Possible bug in PAM pam-0.99.8.1 regarding password changing

Hello all,


I ran into problems when using the "requisite" keyword with password
changing modules. I reduced my problem to a very simple stack which only
involves 2 instances of pam_debug, to make it easier to understand:

password   requisite   pam_debug.so prechauthtok=success chauthtok=authtok_err
password   sufficient  pam_debug.so prechauthtok=success chauthtok=success

This accurately describes the current situation I am having with two pam
modules (pam_krb5 and pam_smbpass). The first module is failing in the
change phase because the new password does not satisfy a given policy
(similar to cracklib policies). Nevertheless, the output for `passwd` as
a user is:

decoder@myserver ~ $ passwd
prechauthtok=success
prechauthtok=success
chauthtok=authtok_err
chauthtok=success
passwd: Authentication token manipulation error


As you can see, the second chauthtok is still returning success here,
although it shouldn't even get called at all! (because of requisite).
This essentially causes my password databases to go out of sync because
PAM does not stop although it is told to stop on failure with the
requisite keyword.

System Information:

OS: Gentoo Linux
Installed PAM version: pam-0.99.8.1-r1 provided by Gentoo portage

If anyone could verify this behavior, and, if this is not a problem on
my side, tell me if this is supposed to happen or not, that would help
me a lot.


Best regards and thanks in advance,


Chris

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
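
Added example, not part of the original post and not Linux-PAM code: a toy Python model of the two-line pam_debug stack above. It compares the call sequence the poster expected, where `requisite` is evaluated on every pass, with a hypothetical dispatcher that reuses the preliminary-pass decisions during the update pass. That second model is an assumption which reproduces the posted output; all function names are made up for this illustration.

```python
# Toy model of a PAM "password" stack (illustration only, not Linux-PAM code).
# STACK is the stack from the post, with the wrapped first entry on one line.
STACK = """\
password   requisite   pam_debug.so prechauthtok=success chauthtok=authtok_err
password   sufficient  pam_debug.so prechauthtok=success chauthtok=success
"""

# Module output lines as quoted in the post.
OBSERVED = ["prechauthtok=success", "prechauthtok=success",
            "chauthtok=authtok_err", "chauthtok=success"]

def parse_stack(text):
    """Return [(control_flag, {pam_debug option: value})] for password lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "password":
            opts = dict(f.split("=", 1) for f in fields[3:] if "=" in f)
            entries.append((fields[1], opts))
    return entries

def run_pass(entries, phase, decide_on=None):
    """Call each module for `phase`; control flags act on `decide_on` results."""
    trace, failed = [], False
    for control, opts in entries:
        trace.append(f"{phase}={opts.get(phase, 'success')}")
        ok = opts.get(decide_on or phase, "success") == "success"
        failed = failed or (not ok and control in ("required", "requisite"))
        if (control == "requisite" and not ok) or \
           (control == "sufficient" and ok and not failed):
            break
    return trace, failed

def expected_trace(entries):
    """Poster's expectation: control flags are evaluated freshly on each pass."""
    prelim, failed = run_pass(entries, "prechauthtok")
    return prelim if failed else prelim + run_pass(entries, "chauthtok")[0]

def replay_trace(entries):
    """Assumed model: the update pass reuses the preliminary-pass decisions."""
    prelim, failed = run_pass(entries, "prechauthtok")
    update, _ = run_pass(entries, "chauthtok", decide_on="prechauthtok")
    return prelim if failed else prelim + update

if __name__ == "__main__":
    stack = parse_stack(STACK)
    print("expected:", expected_trace(stack))
    print("replay matches posted output:", replay_trace(stack) == OBSERVED)
```

Under the expected semantics the second module's `chauthtok` never runs, so only the first database would be touched; the replay model shows the extra `chauthtok=success` call that leaves two password stores out of sync.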
