For those who did not get my email the first time....

To: Barry Deevey
Cc: sunmanagers@sunmanagers.org
Subject: RE: PART SUMMARY: cannot change user password

Barry,

Yes, most certainly....in particular the lines that end with "/usr/lib/security/$ISA/pam_unix.so.1"

$ISA is going to determine the configuration of the kernel, i.e. which mode you're running (32/64-bit). This most likely gets executed in the postinstall script, which is broken in this particular pam patch. I'm assuming that the script looks at isainfo -kv (or is it isacfg?). If it finds sparcv9, it will replace $ISA with sparcv9. If not, it removes "$ISA/" from the absolute path.

So the lines should read....

*running a 32-bit kernel*
/usr/lib/security/pam_unix.so.1

*running a 64-bit kernel*
/usr/lib/security/sparcv9/pam_unix.so.1

As always, absolute pathnames are obviously more secure in any configuration file. So maybe Sun was trying to fix-up the pam.conf file for security purposes. Last I checked there weren't any subdirectories in /usr/lib/security other than "sparcv9" for 64-bit Solaris.

If you look at the PAM modules in /usr/lib/security, they are:
ELF 32-bit MSB dynamic lib SPARC Version 1, dynamically linked, not stripped

/usr/lib/security/sparcv9, they are:
ELF 64-bit MSB dynamic lib SPARCV9 Version 1, dynamically linked, not stripped

Hope this helps!
Ryan

On Wed, 30 Jun 2004, Barry Deevey wrote:

> Hi Ryan,
>
> The differences aren't huge, so I've listed them below:
>
> [root] ls -l pam*
> -rw-r--r-- 1 root sys 2410 Jun 30 16:15 pam.conf
> -rw------- 1 root other 2410 Jun 30 16:05 pam.conf.300604
> -rw-r--r-- 1 root sys 2072 Jan 5 2001 pam.conf.pre108993-36
> [root] diff pam.conf pam.conf.pre108993-36
> 11,14c11,12 > < login auth requisite pam_authtok_get.so.1 > < login auth required pam_dhkeys.so.1 > < login auth required pam_unix_auth.so.1 > < login auth required pam_dial_auth.so.1 > --- > > login auth required /usr/lib/security/$ISA/pam_unix.so.1 > > login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 > 16,19c14,15 > < rlogin auth sufficient pam_rhosts_auth.so.1 > < rlogin auth requisite pam_authtok_get.so.1 > < rlogin auth required pam_dhkeys.so.1 > < rlogin auth required pam_unix_auth.so.1 > --- > > rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1 > > rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 > 21,23c17 > < dtlogin auth requisite pam_authtok_get.so.1 > < dtlogin auth required pam_dhkeys.so.1 > < dtlogin auth required pam_unix_auth.so.1 > --- > > dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 > 25,29c19,20 > < rsh auth sufficient pam_rhosts_auth.so.1 > < rsh auth required pam_unix_auth.so.1 > < other auth requisite pam_authtok_get.so.1 > < other auth required pam_dhkeys.so.1 > < other auth required pam_unix_auth.so.1 > --- > > rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1 > > other auth required /usr/lib/security/$ISA/pam_unix.so.1 > 33,35c24,26 > < login account requisite pam_roles.so.1 > < login account required pam_projects.so.1 > < login account required pam_unix_account.so.1 > --- > > login account requisite /usr/lib/security/$ISA/pam_roles.so.1 > > login account required /usr/lib/security/$ISA/pam_projects.so.1 > > login account required /usr/lib/security/$ISA/pam_unix.so.1 > 37,39c28,30 > < dtlogin account requisite pam_roles.so.1 
> < dtlogin account required pam_projects.so.1 > < dtlogin account required pam_unix_account.so.1 > --- > > dtlogin account requisite > /usr/lib/security/$ISA/pam_roles.so.1 > > dtlogin account required > /usr/lib/security/$ISA/pam_projects.so.1 > > dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1 > 41,43c32,34 > < other account requisite pam_roles.so.1 > < other account required pam_projects.so.1 > < other account required pam_unix_account.so.1 > --- > > other account requisite /usr/lib/security/$ISA/pam_roles.so.1 > > other account required /usr/lib/security/$ISA/pam_projects.so.1 > > other account required /usr/lib/security/$ISA/pam_unix.so.1 > 47c38 > < other session required pam_unix_session.so.1 > --- > > other session required /usr/lib/security/$ISA/pam_unix.so.1 > 51,57c42,43 > < other password required pam_dhkeys.so.1 > < other password requisite pam_authtok_get.so.1 > < other password requisite pam_authtok_check.so.1 > < other password required pam_authtok_store.so.1 > < dtsession auth requisite pam_authtok_get.so.1 > < dtsession auth required pam_dhkeys.so.1 > < dtsession auth required pam_unix_auth.so.1 > --- > > other password required /usr/lib/security/$ISA/pam_unix.so.1 > > dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1 > 61,75c47,54 > < #rlogin auth optional pam_krb5.so.1 try_first_pass > < #login auth optional pam_krb5.so.1 try_first_pass > < #dtlogin auth optional pam_krb5.so.1 try_first_pass > < #other auth optional pam_krb5.so.1 try_first_pass > < #dtlogin account optional pam_krb5.so.1 > < #other account optional pam_krb5.so.1 > < #other session optional pam_krb5.so.1 > < #other password optional pam_krb5.so.1 try_first_pass > < passwd auth required pam_passwd_auth.so.1 > < ppp auth requisite pam_authtok_get.so.1 > < ppp auth required pam_dhkeys.so.1 > < ppp auth required pam_unix_auth.so.1 > < ppp auth required pam_dial_auth.so.1 > < cron account required pam_unix_account.so.1 > < #cron account optional pam_krb5.so.1 
> --- > > #rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 > try_first_s > > #login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 > try_first_s > > #dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 > try_first_s > > #other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 > try_first_s > > #dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1 > > #other account optional /usr/lib/security/$ISA/pam_krb5.so.1 > > #other session optional /usr/lib/security/$ISA/pam_krb5.so.1 > > #other password optional /usr/lib/security/$ISA/pam_krb5.so.1 > try_firss
> [root]
>
> Can you spot anything obvious?
>
> -----Original Message-----
> From: krenzischek@Encompasserve.org
> [mailto:krenzischek@Encompasserve.org]
> Sent: 30 June 2004 16:47
> To: Barry Deevey
> Subject: Re: PART SUMMARY: cannot change user password
>
> Barry,
>
> What did the diffs look like from the pam.conf files? I'm curious as to
> what change caused the problem.
>
> Regards,
>
> Ryan
>
> On Wed, 30 Jun 2004, Barry Deevey wrote:
>
> > Thanks to Alan Fox who replied to say that he had the same thing happen
> > after applying the latest patch cluster and the fix was to put the original
> > pam.conf file back. This resolved the problem, but he did note that Casper
> > would probably not approve of the fix and that I should investigate it
> > further. I'll do this when I get a little more time.
> >
> > Thanks again for all your help, it's much appreciated.
> >
> > Cheers,
> > Barry.
> >
> > p.s. Apologies to Lars for spelling his surname wrong!
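Review bot: the `other password` stack in hunk 51,57c42,43 is the change closest to the reported passwd failure and should be checked on its own rather than only the `$ISA` lines. Because the command is `diff pam.conf pam.conf.pre108993-36`, the `<` side is the current file: it lists four bare-named modules (pam_dhkeys.so.1, pam_authtok_get.so.1, pam_authtok_check.so.1, pam_authtok_store.so.1) where the pre-patch file had the single line `other password required /usr/lib/security/$ISA/pam_unix.so.1`. Before putting the old file back wholesale, confirm that each of those four modules is present and readable on the affected host and compare the result with the working V120.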
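Review bot: in hunk 61,75c47,54 the `>` lines for pam_krb5.so.1 end in `try_first_s` and `try_firss`, so the pasted output was cut off and those lines cannot be compared reliably; rerun the diff into a file and post that instead. The same hunk shows active `passwd auth`, `ppp` and `cron` entries on the `<` side with no counterpart in pam.conf.pre108993-36, so restoring the old file drops them, which is worth recording next to the fix.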
> >
> > -----Original Message-----
> > From: sunmanagers-bounces@sunmanagers.org
> > [mailto:sunmanagers-bounces@sunmanagers.org]On Behalf Of Barry Deevey
> > Sent: 30 June 2004 15:49
> > To: sunmanagers@sunmanagers.org
> > Subject: PART SUMMARY: cannot change user password
> >
> > Hi all,
> >
> > Many thanks to Vinnie German, Angelos Kanellopoulos, Lars Heckling, Jordan
> > Klein, Rob McDonnell, G Hackett & Saran Nanjappan for their (extremely
> > quick!) replies.
> >
> > I'm not running NIS or rpc.yppasswd, but from the various suggestions I was
> > sent the only thing that worked was to use
> > 'passwd -r files "user_account"' as root, and then run pwconv. This allowed
> > me to change the password for the user.
> >
> > As I tried out the other suggestions I noticed that the problem was
> > happening with all users (including root) and the above was the only way I
> > could change the password for any accounts.
> >
> > I think even though my initial problem has been resolved, there may still be
> > an underlying issue as passwd <user> still does not work.
> >
> > Thanks again.
> >
> > Barry.
> >
> > -----Original Message-----
> > From: sunmanagers-bounces@sunmanagers.org
> > [mailto:sunmanagers-bounces@sunmanagers.org]On Behalf Of Barry Deevey
> > Sent: 30 June 2004 15:16
> > To: sunmanagers@sunmanagers.org
> > Subject: cannot change user password
> >
> > Hi all,
> >
> > I'm running solaris 8 patched up to the latest recommended cluster on a
> > Sunfire V120. I've added a user:
> >
> > useradd -u 615 -g 101 -d /home/myuser -s /usr/bin/bash myuser
> >
> > But I cannot change the password as root or myuser as it just returns
> > permission denied.
> >
> > I've removed the *LK* from /etc/shadow but it made no difference.
> >
> > I've tested this on another V120 and it works fine, but I cannot see any
> > obvious difference between the two servers.
> >
> > Apologies for this post, but I've googled and searched through sun docs and
> > they all seem to refer to LDAP, which we're not running.
> >
> > Any replies are much appreciated.
> >
> > Thanks,
> > Barry.
> > _______________________________________________
> > sunmanagers mailing list
> > sunmanagers@sunmanagers.org
> > http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Wed Jun 30 15:46:31 2004
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:34 EST
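
Ryan's reply gives the two paths a `$ISA` entry should end up as (with and without `sparcv9`). The script below is an added example, not part of the thread or of any Sun tool: it expands `$ISA` both ways for every active pam.conf entry and reports modules that are not on disk. It assumes, per pam.conf(4), that a bare module name is looked up under /usr/lib/security/$ISA/; the function names and the sample tree are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report pam.conf entries whose module
# file is absent once $ISA is expanded. Function names are hypothetical.

# resolve_module MODULE ISA: print the absolute path an entry refers to.
# ISA is "" for a 32-bit caller or "sparcv9" for a 64-bit one.
resolve_module() {
    mod=$1; isa=$2
    case $mod in
        /*) ;;                                      # absolute path, keep
        *)  mod="/usr/lib/security/\$ISA/$mod" ;;   # relative: pam.conf(4) default
    esac
    if [ -n "$isa" ]; then
        printf '%s\n' "$mod" | sed 's|\$ISA|'"$isa"'|'
    else
        printf '%s\n' "$mod" | sed 's|\$ISA/||'     # 32-bit: token and slash vanish
    fi
}

# missing_modules CONF ISA ROOT: print "service type path" for every active
# entry whose module is not a regular file under ROOT (ROOT="" on a live host).
missing_modules() {
    conf=$1; isa=$2; root=$3
    # Fields: service  module_type  control_flag  module_path  [options]
    grep -v '^[[:space:]]*#' "$conf" | while read -r svc type flag mod opts; do
        [ -n "$mod" ] || continue
        path=$(resolve_module "$mod" "$isa")
        [ -f "$root$path" ] || printf '%s %s %s\n' "$svc" "$type" "$path"
    done
}

# Constructed sample: entries modelled on the diff in the thread, checked
# against a scratch tree that holds only the 32-bit pam_unix.so.1.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/security/sparcv9"
    : > "$root/usr/lib/security/pam_unix.so.1"
    cat > "$root/pam.conf" <<'EOF'
# constructed sample
other   password required   /usr/lib/security/$ISA/pam_unix.so.1
other   password requisite  pam_authtok_check.so.1
#other  password optional   pam_krb5.so.1 try_first_pass
EOF
    missing_modules "$root/pam.conf" "" "$root"
    missing_modules "$root/pam.conf" sparcv9 "$root"
    rm -rf "$root"
}
demo
```
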