There is a shadow password file for the groups file (/etc/gshadow) as well as for the password file. The clue for me was that the password field in /etc/group is an 'x' just like in the password file. The default on my vanilla 8.0 box appears to lock the group password entries. So you were being kept out for not having the correct group password. When you changed the 'x' to '*' you removed the group shadow lookup. I suspect that removing the 'x' and leaving the field empty would have worked as well. I am a little hazy as to why the '*' would work. That string is supposed to be impossible to match with the crypt() call which I would have expected to lock the group also. Here is where I got most clues: http://www.todo.co.nz/howto/Shadow-Password-HOWTO.html#ss7.4 This document says that the gshadow password value should be '!' but on my system it isn't that way. I think Redhat has made some custom changes to the package. Hattie Rouge > -----Original Message----- > From: pam-list-admin@xxxxxxxxxx > [mailto:pam-list-admin@xxxxxxxxxx] On Behalf Of ahoward > Sent: Tuesday, May 20, 2003 11:12 AM > To: pam-list@xxxxxxxxxx > Subject: [FIXED] Re: [BUG?] RE: chmod 444 /etc/shadow > > > On Tue, 20 May 2003, ahoward wrote: > > if one changes the entry in /etc/group from > > shadow:x:4002:root,postgres > > to > > shadow:*:4002:root,postgres > > it all works. i have no idea what, or what a '*' password > means, but this seems like the ticket. > > -a > > > > > wtf? > > > > anyone got ideas? > > > > -a > > > > > > > > > > > > > Hattie Rouge > > > > > > > > > > -----Original Message----- > > > > From: pam-list-admin@xxxxxxxxxx > [mailto:pam-list-admin@xxxxxxxxxx] > > > > On Behalf Of ahoward > > > > Sent: Tuesday, May 20, 2003 10:20 AM > > > > To: pam-list@xxxxxxxxxx > > > > Subject: RE: chmod 444 /etc/shadow > > > > > > > > > > > > On Mon, 19 May 2003, Hattie Rouge wrote: > > > > > > > > > Have you run strace to see what it is doing when it reports > > > > the error? > > > > > > > > yes - wasn't alot of help: > > > > > > > > waiting for a connection... > > > > one came in, sent pasword prompt... > > > > > > > > --- SIGSTOP (Stopped (signal)) --- > > > > ) = 1 (in [3], left {251, 760000}) > > > > rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP ABRT BUS FPE SEGV CONT > > > > SYS], NULL, 8) = 0 > > > > accept(3, {sin_family=AF_INET, sin_port=htons(53949), > > > > sin_addr=inet_addr("137.75.132.144")}}, [16]) = 8 > > > > getsockname(8, {sin_family=AF_INET, sin_port=htons(5432), > > > > sin_addr=inet_addr("137.75.129.65")}}, [16]) = 0 > > > > setsockopt(8, SOL_TCP, TCP_NODELAY, [1], 4) = 0 > > > > setsockopt(8, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0 > > > > fork() = 11197 > > > > close(8) = 0 > > > > time(NULL) = 1053450868 > > > > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 > > > > select(5, [3 4], [], NULL, {246, 0}) = ? ERESTARTNOHAND > > > > (To be restarted) > > > > --- SIGCHLD (Child exited) --- > > > > > > > > > > > > this after password has been sent, strange that it > doesn't seem to > > > > do much? > > > > > > > > rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP ABRT BUS FPE SEGV CONT > > > > SYS], NULL, 8) = 0 > > > > wait4(-1, [WIFEXITED(s) && WEXITSTATUS(s) == 0], WNOHANG, > > > > NULL) = 11197 > > > > send(5, "\2\0\0\0\30\0\0\0\0\0\0\0\275+\0\0\0\0\0\0\0\0\0\0", > > > > 24, 0) = 24 > > > > wait4(-1, 0xbffff06c, WNOHANG, NULL) = 0 > > > > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 > > > > sigreturn() = ? (mask now []) > > > > rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP ABRT BUS FPE SEGV CONT > > > > SYS], NULL, 8) = 0 > > > > time(NULL) = 1053450868 > > > > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 > > > > select(5, [3 4], [], NULL, {246, 0}) = 1 (in [3], left > > > > {233, 800000}) > > > > rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP ABRT BUS FPE SEGV CONT > > > > SYS], NULL, 8) = 0 > > > > accept(3, {sin_family=AF_INET, sin_port=htons(53950), > > > > sin_addr=inet_addr("137.75.132.144")}}, [16]) = 8 > > > > getsockname(8, {sin_family=AF_INET, sin_port=htons(5432), > > > > sin_addr=inet_addr("137.75.129.65")}}, [16]) = 0 > > > > setsockopt(8, SOL_TCP, TCP_NODELAY, [1], 4) = 0 > > > > setsockopt(8, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0 > > > > fork() = 11198 > > > > close(8) = 0 > > > > time(NULL) = 1053450880 > > > > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 > > > > select(5, [3 4], [], NULL, {234, 0}) = ? ERESTARTNOHAND > > > > (To be restarted) > > > > --- SIGCHLD (Child exited) --- > > > > > > > > waiting for another connection... > > > > > > > > rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP ABRT BUS FPE SEGV CONT > > > > SYS], NULL, 8) = 0 > > > > wait4(-1, [WIFEXITED(s) && WEXITSTATUS(s) == 0], WNOHANG, > > > > NULL) = 11198 > > > > send(5, "\2\0\0\0\30\0\0\0\0\0\0\0\276+\0\0\0\0\0\0\0\0\0\0", > > > > 24, 0) = 24 > > > > wait4(-1, 0xbffff06c, WNOHANG, NULL) = 0 > > > > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 > > > > sigreturn() = ? (mask now []) > > > > rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP ABRT BUS FPE SEGV CONT > > > > SYS], NULL, 8) = 0 > > > > time(NULL) = 1053450883 > > > > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 > > > > select(5, [3 4], [], NULL, {231, 0} > > > > > > > > -a > > > > > > > > -- > > > > ==================================== > > > > | Ara Howard > > > > | NOAA Forecast Systems Laboratory > > > > | Information and Technology Services > > > > | Data Systems Group > > > > | R/FST 325 Broadway > > > > | Boulder, CO 80305-3328 > > > > | Email: ara.t.howard@xxxxxxxxxxxx > > > > | Phone: 303-497-7238 > > > > | Fax: 303-497-7259 > > > > ==================================== > > > > > > > > > > > > _______________________________________________ > > > > > > > > Pam-list@xxxxxxxxxx > > > > https://www.redhat.com/mailman/listinfo/pam-list > > > > > > > > > > > > > _______________________________________________ > > > > > > Pam-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/pam-> list > > > > > > > -- > > > ==================================== > > > | Ara Howard > > | NOAA Forecast Systems Laboratory > > | Information and Technology Services > > | Data Systems Group > > | R/FST 325 Broadway > > | Boulder, CO 80305-3328 > > | Email: ara.t.howard@xxxxxxxxxxxx > > | Phone: 303-497-7238 > > | Fax: 303-497-7259 > > ==================================== > > > > > > _______________________________________________ > > > > Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list > > > > -- > ==================================== > | Ara Howard > | NOAA Forecast Systems Laboratory > | Information and Technology Services > | Data Systems Group > | R/FST 325 Broadway > | Boulder, CO 80305-3328 > | Email: ara.t.howard@xxxxxxxxxxxx > | Phone: 303-497-7238 > | Fax: 303-497-7259 > ==================================== > > > _______________________________________________ > > Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list > _______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
