UPDATE: PART SUMMARY: cannot change user password (fwd)

From: Ryan A. Krenzischek (krenzischek@Encompasserve.org)
Date: Wed Jun 30 2004 - 15:46:04 EDT


For those who did not get my email the first time....

To: Barry Deevey
Cc: sunmanagers@sunmanagers.org
Subject: RE: PART SUMMARY: cannot change user password

Barry,

Yes, most certainly....in particular the lines that end with

"/usr/lib/security/$ISA/pam_unix.so.1"

$ISA is going to determine the configuration of the kernel, i.e. which
mode you're running (32/64-bit). This most likely gets executed in the
postinstall script, which is broken in this particular pam patch.

I'm assuming that the script looks at isainfo -kv (or is it isacfg?). If
it finds sparcv9, it will replace $ISA with sparcv9. If not, it removes
"$ISA/" from the absolute path.

So the lines should read....

*running a 32-bit kernel*

/usr/lib/security/pam_unix.so.1

*running a 64-bit kernel*

/usr/lib/security/sparcv9/pam_unix.so.1

As always, absolute pathnames are obviously more secure in any
configuration file. So maybe Sun was trying to fix up the pam.conf file
for security purposes. Last I checked there weren't any subdirectories in
/usr/lib/security other than "sparcv9" for 64-bit Solaris.

If you look at the PAM modules in

/usr/lib/security, they are:

ELF 32-bit MSB dynamic lib SPARC Version 1, dynamically linked, not
stripped

/usr/lib/security/sparcv9, they are:

ELF 64-bit MSB dynamic lib SPARCV9 Version 1, dynamically linked, not
stripped

Hope this helps!

Ryan

On Wed, 30 Jun 2004, Barry Deevey wrote:

> Hi Ryan,
>
> The differences aren't huge, so I've listed them below:
>
> [root] ls -l pam*
> -rw-r--r-- 1 root sys 2410 Jun 30 16:15 pam.conf
> -rw------- 1 root other 2410 Jun 30 16:05 pam.conf.300604
> -rw-r--r-- 1 root sys 2072 Jan 5 2001 pam.conf.pre108993-36
> [root] diff pam.conf pam.conf.pre108993-36
> 11,14c11,12
> < login auth requisite pam_authtok_get.so.1
> < login auth required pam_dhkeys.so.1
> < login auth required pam_unix_auth.so.1
> < login auth required pam_dial_auth.so.1
> ---
> > login auth required /usr/lib/security/$ISA/pam_unix.so.1
> > login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1
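Review bot: the `<` lines in 11,14c11,12 are the current pam.conf (the first file given to diff) and the `>` lines are pam.conf.pre108993-36, so the bare module names are the form now in place and the `/usr/lib/security/$ISA/` paths are the older copy. On the `<` side the single pam_unix.so.1 line for login auth is replaced by pam_authtok_get.so.1, pam_dhkeys.so.1 and pam_unix_auth.so.1; it is worth confirming these three files were actually installed alongside the new pam.conf.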
> 16,19c14,15
> < rlogin auth sufficient pam_rhosts_auth.so.1
> < rlogin auth requisite pam_authtok_get.so.1
> < rlogin auth required pam_dhkeys.so.1
> < rlogin auth required pam_unix_auth.so.1
> ---
> > rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
> > rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
> 21,23c17
> < dtlogin auth requisite pam_authtok_get.so.1
> < dtlogin auth required pam_dhkeys.so.1
> < dtlogin auth required pam_unix_auth.so.1
> ---
> > dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
> 25,29c19,20
> < rsh auth sufficient pam_rhosts_auth.so.1
> < rsh auth required pam_unix_auth.so.1
> < other auth requisite pam_authtok_get.so.1
> < other auth required pam_dhkeys.so.1
> < other auth required pam_unix_auth.so.1
> ---
> > rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
> > other auth required /usr/lib/security/$ISA/pam_unix.so.1
> 33,35c24,26
> < login account requisite pam_roles.so.1
> < login account required pam_projects.so.1
> < login account required pam_unix_account.so.1
> ---
> > login account requisite /usr/lib/security/$ISA/pam_roles.so.1
> > login account required /usr/lib/security/$ISA/pam_projects.so.1
> > login account required /usr/lib/security/$ISA/pam_unix.so.1
> 37,39c28,30
> < dtlogin account requisite pam_roles.so.1
> < dtlogin account required pam_projects.so.1
> < dtlogin account required pam_unix_account.so.1
> ---
> > dtlogin account requisite
> /usr/lib/security/$ISA/pam_roles.so.1
> > dtlogin account required
> /usr/lib/security/$ISA/pam_projects.so.1
> > dtlogin account required
/usr/lib/security/$ISA/pam_unix.so.1
> 41,43c32,34
> < other account requisite pam_roles.so.1
> < other account required pam_projects.so.1
> < other account required pam_unix_account.so.1
> ---
> > other account requisite /usr/lib/security/$ISA/pam_roles.so.1
> > other account required /usr/lib/security/$ISA/pam_projects.so.1
> > other account required /usr/lib/security/$ISA/pam_unix.so.1
> 47c38
> < other session required pam_unix_session.so.1
> ---
> > other session required /usr/lib/security/$ISA/pam_unix.so.1
> 51,57c42,43
> < other password required pam_dhkeys.so.1
> < other password requisite pam_authtok_get.so.1
> < other password requisite pam_authtok_check.so.1
> < other password required pam_authtok_store.so.1
> < dtsession auth requisite pam_authtok_get.so.1
> < dtsession auth required pam_dhkeys.so.1
> < dtsession auth required pam_unix_auth.so.1
> ---
> > other password required /usr/lib/security/$ISA/pam_unix.so.1
> > dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
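Review bot: 51,57c42,43 changes the `other password` stack, the one closest to the reported symptom, from a single pam_unix.so.1 line to pam_dhkeys.so.1, pam_authtok_get.so.1, pam_authtok_check.so.1 and pam_authtok_store.so.1, all marked required or requisite. Suggest listing those four module files and comparing them with the V120 where the password change works before deciding whether to keep this file or the older one.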
> 61,75c47,54
> < #rlogin auth optional pam_krb5.so.1 try_first_pass
> < #login auth optional pam_krb5.so.1 try_first_pass
> < #dtlogin auth optional pam_krb5.so.1 try_first_pass
> < #other auth optional pam_krb5.so.1 try_first_pass
> < #dtlogin account optional pam_krb5.so.1
> < #other account optional pam_krb5.so.1
> < #other session optional pam_krb5.so.1
> < #other password optional pam_krb5.so.1 try_first_pass
> < passwd auth required pam_passwd_auth.so.1
> < ppp auth requisite pam_authtok_get.so.1
> < ppp auth required pam_dhkeys.so.1
> < ppp auth required pam_unix_auth.so.1
> < ppp auth required pam_dial_auth.so.1
> < cron account required pam_unix_account.so.1
> < #cron account optional pam_krb5.so.1
> ---
> > #rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1
> try_first_s
> > #login auth optional /usr/lib/security/$ISA/pam_krb5.so.1
> try_first_s
> > #dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1
> try_first_s
> > #other auth optional /usr/lib/security/$ISA/pam_krb5.so.1
> try_first_s
> > #dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
> > #other account optional /usr/lib/security/$ISA/pam_krb5.so.1
> > #other session optional /usr/lib/security/$ISA/pam_krb5.so.1
> > #other password optional /usr/lib/security/$ISA/pam_krb5.so.1
> try_firss
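Review bot: 61,75c47,54 gives passwd its own entry on the `<` side, `passwd auth required pam_passwd_auth.so.1`, which has no counterpart in pam.conf.pre108993-36. Since the symptom is passwd returning permission denied, check that pam_passwd_auth.so.1 is present; the `try_first_s` and `try_firss` endings on the `>` side look like lines cut short in the paste, so compare against the file itself rather than this listing.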
> [root]
>
> Can you spot anything obvious?
>
> -----Original Message-----
> From: krenzischek@Encompasserve.org
> [mailto:krenzischek@Encompasserve.org]
> Sent: 30 June 2004 16:47
> To: Barry Deevey
> Subject: Re: PART SUMMARY: cannot change user password
>
>
>
> Barry,
>
> What did the diffs look like from the pam.conf files? I'm curious as to
> what change caused the problem.
>
> Regards,
>
> Ryan
>
> On Wed, 30 Jun 2004, Barry Deevey wrote:
>
> > Thanks to Alan Fox who replied to say that he had the same thing happen
> > after applying the latest patch cluster and the fix was to put the original
> > pam.conf file back. This resolved the problem, but he did note that Casper
> > would probably not approve of the fix and that I should investigate it
> > further. I'll do this when I get a little more time.
> >
> > Thanks again for all your help, it's much appreciated.
> >
> > Cheers,
> > Barry.
> >
> > p.s. Apologies to Lars for spelling his surname wrong!
> >
> >
> > -----Original Message-----
> > From: sunmanagers-bounces@sunmanagers.org
> > [mailto:sunmanagers-bounces@sunmanagers.org]On Behalf Of Barry Deevey
> > Sent: 30 June 2004 15:49
> > To: sunmanagers@sunmanagers.org
> > Subject: PART SUMMARY: cannot change user password
> >
> >
> > Hi all,
> >
> > Many thanks to Vinnie German, Angelos Kanellopoulos, Lars Heckling, Jordan
> > Klein, Rob McDonnell, G Hackett & Saran Nanjappan for their (extremely
> > quick!) replies.
> >
> > I'm not running NIS or rpc.yppasswd, but from the various suggestions I was
> > sent the only thing that worked was to use
> > 'passwd -r files "user_account"' as root, and then run pwconv. This allowed
> > me to change the password for the user.
> >
> > As I tried out the other suggestions I noticed that the problem was
> > happening with all users (including root) and the above was the only way I
> > could change the password for any accounts.
> >
> > I think even though my initial problem has been resolved, there may still be
> > an underlying issue as passwd <user> still does not work.
> >
> > Thanks again.
> >
> > Barry.
> >
> > -----Original Message-----
> > From: sunmanagers-bounces@sunmanagers.org
> > [mailto:sunmanagers-bounces@sunmanagers.org]On Behalf Of Barry Deevey
> > Sent: 30 June 2004 15:16
> > To: sunmanagers@sunmanagers.org
> > Subject: cannot change user password
> >
> >
> > Hi all,
> >
> > I'm running Solaris 8 patched up to the latest recommended cluster on a
> > Sunfire V120. I've added a user:
> >
> > useradd -u 615 -g 101 -d /home/myuser -s /usr/bin/bash myuser
> >
> > But I cannot change the password as root or myuser as it just returns
> > permission denied.
> >
> > I've removed the *LK* from /etc/shadow but it made no difference.
> >
> > I've tested this on another V120 and it works fine, but I cannot see any
> > obvious difference between the two servers.
> >
> > Apologies for this post, but I've googled and searched through sun docs and
> > they all seem to refer to LDAP, which we're not running.
> >
> > Any replies are much appreciated.
> >
> > Thanks,
> > Barry.
> > _______________________________________________
> > sunmanagers mailing list
> > sunmanagers@sunmanagers.org
> > http://www.sunmanagers.org/mailman/listinfo/sunmanagers
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
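
The two path forms Ryan lists for the 32-bit and 64-bit cases can be checked against the filesystem. The script below is an added example, not code from the thread: it resolves every active pam.conf entry for one of the two cases and prints the entries with no module file behind them. The function names and the sample tree are constructed, bare module names are assumed to live in the same /usr/lib/security directory as the absolute ones, and it needs a POSIX shell (ksh or /usr/xpg4/bin/sh on Solaris 8, not /bin/sh).

```shell
#!/bin/sh
# resolve_module MODULE ISA_DIR: ISA_DIR is "" (32-bit) or "sparcv9" (64-bit).
resolve_module() {
    m=$1
    case $m in
        /*) ;;                                 # absolute path, keep as written
        *)  m="/usr/lib/security/\$ISA/$m" ;;  # bare name (assumed directory)
    esac
    case $m in
        *'$ISA/'*)                             # substitute or drop the token
            pre=${m%%'$ISA/'*}
            post=${m#*'$ISA/'}
            m=$pre${2:+$2/}$post ;;
    esac
    printf '%s\n' "$m"
}

# check_pam_conf CONF ISA_DIR [ROOT]: print "service type path" per missing module.
check_pam_conf() {
    while read -r svc type flag mod opts; do
        case $svc in ''|'#'*) continue ;; esac # blank line or comment
        [ -n "$mod" ] || continue
        path=$(resolve_module "$mod" "$2")
        [ -f "${3:-}$path" ] || echo "$svc $type $path"
    done < "$1"
}

# make_sample_root: constructed module tree plus pam.conf; prints its path.
make_sample_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/usr/lib/security/sparcv9"
    : > "$r/usr/lib/security/pam_unix.so.1"
    : > "$r/usr/lib/security/sparcv9/pam_unix.so.1"
    : > "$r/usr/lib/security/pam_authtok_get.so.1"   # 32-bit copy only
    cat > "$r/pam.conf" <<'EOF'
# constructed sample using both path styles from the diff
login auth required /usr/lib/security/$ISA/pam_unix.so.1
other password requisite pam_authtok_get.so.1
other password required pam_dhkeys.so.1
EOF
    echo "$r"
}
if [ "${1:-}" = demo ]; then                   # sh thisfile demo
    root=$(make_sample_root)
    check_pam_conf "$root/pam.conf" "" "$root"
    check_pam_conf "$root/pam.conf" sparcv9 "$root"
    rm -rf "$root"
fi
```

On a live system, call `check_pam_conf /etc/pam.conf ""` and `check_pam_conf /etc/pam.conf sparcv9` with no ROOT argument; any line printed names a service whose stack refers to a module that is not on disk.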



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:28:58 EDT