authorNetali <me@netali.de>2022-07-31 23:37:33 +0200
committerNetali <me@netali.de>2022-08-06 19:43:28 +0200
commit1a35b5aacb88c0fe3160c78e2ef43430eac42252 (patch)
treef4d17f3d2d103a8f0a77b3b6f1547f53b5fe5357 /nixos/modules/security/pam.nix
parentf23a1e6a54bb78d4aaec085964205899a5f0e83e (diff)
nixos/pam: move pam_unix to the end of the account chain
Diffstat (limited to 'nixos/modules/security/pam.nix')
-rw-r--r--nixos/modules/security/pam.nix5
1 files changed, 4 insertions, 1 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 091af120dfd68..c8fb42718d7cf 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -452,7 +452,6 @@ let
         (
           ''
             # Account management.
-            account required pam_unix.so
           '' +
           optionalString use_ldap ''
             account sufficient ${pam_ldap}/lib/security/pam_ldap.so
@@ -473,7 +472,11 @@ let
             account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
             account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so
           '' +
+          # The required pam_unix.so module has to come after all the sufficient modules
+          # because otherwise, the account lookup will fail if the user does not exist
+          # locally, for example with MySQL- or LDAP-auth.
           ''
+            account required pam_unix.so
 
             # Authentication management.
           '' +
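Review bot: With `account required pam_unix.so` now placed after the `sufficient` entries, a success from an earlier `sufficient` module (for example the `pam_ldap.so` line guarded by `use_ldap`) ends the account stack before pam_unix is consulted, so its account checks no longer apply to users accepted there. The added comment explains only the lookup failure and should also record this trade-off, e.g. `# Note: a successful sufficient module above returns early, so pam_unix account checks (such as shadow expiry) are skipped for those users.` If a name can exist both locally and in the remote directory, local expiry or lock settings would presumably not be enforced for it, so it is worth confirming that this is intended. The enclosing `let` binding starts and ends outside the hunk, so modules between the two hunks are not visible here.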