You are not logged in.

#1 2022-09-07 10:30:47

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 1,932
Website

[SOLVED] Cannot change password of local users

I just stumbled over this:

$ LANG=C passwd surcam
passwd: User not known to the underlying authentication module
passwd: password unchanged

I created the user like so:

# useradd -mUrG sftponly surcam

On the machine I also use OpenLDAP for user authentication:

$ cat /etc/nsswitch.conf
# Name Service Switch configuration file.
# See nsswitch.conf(5) for details.

passwd: files ldap mymachines systemd
group: files ldap mymachines systemd
shadow: files ldap

publickey: files

hosts: files mymachines myhostname resolve [!UNAVAIL=return] dns
networks: files

protocols: files
services: files
ethers: files
rpc: files

netgroup: files

Is there a way to tell passwd to use the shadow database?
I tried

# LANG=C passwd surcam -r shadow
passwd: repository shadow not supported

and

# LANG=C passwd surcam -r /etc/shadow
passwd: repository /etc/shadow not supported

to no avail.
The user is there:

$ cat /etc/passwd
root:x:0:0::/root:/bin/bash
bin:x:1:1::/:/sbin/nologin
daemon:x:2:2::/:/sbin/nologin
mail:x:8:12::/var/spool/mail:/sbin/nologin
ftp:x:14:11::/srv/ftp:/sbin/nologin
http:x:33:33::/srv/http:/sbin/nologin
nobody:x:65534:65534:Nobody:/:/sbin/nologin
dbus:x:81:81:System Message Bus:/:/sbin/nologin
systemd-journal-remote:x:982:982:systemd Journal Remote:/:/sbin/nologin
systemd-network:x:981:981:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:980:980:systemd Resolver:/:/sbin/nologin
systemd-timesync:x:979:979:systemd Time Synchronization:/:/sbin/nologin
systemd-coredump:x:978:978:systemd Core Dumper:/:/sbin/nologin
uuidd:x:68:68::/:/sbin/nologin
dnsmasq:x:977:977:dnsmasq daemon:/:/sbin/nologin
ldap:x:439:439:LDAP Server:/var/lib/openldap:/sbin/nologin
macreg:x:976:976:MAC address registering web application user:/:/sbin/nologin
nslcd:x:146:146::/var/run/nslcd:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
mysql:x:974:974:MariaDB:/var/lib/mysql:/sbin/nologin
phpmyadmin:x:973:972::/:/bin/bash
minecraft:x:972:971::/srv/minecraft:/bin/bash
umurmur:x:970:970::/:/usr/bin/nologin
ddnss:x:969:969::/home/ddnss:/bin/bash
git:x:968:968:git daemon user:/:/usr/bin/git-shell
ntp:x:87:87:Network Time Protocol:/var/lib/ntp:/bin/false
cacti:x:967:967:Cacti user:/:/usr/bin/nologin
radiusd:x:966:966:radius daemon:/var/lib/radiusd:/usr/bin/nologin
omada:x:965:965:Omada Controller user:/var/lib/omada-controller:/usr/bin/nologin
postfix:x:73:73::/var/spool/postfix:/usr/bin/nologin
avahi:x:963:963:Avahi mDNS/DNS-SD daemon:/:/usr/bin/nologin
polkitd:x:102:102:PolicyKit daemon:/:/usr/bin/nologin
tss:x:962:962:tss user for tpm2:/:/usr/bin/nologin
clamav:x:64:64:Clam AntiVirus:/:/usr/bin/nologin
named:x:40:40:BIND DNS Server:/:/usr/bin/nologin
colord:x:961:961:Color management daemon:/var/lib/colord:/usr/bin/nologin
systemd-oom:x:959:959:systemd Userspace OOM Killer:/:/usr/bin/nologin
mongodb:x:958:958::/var/lib/mongodb:/usr/bin/nologin
rpcuser:x:34:34:RPC Service User:/var/lib/nfs:/usr/bin/nologin
surcam:x:1000:1000::/home/surcam:/bin/bash
$ grep surcam /etc/shadow
surcam:!:19242:0:99999:7:::

I also tried

$ ldappasswd surcam
SASL/SCRAM-SHA-512 authentication started
Please enter your password: 
ldap_sasl_interactive_bind: Invalid credentials (49)
	additional info: SASL(-13): user not found: no secret in database

which is to be expected, as it is not an LDAP user.
There is also no UID clash between the LDAP and passwd users, as the LDAP users start at UID 2000.

