Package: libnss-pgsql2 Version: 1.4.0debian-3 Severity: important I tried upgrading a Debian Lenny server to Squeeze a few weeks ago. Since then all users in the database stopped working. When trying to login via SSH, I saw these lines in the logs:
This got me wondering. It should not be possible to have accounts in the database expire. They have a hard coded value for this field set in the queries in /etc/nss-pgsql-root.conf. The query simply returns the empty string '' as field 8. This has worked fine while running lenny. After upgrading to squeeze, I started getting the error. Having spent hours debugging this, it turned out that 'getent shadow backup001' returns: backup001:*:14551:0:99999:7:0:0:0 and not the expected backup001:*:14551:0:99999:7::: So, it returns 0 instead of empty string. I had to turn on query logging in the database. I noticed that the query did in fact select ''. I tried modifying the query to return 99999 instead of '' and then 'getent shadow backup001' returns: backup001:*:14551:0:99999:7:0:0:99999 And best of all: now login works! So I guess the problem is that libnss-pgsql handles the empty string incorrectly and returns 0 to PAM instead of ''. This has probably also been the case in lenny, however, some semantics in PAM must have changed in squeeze so that it now interprets 0 as 'account expired'. Which is probably correct. I think this is a very severy bug, since this will make login fail for users who upgrade to squeeze. I hope this will be fixed before squeeze is released. -- System Information: Debian Release: 6.0 APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i586) Kernel: Linux 2.6.32-5-486 Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages libnss-pgsql2 depends on: ii libc6 2.11.2-9 Embedded GNU C Library: Shared lib ii libpq5 8.4.5-0squeeze2 PostgreSQL C client library libnss-pgsql2 recommends no packages. Versions of packages libnss-pgsql2 suggests: pn libpam-pgsql <none> (no description available) pn nscd <none> (no description available) -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
