Aurelien Jarno wrote:
Wouldn't it be possible to also use Kerberos for shadow information, as it is actually where the encrypted passwords are stored?
Kerberos doesn't necessarily have the information in its database, and the protocol provides no way to pass the information around.
If that's the model -- that it's permissible for there not to be shadow data -- then yes, the Hesiod code is okay and this is a pam bug... Other nsswitch modules provide both interfaces, because there is actually a shadow database. Hesiod does not provide a shadow database. The only thing that can be done is to provide functions that will always return an error. Not sure it is really useful.
Ken