Bug #9224 “Can't use NIS with 'password' feature of pam_unix” : Bugs : pam package : Ubuntu

Revision history for this message

Scott Dier (sdier) wrote on 2004-10-18:

#1

This regression happened between 0.75-1 and 0.75-2 -- tried all the binaries
from snapshot.debian.net.

Revision history for this message

Matt Zimmerman (mdz) wrote on 2004-10-18:

#2

pam (0.75-2) experimental; urgency=low
[...]
  * Patch from Martin Schwenke <email address hidden> to only change
    passwords in pam_unix when they exist in the password file; hopefully
    does not break NIS, closes: #135990
[...]
-- Sam Hartman <email address hidden> Sat, 8 Jun 2002 18:04:40 -0400

Revision history for this message

Matt Zimmerman (mdz) wrote on 2004-10-18:

#3

I sent email to Sam Hartman regarding this bug.

Revision history for this message

Scott Dier (sdier) wrote on 2004-10-18:

#4

I think this is related to #135990.

Revision history for this message

Scott Dier (sdier) wrote on 2005-08-31:

#5

Potental patch for nis passwd issue in pam Edit (12.7 KiB, text/plain)

Created an attachment (id=3478)
Potental patch for nis passwd issue in pam

This patch seems to work for me. I've also placed it in the upstream debian
bug. Its mostly cut-and-paste from newer versions of pam.

Revision history for this message

Matt Zimmerman (mdz) wrote on 2006-03-31:

#6

This bug is very old; does the problem still exist in Dapper?

Changed in pam:
assignee:	nobody → dsilvers

Revision history for this message

Christina Zeeh (bugzilla-tuxtina-deactivatedaccount) wrote on 2006-03-31:

#7

Yes, it still exists in Dapper (tested today with Flight 5 + all current updates). Same symptoms as the original poster.

Last fall, I looked at the pam_unix code that was available upstream then, and it seemed that changing a NIS password through pam_unix could not work properly in any version released until then. Though every version seemed to be broken in a new and different way ;-) In the end I gave up and locally patched the version that comes with Breezy (0.76 iirc).

I haven't looked at the very newest versions available upstream, but I assume that such a big version jump isn't possible anyway? If help with a patch for the version included in Dapper is needed, I'd be willing to try to patch it (or test patches, if there's already something available). Is 0.79 likely to be the version that will ship with Dapper?

Revision history for this message

Daniel Silverstone (dsilvers) wrote on 2006-04-03:

#8

Currently 0.79-3ubuntu10 is the one which will ship with dapper (modulo any fixes we make for this)

You're sure that the bug manifests in the same way as the original reporter says Christina? Because 0.79 contains the code which Scott backported in an earlier comment.

What patch were you using if it wasn't the one attached above?

Thanks,
D.

Revision history for this message

Scott Dier (sdier) wrote on 2006-04-03:

#9

I'll try to find some time this week to setup a dapper nis client here at work and test this issue. I need to cut my teeth on dapper in the environment here anyhow.

Revision history for this message

Christina Zeeh (bugzilla-tuxtina-deactivatedaccount) wrote on 2006-04-03:

#10

I wrote my own patch. Will digg it out tomorrow or Wednesday, and also investigate what exactly is going wrong with 0.79-3ubuntu10, just haven't found the time to do this until now.

Revision history for this message

Christina Zeeh (bugzilla-tuxtina-deactivatedaccount) wrote on 2006-04-07: Old patch

#11

Old patch Edit (960 bytes, text/plain)

This is the patch I made for Breezy. I have no idea what I'm doing, so you better don't use it ...

Revision history for this message

Christina Zeeh (bugzilla-tuxtina-deactivatedaccount) wrote on 2006-04-07:

#12

I didn't manage to do more testing with 0.79 this week, and I won't be able to do anything next week => back in 2 weeks. Sorry :(

Revision history for this message

Scott Dier (sdier) wrote on 2006-05-02:

#13

I'm still seeing this issue. Hopefully I'll get time this week to debug the problem.

Changed in pam:
status:	Unconfirmed → Confirmed

Revision history for this message

Christina Zeeh (bugzilla-tuxtina-deactivatedaccount) wrote on 2006-06-10:

#14

It seems a workaround (if no other reasons require you to stick with pam_unix.sso) is to use pam_unix2.so from the libpam-unix2 package in universe.

