Tomas Mraz wrote:
> On Wed, 2007-08-22 at 12:40 +0300, Vassilis Vatikiotis wrote:
>>
>>>> And the compat option is not for NIS lookups, it works with
>>>> every other service, too.
>> Right, I didn't know that. Good to know.
>>
>>>> What you mean is, that the +::::: notation in passwd/shadow files
>>>> was used in libc5 without NYS to support NIS,
>> Yes, you put it much better.... my powers of expressiveness in English are
>> lacking, I'm afraid
>>
>> I was using the compat option with the + notation in my /etc files but I
>> was under the impression that since the compat option was "outdated", it
>> was a good thing to change it. The "files nis" in nsswitch.conf works,
>> meaning that lookups, local and NIS, work but still there is this
>> problem. Why, after a successful "files" lookup, the control doesn't
>> return to the caller function and goes on initiating a conversation with
>> the NIS server? Don't know if that conversation is a lookup or something
>> else to be honest.
> There might be for example lookup for some group which is non-existent
> in local /etc/group. Do you have pam_access.so in the pam configs? Or
> pam_limits.so? And if yes what are the contents of access.conf and
> limits.conf?
>

Unfortunately that's not the case. The machine allows only root to ssh
to it (via pam_localuser.so), all other system accounts are locked. root
belongs only to local group 0 and it's the only account which is allowed
to ssh to that machine. No pam_access.so in the pam limits. pam_limits.so
is used but the limits.conf is all commented out.

pam conf for ssh follows along with the common-* files

# PAM configuration for the Secure Shell service
auth       required     pam_env.so # [1]
auth       required     pam_env.so envfile=/etc/default/locale
auth       required     pam_localuser.so
@include common-auth
account    required     pam_nologin.so
@include common-account
@include common-session
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
# NB Everything is commented out in /etc/security/limits.conf (my comment)
@include common-password

===========> common-account file
account    required     pam_warn.so
account    required     pam_unix.so

==============> common-auth file
auth       required     pam_warn.so
auth       required     pam_unix.so nullok_secure debug

===============> common-password file
password   required     pam_cracklib.so retry=3 minlen=6 difok=3
password   required     pam_unix.so use_authtok nullok md5

===============> common-session file
session    required     pam_unix.so

===============> and finally the nsswitch.conf
passwd:         files [success=return] nis
group:          files [success=return] nis
shadow:         files [success=return] nis

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

There are no +/- entries in the NIS client passwd/group/shadow files.

PS. SuSE uses pam_unix or pam_unix2? Cause *it seems* that SuSE behaves
as I expect (control returns on successful local lookup). I'll fire a VM
and test it.

thx again
vassilis
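Added example, not part of the original message: a small Python evaluator for the nsswitch.conf posted above, showing which services a lookup walks through when "files" reports success or notfound. It assumes glibc's default actions (success=return, everything else continue); the names parse and services_consulted are hypothetical, and NSSWITCH is constructed from the file in the message.

```python
import re

# glibc defaults applied to a service with no [STATUS=ACTION] block
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

# Constructed sample: lines copied from the nsswitch.conf in the message
NSSWITCH = """\
passwd: files [success=return] nis
group: files [success=return] nis
shadow: files [success=return] nis
hosts: files dns
netgroup: nis
"""

def parse(text):
    """Return {database: [(service, actions), ...]} in lookup order."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, rest = line.partition(":")
        chain = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
            if not tok.startswith("["):
                chain.append((tok, dict(DEFAULT_ACTIONS)))
                continue
            # An action block modifies the service named just before it
            for item in tok[1:-1].split():
                status, _, action = item.lower().partition("=")
                if status.startswith("!"):  # every status except this one
                    for s in chain[-1][1]:
                        if s != status[1:]:
                            chain[-1][1][s] = action
                else:
                    chain[-1][1][status] = action
        table[db.strip()] = chain
    return table

def services_consulted(table, db, status_of):
    """Walk a database's chain; status_of maps service -> reported status."""
    asked = []
    for service, actions in table[db]:
        asked.append(service)
        if actions[status_of.get(service, "notfound")] == "return":
            break
    return asked
```

With this file, a group found in /etc/group stops at "files", a group missing locally continues to "nis", and any netgroup lookup goes to "nis" directly. The parsed actions for "files [success=return]" are identical to the defaults.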