Also:

# LANG=C passwd surcam -r files
passwd: User not known to the underlying authentication module
passwd: password unchanged

PAM config:

$ grep -r . /etc/pam.d/ 
/etc/pam.d/system-local-login:#%PAM-1.0
/etc/pam.d/system-local-login:auth      include   system-login
/etc/pam.d/system-local-login:account   include   system-login
/etc/pam.d/system-local-login:password  include   system-login
/etc/pam.d/system-local-login:session   include   system-login
/etc/pam.d/system-login:#%PAM-1.0
/etc/pam.d/system-login:auth       required   pam_shells.so
/etc/pam.d/system-login:auth       requisite  pam_nologin.so
/etc/pam.d/system-login:auth       include    system-auth
/etc/pam.d/system-login:account    required   pam_access.so
/etc/pam.d/system-login:account    required   pam_nologin.so
/etc/pam.d/system-login:account    include    system-auth
/etc/pam.d/system-login:password   include    system-auth
/etc/pam.d/system-login:session    optional   pam_loginuid.so
/etc/pam.d/system-login:session    optional   pam_keyinit.so       force revoke
/etc/pam.d/system-login:session    include    system-auth
/etc/pam.d/system-login:session    optional   pam_motd.so
/etc/pam.d/system-login:session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
/etc/pam.d/system-login:-session   optional   pam_systemd.so
/etc/pam.d/system-login:session    required   pam_env.so           user_readenv=1
/etc/pam.d/other:#%PAM-1.0
/etc/pam.d/other:auth      required   pam_deny.so
/etc/pam.d/other:auth      required   pam_warn.so
/etc/pam.d/other:account   required   pam_deny.so
/etc/pam.d/other:account   required   pam_warn.so
/etc/pam.d/other:password  required   pam_deny.so
/etc/pam.d/other:password  required   pam_warn.so
/etc/pam.d/other:session   required   pam_deny.so
/etc/pam.d/other:session   required   pam_warn.so
/etc/pam.d/su:#%PAM-1.0
/etc/pam.d/su:auth            sufficient      pam_rootok.so
/etc/pam.d/su:# Uncomment the following line to implicitly trust users in the "wheel" group.
/etc/pam.d/su:#auth           sufficient      pam_wheel.so trust use_uid
/etc/pam.d/su:# Uncomment the following line to require a user to be in the "wheel" group.
/etc/pam.d/su:#auth           required        pam_wheel.so use_uid
/etc/pam.d/su:auth            required        pam_unix.so
/etc/pam.d/su:account         required        pam_unix.so
/etc/pam.d/su:session	        required        pam_unix.so
/etc/pam.d/su:password        include         system-auth
/etc/pam.d/userdel:#%PAM-1.0
/etc/pam.d/userdel:auth		sufficient	pam_rootok.so
/etc/pam.d/userdel:auth		required	pam_unix.so
/etc/pam.d/userdel:account		required	pam_unix.so
/etc/pam.d/userdel:session		required	pam_unix.so
/etc/pam.d/userdel:password	required	pam_permit.so
/etc/pam.d/useradd:#%PAM-1.0
/etc/pam.d/useradd:auth		sufficient	pam_rootok.so
/etc/pam.d/useradd:auth		required	pam_unix.so
/etc/pam.d/useradd:account		required	pam_unix.so
/etc/pam.d/useradd:session		required	pam_unix.so
/etc/pam.d/useradd:password	required	pam_permit.so
/etc/pam.d/chfn:#%PAM-1.0
/etc/pam.d/chfn:auth            sufficient      pam_rootok.so
/etc/pam.d/chfn:auth            required        pam_unix.so
/etc/pam.d/chfn:account         required        pam_unix.so
/etc/pam.d/chfn:session         required        pam_unix.so
/etc/pam.d/chfn:password        required        pam_permit.so
/etc/pam.d/sshd:#%PAM-1.0
/etc/pam.d/sshd:#auth     required  pam_securetty.so     #disable remote root
/etc/pam.d/sshd:auth      include   system-remote-login
/etc/pam.d/sshd:account   include   system-remote-login
/etc/pam.d/sshd:password  include   system-remote-login
/etc/pam.d/sshd:session   include   system-remote-login
/etc/pam.d/shadow:#%PAM-1.0
/etc/pam.d/shadow:auth		sufficient	pam_rootok.so
/etc/pam.d/shadow:auth		required	pam_unix.so
/etc/pam.d/shadow:account		required	pam_unix.so
/etc/pam.d/shadow:session		required	pam_unix.so
