[lug] NIS hang
Daniel Webb
lists at danielwebb.us
Mon Jan 15 16:12:55 MST 2007
On Sat, Jan 13, 2007 at 12:59:36PM -0600, Hugh Brown wrote:
> Yep, that's why sysadmins have jobs and no hair. I don't know the
> calling order of the resolver libraries and pam. I do know that even
> with files listed first (and with nis or ldap listed second), that pam
> can mess things up. So I'd try and make sure pam is straightened out
> pam has always felt like voodoo which can be poked and made to work, but
> I've often worried that I'm exposing myself unnecessarily and that if I
> really understood pam, that I could do amazing things.
I tracked this down further with a strace of "su" as a normal user. When
nsswitch has "files" only, it looks for /etc/shadow, gets permission denied,
then goes ahead and asks for the password. When nsswitch has "files nis", it
looks for /etc/shadow, gets permission denied, then does a NIS lookup for the
shadow password. I'm not sure what's happening to ignore the failed open of
/etc/shadow in the no-NIS case. I don't even know if this is correct
behavior. I have found that it actually does give me root eventually; the
timeout is several minutes.