[opensuse] /etc/passwd compulsory fields
Hi

Apart from the obvious, passwd (5) doesn't say which fields are compulsory.

I see that my local login is:

lynn:x:1000:100::/home/lynn:/bin/bash

and my login to AD is:

lynn2:*:3000023:20513:lynn2:/home/users/lynn2:/bin/bash

I need a domain user like a squashed root on NFS, so I made a user with just uidNumber and gidNumber:

cifsuser:*:3000020:20513

It seems to work fine. cifsuser cannot authenticate but I see that ALL the entries in /etc/passwd on 12.3 installs have home directory and login shell populated.

Question

Is there anything I've overlooked? _Should_ I specify the 12.3 fields for cifsuser too?

Thanks
L
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

On Mon, 19 Aug 2013 10:48:00 +0200 lynn <lynn@steve-ss.com> wrote:

> Hi
> Apart from the obvious, passwd (5) doesn't say which fields are compulsory.

They are all compulsory. Some of them can be empty, but they need to be there. Some software will be confused if it finds lines with the wrong number of ":" characters.

On Mon, 2013-08-19 at 12:19 -0500, Neil Rickert wrote:

> On Mon, 19 Aug 2013 10:48:00 +0200 lynn <lynn@steve-ss.com> wrote:
>
> > Hi
> > Apart from the obvious, passwd (5) doesn't say which fields are compulsory.
>
> They are all compulsory.
> Some of them can be empty, but they need to be there. Some software will be confused if it finds lines with the wrong number of ":" characters.

Hi

OK. It's not the file itself, more what I'm passing to the operating system. I'm using sssd, which seems to copy username to gecos and have / as the default home directory even if those attributes are not populated in AD. It will however allow me to leave login shell blank. getent then gives me this:

cifsuser:*:3000020:20513:cifsuser:/:

which gives the correct number of ":". I'm not sure whether it's sssd or AD which decides on the defaults. Anyway, a bit better.

On Mon, 19 Aug 2013 22:58:10 +0200 lynn <lynn@steve-ss.com> wrote:

> OK. It's not the file itself, more what I'm passing to the operating system. I'm using sssd, which seems to copy username to gecos and have / as the default home directory even if those attributes are not populated in AD. It will however allow me to leave login shell blank. getent then gives me this:
>
> cifsuser:*:3000020:20513:cifsuser:/:
>
> which gives the correct number of ":". I'm not sure whether it's sssd or AD which decides on the defaults. Anyway, a bit better.

A blank login shell is interpreted as "/bin/sh". If logins are never to be allowed for this user, I would typically set the shell to "/noshell", which does not have a special meaning, but will deny login as long as "/noshell" does not exist in the file system. Any non-existent file path would do the same thing.

Neil Rickert said the following on 08/19/2013 09:32 PM:

> On Mon, 19 Aug 2013 22:58:10 +0200 lynn <lynn@steve-ss.com> wrote:
>
> > OK. It's not the file itself, more what I'm passing to the operating system. I'm using sssd, which seems to copy username to gecos and have / as the default home directory even if those attributes are not populated in AD. It will however allow me to leave login shell blank. getent then gives me this:
> >
> > cifsuser:*:3000020:20513:cifsuser:/:
> >
> > which gives the correct number of ":". I'm not sure whether it's sssd or AD which decides on the defaults. Anyway, a bit better.
>
> A blank login shell is interpreted as "/bin/sh". If logins are never to be allowed for this user, I would typically set the shell to "/noshell", which does not have a special meaning, but will deny login as long as "/noshell" does not exist in the file system. Any non-existent file path would do the same thing.

Please see "man nologin" for the 'polite' way to do this :-)

Perhaps PolicyKit might be relevant. I know constraints about time and location can be applied; see man access.conf and various PAM modules.

--
How long did the whining go on when KDE2 went on KDE3?
The only universal constant is change. If a species can not adapt it goes extinct. That's the law of the universe, adapt or die.
-- Billie Walsh, May 18 2013

On Tue, 2013-08-20 at 07:57 -0400, Anton Aylward wrote:

> Neil Rickert said the following on 08/19/2013 09:32 PM:
>
> > On Mon, 19 Aug 2013 22:58:10 +0200 lynn <lynn@steve-ss.com> wrote:
> >
> > > OK. It's not the file itself, more what I'm passing to the operating system. I'm using sssd, which seems to copy username to gecos and have / as the default home directory even if those attributes are not populated in AD. It will however allow me to leave login shell blank. getent then gives me this:
> > >
> > > cifsuser:*:3000020:20513:cifsuser:/:
> > >
> > > which gives the correct number of ":". I'm not sure whether it's sssd or AD which decides on the defaults. Anyway, a bit better.
> >
> > A blank login shell is interpreted as "/bin/sh". If logins are never to be allowed for this user, I would typically set the shell to "/noshell", which does not have a special meaning, but will deny login as long as "/noshell" does not exist in the file system. Any non-existent file path would do the same thing.
>
> Please see "man nologin" for the 'polite' way to do this :-)

Hi

I can't get it polite:

hh16:/tmo # nologin
This account is currently not available.

works OK but it's not polite:

hh16:/tmp # su cifsuser
Password:
su: /noshell: No such file or directory

This is what I have in the directory:

cn: cifsuser
objectClass: posixAccount
uidNumber: 3000020
gidNumber: 20513
loginShell: /noshell

Note that unixHomeDirectory and gecos are not set but still appear:

hh16:/tmp # getent passwd cifsuser
cifsuser:*:3000020:20513:cifsuser:/:/noshell

Here is /etc/pam.d/common-auth

auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass
auth required pam_sss.so use_first_pass

sssd is up and is OK as all domain users with a loginShell can authenticate and are correctly placed in their home directory.

1. How do I get the polite message?
2. How do I enter a blank gecos?
3. How do I enter a blank home directory?
4. Is it possible that cifsuser never be prompted for a password?

Thanks

lynn said the following on 08/20/2013 10:23 AM:

> On Tue, 2013-08-20 at 07:57 -0400, Anton Aylward wrote:
>
> > Neil Rickert said the following on 08/19/2013 09:32 PM:
> >
> > > On Mon, 19 Aug 2013 22:58:10 +0200 lynn <lynn@steve-ss.com> wrote:
> > >
> > > > OK. It's not the file itself, more what I'm passing to the operating system. I'm using sssd, which seems to copy username to gecos and have / as the default home directory even if those attributes are not populated in AD. It will however allow me to leave login shell blank. getent then gives me this:
> > > >
> > > > cifsuser:*:3000020:20513:cifsuser:/:
> > > >
> > > > which gives the correct number of ":". I'm not sure whether it's sssd or AD which decides on the defaults. Anyway, a bit better.
> > >
> > > A blank login shell is interpreted as "/bin/sh". If logins are never to be allowed for this user, I would typically set the shell to "/noshell", which does not have a special meaning, but will deny login as long as "/noshell" does not exist in the file system. Any non-existent file path would do the same thing.
> >
> > Please see "man nologin" for the 'polite' way to do this :-)
>
> Hi
>
> I can't get it polite:
>
> hh16:/tmo # nologin
> This account is currently not available.
>
> works OK but it's not polite:
>
> hh16:/tmp # su cifsuser
> Password:
> su: /noshell: No such file or directory

Help me here; why is a FAIL polite but a correct execution and sensible message that says nothing about the internals not polite?

"Polite" as in 'not abusing the system by relying on a FAIL'.

The 'nologin' will work even if some idiot sysadmin who isn't in on it were to create "/noshell" thinking it a form of ".nologin" as has been used on some versions of UNIX in the past.

Perhaps things would have been clearer if I had said "robust" rather than "polite", but I think that making an ABEND do the job of 'nologin' is a kludge and unreliable.

lynn said the following on 08/20/2013 10:23 AM:

> 1. How do I get the polite message?

That depends. Maybe a variation on /etc/nologin? According to the man page, if you use what I suggest as the 'polite' method rather than your ABEND method, then

    If the file /etc/nologin.txt exists, nologin displays its contents to the user instead of the default message.

> 2. How do I enter a blank gecos?
> 3. How do I enter a blank home directory?

Those are really LDAP questions, aren't they? Or possibly database questions for the underlying database.

> 4. Is it possible that cifsuser never be prompted for a password?

Personally I use ssh and certificates all over the place so I only ever have to enter my password once for all the machines and IDs on my net (except root).

Perhaps if you gave us a little more context about the circumstances in which that account is being used.

Oh, and the obvious answer: don't have a password :-)
I'm sure there are circumstances where not having a password isn't actually a security violation :-)

On Tue, 2013-08-20 at 10:45 -0400, Anton Aylward wrote:

> Perhaps if you gave us a little more context about the circumstances in which that account is being used.

Yes, sorry.

12.3 AD DC (ldap to normal people) with 12.3 and w7 clients. Here's an example from a client /etc/fstab

//altea/users /home/users cifs nobrl,sec=krb5,username=cifsuser,multiuser 0 0

cifsuser is necessary for the cifs.upcall scan of the keytab.

I want to be sure that the smartarses can't authenticate as cifsuser. Kerberos takes care of the rest.

Saludos

lynn said the following on 08/20/2013 01:12 PM:

> On Tue, 2013-08-20 at 10:45 -0400, Anton Aylward wrote:
>
> > Perhaps if you gave us a little more context about the circumstances in which that account is being used.
>
> Yes, sorry.
>
> 12.3 AD DC (ldap to normal people) with 12.3 and w7 clients. Here's an example from a client /etc/fstab
>
> //altea/users /home/users cifs nobrl,sec=krb5,username=cifsuser,multiuser 0 0
>
> cifsuser is necessary for the cifs.upcall scan of the keytab.
>
> I want to be sure that the smartarses can't authenticate as cifsuser. Kerberos takes care of the rest.

If your issue is AUTHENTICATE then put a "*" in the password field.

See "man 5 passwd" which says

    password
        This is either the encrypted user password, an asterisk (*), or the letter 'x'. (See pwconv(8) for an explanation of 'x'.)

The 'x' means 'use the shadow password file'. You want "*" which blocks any AUTHENTICATION for that account.

On Mon 19 Aug 2013 08:32:17 PM CDT, Neil Rickert wrote:

> On Mon, 19 Aug 2013 22:58:10 +0200 lynn <lynn@steve-ss.com> wrote:
>
> > OK. It's not the file itself, more what I'm passing to the operating system. I'm using sssd, which seems to copy username to gecos and have / as the default home directory even if those attributes are not populated in AD. It will however allow me to leave login shell blank. getent then gives me this:
> >
> > cifsuser:*:3000020:20513:cifsuser:/:
> >
> > which gives the correct number of ":". I'm not sure whether it's sssd or AD which decides on the defaults. Anyway, a bit better.
>
> A blank login shell is interpreted as "/bin/sh". If logins are never to be allowed for this user, I would typically set the shell to "/noshell", which does not have a special meaning, but will deny login as long as "/noshell" does not exist in the file system. Any non-existent file path would do the same thing.

Hi

Wouldn't that be false by adding -s /usr/bin/false to the shell option?

--
Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 12.3 (x86_64) Kernel 3.7.10-1.16-desktop
up 1:02, 3 users, load average: 0.12, 0.18, 0.15
CPU AMD E2-1800@1.70GHz | GPU Radeon HD 7340
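
The thread raises four checks on a passwd(5) entry that a sysadmin can script rather than eyeball: every line must have exactly seven ":"-separated fields (Neil's point), an empty shell field silently means /bin/sh, a shell that simply does not exist (like /noshell) blocks login only by accident whereas nologin or /bin/false blocks it by design (Anton's and Malcolm's point), and "*" in the password field refuses password authentication while "x" defers to /etc/shadow. The audit script below is an added example written for this thread, not code posted by any of the participants. It assumes the usual nologin and false paths, uses a stand-in for the filesystem so it runs offline, and feeds itself a constructed sample made of the lynn and cifsuser lines quoted above plus two made-up accounts, nfsuser and svc.

```python
import os

# Field order defined by passwd(5); every entry must have exactly these seven.
PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

# Shells that refuse interactive login by design. Assumed paths: the thread
# names nologin and /usr/bin/false; both common locations are listed.
DENY_SHELLS = frozenset(
    ["/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"]
)


def parse_passwd_line(line):
    """Split one passwd(5) line into its seven fields.

    Raises ValueError when the field count is wrong: the 'wrong number of
    ":" characters' case that confuses software reading the file.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(PASSWD_FIELDS):
        raise ValueError(
            "expected %d fields, got %d: %r"
            % (len(PASSWD_FIELDS), len(fields), line)
        )
    entry = dict(zip(PASSWD_FIELDS, fields))
    entry["uid"] = int(entry["uid"])
    entry["gid"] = int(entry["gid"])
    return entry


def effective_shell(shell):
    """An empty shell field is treated as /bin/sh, so blank does not block login."""
    return shell or "/bin/sh"


def audit_entry(entry, shell_exists=os.path.exists):
    """Return the findings a reviewer would raise for one parsed entry.

    shell_exists is injectable so entries copied from another host (or a
    test) can be audited without consulting the local filesystem.
    """
    findings = []
    password = entry["password"]
    if password == "":
        findings.append("empty password field: no password needed to log in")
    elif password == "x":
        findings.append("password kept in /etc/shadow: check lock status there")
    elif password != "*":
        findings.append("password hash stored in world-readable /etc/passwd")
    # '*' can never equal a crypt(3) result, so it blocks password authentication.

    shell = effective_shell(entry["shell"])
    if entry["shell"] == "":
        findings.append("empty shell field: defaults to /bin/sh, login allowed")
    if shell not in DENY_SHELLS and not shell_exists(shell):
        findings.append(
            "shell %s does not exist: login fails only by accident, prefer nologin"
            % shell
        )
    if entry["home"] in ("", "/"):
        findings.append("home directory is empty or /")
    return findings


def audit_passwd(text, shell_exists=os.path.exists):
    """Audit passwd-style text; returns (findings_by_user, malformed_lines)."""
    by_user = {}
    malformed = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        try:
            entry = parse_passwd_line(line)
        except ValueError as exc:
            malformed.append(str(exc))
            continue
        by_user[entry["name"]] = audit_entry(entry, shell_exists)
    return by_user, malformed


# Constructed sample: the lynn and cifsuser entries quoted in the thread,
# plus two made-up accounts, nfsuser (blank shell) and svc (nologin).
SAMPLE = """\
lynn:x:1000:100::/home/lynn:/bin/bash
cifsuser:*:3000020:20513
cifsuser:*:3000020:20513:cifsuser:/:/noshell
nfsuser:*:3000022:20513:nfsuser:/:
svc:*:3000021:20513:svc:/:/sbin/nologin
"""

# Stand-in for the sample host's filesystem; /noshell is deliberately absent.
SAMPLE_SHELLS = frozenset(["/bin/bash", "/bin/sh", "/sbin/nologin"])


def main():
    by_user, malformed = audit_passwd(SAMPLE, lambda path: path in SAMPLE_SHELLS)
    for message in malformed:
        print("MALFORMED:", message)
    for user, items in by_user.items():
        for item in items:
            print("%s: %s" % (user, item))


if __name__ == "__main__":
    main()
```

Run against a real host, drop the lambda and let audit_passwd use os.path.exists, then feed it the output of getent passwd rather than /etc/passwd alone, since that is where the sssd-supplied entries such as cifsuser actually appear. The four-field cifsuser line from the first mail is reported as malformed, the /noshell entry is flagged as relying on a missing file, and the svc entry with nologin produces no shell finding at all.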

participants (4): Anton Aylward, lynn, Malcolm, Neil Rickert