/etc/pam.d/shadow:password	required	pam_permit.so
/etc/pam.d/passwd:#%PAM-1.0
/etc/pam.d/passwd:password	sufficent	pam_ldap.so
/etc/pam.d/passwd:#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
/etc/pam.d/passwd:#password	required	pam_unix.so sha512 shadow use_authtok
/etc/pam.d/passwd:password	required	pam_unix.so sha512 shadow nullok
/etc/pam.d/vlock:#%PAM-1.0
/etc/pam.d/vlock:auth required pam_unix.so
/etc/pam.d/vlock:account required pam_unix.so
/etc/pam.d/vlock:password required pam_unix.so
/etc/pam.d/vlock:session required pam_unix.so
/etc/pam.d/newusers:#%PAM-1.0
/etc/pam.d/newusers:auth		sufficient	pam_rootok.so
/etc/pam.d/newusers:auth		required	pam_unix.so
/etc/pam.d/newusers:account		required	pam_unix.so
/etc/pam.d/newusers:session		required	pam_unix.so
/etc/pam.d/newusers:password 	required 	pam_unix.so sha512 shadow
/etc/pam.d/chpasswd:#%PAM-1.0
/etc/pam.d/chpasswd:auth		sufficient	pam_rootok.so
/etc/pam.d/chpasswd:auth		required	pam_unix.so
/etc/pam.d/chpasswd:account		required	pam_unix.so
/etc/pam.d/chpasswd:session		required	pam_unix.so
/etc/pam.d/chpasswd:password 	required 	pam_unix.so sha512 shadow
/etc/pam.d/su-l:#%PAM-1.0
/etc/pam.d/su-l:auth            sufficient      pam_rootok.so
/etc/pam.d/su-l:# Uncomment the following line to implicitly trust users in the "wheel" group.
/etc/pam.d/su-l:#auth           sufficient      pam_wheel.so trust use_uid
/etc/pam.d/su-l:# Uncomment the following line to require a user to be in the "wheel" group.
/etc/pam.d/su-l:#auth           required        pam_wheel.so use_uid
/etc/pam.d/su-l:auth            required        pam_unix.so
/etc/pam.d/su-l:account         required        pam_unix.so
/etc/pam.d/su-l:session	        required        pam_unix.so
/etc/pam.d/su-l:password        include         system-auth
/etc/pam.d/polkit-1:#%PAM-1.0
/etc/pam.d/polkit-1:auth       include      system-auth
/etc/pam.d/polkit-1:account    include      system-auth
/etc/pam.d/polkit-1:password   include      system-auth
/etc/pam.d/polkit-1:session    include      system-auth
/etc/pam.d/usermod:#%PAM-1.0
/etc/pam.d/usermod:auth		sufficient	pam_rootok.so
/etc/pam.d/usermod:auth		required	pam_unix.so
/etc/pam.d/usermod:account		required	pam_unix.so
/etc/pam.d/usermod:session		required	pam_unix.so
/etc/pam.d/usermod:password	required	pam_permit.so
/etc/pam.d/system-auth:#%PAM-1.0
/etc/pam.d/system-auth:auth       required                    pam_faillock.so      preauth
/etc/pam.d/system-auth:# Optionally use requisite above if you do not want to prompt for the password
/etc/pam.d/system-auth:# on locked accounts.
/etc/pam.d/system-auth:-auth      [success=2 default=ignore]  pam_systemd_home.so
/etc/pam.d/system-auth:auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
/etc/pam.d/system-auth:auth       [default=die]               pam_faillock.so      authfail
/etc/pam.d/system-auth:auth       optional                    pam_permit.so
/etc/pam.d/system-auth:auth       required                    pam_env.so
/etc/pam.d/system-auth:auth       required                    pam_faillock.so      authsucc
/etc/pam.d/system-auth:# If you drop the above call to pam_faillock.so the lock will be done also
/etc/pam.d/system-auth:# on non-consecutive authentication failures.
/etc/pam.d/system-auth:-account   [success=1 default=ignore]  pam_systemd_home.so
/etc/pam.d/system-auth:account    required                    pam_unix.so
/etc/pam.d/system-auth:account    optional                    pam_permit.so
/etc/pam.d/system-auth:account    required                    pam_time.so
/etc/pam.d/system-auth:-password  [success=1 default=ignore]  pam_systemd_home.so
/etc/pam.d/system-auth:password   required                    pam_unix.so          try_first_pass nullok shadow sha512
/etc/pam.d/system-auth:password   optional                    pam_permit.so
/etc/pam.d/system-auth:-session   optional                    pam_systemd_home.so
