cancel
Showing results for 
Search instead for 
Did you mean: 

NIS password change issues

NIS password change issues

Yesterday it was brought to my attention that my users can no longer change their passwords. This is obviously a "bad thing"(tm).

When I try to change my password on a workstation (normal user account) I get this:

mezz@daisy:~$ passwd
Changing password for mezz on NIS server
Old NIS password:
New password:
Re-enter new password:
pam_chauthtok: System error
mezz@daisy:~$


if I use yppasswd the output is the same except the pam line is not there.

Even though `yppasswd` isn't throwing an error, it still isn't working. I've done everything I can think of short of rebooting the server. Perhaps if the labs clear out sometime today I will try that too.

help!

-paul
21 REPLIES
Jeff Machols
Esteemed Contributor

Re: NIS password change issues

couple things, first make sure there are no "commented" fields in the passwd file. You can't do this

user1:dldld:101:101
#user2:dkldsjf:201:101

also, check permissions of /etc/NIS/passwd and make sure its -rw-r--r--

Re: NIS password change issues

I sent a copy of this by mistake to the DB category, I am re-posting this to the SA category too. (at least it can be argued that it is a DB issue being an NIS problem :)

sorry guys.
Sanjay_6
Honored Contributor

Re: NIS password change issues

Hi,

Create a /etc/shells file. Use "man shells" for more info. you should have all the shells with their absolute pathnames specified in this file.

Hope this helps.

Regds

Re: NIS password change issues

Jeff:

Nothing commented out (just checked to be sure)
passwd was set to 444 so I 644'd it and the problem remains.

Sanjay:

It is all set up like that (I use "/usr/local/bin/bash" for my users)


Thanks for the try guys.. any other ideas?

-paul
Sanjay_6
Honored Contributor

Re: NIS password change issues

Hi,

Here is another try,

http://us-support.external.hp.com/cki/bin/doc.pl/sid=5a2f36d315945a4a74/screen=ckiDisplayDocument?docId=200000024613880

I would say the 2nd option is more probable,

quote //

2. Make sure /etc/ptmp does not exist. (This is a lockfile used by rpc.yppasswdd BEFORE it will do a ypmake, if it exists already no ypmake will occur.)

//unquote

Hope this helps.

Regds

Re: NIS password change issues

Shiju: I did some google searches yesterday when this issue first came to my attention and I did get that page back as a hit.

I'm not very pam savvy. I have no real idea how it works. The error I'm getting isn't listed or even mentioned on that page (or any other pages I can find).

I wish I got something like "PAM_TRY_AGAIN" so I would at least know the error was pam.conf. Of course I get the errors that don't get any google hits. :)

hmmm, that page says that pam_chauthtok "performs a preliminary check before attempting to update passwords".

Does anyone know what these checks are? Perhaps I have some sort of system service tied down too tight so its failing a check. (but then according to the www page it would reply with try_again and not a system error)

::sigh::
-paul

Re: NIS password change issues

Sanjay:

/etc/ptmp does not exist. Real bummer too because that would be a great solution :)

You did make me think of one interesting thing. I use `make` and not `ypmake` to manually push my map changes out. If memory serves the previous sysadmin modified make so it would push out auto.direct along with auto.master. If I try `ypmake` after an auto.direct change it does not push that map (or even acknowlege it). I have no idea if this is even relevent to my problem, but the makes came up so I decided it is worth a shot to mention.

-paul
Jeff Machols
Esteemed Contributor

Re: NIS password change issues

one of the checks is to make sure the login is in wtmp, thats why you can't do a passwd from remsh, because it doesn't put an entry in wtmp. You have to be able to do who and see your terminal (/dev/ttyX) for that login
Helen French
Honored Contributor

Re: NIS password change issues

Hi,

Did you check 'man pam.conf' ? Can you post your /etc/pam.conf file ?

HTH,
Shiju
Life is a promise, fulfill it!
Sanjay_6
Honored Contributor

Re: NIS password change issues

Re: NIS password change issues

Jeff:

I'm not sure if this is or is not an issue when the users are setting their first initial password. It won't let me change my password either so I don't think its an issue (I show up in `who`).

Shiju:

Its the standard hp-ux 11.i pam.conf file but I'll post it anyway. Its small enough that I think a direct cut/paste will work (vs attachment)

#
# PAM Configuration
#
# Account Management
#
dtaction account required /usr/lib/security/libpam_unix.1
dtlogin account required /usr/lib/security/libpam_unix.1
ftp account required /usr/lib/security/libpam_unix.1
login account required /usr/lib/security/libpam_unix.1
su account required /usr/lib/security/libpam_unix.1
OTHER account required /usr/lib/security/libpam_unix.1
#
# Authentication Management
#
dtaction auth required /usr/lib/security/libpam_unix.1
dtlogin auth required /usr/lib/security/libpam_unix.1
ftp auth required /usr/lib/security/libpam_unix.1
login auth required /usr/lib/security/libpam_unix.1
su auth required /usr/lib/security/libpam_unix.1
OTHER auth required /usr/lib/security/libpam_unix.1
#
# Password Management
#
dtaction password required /usr/lib/security/libpam_unix.1
dtlogin password required /usr/lib/security/libpam_unix.1
login password required /usr/lib/security/libpam_unix.1
passwd password required /usr/lib/security/libpam_unix.1
OTHER password required /usr/lib/security/libpam_unix.1
#
# Session Management
#
dtaction session required /usr/lib/security/libpam_unix.1
dtlogin session required /usr/lib/security/libpam_unix.1
login session required /usr/lib/security/libpam_unix.1
OTHER session required /usr/lib/security/libpam_unix.1


