Background: I was experimenting with a small program that uses PAM to check a user's password. I noticed that the pam_authenticate would succeed, but the pam_acct_mgmt call would fail. The reason turned out to be that the pam_authenticate uses the setuid /sbin/unix_chkpwd, but the pam_acct_mgmt doesn't, so when run as a non-root user it fails to read /etc/shadow. Then I noticed that Gentoo's pam contains a patch to work around "broken shadow" systems. I added the broken_shadow option to the appropriate config file, but it didn't work.

Reproducible: Always

Steps to Reproduce:
This is reproducible, but there are quite a few steps. Of course PAM is a rather important subsystem, so before you start messing with it make sure you have a backup, and a couple of spare root shells open.

emerge sys-libs/pam
wget http://www.pangalactic.org/PyPAM/PyPAM-0.4.2.tar.gz
tar xvzf PyPAM-0.4.2.tar.gz
cd PyPAM-0.4.2/examples/
gcc -o pamexample -g pamexample.c -lpam -lpam_misc
cat > /etc/pam.d/check_user <<EOT
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
EOT

Now in /etc/pam.d/system-auth, modify the account line:

account required /lib/security/pam_unix.so broken_shadow

Now run (with username and password of a system user):

./pamexample myusername
Password: mypassword
Not Authenticated

Actual Results: Not Authenticated

Expected Results: Authenticated

I debugged it, and the problem is in /var/tmp/portage/pam-0.77/work/pam-0.77-patches/redhat-patches/pam-0.77-unix-brokenshadow.patch. It has:

if (ctrl & UNIX_BROKEN_SHADOW)

whereas it should have:

if (on(UNIX_BROKEN_SHADOW, ctrl))

as you can see from the other patches there.

To fix:

ebuild /usr/portage/sys-libs/pam/pam-0.77.ebuild compile
cd /var/tmp/portage/pam-0.77/work/Linux-PAM-0.77/modules/pam_unix
vi pam_unix_acct.c

and change the UNIX_BROKEN_SHADOW line 133 as shown above, then:

make
mv /lib/security/pam_unix.so /lib/security/pam_unix.so.ok
cp pam_unix.so /lib/security/pam_unix.so

Now re-run the test case, this time it works:

./pamexample myusername
Password:
Authenticated

Of course, for this particular test-case there is an easier workaround: change the /etc/pam.d/check_user file to have:

account required /lib/security/pam_permit

so that it doesn't use pam_unix in the first place.

For completeness, here is my emerge info:

Portage 2.0.50-r6 (default-x86-1.4, gcc-3.3.3, glibc-2.3.3_pre20040420-r0, 2.6.5-gentoo-r1)
=================================================================
System uname: 2.6.5-gentoo-r1 i686 Intel(R) Pentium(R) 4 CPU 2.00GHz
Gentoo Base System version 1.4.8
distcc 2.13 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -mcpu=i686 -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mcpu=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache distcc sandbox"
GENTOO_MIRRORS="http://www.mirror.ac.uk/sites/www.ibiblio.org/gentoo/ ftp://ftp.easynet.nl/mirror/gentoo// http://ftp.snt.utwente.nl/pub/os/linux/gentoo ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo rsync://ftp.snt.utwente.nl::gentoo ftp://trumpetti.atm.tut.fi/gentoo/ rsync://trumpetti.atm.tut.fi/gentoo/ http://sunsite.cnlab-switch.ch/ftp/mirror/gentoo/ ftp://sunsite.cnlab-switch.ch/mirror/gentoo/"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.nl.gentoo.org/gentoo-portage"
USE="X alsa apm arts avi berkdb bonobo cdr crypt cups encode esd foomaticdb gdbm gif gnome gphoto2 gpm gtk gtk2 gtkhtml guile imap imlib java jpeg kde ldap libg++ libwww mad mikmod motif mozilla mpeg mysql ncurses nls nptl oggvorbis opengl oss pam pdflib perl png python qt quicktime readline sdl slang spell ssl svga tcltk tcpd tiff truetype x86 xml2 xmms xv zlib"
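The defect the report points at (`ctrl & UNIX_BROKEN_SHADOW` instead of `on(UNIX_BROKEN_SHADOW, ctrl)`) is easy to misread as a style nit, so here is an added example, not code from the bug report or from Linux-PAM, that models why the two are not equivalent. In pam_unix the UNIX_* names are indices into an option table, and the bit that actually lands in the control word is the table entry's `.flag`; the table, indices and bit values below are constructed for the example and do not match the real support.h, but the `on()` macro has the same shape as pam_unix's.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of pam_unix's option handling. UNIX_* names are
 * INDICES into unix_args[], not bits. The bit recorded in the control
 * word when an option is given is unix_args[index].flag, so a test of
 * the form "ctrl & UNIX_X" compares against the wrong value entirely.
 */
#define UNIX_NULLOK          0
#define UNIX_USE_FIRST_PASS  1
#define UNIX_BROKEN_SHADOW   2
#define UNIX_CTRLS_          3   /* number of table entries */

struct unix_option {
    const char  *token;   /* module argument as written in pam.d */
    unsigned int flag;    /* bit set in ctrl when the token is present */
};

static const struct unix_option unix_args[UNIX_CTRLS_] = {
    { "nullok",         02  },  /* bit 1: happens to equal the index 2 */
    { "use_first_pass", 04  },  /* bit 2 */
    { "broken_shadow",  040 },  /* bit 5 */
};

/* Same shape as the on()/off() helpers used throughout pam_unix. */
#define on(x, ctrl)  (unix_args[(x)].flag & (ctrl))
#define off(x, ctrl) (!on(x, ctrl))

/* Build the control word from a space-separated module argument string. */
unsigned int parse_args(const char *args)
{
    unsigned int ctrl = 0;
    char buf[256];

    strncpy(buf, args, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        int known = 0;
        for (int i = 0; i < UNIX_CTRLS_; i++) {
            if (strcmp(tok, unix_args[i].token) == 0) {
                ctrl |= unix_args[i].flag;
                known = 1;
            }
        }
        if (!known)
            fprintf(stderr, "unrecognized option: %s\n", tok);
    }
    return ctrl;
}

/* The check as it appeared in the brokenshadow patch: treats the index as a bit. */
int broken_shadow_buggy(unsigned int ctrl)
{
    return (ctrl & UNIX_BROKEN_SHADOW) != 0;
}

/* The check written the way the rest of pam_unix does it. */
int broken_shadow_fixed(unsigned int ctrl)
{
    return on(UNIX_BROKEN_SHADOW, ctrl) != 0;
}

int main(void)
{
    /* Constructed argument strings as they might appear on an account line. */
    const char *cases[] = { "broken_shadow", "nullok", "use_first_pass broken_shadow" };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned int ctrl = parse_args(cases[i]);
        printf("%-30s ctrl=%#o  buggy=%d  fixed=%d\n", cases[i], ctrl,
               broken_shadow_buggy(ctrl), broken_shadow_fixed(ctrl));
    }
    return 0;
}
```

With "broken_shadow" given, the buggy test sees 040 & 2 == 0 and ignores the option, which is exactly the "Not Authenticated" result in the report. The model also shows the reverse failure: an unrelated option whose flag bit happens to equal the index ("nullok" here) makes the buggy test return true, silently enabling broken_shadow behaviour on account lines that never asked for it. Either way, a module option that is parsed but then tested against the wrong bit is worth a unit test in the module, since PAM configuration errors of this kind are invisible until a login path fails or is relaxed.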
I can't reproduce this problem with 0.77-r1 as you have specified. pamexample does return your expected result of 'Authenticated'.
Is this still an issue? Tried newer shadow versions maybe?
Please try pam-0.78 and reopen if still an issue.