How to use passwd to change password of a non-local/NIS user

I would like to change the password of a non-local or NIS user using the passwd binary. When I attempt to change the user I get:

passwd: Sorry, `passwd' can only change passwords for local or NIS users.

I haven't seen passwd complain like this since the early AIX days. Is there an approved way of doing this without having to overwrite the passwd binary with a home-grown script like I have seen for LDAP users?
 
In this particular case the users all reside in Active Directory. What doesn't make sense is that passwd is supposed to be PAM aware, yet it puts a restriction on what the user source must be. Isn't the purpose of being PAM aware to allow the end user to configure their PAM stack according to their needs?
 
I think you should read passwd(1) a bit more thoroughly because it explains quite a bit about the process. It makes it quite clear that passwd is focused on locally stored passwords:

Code:
     The passwd utility has built-in support for NIS.  If a user exists in the
     NIS password database but does not exist locally, passwd automatically
     switches into yppasswd mode.  If the specified user does not exist in
     either the local password database or the NIS password maps, passwd
     returns an error.
This makes me conclude that passwd definitely has its limitations. This is also illustrated in the section which explains Kerberos:

Code:
     To change another user's Kerberos password, one must first run kinit(1)
     followed by passwd.  The super-user is not required to provide a user's
     current password if only the local password is modified.

What doesn't make sense is that passwd is supposed to be PAM aware, yet it puts a restriction on what the user source must be.
To my understanding PAM is all about authentication, not necessarily password management. This is strongly hinted at if you read pam(3) and pam.conf(5).

passwd is capable of using the PAM framework to make sure that the user has the required privileges it needs to utilize it, but it doesn't use that framework to actually manage the password database(s). See also /etc/pam.d/passwd:

Code:
# passwd(1) does not use the auth, account or session services.

# password
#password       requisite       pam_passwdqc.so         enforce=users
password        required        pam_unix.so             no_warn try_first_pass nullok

Isn't the purpose of being PAM aware to allow the end user to configure their PAM stack according to their needs?
I'm definitely not an expert on PAM but if I check pam(3) then I come across this:
Code:
   Password Management
     The pam_chauthtok() function allows the server to change the user's
     password, either at the user's request or because the password has
     expired.
If you then look into pam_chauthtok(3) you'll see that this routine only seems to be used to make sure that the user authentication remains in sync with the framework; nowhere does it mention anything about actually performing the change in password.

It clearly states that it is the server which changes the password, but never mentions that this operation is performed through the PAM framework, making me conclude that it is the server which changes the password and then has to ensure that PAM is aware and the session stays valid.

This is backed up by pam(3) which states that the definition for 'the server' is:

Code:
     In PAM parlance, the application that uses PAM to authenticate a user is
     the server, and is identified for configuration purposes by a service
     name, which is often (but not necessarily) the program name.
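As an added illustration of the /etc/pam.d/passwd policy quoted above (example code, not from the thread or from FreeBSD), a small parser for pam.d-style policy files that reports what the password stack contains and whether it can reach anything other than the local or NIS password database; SAMPLE_POLICY is a constructed copy of the quoted file.

```python
"""Parse a pam.d-style PAM policy and inspect its password-management stack."""
from dataclasses import dataclass, field


@dataclass
class PamEntry:
    service_type: str               # auth, account, session or password
    control: str                    # required, requisite, sufficient, optional, binding
    module: str                     # module path or name, e.g. pam_unix.so
    options: list = field(default_factory=list)


# Constructed copy of the /etc/pam.d/passwd policy quoted in the thread,
# with the line-wrapped "nullok" option restored.
SAMPLE_POLICY = """\
# passwd(1) does not use the auth, account or session services.

# password
#password       requisite       pam_passwdqc.so         enforce=users
password        required        pam_unix.so             no_warn try_first_pass nullok
"""


def parse_pam_policy(text):
    """Return the active entries of a pam.d-style policy.

    Comments and commented-out rules are dropped, and a backslash at the end
    of a line joins it with the next one before the fields are split."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed policy line: %r" % line)
        entries.append(PamEntry(fields[0], fields[1], fields[2], fields[3:]))
    return entries


def password_stack(entries):
    """Only the 'password' service type takes part in pam_chauthtok()."""
    return [e for e in entries if e.service_type == "password"]


def only_local_backend(entries):
    """True when pam_unix is the only module in the password stack, i.e. the
    service can update nothing but the local or NIS password database, which
    is the situation behind the passwd(1) refusal discussed in the thread."""
    stack = password_stack(entries)
    return bool(stack) and all(e.module.startswith("pam_unix") for e in stack)
```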