On Thu, Jul 12, 2007 at 11:14:45PM -0400, Matt Hyclak wrote:
On Thu, Jul 12, 2007 at 11:13:08PM -0400, Stephen Harris enlightened us:
'getent passwd' should be portable across any account storage accessible through pam.
You said the magic word that makes things infinitely more complicated ("PAM") and that renders your answer incorrect. "getent" uses naming services (nsswitch.conf). PAM doesn't. An account visible via getent may not be valid on a box.
Yes, I should have said nss, not pam. Thanks for correcting that. That ought to teach me to answer questions late at night :-)
*grin*
It's actually not a trivial point and is something I ask people about in interviews. Naming services, authentication, authorisation are actually separate systems. Historically they've all been /etc/passwd /etc/shadow. Modern unixes using PAM mean they need not be the same, and this can lead to some interesting edge cases. Just because an account shows on the system (e.g. via getent) doesn't mean that user can log in!
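
Added example, not part of the original thread: a small audit that takes the accounts a name service makes visible (as `getent passwd` would print them) and lists reasons each one might still be unable to log in. The account data, the `audit` function and the reason strings are constructed for illustration, and the checks are heuristics over local files only; the service's PAM stack makes the real decision.

```python
# Added example; all account data below is constructed.
import time

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
dave:x:20001:20001:Dave:/home/dave:/bin/bash
"""  # shaped like `getent passwd` output (what NSS can see)
SHADOW = """\
root:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
bob:!$6$salt$hash:19000:0:99999:7:::
carol:$6$salt$hash:19000:0:99999:7::19500:
"""  # shaped like /etc/shadow; dave comes from a non-local NSS source
SHELLS = {"/bin/sh", "/bin/bash"}  # shaped like /etc/shells


def audit(passwd_text, shadow_text, shells, today_days):
    """Return {user: [reasons a visible account may still fail to log in]}."""
    shadow = {l.split(":")[0]: l.split(":") for l in shadow_text.splitlines()}
    report = {}
    for line in passwd_text.splitlines():
        name, shell = line.split(":")[0], line.split(":")[6]
        reasons = []
        if shell not in shells:
            reasons.append("shell not in shells list")
        entry = shadow.get(name)
        if entry is None:
            # Visible through NSS, but local files cannot say whether PAM accepts it.
            reasons.append("no local shadow entry")
        else:
            if entry[1][:1] in ("!", "*"):
                reasons.append("password locked")
            if entry[7] and today_days >= int(entry[7]):
                reasons.append("account expired")
        report[name] = reasons
    return report


if __name__ == "__main__":
    today = int(time.time() // 86400)  # shadow dates are days since 1970-01-01
    for user, reasons in audit(PASSWD, SHADOW, SHELLS, today).items():
        print(f"{user:8} {'; '.join(reasons) or 'no local obstacle found'}")
```

All six accounts are visible to the name service, yet only root and alice come back with an empty list; dave's result shows the opposite gap, where local files say nothing about whether authentication would succeed.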