Revision history for this message

Scott Dier (sdier) wrote on 2006-07-25:

#15

patch to fix issue in pam 0.79 with nis and passwd Edit (1.0 KiB, text/plain)

Fixed in this patch. Using the pre-existing flag is a style option, but I think it makes sense. The issue is that some nis networks will not have shadow maps, so shadow works for local users but not NIS users.

Daniel Silverstone (dsilvers) on 2006-08-03

Changed in pam:
assignee:	dsilvers → nobody

Revision history for this message

Giulio Fidente (gfidente) wrote on 2007-11-08:

#16

I'm still having the same problem using

ii libpam-modules 0.79-3ubuntu14 Pluggable Authentication Modules for PAM

has the patch ever been committed?

Revision history for this message

Brent Newland (brent-newland) wrote on 2008-04-05:

#17

Seems 0.79 has been replaced with 0.99 since Gutsy. Can anyone confirm if this is still an issue?

Revision history for this message

André Carezia (carezia) wrote on 2008-04-10:

#18

Seems to be, at least in Debian:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469635

I have a NIS setup here (clients running Debian etch or Ubuntu gutsy, server running Debian etch) and can confirm this: passwd can't change NIS passwords.

Bug Watch Updater (bug-watch-updater) on 2008-07-05

Changed in pam:
status:	Unknown → New

Steve Langasek (vorlon) on 2008-07-26

Changed in pam:
status:	Confirmed → In Progress

Bug Watch Updater (bug-watch-updater) on 2008-07-27

Changed in pam:
status:	New → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2008-07-29:

#19

Download full text (8.6 KiB)

This bug was fixed in the package pam - 1.0.1-1ubuntu1

---------------
pam (1.0.1-1ubuntu1) intrepid; urgency=low

  * Merge from Debian unstable
  * Dropped changes:
    - Linux-PAM/modules/pam_selinux/pam_selinux.8: Ubuntu pam_selinux manpage
      is 2 years newer than Debian's, contains a number of character escaping
      fixes plus content updates
    - debian/patches-applied/ubuntu-pam_selinux_seusers: patch pam_selinux to
      correctly support seusers (backported from changes in PAM 0.99.8).
    - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
      The nis package handles overriding this as necessary.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Bound RLIMIT_NICE
      from below as well as from above. Fix off-by-one error when converting
      RLIMIT_NICE to the range of values used by the kernel.
  * Remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
      present there or in /etc/security/pam_env.conf. (should send to Debian).
    - debian/libpam-runtime.postinst,
      debian/local/common-{auth,password}{,.md5sums}:
      Use the new 'missingok' option by default for pam_smbpass in case
      libpam-smbpass is not installed (LP: #216990); must use "requisite"
      rather than "required" to prevent "pam_smbpass migrate" from firing in
      the event of an auth failure; md5sums updated accordingly.
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
      type rather than __u8.
    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
      module option 'missingok' which will suppress logging of errors by
      libpam if the module is not found.
    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
      password on bad username.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/ubuntu-user_defined_environment: Look at
      ~/.pam_environment too, with the same format as
      /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
  * Refresh patch ubuntu-no-error-if-missingok for the new upstream version.
  * Change Vcs-Bzr to point at the new Ubuntu branch.

pam (1.0.1-1) unstable; urgency=low

  * New upstream version.
    - pam_limits: bound RLIMIT_NICE from below. Closes: #403718.
    - pam_mail: set the MAIL variable even when .hushlogin is set.
      Closes: #421010.
    - new minclass option introduced for pam_cracklib. Closes: #454237.
    - fix a failure to check the string length when matching usernames in
      pam_group. Closes: #444427.
    - fix setting shell security context in pam_selinux. Closes: #451722.
    - use --disable-audit, to avoid libaudit being linked in
      accidentally
    - pam_unix now supports SHA-256 and SHA-512 password hashes.
      Closes: #484249, LP: #245786.
    - pam_rhosts_auth is dropped upstream (closes...

