[lug] NIS hang

Daniel Webb lists at danielwebb.us
Mon Jan 15 16:12:55 MST 2007

On Sat, Jan 13, 2007 at 12:59:36PM -0600, Hugh Brown wrote:

> Yep, that's why sysadmins have jobs and no hair.  I don't know the 
> calling order of the resolver libraries and pam.  I do know that even 
> with files listed first (and with nis or ldap listed second), that pam 
> can mess things up.  So I'd try and make sure pam is straightened out 
> pam has always felt like voodoo which can be poked and made to work, but 
> I've often worried that I'm exposing myself unnecessarily and that if I 
> really understood pam, that I could do amazing things.

I tracked this down further with a strace of "su" as a normal user.  When
nsswitch has "files" only, it looks for /etc/shadow, gets permission denied,
then goes ahead and asks for the password.  When nsswitch has "files nis", it
looks for /etc/shadow, gets permission denied, then does a NIS lookup for the
shadow password.  I'm not sure what's happening to ignore the failed open of
/etc/shadow in the no-NIS case.  I don't even know if this is correct
behavior.  I have found that it actually does give me root eventually, the
timeout is several minutes.

More information about the LUG mailing list