Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
2 votes, 1 answer, 2573 views
Samba 3.6.12 and NIS
We were able to use Samba and NIS with Samba 3.0.8 on Solaris 10 U5. When we updated the system to Solaris 10 U11, the Samba version became 3.6.12, and we are unable to authenticate the old way.
I did not include some parameters below (create directory mask, etc.).
Old `smb.conf`:
[global]
workgroup = WORKGROUPNAME
server string = Samba Server
security = SERVER
password server = dc6n, dc7n
username map = /etc/sfw/username.map
local master = No
dns proxy = No
wins server = dc6n, dc7n
kernel oplocks = No
host msdfs = No
map archive = No
oplocks = No
level2 oplocks = No
Old `nsswitch.conf`:
passwd files nis
hosts files nis
We tried to set the same configuration on Samba 3.6.12, but it did not work. So I decided to use `security = ADS` with Kerberos. This worked, but not the way we wanted, because only Windows domain users were able to log in and NIS users were not.
New `/etc/smb.conf`:
workgroup = WORKGROUPNAME
realm = domain.com
security = ADS
password server = dc6n.domain.com
utmp = Yes
idmap config *:backend = tdb
idmap config *:range = 5000-9999
idmap config NETADM:backend = tdb
idmap config NETADM:range = 10000-90000
idmap uid = 100000-500000
idmap gid = 100000-500000
template homedir = /home/%U
template shell = /bin/tcsh
winbind cache time = 1800
winbind enum users = No
winbind enum groups = No
winbind use default domain = Yes
winbind separator = /
create krb5 conf = No
local master = yes
domain login = yes
domain master = yes
preferred master = yes
New /etc/nsswitch.conf
passwd files winbind nis
hosts files winbind nis
New /etc/krb5.conf
[libdefaults]
domain.com = domain.com
dns_lookup_kdc = true
[realms]
symantec.local = {
kdc = dc6n.domain.com
admin_server = dc6n.domain.com
}
[domain_realm]
.domain.com = domain.com
I am able to get user info from AD and NIS with the `wbinfo` and `getent` commands.
How can we authenticate like old style again?
mr unix
(21 rep)
Jan 18, 2014, 09:26 AM
• Last activity: Jun 23, 2025, 07:06 AM
0 votes, 0 answers, 22 views
ypinit -m errors
I am trying to set up a ypmaster.
Step 1 cd /var/yp
At the start this was an EMPTY directory (important later)
Step 2, type: "/usr/lib64/yp/ypinit -m"
Now this directory has lots of files.
Step 3 I try to setup some files.
Step 4 Meaning: customize (Edit the files)
Step 5 - unsure at this stage
Goal was:
I wanted to disable YPPASSWD - we use AD
I wanted to disable YPGROUPs again we use AD
I do not want to use YP for these things.
Step 6 - intention was to
Just erase and make that directory empty again.
Then re-run: ypinit -m again?
And this is where I am stuck.
It does not create the "Makefile"
or the other files/directories.
I want to "reset" or "force" ypinit.
Since ypinit is a shellscript other potential issues may arise.
I do not see where the Makefile came from.
Any suggestions?
user3696153
(101 rep)
Mar 1, 2024, 12:24 AM
• Last activity: Mar 17, 2024, 03:21 PM
3 votes, 0 answers, 761 views
What's the sharenfs syntax for using a netgroup with ZFS on Linux?
I'm trying to set up an NFS share with a new ZFS dataset (pool/data) and trying to share using an existing netgroup (foogroup). Running Ubuntu 20.04 on both the NFS server side and client side, it works fine if I specify a host or IP subnet, but it fails silently if I try to use a netgroup. I know the underlying netgroup is working if I use /etc/exports instead of sharenfs. I used showmount -e to verify both methods /etc/exports (it correctly shows the netgroup) and sharenfs (does not show the netgroup).
Works:
```
cat /etc/exports
/export/ftp @foogroup(sync,rw)
# showmount -e
Export list for nfs_server:
/export/ftp @foogroup
```
Doesn't work w/ sharenfs (/etc/exports contents commented out):
```
# zfs set sharenfs="rw=@foogroup" pool/data
# showmount -e
Export list for nfs_server:
```
I did confirm pool/data has mountpoint property set to /export/ftp.
I did also confirm if I use IP subnet or hostname syntax works:
```
# zfs set sharenfs="rw=@10.10.10.0/24" pool/data
```
Hostname works too:
```
# zfs set sharenfs="rw=client" pool/data
# showmount -e
Export list for nfs_server:
/export/ftp client
```
Am I doing something wrong with the sharenfs syntax? Or is this a bug with ZFS on Linux's implementation of sharenfs? Thanks!
UPDATE: I stumbled upon an openzfs bug report () that provided an example of using a netgroup and the syntax is different. The exports man page just says to use netgroups, the syntax is "@group", but the bug report used "@@group" syntax. That worked!
qman777
(31 rep)
Jun 27, 2023, 03:42 AM
• Last activity: Jun 27, 2023, 05:06 PM
1 vote, 1 answer, 126 views
Some users (groups) cannot be deleted when using NIS to manage users in CentOS 7.5 cluster
The cluster master and computing nodes are using CentOS Linux release 7.5.1804 (Core). File `/etc/nsswitch.conf` contains
passwd: files nis sss
shadow: files nis sss
group: files nis sss
The output of `getent passwd -s nis` includes
u2:$1$GE2edQgf$UyXuGspuf5uwbp.zK91aH0:9002:9002::/data/home/geou2:/bin/csh
u3:$1$Ddytc7s0$5yPBahgmfVyaqC0.Bur1.1:9003:9003::/data/home/geou3:/bin/csh
u1:$1$3Z52ZIDu$Od.rfOebsXRxI.nrBut1G1:9001:9001::/data/home/geou1:/bin/csh
The output of `ypcat passwd` also includes
u2:$1$GE2edQgf$UyXuGspuf5uwbp.zK91aH0:9002:9002::/data/home/geou2:/bin/csh
u3:$1$Ddytc7s0$5yPBahgmfVyaqC0.Bur1.1:9003:9003::/data/home/geou3:/bin/csh
u1:$1$3Z52ZIDu$Od.rfOebsXRxI.nrBut1G1:9001:9001::/data/home/geou1:/bin/csh
I can use `su` to switch into these users:
$su u1
Password.
mkdir: cannot create directory '/data': Permission denied
Attempting to create directory /data/home/u1/perl5
mkdir /data: Permission denied at /usr/share/perl5/vendor_perl/local/lib.pm line 269.
BEGIN failed--compilation aborted.
[u1@mu01 /]$
But deleting and creating a user with the same name results in the following error:
# userdel u1
userdel: Unable to remove u1 from /etc/passwd
# useradd u1
useradd: user u1 already exists
There are no such users in `/etc/{passwd, shadow}`. (There are some corresponding groups where this is also the case.)
The computing nodes can't log in to the above users:
[user@cu01 ~]$ su u1
su: user u1 does not exist
Executing:
makedbm -u passwd.byname
makedbm -u passwd.byuid
makedbm -u group.byname
makedbm -u group.byuid
None of the above users (groups) appear.
Since I need to install some commercial software, the user name and group name must be preset.
How can I delete these users and groups? Thanks for your help!
Tried `cd /var/yp/; make`, no luck.
Jzsb
(21 rep)
May 15, 2023, 05:59 PM
• Last activity: May 16, 2023, 10:15 AM
0 votes, 0 answers, 100 views
Password Aging: Script
We have to implement password aging in our environment. I know that it is very much possible using chage and the shadow file.
But since our passwords are handled by NIS, we cannot use the chage method to implement password aging. I just wonder if I can write a script which checks the passwd file periodically (daily) to find out which users have NOT changed their passwords in, let's say, 180 days, and I get a mail notification, so that I can inform the users and ask them to change their passwords.
Some sort of password aging. I know it will not be a perfect case but we have to go with this workaround.
We only have 55 UNIX users so far.
Since I am not into programming, I would request you all to provide me some hints as to how to do it.
I have given it a try but it is not worth it.
###Here the script will change the difference in two password files passwd.2 and passwd.11 and if there are differences then record them(only Usernames) in the file Table
```
#!/bin/bash
#set -x
# Compare the two snapshots and log the result with a timestamp in Status2
if [[ "$(diff passwd.2 passwd.11)" != "" ]]; then
    ( date ; echo FileChanged ) >> Status2
    ( diff passwd.2 passwd.11 ) >> Status2
    # Emit only lines new in passwd.11 as ":<line no>: <line>", so field 3 is the username
    diff --unchanged-line-format="" --old-line-format="" --new-line-format=":%dn: %L" passwd.2 passwd.11 | awk -F: '{print $3}' >> Table
    tail -15 Status2
    tail -15 Table
else
    ( date ; echo NOFileChanged ) >> Status2
fi
```
A sample password file is given below.
passwd:
t1:$2y$05$lFZBPdAihnWxJPwfHeoI8WBdhzZGtcVJXXXXXXXXXXXXXXXXX:10954:20000:Test User temporary:/home/t1:/bin/bash
fdl:Nologin*:499:20190:fdl,Application User:/home/fdl:/bin/csh
v1:$2y$05$lPdAihnWXXXXXXXXXXXXXXXXXcPwfHeoI8WBdhzZGtcVJXXXXXXXXXXXXXXXXX:10955:20000:Test User temporary:/home/v1:/bin/bash
v2:$2y$05BPdAihnWxJeXXXXXXXXXXXXXXXXXoI8WBdhzZGXXXXXXXXXXXXXXXXX:10956:20000:Test User temporary:/home/v2:/bin/bash
v3:$2y$05$lFZBPdAiXXXXXXXXXXXXXXXXXoI8WBdhzZGXXXXXXXXXXXXXXXXX:10957:20000:Test User temporary:/home/v3:/bin/bash
v4:$2y$05$lFZBPdAXXXXXXXXXXXXXXXXXfHeoI8WBdhzXXXXXXXXXXXXXXXXX:10958:20000:Test User temporary:/home/v4:/bin/bash
Sachin H
(171 rep)
May 6, 2022, 06:41 PM
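Added example, not part of the original question: one way to approximate aging for NIS-held passwords is to record the day each user's hash was last seen to change, then report users whose hash is older than a limit. The state-file format, paths and function names are assumptions of this example, the sample map lines are constructed, and each user's clock starts on the first run.

```shell
#!/bin/sh
# State file line format (assumed here): user:hash:day_last_changed
# "day" is days since the Unix epoch, the same unit shadow(5) uses.

# update_state SNAPSHOT STATE TODAY
# SNAPSHOT is passwd-format text, for example the output of: ypcat passwd
# Runs in a subshell so the umask and variables do not leak to the caller.
update_state() (
    snapshot=$1; state=$2; today=$3
    umask 077                        # the state file holds password hashes
    [ -f "$state" ] || : > "$state"
    tmp=$(mktemp "$state.XXXXXX") || exit 1
    awk -F: -v today="$today" '
        # First file: load the previous state.
        FILENAME == ARGV[1] { hash[$1] = $2; day[$1] = $3; next }
        # Skip accounts with no usable hash in the map (locked, shadowed).
        $2 == "" || $2 == "x" || $2 ~ /[*!]/ { next }
        {
            # Same hash as last run: keep the recorded day. New user or
            # changed hash: the aging clock restarts today. The "" forces
            # a string comparison.
            d = ((($1 in hash) && (hash[$1] "") == ($2 "")) ? day[$1] : today)
            print $1 ":" $2 ":" d
        }
    ' "$state" "$snapshot" > "$tmp" && mv "$tmp" "$state"
)

# report_stale STATE TODAY MAX_AGE
# Prints "user age_in_days" for every hash unchanged for MAX_AGE days or more.
report_stale() {
    awk -F: -v today="$2" -v max="$3" \
        '(today - $3) >= max { print $1, (today - $3) }' "$1"
}

# Daily cron use (paths are placeholders):
#   ypcat passwd > /var/lib/nis-age/snapshot
#   today=$(( $(date +%s) / 86400 ))
#   update_state /var/lib/nis-age/snapshot /var/lib/nis-age/state "$today"
#   report_stale /var/lib/nis-age/state "$today" 180

demo_aging() {
    dir=$(mktemp -d) || return 1
    # Constructed sample map lines (not real hashes).
    printf '%s\n' \
        't1:$2y$05$AAAAexamplehash1:10954:20000:Test User:/home/t1:/bin/bash' \
        'fdl:Nologin*:499:20190:Application User:/home/fdl:/bin/csh' \
        'v1:$2y$05$BBBBexamplehash2:10955:20000:Test User:/home/v1:/bin/bash' \
        > "$dir/day0"
    # 200 days later only v1 has changed the password.
    sed 's/BBBBexamplehash2/CCCCexamplehash3/' "$dir/day0" > "$dir/day200"
    update_state "$dir/day0"   "$dir/state" 19000
    update_state "$dir/day200" "$dir/state" 19200
    report_stale "$dir/state" 19200 180
    rm -rf "$dir"
}
demo_aging
```

Users removed from the map drop out of the state file on the next run, and an account whose hash is reset to the same value is not detected as changed.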
1 vote, 0 answers, 225 views
how to list all local users
I have a NIS client machine which has many users. Some of them were local (created on that machine), some of them were NIS users (created on NIS server, ever logged in and created home directories). How can I just list all local users?
michael morgan
(271 rep)
Jul 16, 2021, 04:13 AM
1 vote, 2 answers, 1821 views
Why is PAM broken after installing nis?
I'm a Software Engineer with some system admin experience currently trying to set up some Linux infrastructure at a new workplace which previously only had Windows infrastructure. For political reasons I can't simply integrate with the current Active Directory setup and have to start from scratch. I am using Debian.
I'm currently trying to set up Kerberos, LDAP, NFS and NIS. I believe I've set up the server correctly and that everything is working there, as I've tested logging in with Kerberos, the NIS client has been talking to the server, and I can mount the NFS drives.
Since installing nis on the client I am no longer able to log in, not even with the root account, unless I launch in recovery mode.
I have been trying to fix this for a day and a half and I'm out of ideas.
Here is what I think the issue is, as PAM is outputting to `/var/log/auth.log`:
lightdm: PAM (other) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) no module name supplied
lightdm: PAM (other) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
systemd-logind: New session c1 of user lightdm.
systemd: PAM (other) illegal module type: passwd:
systemd: PAM pam_parse: expecting return value; [...compat]
systemd: PAM (other) illegal module type: group:
systemd: PAM pam_parse: expecting return value; [...compat]
systemd: PAM (other) illegal module type: shadow:
systemd: PAM pam_parse: expecting return value; [...compat]
systemd: PAM (other) illegal module type: gshadow:
systemd: PAM pam_parse: expecting return value; [...files]
systemd: PAM (other) no module name supplied
systemd: PAM (other) illegal module type: hosts:
systemd: PAM pam_parse: expecting return value; [...files]
systemd: pam_unix(systemd-user:session): session opened for user lightdm by (uid=0)
lightdm: PAM (lightdm) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (lightdm) no module name supplied
lightdm: PAM (lightdm) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) no module name supplied
lightdm: PAM (other) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (lightdm) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (lightdm) no module name supplied
lightdm: PAM (lightdm) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) no module name supplied
lightdm: PAM (other) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: pam_krb5(lightdm:auth): user billy authenticated as billy@PROPACK
lightdm: PAM (lightdm) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (lightdm) no module name supplied
lightdm: PAM (lightdm) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) no module name supplied
lightdm: PAM (other) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
I'm not quite sure why this is. It all started after installing the nis package on the client; however, I don't think nis is the issue, as it is talking to the server fine judging by the output from `systemctl status nis`:
systemd: Starting LSB: Start NIS client and server daemons....
nis: Setting NIS domainname to: domain.
nis: Starting NIS services: ypbind.
systemd: Started LSB: Start NIS client and server daemons..
I also uninstalled nis (Since installing nis was when this started), rebooted and the problem still exists.
I've checked the dependencies for nis and I can't see why any of them would have caused this to happen. I believe that pam is parsing my `/etc/nsswitch.conf` file which you can see below if needed.
passwd: compat files systemd nis
group: compat files systemd nis
shadow: files
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Please let me know if there is any other information you need to help debug this issue.
Edit: `/etc/pam.d/other` contents:
#
# /etc/pam.d/other - specify the PAM fallback behaviour
#
# Note that this file is used for any unspecified service; for example
#if /etc/pam.d/cron specifies no session modules but cron calls
#pam_open_session, the session module out of /etc/pam.d/other is
#used. If you really want nothing to happen then use pam_permit.so or
#pam_deny.so as appropriate.
# We fall back to the system default in /etc/pam.d/common-*
#
@include common-auth
@include common-account
@include common-password
@include common-session
`/etc/pam.d/lightdm` contents:
#%PAM-1.0
# Block login if they are globally disabled
auth requisite pam_nologin.so
# Load environment from /etc/environment and ~/.pam_environment
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
-auth optional pam_gnome_keyring.so
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without out this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
session required pam_loginuid.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
-session optional pam_gnome_keyring.so auto_start
@include common-password
`/etc/pam.d/common-session`, as requested:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_sss.so
session optional pam_ldap.so
session optional pam_systemd.so
# end of pam-auth-update config
passwd: compat systemd nis
group: compat systemd nis
shadow: compat nis
gshadow: files
hosts: files dns nis
**Update**
I have switched to sssd as suggested by @Michael Ströder however this has not changed anything.
Ben
(55 rep)
May 13, 2021, 08:30 AM
• Last activity: May 18, 2021, 11:04 AM
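Added example, not part of the original question: each `illegal module type: passwd:` message in the log names the first token of a line PAM could not parse, and the five tokens logged match the five nsswitch-style lines at the end of the posted `common-session` listing. The script below checks `/etc/pam.d`-style files for such lines; the function names are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Flag lines in /etc/pam.d-style files that do not follow
#   [-]type control module-path [arguments]

# lint_pam_file FILE
# Prints "FILE:LINE: reason" per bad line; returns 1 if any were found.
lint_pam_file() {
    awk '
        function bad(why) { printf "%s:%d: %s\n", FILENAME, FNR, why; found = 1 }
        {
            # Join backslash-continued lines before checking them.
            line = pending $0; pending = ""
            if (line ~ /\\$/) { sub(/\\$/, " ", line); pending = line; next }
            $0 = line
            if ($0 ~ /^[ \t]*(#|$)/) next          # comment or blank line
            type = tolower($1)
            sub(/^-/, "", type)                    # "-type": stay quiet if the module is missing
            if (type == "@include") {              # Debian-style include directive
                if (NF < 2) bad("@include without a file name")
                next
            }
            if (type !~ /^(auth|account|password|session)$/) {
                bad("illegal module type: " $1)
                next
            }
            if (NF < 3) bad("no module name supplied")
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# lint_pam_dir DIR
# Runs lint_pam_file on every regular file in DIR; returns 1 if any file fails.
lint_pam_dir() {
    lpd_status=0
    for lpd_file in "$1"/*; do
        [ -f "$lpd_file" ] || continue
        lint_pam_file "$lpd_file" || lpd_status=1
    done
    return "$lpd_status"
}

demo_pam_lint() {
    dpl_dir=$(mktemp -d) || return 1
    # Constructed file: a valid tail of common-session followed by
    # nsswitch.conf-style lines like those at the end of the posted listing.
    cat > "$dpl_dir/common-session" <<'EOF'
session optional pam_systemd.so
# end of pam-auth-update config
passwd: compat systemd nis
gshadow: files
EOF
    lint_pam_dir "$dpl_dir"
    dpl_rc=$?
    rm -rf "$dpl_dir"
    return "$dpl_rc"
}
demo_pam_lint || echo "PAM configuration has unparseable lines"
```

Run `lint_pam_dir /etc/pam.d` from a root shell or recovery mode; removing the reported lines from the affected file is the fix the log points to.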
1 vote, 1 answer, 3246 views
How to change password using script
```
#OUTFILE=out.xml
prefix='EDSAD150'
password="asdf1234"
# Hash the new password with crypt(3); the second argument is the salt
pass=$(perl -e 'print crypt($ARGV[0], "asdf1234")' $password)
for i in {01..02};do
    usname=$prefix""$i
    yes $pass | yppasswd $usname
done
```
I want to change the password of the users but when I run this script I have to give the server password every time because I am using the `yppasswd` command. But when I used the `passwd` command the NIS files won't change.
Ann
(13 rep)
Nov 9, 2015, 10:17 AM
• Last activity: Mar 13, 2021, 04:06 AM
0 votes, 1 answer, 481 views
bash script to reference value of $GECOS from /etc/passwd with awk or sed to extract first and last name
Red Hat has a sample script to migrate users from NIS to FreeIPA. `nis-user.sh` looks like this:
#!/bin/sh
# $1 is the NIS domain, $2 is the NIS master server
ypcat -d $1 -h $2 passwd > /dev/shm/nis-map.passwd 2>&1
IFS=$'\n'
for line in $(cat /dev/shm/nis-map.passwd) ; do
IFS=' '
username=$(echo $line | cut -f1 -d:)
# Not collecting encrypted password because we need cleartext password
# to create kerberos key
uid=$(echo $line | cut -f3 -d:)
gid=$(echo $line | cut -f4 -d:)
gecos=$(echo $line | cut -f5 -d:)
homedir=$(echo $line | cut -f6 -d:)
shell=$(echo $line | cut -f7 -d:)
# Now create this entry
echo passw0rd1 | ipa user-add $username --first=NIS --last=USER \
--password --gidnumber=$gid --uid=$uid --gecos='$gecos' --homedir=$homedir \
--shell=$shell
ipa user-show $username
done
This just sets the First name to NIS and last name to USER. Our `/etc/passwd` file has users that look like the following:
juser:x:4841:200:Jane Q. User:/home/juser:/bin/tcsh
kuser:x:5761:200:User, K.:/home/kuser:/bin/bash
So that of course complicates things. I got a suggestion that the following could extract the first and last names, and if they were reversed and comma separated (like kuser) it would catch most the names.
first=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $1}'
last=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $NF}'
How can I use `$first` and `$last`?
To test I tried to pipe the results of the `$gecos` variable to `awk`:
first=$(echo $line | cut -f5 -d: | awk '{print $1}':)
awk: cmd. line:1: {print $1}:
awk: cmd. line:1: ^ syntax error
Same error if I try adding just the following line (after the `gecos=` line):
first=$(echo $gecos | awk '{print $1}':)
EDIT: ahhh the colon placement did me in. This works:
first=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $1}')
last=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $NF}')
So now on to the next part...
And then I want to take this suggestion, to import the passwords that use the CRYPT hash as demonstrated:
userpassword='{CRYPT}$6$blahblah$moregibberish' testuser
I followed Rob C's previous tips from here and here.
Not sure it matters but in `/etc/libuser.conf`, `crypt_style = sha512`
In the script I added:
password1=$(echo $line | cut -f2 -d:)
and in the **Now create this entry** section:
--setattr "userpassword='{CRYPT}$password1'"
Here's what gets logged when debug is turned on:
[Tue Feb 02 22:08:52.541857 2021] [wsgi:error] [pid 16097:tid 16365] [remote x.x.x.x:59726] ipa: INFO: [jsonserver_session] admin@OURDOMAIN.EDU: user_add/1('john', givenname='John', sn='Smith', homedirectory='/home/smith', gecos="'John Smith'", loginshell='/bin/tcsh', uidnumber=5319, gidnumber=150, setattr=("userpassword='{CRYPT}the-actual-hash-of-the-password'",), version='2.239'): SUCCESS
So does that appear that `{CRYPT}` is not being interpreted? I also added some debug:
echo "Password hash value is $password1"
And what prints is the original hash, sans `{CRYPT}`.
So to test this outside of the script I added a test user:
ipa user-add --first=test --last=user --setattr userpassword='{CRYPT} the-actual-hash-of-the-password' testuser
Then I ran the following and the password worked:
ldapsearch -x -D 'uid=testuser,cn=users,cn=accountsdc=ourdomain,dc=edu' -W
# testuser, users, accounts, ourdomain.edu
dn: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu
givenName: test
sn: user
uid: testuser
cn: test user
displayName: test user
initials: tu
gecos: test user
krbPrincipalName: testuser@OURDOMAIN.EDU
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: fasuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
homeDirectory: /home/testuser
mail: testuser@ourdomain.edu
krbCanonicalName: testuser@OURDOMAIN.EDU
ipaUniqueID: 34ee1f48-65d2-11eb-8c33-001ec9ab7ef0
uidNumber: 1520800007
gidNumber: 1520800007
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ourdomain,dc=edu
krbLastPwdChange: 20210203034524Z
krbPasswordExpiration: 20210504034524Z
# testuser, groups, accounts, ourdomain.edu
dn: cn=testuser,cn=groups,cn=accounts,dc=ourdomain,dc=edu
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: testuser
gidNumber: 1520800007
description: User private group for testuser
mepManagedBy: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc
=edu
ipaUniqueID: 34f39b4e-65d2-11eb-8c33-001ec9ab7ef0
# search result
search: 2
result: 0 Success
Is it still possible to do this in the current versions?
RobbieTheK
(133 rep)
Feb 2, 2021, 08:01 PM
• Last activity: Feb 16, 2021, 02:45 PM
3 votes, 0 answers, 10099 views
passwd fails with "Authentication token manipulation error" for NIS
On centos 7 I have the following pam config:
cat /etc/pam.d/passwd
#%PAM-1.0
auth include system-auth
account include system-auth
password substack system-auth
-password optional pam_gnome_keyring.so use_authtok
password substack postlogin
and
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow nis
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
account required pam_slurm.so
but when I run "passwd" as a user it asks me for the current passwd, new password and retype and then fails with
passwd
Changing password for user test.
Changing password for test.
(current) UNIX password:
New password:
Retype new password:
passwd: Authentication token manipulation error
Any ideas how to fix or debug this?
Note: yppasswd works fine, just passwd fails
Update: I tried the same config with a different server and there it works. So I figure the problem is server side, not client. Still no idea how debug this properly.
Goswin von Brederlow
(150 rep)
Sep 27, 2018, 03:29 PM
• Last activity: Jul 30, 2020, 04:56 AM
0 votes, 1 answer, 474 views
changing ownership on NFS shared ZFS storage - quota exceeded
I have a very bizarre problem. I have CentOS server 6.10 and ZFS storage.
The storage was configured a long time ago by someone, and I found out that for a certain user there is a quota set.
When I check on the filesystem I get this output:
zfs# zfs get quota volume/local/default/users
NAME PROPERTY VALUE SOURCE
volume/local/default/users quota none default
so from this I can see that on parent folder there is no quota set, but when I check particular user by using this command:
zfs# quota -v user
Disk quotas for user (uid 1000):
Filesystem usage quota limit timeleft files quota limit timeleft
/export/mail 930552 10485760 10485760 - - - - -
/export/users
2147483646 31457280 31457280 NOT STARTED - - - -
so I can see that user `user` has a quota set.
Now, this ZFS has been mounted on CentOS 6.10 with these values in /etc/fstab:
zfs.mydomain.com:/export/users /users nfs defaults,_netdev 0 0
and I can access /users folder.
The problem starts when I want to use chown command:
chown -R test:grp /home/user/mnt/child_fldr
Please note that the "test" user is NIS user which I also tested with ypcat passwd, if I can get list of all users from NIS. (and I do), so this is not a problem.
The output of the error is:
> chown: changing ownership of `/home/user/mnt/child_fldr/temp': Disk quota exceeded
Now to be even more confused, when I try to change an ownership by using local user account, I have no problem of changing it, but using NIS user, I get some dumb Disk quota exceeded message.
For the test, I have tried to remove "quotas" file in the parent directory of child_fldr, and remount drive, with no success.
Also on ZFS I tried to completely remove the quota for testing by using the quotaoff -a command, again still no progress.
How can I solve my problem to be able again to change ownership of the directory?
dovla110010101
(291 rep)
Feb 6, 2020, 11:29 AM
• Last activity: Feb 6, 2020, 01:05 PM
2
votes
1
answers
1353
views
NIS users sessions are incomplete after upgrade to Debian 10
I have recently upgraded the workstations from Debian 9 to Debian 10. With the
old version people have been able to mount USB drives and play and record sound
(for video conferences). After the update neither of them works.
# Remote user accounts
There have been some peculiarities with the user accounts, so perhaps that is
the source of the issue. We use NIS and NFS to provide user accounts and home
directories on all the machines. After the upgrade to Debian 10 I needed to add
a `NIS` to `/etc/nsswitch.conf` because they were on `compat` before and now
only had `files`. Also `ypbind` was not running because it no longer used
`-broadcast` as a default startup option. I added a new systemd file at
`/etc/systemd/system/ypbind.service`:
[Unit]
Description=ypbind
Wants=network-online.target nis.service
After=network-online.target nis.service
[Service]
Type=simple
ExecStart=/usr/sbin/ypbind -broadcast -foreground
[Install]
WantedBy=multi-user.target
With that the user accounts were there and the home directories as well. On the
command line I could also log in. But the LightDM display manager was still not
letting the users in. So in `/etc/lightdm/lightdm.conf` in section `[LightDM]`
I added the option `greeter-show-manual-login = True` and from then on the
remote users could log in. Some machines still had GDM as their default display manager, there the logins showed the same behavior that LightDM did before I changed the configuration. The password check passed, the screen might turn black for a brief moment and then the login screen is shown again. The same occurs when users have exceeded their quota and the files needed to establish the session (`.Xauthority`?) could not be created.
The peculiar thing is that when I am logged in via SSH and also on the actual
screen, these sessions show up properly with `who`:
$ who
ueding pts/0 2019-08-26 12:42 (131.220.226.20)
ueding tty7 2019-08-26 12:43 (:0)
But then at the same time the session is not listed with `loginctl`:
$ loginctl
No sessions.
When I do the same on my personal Fedora 30 laptop with local user accounts I
have this output of `who`:
$ who
mu tty1 2019-08-25 10:33 (:0)
mu pts/0 2019-08-25 10:34 (:0)
mu pts/1 2019-08-26 12:08 (:0)
mu pts/2 2019-08-26 12:14 (:0)
mu pts/3 2019-08-26 12:42 (:0)
mu pts/4 2019-08-26 12:38 (:0)
mu pts/5 2019-08-26 12:55 (:0)
And also `loginctl` shows something sensible:
$ loginctl
SESSION UID USER SEAT TTY
1 1000 mu seat0
1 sessions listed.
I have created a new *local* user account with UID 50000 on one of the Debian 10 workstations and found that I can log in, have the session show up in `loginctl`, and also the removable media and sound issues described below are not there; sound and removable media work. So this *definitely* is an issue with the users coming from NIS.
The one thing that has hit me a few times so far is that for historical reasons
the user ids that we have given out start with 500. But my user `ueding` has
uid 1085, so even if that was a problem with accounts not being listed, this
account should be fine because the default starting value for user ids which
are not considered system users is 1000.
I do not have sufficient experience but I just have the *feeling* that somehow
the user accounts are not fully in the system, that there is just something
still missing.
One user with uid 536 had to enter his GNOME keychain password after login. I
am not sure whether he has different passwords there, but it could as well be
that it was not unlocked during startup. This might not mean anything, though.
## auth.log
With the current state this is everything that shows up in `/var/log/auth.log` since booting the machine, connecting as root via SSH to retrieve the log and logging in on the machine itself with my NIS user. Also the `monitoring` user has logged in via SSH to retrieve some information for my monitoring system.
Sep 3 12:45:42 helios systemd-logind: New seat seat0.
Sep 3 12:45:42 helios systemd-logind: Watching system buttons on /dev/input/event1 (Power Button)
Sep 3 12:45:42 helios systemd-logind: Watching system buttons on /dev/input/event0 (Power Button)
Sep 3 12:45:42 helios systemd-logind: Watching system buttons on /dev/input/event3 (Cherry USB keyboard)
Sep 3 12:45:42 helios systemd-logind: Watching system buttons on /dev/input/event4 (Cherry USB keyboard System Control)
Sep 3 12:45:46 helios sshd: Server listening on 0.0.0.0 port 22.
Sep 3 12:45:46 helios sshd: Server listening on :: port 22.
Sep 3 12:45:57 helios lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Sep 3 12:45:57 helios systemd-logind: New session c1 of user lightdm.
Sep 3 12:45:57 helios systemd: pam_unix(systemd-user:session): session opened for user lightdm by (uid=0)
Sep 3 12:47:08 helios sshd: rexec line 16: Deprecated option UsePrivilegeSeparation
Sep 3 12:47:08 helios sshd: rexec line 19: Deprecated option KeyRegenerationInterval
Sep 3 12:47:08 helios sshd: rexec line 20: Deprecated option ServerKeyBits
Sep 3 12:47:08 helios sshd: rexec line 31: Deprecated option RSAAuthentication
Sep 3 12:47:08 helios sshd: rexec line 38: Deprecated option RhostsRSAAuthentication
Sep 3 12:47:08 helios sshd: Connection closed by 131.220.226.3 port 39932 [preauth]
Sep 3 12:47:16 helios sshd: rexec line 16: Deprecated option UsePrivilegeSeparation
Sep 3 12:47:16 helios sshd: rexec line 19: Deprecated option KeyRegenerationInterval
Sep 3 12:47:16 helios sshd: rexec line 20: Deprecated option ServerKeyBits
Sep 3 12:47:16 helios sshd: rexec line 31: Deprecated option RSAAuthentication
Sep 3 12:47:16 helios sshd: rexec line 38: Deprecated option RhostsRSAAuthentication
Sep 3 12:47:16 helios sshd: reprocess config line 31: Deprecated option RSAAuthentication
Sep 3 12:47:16 helios sshd: reprocess config line 38: Deprecated option RhostsRSAAuthentication
Sep 3 12:47:19 helios sshd: Accepted password for root from 131.220.226.160 port 44060 ssh2
Sep 3 12:47:19 helios sshd: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 3 12:47:19 helios systemd-logind: New session 2 of user root.
Sep 3 12:47:19 helios systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Sep 3 12:47:20 helios sshd: rexec line 16: Deprecated option UsePrivilegeSeparation
Sep 3 12:47:20 helios sshd: rexec line 19: Deprecated option KeyRegenerationInterval
Sep 3 12:47:20 helios sshd: rexec line 20: Deprecated option ServerKeyBits
Sep 3 12:47:20 helios sshd: rexec line 31: Deprecated option RSAAuthentication
Sep 3 12:47:20 helios sshd: rexec line 38: Deprecated option RhostsRSAAuthentication
Sep 3 12:47:20 helios sshd: reprocess config line 31: Deprecated option RSAAuthentication
Sep 3 12:47:20 helios sshd: reprocess config line 38: Deprecated option RhostsRSAAuthentication
Sep 3 12:47:20 helios sshd: Accepted publickey for monitoring from 131.220.226.3 port 39970 ssh2: RSA SHA256:ulxULyONiGRB8VUFctWd/WSBcRxjGX+5Dq/IXyZS+gI
Sep 3 12:47:20 helios sshd: pam_unix(sshd:session): session opened for user monitoring by (uid=0)
Sep 3 12:47:20 helios systemd-logind: New session 4 of user monitoring.
Sep 3 12:47:20 helios systemd: pam_unix(systemd-user:session): session opened for user monitoring by (uid=0)
Sep 3 12:47:20 helios sshd: Received disconnect from 131.220.226.3 port 39970:11: disconnected by user
Sep 3 12:47:20 helios sshd: Disconnected from user monitoring 131.220.226.3 port 39970
Sep 3 12:47:20 helios sshd: pam_unix(sshd:session): session closed for user monitoring
Sep 3 12:47:20 helios systemd-logind: Session 4 logged out. Waiting for processes to exit.
Sep 3 12:47:20 helios systemd-logind: Removed session 4.
Sep 3 12:47:30 helios systemd: pam_unix(systemd-user:session): session closed for user monitoring
Sep 3 12:47:32 helios sshd: rexec line 16: Deprecated option UsePrivilegeSeparation
Sep 3 12:47:32 helios sshd: rexec line 19: Deprecated option KeyRegenerationInterval
Sep 3 12:47:32 helios sshd: rexec line 20: Deprecated option ServerKeyBits
Sep 3 12:47:32 helios sshd: rexec line 31: Deprecated option RSAAuthentication
Sep 3 12:47:32 helios sshd: rexec line 38: Deprecated option RhostsRSAAuthentication
Sep 3 12:47:32 helios sshd: reprocess config line 31: Deprecated option RSAAuthentication
Sep 3 12:47:32 helios sshd: reprocess config line 38: Deprecated option RhostsRSAAuthentication
Sep 3 12:47:32 helios sshd: Accepted publickey for monitoring from 131.220.226.3 port 39992 ssh2: RSA SHA256:ulxULyONiGRB8VUFctWd/WSBcRxjGX+5Dq/IXyZS+gI
Sep 3 12:47:32 helios sshd: pam_unix(sshd:session): session opened for user monitoring by (uid=0)
Sep 3 12:47:32 helios systemd-logind: New session 6 of user monitoring.
Sep 3 12:47:32 helios systemd: pam_unix(systemd-user:session): session opened for user monitoring by (uid=0)
Sep 3 12:47:32 helios sshd: Received disconnect from 131.220.226.3 port 39992:11: disconnected by user
Sep 3 12:47:32 helios sshd: Disconnected from user monitoring 131.220.226.3 port 39992
Sep 3 12:47:32 helios sshd: pam_unix(sshd:session): session closed for user monitoring
Sep 3 12:47:32 helios systemd-logind: Session 6 logged out. Waiting for processes to exit.
Sep 3 12:47:32 helios systemd-logind: Removed session 6.
Sep 3 12:47:42 helios systemd: pam_unix(systemd-user:session): session closed for user monitoring
Sep 3 12:48:14 helios lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Sep 3 12:48:14 helios systemd-logind: Removed session c1.
Sep 3 12:48:14 helios lightdm: pam_unix(lightdm:session): session opened for user ueding by (uid=0)
Sep 3 12:48:14 helios lightdm: pam_systemd(lightdm:session): Failed to create session: No such file or directory
Sep 3 12:48:24 helios systemd: pam_unix(systemd-user:session): session closed for user lightdm
I guess the second last line is the really interesting one.
## Accompanying syslog
Sep 04 14:10:10 helios systemd: session-c3.scope: Killing process 28814 (lightdm) with signal SIGTERM.
Sep 04 14:10:10 helios systemd: session-c3.scope: Killing process 28829 (lightdm-gtk-gre) with signal SIGTERM.
Sep 04 14:10:10 helios systemd: Stopping Session c3 of user lightdm.
Sep 04 14:10:10 helios lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Sep 04 14:10:10 helios systemd: session-c3.scope: Succeeded.
Sep 04 14:10:10 helios systemd: Stopped Session c3 of user lightdm.
Sep 04 14:10:10 helios systemd-logind: Removed session c3.
Sep 04 14:10:10 helios lightdm: pam_unix(lightdm:session): session opened for user ueding by (uid=0)
Sep 04 14:10:10 helios lightdm: pam_systemd(lightdm:session): Failed to create session: No such file or directory
Sep 04 14:10:10 helios lightdm: Failed to open CK session: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.ConsoleKit was not provided by any .service files
Sep 04 14:10:10 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='org.a11y.Bus' requested by ':1.3' (uid=1085 pid=28933 comm="xfce4-session ")
Sep 04 14:10:10 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'org.a11y.Bus'
Sep 04 14:10:10 helios org.a11y.Bus: dbus-daemon: Activating service name='org.a11y.atspi.Registry' requested by ':1.0' (uid=1085 pid=28933 comm="xfce4-session ")
Sep 04 14:10:10 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='org.xfce.Xfconf' requested by ':1.3' (uid=1085 pid=28933 comm="xfce4-session ")
Sep 04 14:10:10 helios org.a11y.Bus: dbus-daemon: Successfully activated service 'org.a11y.atspi.Registry'
Sep 04 14:10:10 helios org.a11y.Bus: SpiRegistry daemon is running with well-known name - org.a11y.atspi.Registry
Sep 04 14:10:10 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'org.xfce.Xfconf'
Sep 04 14:10:11 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='org.gtk.vfs.Daemon' requested by ':1.9' (uid=1085 pid=28954 comm="Thunar --sm-client-id 2e9ea3a26-363a-4e06-b723-b6d")
Sep 04 14:10:11 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'org.gtk.vfs.Daemon'
Sep 04 14:10:11 helios org.gtk.vfs.Daemon: fusermount: failed to open mountpoint for reading: Permission denied
Sep 04 14:10:11 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='org.freedesktop.thumbnails.Thumbnailer1' requested by ':1.16' (uid=1085 pid=28972 comm="xfdesktop --display :0.0 --sm-client-id 24fe00ba0-")
Sep 04 14:10:11 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='org.freedesktop.Notifications' requested by ':1.20' (uid=1085 pid=28988 comm="xfce4-power-manager --restart --sm-client-id 270b9")
Sep 04 14:10:11 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'org.freedesktop.Notifications'
Sep 04 14:10:12 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='org.freedesktop.Tracker1' requested by ':1.28' (uid=1085 pid=29060 comm="gdbus call -e -d org.freedesktop.DBus -o /org/free")
Sep 04 14:10:12 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='ca.desrt.dconf' requested by ':1.29' (uid=1085 pid=29045 comm="light-locker ")
Sep 04 14:10:12 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'ca.desrt.dconf'
Sep 04 14:10:12 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'org.freedesktop.Tracker1'
Sep 04 14:10:12 helios org.freedesktop.thumbnails.Thumbnailer1: Registered thumbailer /usr/bin/gdk-pixbuf-thumbnailer -s %s %u %o
Sep 04 14:10:12 helios org.freedesktop.thumbnails.Thumbnailer1: Registered thumbailer evince-thumbnailer -s %s %u %o
Sep 04 14:10:12 helios org.freedesktop.thumbnails.Thumbnailer1: Registered thumbailer gnome-thumbnail-font --size %s %u %o
Sep 04 14:10:12 helios org.freedesktop.thumbnails.Thumbnailer1: Registered thumbailer /usr/bin/gdk-pixbuf-thumbnailer -s %s %u %o
Sep 04 14:10:12 helios org.freedesktop.thumbnails.Thumbnailer1: Registered thumbailer atril-thumbnailer -s %s %u %o
Sep 04 14:10:12 helios org.freedesktop.thumbnails.Thumbnailer1: Registered thumbailer /usr/share/blender/scripts/blender-thumbnailer.py %i %o
Sep 04 14:10:12 helios org.freedesktop.thumbnails.Thumbnailer1: Registered thumbailer /usr/bin/totem-video-thumbnailer -s %s %u %o
Sep 04 14:10:12 helios kernel: traps: light-locker trap int3 ip:7f6a78690c75 sp:7ffec8e2fea0 error:0 in libglib-2.0.so.0.5800.3[7f6a78658000+7e000]
Sep 04 14:10:12 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='org.gnome.evolution.dataserver.Sources5' requested by ':1.38' (uid=1085 pid=29044 comm="/usr/lib/evolution/evolution-data-server/evolution")
Sep 04 14:10:13 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='org.gnome.OnlineAccounts' requested by ':1.40' (uid=1085 pid=29094 comm="/usr/lib/evolution/evolution-source-registry ")
Sep 04 14:10:13 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'org.gnome.evolution.dataserver.Sources5'
Sep 04 14:10:13 helios goa-daemon: goa-daemon version 3.30.1 starting
Sep 04 14:10:13 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='org.gnome.Identity' requested by ':1.41' (uid=1085 pid=29107 comm="/usr/lib/gnome-online-accounts/goa-daemon ")
Sep 04 14:10:13 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'org.gnome.OnlineAccounts'
Sep 04 14:10:13 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'org.gnome.Identity'
Sep 04 14:10:13 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='org.gnome.evolution.dataserver.Calendar7' requested by ':1.38' (uid=1085 pid=29044 comm="/usr/lib/evolution/evolution-data-server/evolution")
Sep 04 14:10:13 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='org.gtk.vfs.UDisks2VolumeMonitor' requested by ':1.23' (uid=1085 pid=28986 comm="/usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd ")
Sep 04 14:10:13 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'org.gtk.vfs.UDisks2VolumeMonitor'
Sep 04 14:10:13 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='org.gtk.vfs.AfcVolumeMonitor' requested by ':1.23' (uid=1085 pid=28986 comm="/usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd ")
Sep 04 14:10:13 helios org.gtk.vfs.AfcVolumeMonitor: Volume monitor alive
Sep 04 14:10:13 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'org.gtk.vfs.AfcVolumeMonitor'
Sep 04 14:10:13 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'org.gnome.evolution.dataserver.Calendar7'
Sep 04 14:10:13 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='org.gnome.evolution.dataserver.AddressBook9' requested by ':1.43' (uid=1085 pid=29125 comm="/usr/lib/evolution/evolution-calendar-factory ")
Sep 04 14:10:13 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='org.gtk.vfs.GoaVolumeMonitor' requested by ':1.23' (uid=1085 pid=28986 comm="/usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd ")
Sep 04 14:10:13 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'org.gnome.evolution.dataserver.AddressBook9'
Sep 04 14:10:13 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'org.gtk.vfs.GoaVolumeMonitor'
Sep 04 14:10:13 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='org.gtk.vfs.MTPVolumeMonitor' requested by ':1.23' (uid=1085 pid=28986 comm="/usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd ")
Sep 04 14:10:14 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'org.gtk.vfs.MTPVolumeMonitor'
Sep 04 14:10:14 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='org.gtk.vfs.GPhoto2VolumeMonitor' requested by ':1.23' (uid=1085 pid=28986 comm="/usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd ")
Sep 04 14:10:14 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'org.gtk.vfs.GPhoto2VolumeMonitor'
Sep 04 14:10:14 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'org.freedesktop.thumbnails.Thumbnailer1'
Sep 04 14:10:14 helios dbus-daemon: [session uid=1085 pid=28912] Activating service name='org.gtk.vfs.Metadata' requested by ':1.14' (uid=1085 pid=28972 comm="xfdesktop --display :0.0 --sm-client-id 24fe00ba0-")
Sep 04 14:10:14 helios dbus-daemon: [session uid=1085 pid=28912] Successfully activated service 'org.gtk.vfs.Metadata'
Sep 04 14:10:20 helios systemd: Stopping User Manager for UID 116...
Sep 04 14:10:20 helios systemd: Stopping D-Bus User Message Bus...
Sep 04 14:10:20 helios gvfsd: A connection to the bus can't be made
Sep 04 14:10:20 helios systemd: Stopping Accessibility services bus...
Sep 04 14:10:20 helios systemd: Stopping Virtual filesystem service...
Sep 04 14:10:20 helios systemd: Stopped target Default.
Sep 04 14:10:20 helios systemd: gvfs-daemon.service: Main process exited, code=killed, status=15/TERM
Sep 04 14:10:20 helios systemd: at-spi-dbus-bus.service: Succeeded.
Sep 04 14:10:20 helios systemd: Stopped Accessibility services bus.
Sep 04 14:10:20 helios systemd: dbus.service: Succeeded.
Sep 04 14:10:20 helios systemd: Stopped D-Bus User Message Bus.
Sep 04 14:10:20 helios systemd: run-user-116-gvfs.mount: Succeeded.
Sep 04 14:10:20 helios systemd: run-user-116-gvfs.mount: Succeeded.
Sep 04 14:10:20 helios systemd: run-user-116-gvfs.mount: Succeeded.
Sep 04 14:10:20 helios systemd: gvfs-daemon.service: Succeeded.
Sep 04 14:10:20 helios systemd: Stopped Virtual filesystem service.
Sep 04 14:10:20 helios systemd: Stopped target Basic System.
Sep 04 14:10:20 helios systemd: Stopped target Sockets.
Sep 04 14:10:20 helios systemd: gpg-agent-browser.socket: Succeeded.
Sep 04 14:10:20 helios systemd: Closed GnuPG cryptographic agent and passphrase cache (access for web browsers).
Sep 04 14:10:20 helios systemd: gpg-agent.socket: Succeeded.
Sep 04 14:10:20 helios systemd: Closed GnuPG cryptographic agent and passphrase cache.
Sep 04 14:10:20 helios systemd: gpg-agent-ssh.socket: Succeeded.
Sep 04 14:10:20 helios systemd: Closed GnuPG cryptographic agent (ssh-agent emulation).
Sep 04 14:10:20 helios systemd: dirmngr.socket: Succeeded.
Sep 04 14:10:20 helios systemd: Closed GnuPG network certificate management daemon.
Sep 04 14:10:20 helios systemd: gpg-agent-extra.socket: Succeeded.
Sep 04 14:10:20 helios systemd: Closed GnuPG cryptographic agent and passphrase cache (restricted).
Sep 04 14:10:20 helios systemd: pulseaudio.socket: Succeeded.
Sep 04 14:10:20 helios systemd: Closed Sound System.
Sep 04 14:10:20 helios systemd: Stopped target Timers.
Sep 04 14:10:20 helios systemd: Stopped target Paths.
Sep 04 14:10:20 helios systemd: dbus.socket: Succeeded.
Sep 04 14:10:20 helios systemd: Closed D-Bus User Message Bus Socket.
Sep 04 14:10:20 helios systemd: Reached target Shutdown.
Sep 04 14:10:20 helios systemd: systemd-exit.service: Succeeded.
Sep 04 14:10:20 helios systemd: Started Exit the Session.
Sep 04 14:10:20 helios systemd: Reached target Exit the Session.
Sep 04 14:10:20 helios systemd: pam_unix(systemd-user:session): session closed for user lightdm
Sep 04 14:10:20 helios systemd: user@116.service: Succeeded.
Sep 04 14:10:20 helios systemd: Stopped User Manager for UID 116.
Sep 04 14:10:20 helios systemd: Stopping User Runtime Directory /run/user/116...
Sep 04 14:10:20 helios systemd: run-user-116.mount: Succeeded.
Sep 04 14:10:20 helios systemd: run-user-116.mount: Succeeded.
Sep 04 14:10:20 helios systemd: user-runtime-dir@116.service: Succeeded.
Sep 04 14:10:20 helios systemd: Stopped User Runtime Directory /run/user/116.
Sep 04 14:10:20 helios systemd: Removed slice User Slice of UID 116.
# Present conclusion
I feel that there is something that prevents users from becoming “fully logged
in”, in a sense that they do have an Xfce session and can see their home
directories, but not enough to be registered with the “fancy” stuff like
`logind` or Pulse Audio. Or perhaps they are missing a special user group. A local user account on one of the machines works just as expected, so this definitely is some issue with the user accounts in general and not with one of the symptoms (`loginctl` output, sound, removable media).
I cannot really grasp this and I am not sure where exactly I should look.
Pointers or (hopefully) solutions are very much welcome!
Martin Ueding
(2812 rep)
Aug 26, 2019, 12:22 PM
• Last activity: Jan 1, 2020, 10:43 AM
3
votes
1
answers
1453
views
Why is +::0:0::: not supposed to be found in /etc/passwd?
I was reading the [BSI Security Guidelines (GERMAN)](https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05018.html;jsessionid=2FB12997650B43C2E61B2039333D3BA1.2_cid351?nn=6604938) on NIS, and it explicitly mentioned that one should prevent the entry `+::0:0:::` from occurring in the `/etc/passwd` file of the NIS server.
From my research I have garnered that the `+` would import the entire NIS list into the passwd file. The solution proposed by the guideline is to add a `*` to the password section of the entry, which would make the username be looked up in the shadow file. Is this not somewhat counterproductive, as it would essentially make importing the NIS list useless (since these do not have entries in shadow)?
Furthermore, what would a legitimate usage of this entry be and how could an attacker exploit the entry (without the `*`)?
Jayrassic
(35 rep)
Mar 24, 2019, 10:41 AM
• Last activity: Mar 29, 2019, 12:01 PM
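The guideline's recommendation quoted in the question above (a `*` in the password field of the `+` entry) can be checked mechanically. The following audit is an added example, not part of the original question or of the BSI text; the sample file content, the netgroup name `admins` and all function names are constructed for illustration.

```python
"""Audit passwd-format text for '+' (NIS inclusion) entries."""
import sys
from typing import List, NamedTuple


class Finding(NamedTuple):
    lineno: int   # 1-based line number in the audited text
    entry: str    # the raw entry as found
    kind: str     # "wildcard" (bare +), "netgroup" (+@name) or "user" (+name)
    status: str   # "FAIL", "PASS", "REVIEW", "INFO" or "MALFORMED"
    detail: str


# Constructed sample input, not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# constructed comment line
+::0:0:::
+@admins::::::
+:*:0:0:::
+::0:0::
"""


def classify(name: str) -> str:
    """Tell the three spellings of a '+' entry apart."""
    if name == "+":
        return "wildcard"
    if name.startswith("+@"):
        return "netgroup"
    return "user"


def audit_plus_entries(text: str) -> List[Finding]:
    """Return one Finding per line that starts with '+'.

    Only the bare '+' entry is judged, because that is the entry the
    guideline in the question talks about:
      empty password field -> FAIL
      password field '*'   -> PASS
      anything else        -> REVIEW
    '+name' and '+@netgroup' entries are listed as INFO so that an
    administrator sees them, without a verdict.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("+"):
            continue  # ordinary accounts, comments and blank lines
        fields = line.split(":")
        kind = classify(fields[0])
        if len(fields) != 7:
            findings.append(Finding(lineno, line, kind, "MALFORMED",
                                    f"expected 7 fields, found {len(fields)}"))
            continue
        password, uid = fields[1], fields[2]
        if kind != "wildcard":
            findings.append(Finding(lineno, line, kind, "INFO",
                                    "inclusion entry, listed for review"))
        elif password == "":
            detail = "empty password field"
            if uid == "0":
                detail += ", UID field is 0"
            findings.append(Finding(lineno, line, kind, "FAIL", detail))
        elif password == "*":
            findings.append(Finding(lineno, line, kind, "PASS",
                                    "password field is '*'"))
        else:
            findings.append(Finding(lineno, line, kind, "REVIEW",
                                    f"password field is {password!r}"))
    return findings


def has_failures(findings: List[Finding]) -> bool:
    """True if any bare '+' entry has an empty password field."""
    return any(f.status == "FAIL" for f in findings)


if __name__ == "__main__":
    # Audit the file given on the command line, or the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_PASSWD
    results = audit_plus_entries(content)
    for f in results:
        print(f"{f.status:9} line {f.lineno}: {f.entry}  ({f.detail})")
    sys.exit(1 if has_failures(results) else 0)
```

Run without arguments it audits the constructed sample; given a path it audits that file and exits non-zero when a bare `+` entry with an empty password field is present.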
1
votes
1
answers
294
views
How to recover from this NIS & NFS client error?
I have a centralized NIS and NFS server on my server. I use this server to control 100 Linux clients; the `/$home/` directory and authentication are served by the centralized server. The other day, on one of my clients, I unfortunately disconnected the Ethernet connection (from the top panel), and the whole set-up collapsed. Now I cannot log in to that machine.
It shows a sort of `yp bind error`.
I'm using Ubuntu 12.04 LTS.
Ruban Savvy
(8961 rep)
Dec 2, 2013, 10:22 AM
• Last activity: Mar 9, 2019, 01:50 PM
3
votes
1
answers
1426
views
When did user accounts using UIDs above 1000 become normal? And why?
We have a really old NIS domain which is mapping some user accounts to UIDs less than 1000. I'm wondering
* when did using UIDs greater than or equal to 1000 for human users become 'standard',
* why did it become a convention? Are there any practical implications or reasons for this? (i.e. anything similar like the 'convention' of trusting ports below 1000)
Samuel Harmer
(295 rep)
Feb 26, 2019, 01:10 PM
• Last activity: Feb 26, 2019, 10:18 PM
0
votes
0
answers
1326
views
NIS user can not connect to NIS server
I have run an NIS service on CentOS 7 on a virtual machine. I also installed another CentOS 7 virtual machine as a client, so I want to connect from my client VM to the server VM.
On the client VM, 'systemctl status ypbind' returns running. I have added some users on the server, but it fails to switch user on the client. Here is what the 'yptest' command returns:
[root@www ~]# yptest
Test 1: domainname
Configured domainname is "topipi.jp"
Test 2: ypbind
Used NIS server: nis.topipi.jp
Test 3: yp_match
WARNING: No such map in server's domain (Map passwd.byname, key nobody)
Test 4: yp_first
WARNING: No such map in server's domain (Map passwd.byname)
Test 5: yp_next
-- skipped --
Test 6: yp_master
WARNING: No such map in server's domain (Map passwd.byname)
Test 7: yp_order
WARNING: No such map in server's domain (Map passwd.byname)
Test 8: yp_maplist
netid.byname
group.bygid
group.byname
passwd.byuid
passwd.byname
mail.aliases
protocols.byname
protocols.bynumber
services.byservicename
services.byname
rpc.bynumber
rpc.byname
hosts.byaddr
hosts.byname
ypservers
Test 9: yp_all
WARNING: No such map in server's domain (Map passwd.byname)
5 tests failed
Here is the error I get:
[root@www ~]# su - Mahan
su: user Mahan does not exist
where Mahan is already added as a user on the server. What should I do?
And this is what I get when I type 'yptest' on the server:
[root@nis home]# yptest
Test 1: domainname
Configured domainname is "topipi.jp"
Test 2: ypbind
Can't communicate with ypbind
Reza
(3 rep)
Jan 28, 2019, 09:05 PM
• Last activity: Jan 29, 2019, 06:03 AM
5
votes
1
answers
5899
views
/etc/init.d/nis missing on Ubuntu
I'm trying to set up NIS on a machine. All instructions always expect /etc/init/nis to exist, as at the end of configuration one is expected to restart the service using that. For me it doesn't exist. I did try an `apt remove nis; apt install nis`; it made no difference.
root@vplab030:/var/log# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty
root@vplab030:/var/log#
root@vplab030:/var/log# apt show nis
Package: nis
Priority: extra
Section: universe/net
Installed-Size: 638 kB
Maintainer: Ubuntu Developers
Original-Maintainer: Mark Brown
Version: 3.17-32ubuntu6
Depends: libc6 (>= 2.15), libdbus-1-3 (>= 1.0.2), libdbus-glib-1-2 (>= 0.78), libgdbm3 (>= 1.8.3), libglib2.0-0 (>= 2.12.0), libslp1, netbase, make, rpcbind (>= 0.2.0-6ubuntu1), lsb-base (>= 3.0-6), hostname (>= 2.98), upstart (>= 0.9.7-2)
Pre-Depends: debconf (>= 0.5.00) | debconf-2.0
Suggests: nscd
Conflicts: netstd (<= 1.26)
Download-Size: 152 kB
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
APT-Manual-Installed: yes
APT-Sources: http://us.archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
Description: clients and daemons for the Network Information Service (NIS)
This package provides tools for setting up and maintaining a NIS domain.
NIS, originally known as Yellow Pages (YP), is mostly used to let
several machines in a network share the same account information, such
as the password file.
root@vplab030:/var/log# ls -l /etc/init.d/ypbind /etc/init.d/nis
ls: cannot access /etc/init.d/ypbind: No such file or directory
ls: cannot access /etc/init.d/nis: No such file or directory
root@vplab030:/var/log#
yp.conf:
root@vplab030:/var/log# cat /etc/yp.conf
#
# yp.conf Configuration file for the ypbind process. You can define
# NIS servers manually here if they can't be found by
# broadcasting on the local net (which is the default).
#
# See the manual page of ypbind for the syntax of this file.
#
# IMPORTANT: For the "ypserver", use IP addresses, or make sure that
# the host is in /etc/hosts. This file is only interpreted
# once, and if DNS isn't reachable yet the ypserver cannot
# be resolved and ypbind won't ever bind to the server.
# ypserver ypserver.network.com
domain dev.domname.com server ds4
domain dev.domname.com server ds2
root@vplab030:/var/log#
root@vplab030:/var/log# grep ypbind /var/log/syslog
Sep 9 12:49:30 vplab030 ypbind: Host name lookup failure
Sep 9 12:49:30 vplab030 kernel: [ 5.630218] init: ypbind main process (830) terminated with status 1
Sep 9 12:49:30 vplab030 kernel: [ 5.630240] init: ypbind main process ended, respawning
Sep 9 12:49:35 vplab030 kernel: [ 10.700047] init: wait-for-state (autofsypbind) main process (1126) killed by TERM signal
Sep 9 12:49:35 vplab030 kernel: [ 10.700660] init: wait-for-state (lightdmypbind) main process (1134) killed by TERM signal
root@vplab030:/var/log# date
Tue Sep 9 13:59:11 CDT 2014
root@vplab030:/var/log#
root@vplab030:/var/log# service --status-all
[ + ] acpid
[ - ] anacron
[ + ] apparmor
[ ? ] apport
[ + ] autofs
[ + ] avahi-daemon
[ + ] bluetooth
[ - ] brltty
[ ? ] console-setup
[ + ] cron
[ + ] cups
[ + ] cups-browsed
[ - ] dbus
[ ? ] dns-clean
[ + ] friendly-recovery
[ - ] grub-common
[ ? ] irqbalance
[ + ] kerneloops
[ ? ] killprocs
[ ? ] kmod
[ ? ] lightdm
[ ? ] networking
[ ? ] nxserver
[ ? ] ondemand
[ ? ] pppd-dns
[ - ] procps
[ - ] pulseaudio
[ ? ] rc.local
[ + ] resolvconf
[ + ] rpcbind
[ - ] rsync
[ + ] rsyslog
[ + ] saned
[ ? ] sendsigs
[ ? ] speech-dispatcher
[ - ] ssh
[ - ] sudo
[ + ] udev
[ ? ] umountfs
[ ? ] umountnfs.sh
[ ? ] umountroot
[ - ] unattended-upgrades
[ - ] urandom
[ - ] x11-common
root@vplab030:
Kashyap
(183 rep)
Sep 9, 2014, 07:01 PM
• Last activity: Nov 26, 2018, 12:13 AM
1
votes
0
answers
619
views
ypcat passwd not able to list if the user has 3 digit user id
I am trying to migrate a NIS server from Solaris to Red Hat (7.5). As per the doc, I have exported `/etc/passwd` and `/etc/group` from Solaris to Red Hat and got NIS up and running.
If my `/etc/passwd` is e.g.:
james:x:554:101::/users/james:/bin/bash
kevin:x:723:103::/users/kevin:/usr/bin/bash
jerry:x:1130032140:101::/users/jerry:/usr/bin/bash
jose:x:1130032178:103::/users/jose:/usr/bin/bash
These are my NIS users, but if I do `ypcat passwd` I am able to see only `jerry` and `jose`. `james` and `kevin` are not listed.
If I change the user id to 4 digits (e.g., `5544`), after `make` I am able to see the user.
The thing is, if the user id is 3 digits, `ypcat passwd` does not list that user.
user45898
(41 rep)
Sep 27, 2018, 05:13 PM
• Last activity: Sep 27, 2018, 05:16 PM
1
votes
0
answers
2477
views
NIS client doesn't automount the home folder
I am setting up a computing cluster, and have been tasked with setting up a NIS server and client environment. So far I have been successful on every front, except that the NIS clients are not mounting the home directory.
I have been following the steps in [this article](https://docs.oracle.com/cd/E52668_01/E54669/html/ol7-s13-auth.html), which has gotten me this far. I am able to log in to the NIS client properly, but when it gets there it throws me to a bash prompt and says `Could not chdir to home directory /nethome/cfduser: No such file or directory`. When I get to the bash prompt I can confirm that the `/nethome` directory is there, but it is empty.
I am not sure where to go from here. I can supply whatever configuration files are needed and more if needed.
Both the client and server are running CentOS 7 b1804.
Edit 1:
My /etc/auto.master
# Sample auto.master file
# This is a 'master' automounter map and it has the following format:
# mount-point [map-type[,format]:]map [options]
# For details of the format look at auto.master(5).
#
/misc /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
# "nosuid" and "nodev" options unless the "suid" and "dev"
# options are explicitly given.
#
/net -hosts
#
# Include /etc/auto.master.d/*.autofs
# The included files must conform to the format of this file.
#
+dir:/etc/auto.master.d
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
+auto.master
/nethome /etc/auto.home
My /etc/auto.home
* -rw,sync 192.168.1.1:/nethome/&
hightekjonathan
(111 rep)
Aug 23, 2018, 01:54 PM
• Last activity: Aug 23, 2018, 07:19 PM
1
votes
2
answers
631
views
What does a group with no group id mean?
As part of my assignment I was asked to find a group called + and to write in brief what I think of it. This group in `/etc/group` is shown as `+:x::`, which means it has no GID and no users. But what does that mean? What does having no GID do to a group? I wrote that it might be invalid, but apparently that's a wrong answer. I couldn't find the answer in any documentation or tutorial.
hungry
(21 rep)
May 4, 2018, 09:04 AM
• Last activity: Aug 20, 2018, 09:49 PM
Showing page 1 of 20 total questions