resolved – passwd permission denied even for root on Solaris
When I tried resetting a local user's password on a Solaris host, I got the following error message:
root@doxer # passwd <username>
Re-enter new Password:
This was very weird as I was logged on as root when doing this operation:
root@doxer # id
After some searching I found that this happens because passwd by default tries to reset the LDAP password if the host is using LDAP for authentication. Here's an excerpt from /etc/nsswitch.conf:
To resolve this, you need to designate which authentication mechanism you want to use for resetting the password (here we should use files, as this user was a local one):
passwd -r files <username>
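One way to script the check described above, as an added example that is not from the original post: it reads the passwd: line of nsswitch.conf and the local passwd file, then prints the passwd -r invocation that applies to a user. The function names, sample files and user names are constructed for illustration; it assumes a POSIX shell and awk (on Solaris, ksh or bash with nawk or /usr/xpg4/bin/awk).

```shell
#!/bin/sh
# Added example: choose the passwd(1) repository for a user.
# File paths are parameters so the functions can be tried on copies.

# Print the sources on the "passwd:" line, one per line, ignoring
# comments and [STATUS=action] criteria.
passwd_sources() {
    sed 's/#.*//' "$1" | awk '$1 == "passwd:" {
        for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i
        exit }'
}

# Succeed if the user has an entry in the local passwd file (exact match).
is_local_user() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"
}

# Print the command to run: "-r files" for a local account, "-r ldap"
# for an account that is not local when ldap is a configured source.
suggest_passwd_cmd() {
    user=$1
    nss=${2:-/etc/nsswitch.conf}
    pwfile=${3:-/etc/passwd}
    sources=$(passwd_sources "$nss")
    if is_local_user "$user" "$pwfile"; then
        echo "passwd -r files $user"
    else
        case " $(echo $sources) " in
            *" ldap "*) echo "passwd -r ldap $user" ;;
            *) echo "# $user is not local; sources: $(echo $sources)" >&2
               return 1 ;;
        esac
    fi
}

# Constructed sample files (not from the post) so this runs offline.
demo_dir=$(mktemp -d)
printf 'passwd: files ldap  # local first\ngroup: files ldap\n' \
    > "$demo_dir/nsswitch.conf"
printf 'root:x:0:0::/root:/sbin/sh\nlocaluser:x:1001:10::/home/l:/bin/sh\n' \
    > "$demo_dir/passwd"
suggest_passwd_cmd localuser "$demo_dir/nsswitch.conf" "$demo_dir/passwd"
suggest_passwd_cmd ldapuser "$demo_dir/nsswitch.conf" "$demo_dir/passwd"
```

On a real host, call suggest_passwd_cmd with only the user name to read /etc/nsswitch.conf and /etc/passwd.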
Here's more about the NIS passwd map (from the book Managing NFS and NIS):
Earlier, we introduced the concept of replaced files and appended files. Now, we'll discuss how to work with these files. First, let's review: these are important concepts, so repetition is helpful. If a map replaces the local file, the file is ignored once NIS is running. Aside from making sure that misplaced optimism doesn't lead you to delete the files that were distributed with your system, there's nothing interesting that you can do with these replaced files. We won't have anything further to say about them.
Conversely, local files that are appended to by NIS maps are always consulted first, even if NIS is running. The password file is a good example of a file augmented by NIS. You may want to give some users access to one or two machines, and not include them in the NIS password map. The solution to this problem is to put these users into the local passwd file, but not into the master passwd file on the master server. The local password file is always read before getpwuid( ) goes to an NIS server. Password-file reading routines find locally defined users as well as those in the NIS map, and the search order of "local, then NIS" allows local password file entries to override values in the NIS map. Similarly, the local aliases file can be used to override entries in the NIS mail aliases map, setting up machine-specific expansion of one or more aliases.