This bug was fixed in the package pam - 1.0.1-1ubuntu1

---------------
pam (1.0.1-1ubuntu1) intrepid; urgency=low

* Merge from Debian unstable
  * Dropped changes:
    - Linux-PAM/modules/pam_selinux/pam_selinux.8: Ubuntu pam_selinux manpage
      is 2 years newer than Debian's, contains a number of character escaping
      fixes plus content updates
    - debian/patches-applied/ubuntu-pam_selinux_seusers: patch pam_selinux to
      correctly support seusers (backported from changes in PAM 0.99.8).
    - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
      The nis package handles overriding this as necessary.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Bound RLIMIT_NICE
      from below as well as from above. Fix off-by-one error when converting
      RLIMIT_NICE to the range of values used by the kernel.
  * Remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
      present there or in /etc/security/pam_env.conf. (should send to Debian).
    - debian/libpam-runtime.postinst,
      debian/local/common-{auth,password}{,.md5sums}:
      Use the new 'missingok' option by default for pam_smbpass in case
      libpam-smbpass is not installed (LP: #216990); must use "requisite"
      rather than "required" to prevent "pam_smbpass migrate" from firing in
      the event of an auth failure; md5sums updated accordingly.
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
      type rather than __u8.
    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
      module option 'missingok' which will suppress logging of errors by
      libpam if the module is not found.
    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
      password on bad username.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/ubuntu-user_defined_environment: Look at
      ~/.pam_environment too, with the same format as
      /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
  * Refresh patch ubuntu-no-error-if-missingok for the new upstream version.
  * Change Vcs-Bzr to point at the new Ubuntu branch.

pam (1.0.1-1) unstable; urgency=low

* New upstream version.
    - pam_limits: bound RLIMIT_NICE from below. Closes: #403718.
    - pam_mail: set the MAIL variable even when .hushlogin is set.
      Closes: #421010.
    - new minclass option introduced for pam_cracklib.  Closes: #454237.
    - fix a failure to check the string length when matching usernames in
      pam_group.  Closes: #444427.
    - fix setting shell security context in pam_selinux.  Closes: #451722.
    - use --disable-audit, to avoid libaudit being linked in
      accidentally
    - pam_unix now supports SHA-256 and SHA-512 password hashes.
      Closes: #484249, LP: #245786.
    - pam_rhosts_auth is dropped upstream (closes: #382987); add a compat
      symlink to pam_rhosts to support upgrades for a release, and give a
      warning in NEWS.Debian.
    - new symbol in libpam.so.0, pam_modutil_audit_write; shlibs bump, and
      do another round of service restarts on upgrade.
    - pam_unix helper is now called whenever an unprivileged process
      tries and fails to query a user's account status.  Closes: #367834.
  * Drop patches 006_docs_cleanup, 015_hurd_portability,
    019_pam_listfile_quiet, 024_debian_cracklib_dict_path, 038_support_hurd,
    043_pam_unix_unknown_user_not_alert, 046_pam_group_example,
    no_pthread_mutexes, limits_wrong_strncpy, misc_conv_allow_sigint.patch,
    pam_tally_audit.patch, 057_pam_unix_passwd_OOM_check, and
    065_pam_unix_cracklib_disable which have been merged upstream.
  * Patch 022_pam_unix_group_time_miscfixes: partially merged upstream;
    now is really just "pam_group_miscfixes".
  * Patch 007_modules_pam_unix partially superseded upstream; stripping
    hpux-style expiry information off of password fields is now supported.
  * New patch pam_unix_thread-safe_save_old_password.patch, to make sure all
    our getpwnam() use in pam_unix is thread-safe (fixes an upstream
    regression)
  * New patch pam_unix_fix_sgid_shadow_auth.patch, fixing an upstream
    regression which prevents sgid shadow apps from being able to authenticate
    any more because the module forces use of the helper and the helper won't
    allow authentication of arbitrary users.  This change does mean we're
    going to be noisier for the time being in an SELinux environment, which
    should be addressed but is not a regression on Debian.
  * New patch pam_unix_dont_trust_chkpwd_caller.patch, rolling back an
    upstream change that causes unix_chkpwd to assume that setuid(getuid())
    is sufficient to drop permissions and attempt any authentication on
    behalf of the user.
  * The password-changing helper functionality for SELinux systems has been
    split out into a separate unix_update binary, so at long last we can
    change unix_chkpwd to be sgid shadow instead of suid root.
    Closes: #155583.
    - Update the lintian override to match.
  * Install the new unix_update helper into libpam-modules.
  * Use a pristine upstream tarball instead of repacking; requires various
    changes to debian/rules and debhelper files.
  * Replace the Vcs-Svn field with a Vcs-Bzr field; jumping ship from svn,
    and how!
  * Debconf translations:
    - Romanian, thanks to Igor Stirbu <igor.stirbu@gmail.com>
      (closes: #491821)
  * Add libpam0g.symbols, for finer-grained package dependencies with
    dpkg-gensymbols.
  * Fix debian/copyright to list the known copyright holders
  * Fix up the doc-base sections for the libpam-doc documentation, "Apps"
    should not be part of the section name
  * Also fix up whitespace issues in the doc-base abstracts
  * Fix a typo in the libpam0g-dev description.
  * 027_pam_limits_better_init_allow_explicit_root: RLIM_INFINITY is also
    invalid for RLIMIT_NOFILE, so when resetting the limits for a new session,
    use the kernel default of 1024 instead.  Closes: #404836.
  * Create /etc/environment on initial install of libpam-modules (or on
    upgrade from an old version), to quell warnings in the logs about it
    being missing.  Closes: #442049.
  * 026_pam_unix_passwd_unknown_user: drop a redundant, and broken, check for
    the NSS source of our user; this was preventing password changes for NIS
    users, which otherwise should have worked.  Closes: #203222, LP: #9224.
  * New patch do_not_check_nis_accidentally: respect the 'nis' option
    (set or unset) when looking up the user's password entry for password
    changes.  Thanks to Quentin Godfroy <godfroy@clipper.ens.fr> for the
    patch.  Closes: #469635.
  * Drop patch 049_pam_unix_sane_locking, which upon review is not needed;
    it reduces the length of time we hold the lock, but at the expense of
    being able to enforce minimum times between password changes.
  * debian/watch: upstream has hit 1.0, so we're no longer in a "pre"
    directory.  Fix up the regex for uscan.
  * Fix the libpam0g-dev examples directory to not include a gratuitous
    .cvsignore file.
  * New patch, pam.d-manpage-section, to fix the manpage references to
    point to section 5 instead of section 8.
  * Update patch PAM-manpage-section to fix the references to pam(7) from
    other manpages.  Closes: #470137.
  * Add debian/README.source documenting that this package uses quilt.
  * Bump Standards-Version to 3.8.0.
  * Fix a bug in the uid-restoring code in the hurd_no_setfsuid patch; thanks
    to Tomas Mraz <tmraz@redhat.com> for indirectly bringing this to my
    attention

