I was wrong at #402 (comment): on top of the lack of NSS support, we're also unable to parse the Ubuntu pam files.
We paired with @jfroche and stared at the strace output of the failing passwd invocation. We realized the nix-provided pam parser is unable to parse an @import statement. Turns out, Debian (and Ubuntu) are patching pam to add this syntax :/
Reading nix-community/home-manager#7027 has been particularly enlightening. It seems like people are adopting two approaches:
- Rewrite the host pam modules to remove the @import special syntax.
- Replace the Nixpkgs linux_pam with pam_shim. That's a small shim that uses the host system pam shared libraries.
I personally prefer approach 2.