Hello all,

Short: does the STATUS=ACTION mechanism in nsswitch.conf work as intended?

Long: I'm trying to configure a NIS client so that it would allow local account logins via the 'files' database and network account logins via the 'nis' database in the nsswitch.conf file. So I've set up my nsswitch.conf like this:

    passwd: files [success=return] nis
    group: files [success=return] nis
    shadow: files [success=return] nis

The rule [success=return] is superfluous since 'return' is the default action on 'success' (according to the nsswitch.conf man page). But I want to enforce the 'return on success' behaviour just in case.

It works, local and network users can log in, but I notice this behaviour: whenever a local user tries to log in, NIS kicks in and several messages pass between the NIS client and server. Why does this happen? Local account logins are checked against the 'files' database in nsswitch.conf and since the default action (AND the [success=return] behaviour) is 'return', there shouldn't be any NIS lookups.

Why do I want to implement such an authentication behaviour? For conversation's sake assume that no NIS user is allowed to log in on the NIS client and only local users are allowed (pam_localuser etc., etc.). The problem arises when I try to install a firewall on that NIS client. Local logins (ssh'ing actually) fail because, instead of returning from a successful local 'files' lookup - just as 'files [success=return] nis' implies - the auth process continues with a NIS lookup. And at that point the firewall blocks it (I haven't set up rules for NIS yet, I just allow ssh).

Any answers are welcome since I've been banging my head on this for quite some time.

thx,
vassilis

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
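
The STATUS=ACTION rule the message asks about, modelled as an added example (not part of the original post and not glibc's code): it parses an nsswitch.conf line and lists which services one lookup reaches for a given per-service result. The helper names parse_line and services_consulted are hypothetical, the statuses and defaults are those documented in nsswitch.conf(5), and only the return and continue actions are modelled.

```python
import re

# Defaults from nsswitch.conf(5): stop on success, otherwise try the next service.
DEFAULTS = {"success": "return", "notfound": "continue",
            "unavail": "continue", "tryagain": "continue"}

def parse_line(line):
    """Parse 'db: svc [STATUS=ACTION ...] svc ...' into (db, [(svc, actions), ...])."""
    db, _, rest = line.split("#", 1)[0].partition(":")
    chain = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if not tok.startswith("["):
            chain.append((tok, dict(DEFAULTS)))     # new service, default actions
            continue
        if not chain:
            raise ValueError("action list must follow a service")
        for crit in tok[1:-1].split():
            status, _, action = crit.lower().partition("=")
            negate = status.startswith("!")
            status = status.lstrip("!")
            if status not in DEFAULTS or action not in ("return", "continue"):
                raise ValueError(f"unsupported criterion {crit!r}")
            # '!STATUS' applies the action to every status except STATUS.
            for s in DEFAULTS:
                if (s == status) != negate:
                    chain[-1][1][s] = action
    return db.strip(), chain

def services_consulted(chain, results):
    """Services queried, in order, for one lookup; results maps service -> status."""
    consulted = []
    for svc, actions in chain:
        consulted.append(svc)
        if actions[results[svc]] == "return":
            break
    return consulted

# Constructed sample: the passwd line from the post, and the same line without the rule.
_, EXPLICIT = parse_line("passwd: files [success=return] nis")
_, IMPLICIT = parse_line("passwd: files nis")

if __name__ == "__main__":
    cases = [("key found in files", {"files": "success"}),
             ("key absent from files", {"files": "notfound", "nis": "unavail"})]
    for label, results in cases:
        print(label, "->", services_consulted(EXPLICIT, results))
```

The model covers one lookup at a time; it does not say which databases or keys a particular login path requests.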