If at is compiled with USE=pam then users that are listed only in /etc/passwd don't work. LDAP users do work. Explanation of reasons in
For local users the following line is printed into syslog:
[atd] Authentication service cannot retrieve authentication info
The workaround is to replace the "account" line in /etc/pam.d/atd with the following:
account required pam_permit.so
pam_deny_uc.so - deny UPPERCASE characters in username (required because of ldap...)
auth requisite pam_deny_uc.so
auth sufficient pam_unix.so try_first_pass nodelay
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_ldap.so ignore_unknown_user
password required pam_passwdqc.so min=disabled,8,8,8,7 passphrase=0 random=0
password sufficient pam_ldap.so use_authtok
password sufficient pam_unix.so md5 shadow use_authtok
password required pam_deny.so
session required pam_unix.so
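To make the effect of the workaround visible, here is an added example (not from the bug report or from at/PAM) that evaluates a PAM account stack with simplified Linux-PAM control-flag semantics. The module return codes are constructed assumptions: pam_unix is taken to return PAM_AUTHINFO_UNAVAIL for a local-only user once atd has dropped root (the syslog message above), and pam_permit always succeeds.

```python
# Simplified Linux-PAM control-flag evaluation for one management group
# (required / requisite / sufficient / optional). Return codes are
# modelled as strings; only PAM_SUCCESS and PAM_IGNORE are special.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"  # "cannot retrieve authentication info"


def run_stack(stack, results):
    """stack: list of (control, module); results: module -> return code.

    Mirrors the basic Linux-PAM rules: a failing 'requisite' ends the stack
    at once, a failing 'required' is remembered but later modules still run,
    and a succeeding 'sufficient' ends the stack with success only if no
    earlier 'required' module has failed.
    """
    first_failure = None
    for control, module in stack:
        rc = results.get(module, PAM_IGNORE)
        if rc == PAM_IGNORE or control == "optional":
            continue
        ok = rc == PAM_SUCCESS
        if control == "requisite" and not ok:
            return rc
        if control == "required" and not ok and first_failure is None:
            first_failure = rc
        if control == "sufficient" and ok and first_failure is None:
            return PAM_SUCCESS
    return first_failure or PAM_SUCCESS


# Account lines from the reporter's stack above (pam_unix first, as required).
ACCOUNT_STACK = [("required", "pam_unix.so"),
                 ("sufficient", "pam_localuser.so"),
                 ("sufficient", "pam_ldap.so")]
# The proposed workaround: pam_permit accepts every account unconditionally.
WORKAROUND_STACK = [("required", "pam_permit.so")]

# Constructed results for a local-only user after atd has dropped root:
# pam_unix cannot read /etc/shadow, pam_localuser finds the user in /etc/passwd.
LOCAL_USER_DROPPED_ROOT = {"pam_unix.so": PAM_AUTHINFO_UNAVAIL,
                           "pam_localuser.so": PAM_SUCCESS,
                           "pam_ldap.so": "PAM_USER_UNKNOWN",
                           "pam_permit.so": PAM_SUCCESS}
# Constructed results for an expired local account, to show what the
# workaround gives up: pam_permit never sees the expiry.
EXPIRED_LOCAL_USER = {"pam_unix.so": "PAM_ACCT_EXPIRED",
                      "pam_localuser.so": PAM_SUCCESS,
                      "pam_permit.so": PAM_SUCCESS}
```

Running the two stacks against LOCAL_USER_DROPPED_ROOT shows the required pam_unix failure winning over the later sufficient pam_localuser success, while against EXPIRED_LOCAL_USER the workaround stack returns success where the original stack would have rejected the account.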
Please don't CC maintainers/herds yourself. Leave that to the bug-wranglers.
*** This bug has been marked as a duplicate of bug 267438 ***
Lars, okay for the CC (somewhat) but if you read the bug you duped this against, I explicitly asked for this one!
The PAM team can modify the pam.d file however it sees fit.
(In reply to comment #2)
> Lars, okay for the CC (somewhat) but if you read the bug you duped this
> against, I explicitly asked for this one!
Sorry for that. I was in a rush when I wrangled this bug.
This is a bug in at, not in PAM; it shouldn't drop root before calling pam_start… at a minimum it should save the DAC_OVERRIDE cap before doing that.