That is a cut/paste from the server. Interestingly enough the workstations seem to have a different pam.conf file from the server. Here is one from a workstation:

#
# PAM configuration
#
# Authentication management
#
login auth required /usr/lib/security/libpam_unix.1
su auth required /usr/lib/security/libpam_unix.1
dtlogin auth required /usr/lib/security/libpam_unix.1
dtaction auth required /usr/lib/security/libpam_unix.1
ftp auth required /usr/lib/security/libpam_unix.1
OTHER auth required /usr/lib/security/libpam_unix.1
#
# Account management
#
login account required /usr/lib/security/libpam_unix.1
su account required /usr/lib/security/libpam_unix.1
dtlogin account required /usr/lib/security/libpam_unix.1
dtaction account required /usr/lib/security/libpam_unix.1
ftp account required /usr/lib/security/libpam_unix.1
#
OTHER account required /usr/lib/security/libpam_unix.1
#
# Session management
#
login session required /usr/lib/security/libpam_unix.1
dtlogin session required /usr/lib/security/libpam_unix.1
dtaction session required /usr/lib/security/libpam_unix.1
OTHER session required /usr/lib/security/libpam_unix.1
#
# Password management
#
login password required /usr/lib/security/libpam_unix.1
passwd password required /usr/lib/security/libpam_unix.1
dtlogin password required /usr/lib/security/libpam_unix.1
dtaction password required /usr/lib/security/libpam_unix.1
OTHER password required /usr/lib/security/libpam_unix.1




I have no idea if that could cause any issues, but at least I finally found something promising :)

-paul

Re: NIS password change issues

Sanjay:

That is how I've been changing passwords for my users. I'm in an academic environment and I need to change passwords for around 30 people at a time (whenever a class comes in for the first time).

As you can probably guess, thats not much fun. I would love for them to do it themselves (just like the previous quarters) :)

-paul
Sanjay_6
Honored Contributor

Re: NIS password change issues

Hi Paul,

Consider this patch,

http://us-support.external.hp.com/wpsl/bin/doc.pl/screen=wpslDisplayPatch/sid=e558db18020646469a?PACH_NAM=PHCO_25527&HW=s800&OS=11.00

You can also consider patching your system with some other latest patches.

Hope this helps.

Regds
Jeff Machols
Esteemed Contributor

Re: NIS password change issues

run the tty command at the promt and make sure you get a valid tty. if you don't that could be why the who isn't working. If you can't do a who | grep TTY (tty that shows up from the tty command) then you will not be able to run the passwd command
Ajay Sishodia
Frequent Advisor

Re: NIS password change issues

Paul,

what OS version is your master NIS server? Also on the master can you make changes to password map and do a 'make'? see if it pushs the new map out with the change(s).

regards
Ajay

Re: NIS password change issues

Sanjay:

I'll see if that patch does anything.

I've been trying to keep up with all the patches and I think I'm doing a not-so-bad job.

Ajay:

I can make changes on the master and implement/push them sucessfully

Servers are j5000 boxes, clients are either B1000 or C240
everything runs 11.i

Jeff:

tty is valid (/dev/pts/1 for the box I just checked)
Sanjay_6
Honored Contributor

Re: NIS password change issues

Hi Paul,

Was this working earlier ?. If so, do you remeber any changes that you might have made since the last time it worked and now ?.

Regds
Ajay Sishodia
Frequent Advisor

Re: NIS password change issues

Paul,

Did you try stoping/starting nis server and client on the nis master??

# /sbin/init.d/nis.client stop
# /sbin/init.d/nis.master stop

# /sbin/init.d/nis.master start
# /sbin/init.d/nis.client start


Assuming all your clients point to a slave server.

Ajay

Re: NIS password change issues

Sanjay:

It was working around a month ago (known for a fact). Lots of little things have changed and the only thing I can think of that would even semi-relate to this is that I added a slave server and I did various tie-downs of network services to our subnet only.


Ajay:

Yep... tried that, no change :(

Re: NIS password change issues

FIXED!

I decided to bite the bullet and reinstall the master/client combo via SAM on the master server.
That solved all my NIS problems. I'm not sure what bit got flicked but whatever it was, it caused havoc with my NIS setup.

Thanks for the help and great ideas guys.

Now I gotta work on the other problems... ::sigh::

-paul