[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#566844: libc6 causing "Authentication service cannot retrieve authentication info"

On Fri, Feb 12, 2010 at 09:21:59AM -0500, root wrote:
> On Fri, 12 Feb 2010, Aurelien Jarno wrote:
>
>> root a écrit :
>>> Is more information needed from me?  Or is there anything I can do to
>>> expedite this bug fix?  I've got 138 machines in an unstable state because
>>> I can't do updates on them because of this libc6 issue.  If there is
>>> anything that I can do, please let me know.
>>>
>>
>> I have to say I am out of idea. I am only able to reproduce the
>> behaviour you observed when using adjunct passwords (this is actually
>> what the security issue fixed), but at the same time you told me you are
>> not using adjunct passwords.
>
> Well, I decided to do some searching around in hopes of coming up with  
> some new ideas. I've never used adjunct passwords before, so I never  
> really knew what they were.  After doing some research online, do adjunct 
> passwords mean that you put a "##username" in the passwd file for each of 
> the users?  If so, I think that might be the problem.  We use a custom  
> PAM authentication module that we wrote to do a special type of kerberos  
> authentication.  And our passwd file contains the special kerberos  
> principal in the "password field", so for instance, our users would have  
> passwd entries like this:
>   username1:##ABC12:123:100:Name:/home/dir1:/bin/tcsh
>   username2:##CAB21:124:100:Name:/home/dir2:/bin/tcsh
>   username3:##I#XYZ12:125:100:Name:/home/dir3:/bin/tcsh
>   username4:##E#ZYX21:125:100:Name:/home/dir4:/bin/tcsh
> We use the "##" to determine whether or not we should use our  
> authentication module or not.  Is the new libc6 just looking for the "##" 
> in the beginning and using that to determine whether or not the passwd  
> file is using adjunct passwords or not?  If so, is there any other way to 
> determine adjunct passwords because I'm guessing that, that must be  
> causing the problem.  In other words, the new libc6 is seeing our special 
> password entries and simply removing them.
>

Yes, the new glibc only looks for the "##" at the beginning of the 
passwd entry to detect the adjunct passwords. Actually this part hasn't
changed in the new glibc, it's only the corresponding action that has
changed. Before it was doing a new query to the NIS server to get the 
adjunct password and merge it. With the new version merges a 'x' 
instead, as the real merge is now done in the shadow part.

So even before it seems your system was doing a lot of useless NIS
requests to the server, even though it harms less than in the current
status.

I will look if the adjunct password detection can be improved.

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net
Reply to: