Joshua Buysse 2001-11-14 14:19:45 EST

*** This bug has been marked as a duplicate of 55383 ***
Comment 3 Nalin Dahyabhai 2002-02-14 17:49:16 EST
If you're not running the yppasswdd service on the server, updates over the
network from a client will always fail (yppasswdd actually performs the updates).

If the NIS server is configured as a client of itself, then the passwd command
will behave the same as it would on a client.  Removing "nis" from the line in
/etc/pam.d/system-auth which uses pam_unix to change passwords (it should read
similar to "passwd sufficient /lib/security/pam_unix.so nis") should force all
updates to be made to local files only.
Comment 4 Ian Mortimer 2002-02-14 18:04:16 EST
> ... should force all updates to be made to local files only.

This is not ideal.  Better would be if updates were made to local files if a
local
account is defined but otherwise to NIS.   That allows you to override the NIS
database with a locally defined account for a specific user on a particular host
(could be a NIS client or a server but more likely it would be a client) . 

Other users still authenticate against NIS on this host and this specific user
still 
authenticates against NIS on other hosts.
Comment 5 Gerald Teschl 2002-02-14 18:15:49 EST
Just did some tests under 7.2. All boxes run 7.2 + all updates.

The file /etc/pam.d/system-auth contains:
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5
shadow nis

If I run ypbind on the server, I get on the server:
------------------------------------------------------
[root@keen root]# passwd gt
Changing password for user gt
New password:
Retype new password:
RPC: Can't encode arguments
The password has not been changed on keen.esi.ac.at.
passwd: Failed preliminary check by password service
[root@keen root]# su - gt
[gt@keen gt]$ passwd
Changing password for gt
(current) UNIX password:
New password:
Retype new password:
RPC: Timed out
The password has not been changed on keen.esi.ac.at.
passwd: Failed preliminary check by password service
--------------------------------------------------------
Changing the password on the client works fine.

If I stop ypbind on the server I can change the password on the server,
but the NIS data base is not updated. If I change it on the client
the NIS data base is updated.
Comment 6 Raja 2002-05-10 12:37:56 EDT
I have the sane issue.
I have a local account defined in /etc/passwd with the same login name
and uid as a NIS account, passwd won't change the password of either
account.  

Paswd needs to change the local password in this situation  according to the 
priority in
/etc/nsswitch.conf:

   passwd:    files nis

However I get the error
RPC: Server can't decode arguments
   The password has not been changed on <server>
   passwd: Authentication token manipulation 

Please provide a fix for this soon. This one is a serious problem
Comment 7 Raja 2002-05-10 12:40:15 EDT
Well , I mean't to say "same issue". -Raja
Please increase the priority on this as I have this issue long going at our 
Client's site here.
regards
-Raja
Comment 8 Orion Poplawski 2004-04-15 12:20:42 EDT
I have the same issue on RedHat 9.  When logging in, passwords are
checked against the local /etc/shadow first, but when changing them
with passwd, the NIS password is changed, not the local one.  This
makes it very hard to change the local password or to fixed expired
passwords.

Nothing on this since 2002-05?  Yeesh.
Comment 9 Tomas Mraz 2005-03-24 13:27:11 EST
The current PAM (in FC3 updates) is changed so that in case of same accounts in
the local /etc/passwd and and NIS, it changes only the local account password,
not the remote one in the NIS server. Use yppasswd for changing the remote password.
Comment 10 Tomas Mraz 2005-03-24 13:45:21 EST
*** Bug 55383 has been marked as a duplicate of this bug. ***
Comment 11 Tomas Mraz 2005-03-24 14:30:50 EST
*** Bug 73778 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.