UPDATE: PART SUMMARY: cannot change user password (fwd)

From: Ryan A. Krenzischek <krenzischek_at_Encompasserve.org>
Date: Wed Jun 30 2004 - 15:46:04 EDT
For those who did not get my email the first time....

To: Barry Deevey
Cc: sunmanagers@sunmanagers.org
Subject: RE: PART SUMMARY: cannot change user password



Barry,

Yes, most certainly....in particular the lines that end with

"/usr/lib/security/$ISA/pam_unix.so.1"

$ISA is going to determine the configuration of the kernel, i.e. which
mode you're running (32/64-bit).  This most likely gets executed in the
postinstall script, which is broken in this particular pam patch.

I'm assuming that the script looks at isainfo -kv (or is it isacfg?).  If
it finds sparcv9, it will replace $ISA with sparcv9.  If not, it removes
"$ISA/" from the absolute path.

So the lines should read....

*running a 32-bit kernel*

/usr/lib/security/pam_unix.so.1

*running a 64-bit kernel*

/usr/lib/security/sparcv9/pam_unix.so.1

As always, absolute pathnames are obviously more secure in any
configuration file.  So maybe Sun was trying to fix-up the pam.conf file
for security purposes.  Last I checked there weren't any subdirectories in
/usr/lib/security other than "sparcv9" for 64-bit Solaris.

If you look at the PAM modules in

/usr/lib/security, they are:

ELF 32-bit MSB dynamic lib SPARC Version 1, dynamically linked, not
stripped

/usr/lib/security/sparcv9, they are:

ELF 64-bit MSB dynamic lib SPARCV9 Version 1, dynamically linked, not
stripped

Hope this helps!

Ryan

On Wed, 30 Jun 2004, Barry Deevey wrote:

> Hi Ryan,
>
> The differences aren't huge, so I've listed them below:
>
> [root] ls -l pam*
> -rw-r--r--   1 root     sys         2410 Jun 30 16:15 pam.conf
> -rw-------   1 root     other       2410 Jun 30 16:05 pam.conf.300604
> -rw-r--r--   1 root     sys         2072 Jan  5  2001 pam.conf.pre108993-36
> [root] diff pam.conf pam.conf.pre108993-36
> 11,14c11,12
> < login auth requisite          pam_authtok_get.so.1
> < login auth required           pam_dhkeys.so.1
> < login auth required           pam_unix_auth.so.1
> < login auth required           pam_dial_auth.so.1
> ---
> > login auth required   /usr/lib/security/$ISA/pam_unix.so.1
> > login auth required   /usr/lib/security/$ISA/pam_dial_auth.so.1
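
Review bot: The `<` lines here come from pam.conf, the first file on the diff command line above, so the bare module names (pam_authtok_get.so.1, pam_dhkeys.so.1, pam_unix_auth.so.1) are the file that was in place when this listing was taken, and the /usr/lib/security/$ISA/ paths belong to pam.conf.pre108993-36. Read the remaining hunks with that direction in mind, and confirm that each bare name on the `<` side exists as a file under /usr/lib/security and, for 64-bit callers, under /usr/lib/security/sparcv9.
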
> 16,19c14,15
> < rlogin  auth sufficient       pam_rhosts_auth.so.1
> < rlogin        auth requisite          pam_authtok_get.so.1
> < rlogin        auth required           pam_dhkeys.so.1
> < rlogin        auth required           pam_unix_auth.so.1
> ---
> > rlogin  auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
> > rlogin        auth required   /usr/lib/security/$ISA/pam_unix.so.1
> 21,23c17
> < dtlogin       auth requisite          pam_authtok_get.so.1
> < dtlogin       auth required           pam_dhkeys.so.1
> < dtlogin       auth required           pam_unix_auth.so.1
> ---
> > dtlogin       auth required   /usr/lib/security/$ISA/pam_unix.so.1
> 25,29c19,20
> < rsh   auth sufficient         pam_rhosts_auth.so.1
> < rsh   auth required           pam_unix_auth.so.1
> < other auth requisite          pam_authtok_get.so.1
> < other auth required           pam_dhkeys.so.1
> < other auth required           pam_unix_auth.so.1
> ---
> > rsh   auth required   /usr/lib/security/$ISA/pam_rhosts_auth.so.1
> > other auth required   /usr/lib/security/$ISA/pam_unix.so.1
> 33,35c24,26
> < login account requisite               pam_roles.so.1
> < login account required                pam_projects.so.1
> < login account required                pam_unix_account.so.1
> ---
> > login account requisite       /usr/lib/security/$ISA/pam_roles.so.1
> > login account required        /usr/lib/security/$ISA/pam_projects.so.1
> > login account required        /usr/lib/security/$ISA/pam_unix.so.1
> 37,39c28,30
> < dtlogin       account requisite               pam_roles.so.1
> < dtlogin       account required                pam_projects.so.1
> < dtlogin       account required                pam_unix_account.so.1
> ---
> > dtlogin       account requisite
> /usr/lib/security/$ISA/pam_roles.so.1
> > dtlogin       account required
> /usr/lib/security/$ISA/pam_projects.so.1
> > dtlogin       account required
/usr/lib/security/$ISA/pam_unix.so.1
> 41,43c32,34
> < other account requisite               pam_roles.so.1
> < other account required                pam_projects.so.1
> < other account required                pam_unix_account.so.1
> ---
> > other account requisite       /usr/lib/security/$ISA/pam_roles.so.1
> > other account required        /usr/lib/security/$ISA/pam_projects.so.1
> > other account required        /usr/lib/security/$ISA/pam_unix.so.1
> 47c38
> < other session required                pam_unix_session.so.1
> ---
> > other session required        /usr/lib/security/$ISA/pam_unix.so.1
> 51,57c42,43
> < other password required               pam_dhkeys.so.1
> < other password requisite              pam_authtok_get.so.1
> < other password requisite              pam_authtok_check.so.1
> < other password required               pam_authtok_store.so.1
> < dtsession     auth requisite          pam_authtok_get.so.1
> < dtsession     auth required           pam_dhkeys.so.1
> < dtsession     auth required           pam_unix_auth.so.1
> ---
> > other password required       /usr/lib/security/$ISA/pam_unix.so.1
> > dtsession auth required       /usr/lib/security/$ISA/pam_unix.so.1
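
Review bot: On the `<` side at lines 51-54 the `other password` stack depends on four separate modules, two of them requisite, where the `>` side had a single pam_unix.so.1 entry, so one missing or unloadable file among pam_dhkeys.so.1, pam_authtok_get.so.1, pam_authtok_check.so.1 and pam_authtok_store.so.1 is enough to fail every password change that uses this stack. Before editing pam.conf, list those four files in the module directory and check that they are all present and came from the same patch level.
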
> 61,75c47,54
> < #rlogin       auth optional           pam_krb5.so.1 try_first_pass
> < #login        auth optional           pam_krb5.so.1 try_first_pass
> < #dtlogin      auth optional           pam_krb5.so.1 try_first_pass
> < #other        auth optional           pam_krb5.so.1 try_first_pass
> < #dtlogin      account optional        pam_krb5.so.1
> < #other        account optional        pam_krb5.so.1
> < #other        session optional        pam_krb5.so.1
> < #other        password optional       pam_krb5.so.1 try_first_pass
> < passwd        auth required           pam_passwd_auth.so.1
> < ppp   auth requisite          pam_authtok_get.so.1
> < ppp   auth required           pam_dhkeys.so.1
> < ppp   auth required           pam_unix_auth.so.1
> < ppp   auth required           pam_dial_auth.so.1
> < cron  account required                pam_unix_account.so.1
> < #cron account optional                pam_krb5.so.1
> ---
> > #rlogin       auth optional   /usr/lib/security/$ISA/pam_krb5.so.1
> try_first_s
> > #login        auth optional   /usr/lib/security/$ISA/pam_krb5.so.1
> try_first_s
> > #dtlogin      auth optional   /usr/lib/security/$ISA/pam_krb5.so.1
> try_first_s
> > #other        auth optional   /usr/lib/security/$ISA/pam_krb5.so.1
> try_first_s
> > #dtlogin      account optional /usr/lib/security/$ISA/pam_krb5.so.1
> > #other        account optional /usr/lib/security/$ISA/pam_krb5.so.1
> > #other        session optional /usr/lib/security/$ISA/pam_krb5.so.1
> > #other        password optional /usr/lib/security/$ISA/pam_krb5.so.1
> try_firss
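
Review bot: Lines 69-74 on the `<` side (passwd auth, ppp auth, cron account) have no counterpart on the `>` side, so copying pam.conf.pre108993-36 back over pam.conf removes those service entries and leaves passwd, ppp and cron to the `other` entries. The `>` lines also end in `try_first_s` and `try_firss`, which looks like the output was cut at the terminal width, so compare the two files again with a wider display before relying on those option names.
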
> [root]
>
> Can you spot anything obvious?
>
> -----Original Message-----
> From: krenzischek@Encompasserve.org
> [mailto:krenzischek@Encompasserve.org]
> Sent: 30 June 2004 16:47
> To: Barry Deevey
> Subject: Re: PART SUMMARY: cannot change user password
>
>
>
> Barry,
>
> What did the diffs look like from the pam.conf files?  I'm curious as to
> what change caused the problem.
>
> Regards,
>
> Ryan
>
> On Wed, 30 Jun 2004, Barry Deevey wrote:
>
> > Thanks to Alan Fox who replied to say that he had the same thing happen
> > after applying the latest patch cluster and the fix was to put the original
> > pam.conf file back.  This resolved the problem, but he did note that Casper
> > would probably not approve of the fix and that I should investigate it
> > further.  I'll do this when I get a little more time.
> >
> > Thanks again for all your help, it's much appreciated.
> >
> > Cheers,
> > Barry.
> >
> > p.s. Apologies to Lars for spelling his surname wrong!
> >
> >
> > -----Original Message-----
> > From: sunmanagers-bounces@sunmanagers.org
> > [mailto:sunmanagers-bounces@sunmanagers.org]On Behalf Of Barry Deevey
> > Sent: 30 June 2004 15:49
> > To: sunmanagers@sunmanagers.org
> > Subject: PART SUMMARY: cannot change user password
> >
> >
> > Hi all,
> >
> > Many thanks to Vinnie German, Angelos Kanellopoulos, Lars Heckling, Jordan
> > Klein, Rob McDonnell, G Hackett & Saran Nanjappan for their (extremely
> > quick!) replies.
> >
> > I'm not running NIS or rpc.yppasswd, but from the various suggestions I was
> > sent the only thing that worked was to use
> > 'passwd -r files "user_account"' as root, and then run pwconv.  This allowed
> > me to change the password for the user.
> >
> > As I tried out the other suggestions I noticed that the problem was
> > happening with all users (including root) and the above was the only way I
> > could change the password for any accounts.
> >
> > I think even though my initial problem has been resolved, there may still be
> > an underlying issue as passwd <user> still does not work.
> >
> > Thanks again.
> >
> > Barry.
> >
> > -----Original Message-----
> > From: sunmanagers-bounces@sunmanagers.org
> > [mailto:sunmanagers-bounces@sunmanagers.org]On Behalf Of Barry Deevey
> > Sent: 30 June 2004 15:16
> > To: sunmanagers@sunmanagers.org
> > Subject: cannot change user password
> >
> >
> > Hi all,
> >
> > I'm running Solaris 8 patched up to the latest recommended cluster on a
> > Sunfire V120.  I've added a user:
> >
> > useradd -u 615 -g 101 -d /home/myuser -s /usr/bin/bash myuser
> >
> > But I cannot change the password as root or myuser as it just returns
> > permission denied.
> >
> > I've removed the *LK* from /etc/shadow but it made no difference.
> >
> > I've tested this on another V120 and it works fine, but I cannot see any
> > obvious difference between the two servers.
> >
> > Apologies for this post, but I've googled and searched through Sun docs and
> > they all seem to refer to LDAP, which we're not running.
> >
> > Any replies are much appreciated.
> >
> > Thanks,
> > Barry.
> > _______________________________________________
> > sunmanagers mailing list
> > sunmanagers@sunmanagers.org
> > http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Wed Jun 30 15:46:31 2004
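
A check that follows from the module path discussion in this thread, as an added example that is not part of the original messages: it resolves every module entry in a pam.conf for 32-bit and 64-bit callers and lists the entries whose file does not exist. The function names, the ROOT prefix and the sample tree are constructed for illustration, and it assumes bare module names are looked up under /usr/lib/security and that $ISA is either empty or "sparcv9".

```shell
#!/bin/sh
# Added example: list pam.conf entries whose module file is missing.
# Assumptions: bare module names live under /usr/lib/security, and $ISA is
# "" for 32-bit callers or "sparcv9" for 64-bit callers, as in the thread.
MODDIR=/usr/lib/security

# resolve_module MODULE ISA -> path the module entry points at
resolve_module() {
    case $1 in
        /*) printf '%s\n' "$1" | sed 's|\$ISA/|'"${2:+$2/}"'|' ;;
        *)  printf '%s\n' "$MODDIR/${2:+$2/}$1" ;;
    esac
}

# check_pam_conf CONF ROOT ISA -> "service type path" for each missing module
# ROOT is prepended to every path so a copied tree can be checked offline.
check_pam_conf() {
    grep -v '^[[:space:]]*#' "$1" | while read -r svc type ctrl mod opts; do
        [ -n "$mod" ] || continue
        path=$(resolve_module "$mod" "$3")
        [ -f "$2$path" ] || printf '%s %s %s\n' "$svc" "$type" "$path"
    done
}

# make_sample DIR -> constructed pam.conf and module tree (not from the thread)
make_sample() {
    mkdir -p "$1$MODDIR/sparcv9"
    for m in pam_authtok_get pam_authtok_store pam_unix; do
        : > "$1$MODDIR/$m.so.1"            # 32-bit modules present
    done
    : > "$1$MODDIR/sparcv9/pam_unix.so.1"  # only one 64-bit module present
    cat > "$1/pam.conf" <<'EOF'
# constructed sample mixing both entry styles from the diff
other   password requisite  pam_authtok_get.so.1
other   password required   pam_authtok_store.so.1
login   auth required       /usr/lib/security/$ISA/pam_unix.so.1
passwd  auth required       pam_passwd_auth.so.1
EOF
}

tmp=$(mktemp -d) && make_sample "$tmp"
echo "missing for 32-bit callers:"; check_pam_conf "$tmp/pam.conf" "$tmp" ""
echo "missing for 64-bit callers:"; check_pam_conf "$tmp/pam.conf" "$tmp" sparcv9
rm -rf "$tmp"
```

On a live system, pass the real /etc/pam.conf with an empty ROOT; an entry reported for one ISA but not the other points at a module that exists in only one of the two directories.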