pam (0.99.7.1-7) unstable; urgency=medium

* Medium-urgency upload for RC bugfix
  * Debconf translations:
    - Italian, thanks to David Paleino <d.paleino@gmail.com> (closes: #483913)
    - Slovak, thanks to Ivan Masár <helix84@centrum.sk> (closes: #488908)
    - Turkish, thanks to Mert Dirik <mertdirik@gmail.com> (closes: #490880)
    - Basque, thanks to Piarres Beobide <pi+debian@beobide.net>
      (closes: #473975)
  * Drop the 'XS' from Vcs-Svn/Vcs-Browser, since these are now officially
    recognized fields.
  * Add a Homepage field.  Closes: #473338.
  * Drop -DCRACKLIB_DICTS from CFLAGS, since the referenced define is no
    longer provided by cracklib2-dev 2.8 and above.  This requires a
    build-dependency on the corresponding version of libcrack2-dev.
    Closes: #490236.

-- Steve Langasek <steve.langasek@ubuntu.com>   Mon, 28 Jul 2008 20:58:26 +0000

Changed in pam:
status:	In Progress → Fix Released

Bug Watch Updater (bug-watch-updater) on 2008-07-31

Changed in pam:
status:	Fix Committed → Fix Released

Affects		Status	Importance	Assigned to	Milestone
	pam (Debian)	Fix Released	Unknown	debbugs #469635
	pam (Ubuntu)	Fix Released	Medium	Unassigned

Ubuntu
pam package

Can't use NIS with 'password' feature of pam_unix

Bug Description

Other bug subscribers

Patches

Remote bug watches

Ubuntupam package

Can't use NIS with 'password' feature of pam_unix

Bug Description

Other bug subscribers

Patches

Remote bug watches

Ubuntu
pam package