/etc/pam.d/system-auth:session    required                    pam_limits.so
/etc/pam.d/system-auth:session    required                    pam_unix.so
/etc/pam.d/system-auth:session    optional                    pam_permit.so
/etc/pam.d/system-remote-login:#%PAM-1.0
/etc/pam.d/system-remote-login:auth      include   system-login
/etc/pam.d/system-remote-login:account   include   system-login
/etc/pam.d/system-remote-login:password  include   system-login
/etc/pam.d/system-remote-login:session   include   system-login
/etc/pam.d/chgpasswd:#%PAM-1.0
/etc/pam.d/chgpasswd:auth		sufficient	pam_rootok.so
/etc/pam.d/chgpasswd:account		required	pam_permit.so
/etc/pam.d/chgpasswd:password	include		system-auth
/etc/pam.d/chage:#%PAM-1.0
/etc/pam.d/chage:auth		sufficient	pam_rootok.so
/etc/pam.d/chage:auth		required	pam_unix.so
/etc/pam.d/chage:account		required	pam_unix.so
/etc/pam.d/chage:session		required	pam_unix.so
/etc/pam.d/chage:password	required	pam_permit.so
/etc/pam.d/sudo:#%PAM-1.0
/etc/pam.d/sudo:auth		include		system-auth
/etc/pam.d/sudo:account		include		system-auth
/etc/pam.d/sudo:session		include		system-auth
/etc/pam.d/groupmems:#%PAM-1.0
/etc/pam.d/groupmems:auth		sufficient	pam_rootok.so
/etc/pam.d/groupmems:account		required	pam_permit.so
/etc/pam.d/groupmems:password	include		system-auth
/etc/pam.d/runuser-l:#%PAM-1.0
/etc/pam.d/runuser-l:auth    sufficient      pam_rootok.so
/etc/pam.d/runuser-l:session include         system-login
/etc/pam.d/groupmod:#%PAM-1.0
/etc/pam.d/groupmod:auth		sufficient	pam_rootok.so
/etc/pam.d/groupmod:auth		required	pam_unix.so
/etc/pam.d/groupmod:account		required	pam_unix.so
/etc/pam.d/groupmod:session		required	pam_unix.so
/etc/pam.d/groupmod:password	required	pam_permit.so
/etc/pam.d/system-services:#%PAM-1.0
/etc/pam.d/system-services:auth      sufficient  pam_permit.so
/etc/pam.d/system-services:account   include     system-auth
/etc/pam.d/system-services:session   optional    pam_loginuid.so
/etc/pam.d/system-services:session   required    pam_limits.so
/etc/pam.d/system-services:session   required    pam_unix.so
/etc/pam.d/system-services:session   optional    pam_permit.so
/etc/pam.d/system-services:session   required    pam_env.so
/etc/pam.d/runuser:#%PAM-1.0
/etc/pam.d/runuser:auth    sufficient      pam_rootok.so
/etc/pam.d/runuser:session include         system-login
/etc/pam.d/login:#%PAM-1.0
/etc/pam.d/login:auth       required     pam_securetty.so
/etc/pam.d/login:auth       requisite    pam_nologin.so
/etc/pam.d/login:auth       include      system-local-login
/etc/pam.d/login:account    include      system-local-login
/etc/pam.d/login:session    include      system-local-login
/etc/pam.d/login:password   include      system-local-login
/etc/pam.d/systemd-user:# Used by systemd --user instances.
/etc/pam.d/systemd-user:account  include system-login
/etc/pam.d/systemd-user:session  required pam_loginuid.so
/etc/pam.d/systemd-user:session  include system-login
/etc/pam.d/groupdel:#%PAM-1.0
/etc/pam.d/groupdel:auth		sufficient	pam_rootok.so
/etc/pam.d/groupdel:auth		required	pam_unix.so
/etc/pam.d/groupdel:account		required	pam_unix.so
/etc/pam.d/groupdel:session		required	pam_unix.so
/etc/pam.d/groupdel:password	required	pam_permit.so
/etc/pam.d/chsh:#%PAM-1.0
/etc/pam.d/chsh:auth            sufficient      pam_rootok.so
/etc/pam.d/chsh:auth            required        pam_unix.so
/etc/pam.d/chsh:account         required        pam_unix.so
/etc/pam.d/chsh:session         required        pam_unix.so
/etc/pam.d/chsh:password        required        pam_permit.so
/etc/pam.d/groupadd:#%PAM-1.0
/etc/pam.d/groupadd:auth		sufficient	pam_rootok.so
/etc/pam.d/groupadd:auth		required	pam_unix.so
/etc/pam.d/groupadd:account		required	pam_unix.so
/etc/pam.d/groupadd:session		required	pam_unix.so
/etc/pam.d/groupadd:password	required	pam_permit.so

