Paul Nicholas Faure wrote:
>
> I set up NIS on a few systems, with one NIS server. Everything works fine
> except for passwords that expire.
> On the server (does not use NIS), passwords expire properly, users can
> no longer log in.
> On the clients, users can log in after their password has expired.
>
> I was told that this sounds like a PAM problem.
> Here is my /etc/pam.d/login file:
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_pwdb.so shadow nullok
> auth required /lib/security/pam_nologin.so
> account required /lib/security/pam_unix.so
> password required /lib/security/pam_cracklib.so
> password required /lib/security/pam_pwdb.so shadow nullok
> session required /lib/security/pam_pwdb.so
> session optional /lib/security/pam_console.so
>
> Documentation tells me that 'account' is the pam type that does password
> aging. I have tried to replace /lib/security/pam_unix.so with
> /lib/security/pam_unix_acct.so and /lib/security/pam_pwdb.so with no
> luck.

Expiration time is stored in /etc/shadow, not /etc/passwd.
The problem with exporting/rebuilding /etc/shadow over NIS is that
shadow itself has no UID record; in the end all records must be
exported, including root's!
The default setting of ypserver on RH 6.x is to "merge" /etc/passwd
fields + /etc/shadow password field only.

But even after exporting shadows over NIS, /lib/libpwdb does not
seem to check the expire time field in NIS shadow.

--
+---| Netscape Communicator 4.x |---| Powered by Linux 2.2.x |---+
|/v\ Agus Budy Wuysang                   MIS Department          |
| |  Phone: +62-21-344-1316 ext 317  GSM: +62-816-1972-051       |
+--------| http://www.rad.net.id/users/personal/s/supes |--------+
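
Added example (not part of the original message, and not code from ypserv, PAM or libpwdb): a small Python model of the "merge" described in the reply, showing that a map built from the passwd fields plus the shadow password field has no place for the aging fields, so the same user is expired on the server but looks fine from the merged entry. The sample records, function names and the simplified aging check are assumptions made for illustration.

```python
# Constructed sample records (not from the original thread).
PASSWD = "alice:x:1001:100:Alice:/home/alice:/bin/bash"
SHADOW = "alice:$1$constructed$hash:10900:0:30:7:::"

# shadow(5) field order; day counts are days since 1970-01-01.
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn",
          "inactive", "expire", "flag")

def parse_shadow(line):
    """Split a shadow(5) line into a dict; empty aging fields become None."""
    parts = line.rstrip("\n").split(":")
    parts += [""] * (len(FIELDS) - len(parts))
    entry = dict(zip(FIELDS, parts))
    for key in FIELDS[2:8]:
        entry[key] = int(entry[key]) if entry[key] else None
    return entry

def merge_for_nis(passwd_line, shadow_entry):
    """Model of the merge: passwd fields plus the shadow password field only."""
    fields = passwd_line.rstrip("\n").split(":")
    fields[1] = shadow_entry["hash"]
    return ":".join(fields)

def client_view(merged_line):
    """What a client can rebuild from the merged map: name and hash, no aging."""
    name, pw_hash = merged_line.split(":")[:2]
    return parse_shadow(f"{name}:{pw_hash}")

def account_state(entry, today):
    """Simplified aging check over shadow fields (today = days since epoch)."""
    if entry["expire"] is not None and today >= entry["expire"]:
        return "account_expired"
    if entry["lastchg"] == 0:
        return "password_expired"   # forced change at next login
    if entry["lastchg"] is not None and entry["max"] is not None:
        age = today - entry["lastchg"]
        if entry["inactive"] is not None and age > entry["max"] + entry["inactive"]:
            return "password_inactive"
        if age > entry["max"]:
            return "password_expired"
    return "ok"

if __name__ == "__main__":
    today = 11000  # constructed date: 2000-02-13
    server = parse_shadow(SHADOW)
    merged = merge_for_nis(PASSWD, server)
    print("server:", account_state(server, today))
    print("client:", account_state(client_view(merged), today))
```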