The user accout itself "works":

# su surcam
[surcam@cshsrv root]$ id
uid=1000(surcam) gid=1000(surcam) Gruppen=1000(surcam),973(sftponly)
[surcam@cshsrv root]$ cd
[surcam@cshsrv ~]$ pwd
/home/surcam
[surcam@cshsrv ~]$ ls -la
insgesamt 20
drwx------  2 surcam surcam 4096  7. Sep 12:12 .
drwxr-xr-x 29 root   root   4096  7. Sep 12:12 ..
-rw-r--r--  1 surcam surcam   21  8. Jan 2022  .bash_logout
-rw-r--r--  1 surcam surcam   57  8. Jan 2022  .bash_profile
-rw-r--r--  1 surcam surcam  141  8. Jan 2022  .bashrc
[surcam@cshsrv ~]$ 

Solution
Found the culprit:

/etc/pam.d/passwd wrote:

#%PAM-1.0
password    sufficient    pam_ldap.so
#password    required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password    required    pam_unix.so sha512 shadow use_authtok
password    required    pam_unix.so sha512 shadow nullok

Thanks to vim for code highlighting.
I don't know whether I'd have caught this otherwise.

Last edited by schard (2022-09-07 12:31:57)

Offline

#2 2022-09-14 02:08:41

ectospasm
Member
Registered: 2015-08-28
Posts: 273

Re: [SOLVED] Cannot change password of local users

schard wrote:

Solution
Found the culprit:

/etc/pam.d/passwd wrote:

#%PAM-1.0
password    sufficient    pam_ldap.so
#password    required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password    required    pam_unix.so sha512 shadow use_authtok
password    required    pam_unix.so sha512 shadow nullok

Thanks to vim for code highlighting.
I don't know whether I'd have caught this otherwise.

Yeah, vim syntax highlighting has saved my ass numerous times.  Again, I'd recommend placing the solution at the top of your original post, this one is quite long to slog through with the solution at the bottom.

PS, I'm just replying here so these don't show up in the Unanswered topics section.

Offline

#3 2022-09-14 07:50:20

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 1,932
Website

Re: [SOLVED] Cannot change password of local users

I don't care what you would to. Usually the solution is found at the end of the thread after a more or less lengthy conversation with other users to troubleshoot the issue.
So the first place that I'd look for a solution is at the end of the thread.
Solved-thread bumpers like you make it harder to find the solution at the end.

Offline

Board footer

Powered by FluxBB