Bug 38510 - univention-system-setup-boot calls pam-auth-update
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: PAM
Version: UCS 4.0
Platform: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-2
Assigned To: Stefan Gohmann
QA Contact: Erik Damrose
Blocks: 38511
Reported: 2015-05-12 07:28 CEST by Stefan Gohmann
Modified: 2015-05-15 07:52 CEST (History)
Description Stefan Gohmann univentionstaff 2015-05-12 07:28:05 CEST
I've installed a UCS 4.0-2 system with the Nagios service and I'm unable to authenticate as user Administrator.

==> /var/log/auth.log <==
May 12 07:25:34 master681 apache2: pam_krb5(nagios:auth): pam_sm_authenticate: entry (nonull)
May 12 07:25:34 master681 apache2: pam_krb5(nagios:auth): (user Administrator) attempting authentication as Administrator@DEADLOCK68.INTRANET
May 12 07:25:34 master681 apache2: pam_krb5(nagios:auth): user Administrator authenticated as Administrator@DEADLOCK68.INTRANET
May 12 07:25:34 master681 apache2: pam_krb5(nagios:auth): (user Administrator) temporarily storing credentials in /tmp/krb5cc_pam_cZ2Dzt
May 12 07:25:34 master681 apache2: pam_krb5(nagios:auth): pam_sm_authenticate: exit (success)
May 12 07:25:34 master681 unix_chkpwd[9149]: could not obtain user info (Administrator)

==> /var/log/apache2/error.log <==
[Tue May 12 07:25:34 2015] [error] [client 10.205.1.178] PAM: user 'Administrator'  - invalid account: Authentication failure
Comment 1 Stefan Gohmann univentionstaff 2015-05-12 07:33:49 CEST
pam-auth-update has written the common-account pam configuration:

root@ucs-8547:~# ls -la /etc/pam.d/common-*
-rw-r--r-- 1 root root 1304 May 12 00:28 /etc/pam.d/common-account
-rw-r--r-- 1 root root 1304 May 12 00:11 /etc/pam.d/common-account.debian
-rw-r--r-- 1 root root  935 May 12 00:28 /etc/pam.d/common-account.pam-old
-rw-r--r-- 1 root root 1356 May 12 00:28 /etc/pam.d/common-auth
-rw-r--r-- 1 root root 1371 May 12 00:11 /etc/pam.d/common-auth.debian
-rw-r--r-- 1 root root  964 May 12 00:28 /etc/pam.d/common-auth-nowrite
-rw-r--r-- 1 root root 1522 May 12 00:28 /etc/pam.d/common-auth.pam-old
-rw-r--r-- 1 root root 1713 May 12 00:28 /etc/pam.d/common-password
-rw-r--r-- 1 root root 1713 May 12 00:11 /etc/pam.d/common-password.debian
-rw-r--r-- 1 root root  978 May 12 00:28 /etc/pam.d/common-password.pam-old
-rw-r--r-- 1 root root 1139 May 12 00:28 /etc/pam.d/common-session
-rw-r--r-- 1 root root 1309 May 12 00:11 /etc/pam.d/common-session.debian
-rw-r--r-- 1 root root 1234 May 12 00:28 /etc/pam.d/common-session-noninteractive
-rw-r--r-- 1 root root 1307 May 12 00:28 /etc/pam.d/common-session-noninteractive.pam-old
-rw-r--r-- 1 root root 1139 May 12 00:28 /etc/pam.d/common-session.pam-old
root@ucs-8547:~# cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
root@ucs-8547:~#
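Added example, not part of the bug report or of UCS: a small Python model of the common-auth stack quoted above. It parses the file, detects the pam-auth-update trailer that marks a replaced UCR template, and traces which module decides the result under the `[success=N default=ignore]` jump semantics; the module outcomes passed in are constructed.

```python
import re
# Constructed copy of the common-auth quoted in comment 1 (comments trimmed).
COMMON_AUTH = """\
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
# end of pam-auth-update config
"""
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]+\]|\w+)\s+(\S+)")

def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one facility; comment lines never match."""
    stack = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(1) == facility:
            stack.append((m.group(2), m.group(3)))
    return stack

def written_by_pam_auth_update(text):
    """True if the file carries pam-auth-update's trailer, i.e. the UCR-generated
    template was replaced (the state seen in comment 1)."""
    return "# end of pam-auth-update config" in text

def evaluate(stack, outcomes):
    """Walk one facility with outcomes {module: True/False}; unknown modules fail.
    Supports [success=N default=ignore], requisite, required. Returns (ok, decider)."""
    outcomes = {"pam_permit.so": True, "pam_deny.so": False, **outcomes}
    i, first_success, failed = 0, None, False
    while i < len(stack):
        control, module = stack[i]
        ok, jump = outcomes.get(module, False), 0
        if control.startswith("["):
            opts = dict(kv.split("=") for kv in control[1:-1].split())
            action = opts["success" if ok else "default"]
            if action == "ignore":          # result does not count, go on
                i += 1
                continue
            jump = int(action)              # N: counts as ok, skip next N modules
        elif control == "requisite" and not ok:
            return False, module            # stop immediately with failure
        elif control == "required" and not ok:
            failed = True                   # keep walking, but the stack fails
        if ok and first_success is None:
            first_success = module
        i += 1 + jump
    return (not failed and first_success is not None), first_success
```

With only pam_krb5 succeeding the stack jumps straight to pam_permit; with no module succeeding, pam_deny (requisite) ends the walk with a failure.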
Comment 2 Stefan Gohmann univentionstaff 2015-05-12 07:40:59 CEST
This is explicitly done by the prerm script of univention-system-setup-boot:

 pam-auth-update --force --package --remove univention-system-setup-boot
Comment 3 Stefan Gohmann univentionstaff 2015-05-12 08:03:26 CEST
There was already the following call:
 ucr commit /etc/pam.d/common-session

For this hotfix, I've changed it to:
 ucr commit /etc/pam.d/*

I would rather see that we don't use pam-auth-update at all.

I've also added a 'ucr commit' to the postinst. I'm not completely sure, but I think it is possible that univention-system-setup-boot is installed on a productive server. In this case a package upgrade would break the PAM configuration.
Comment 4 Erik Damrose univentionstaff 2015-05-12 09:45:09 CEST
OK: r60642 + r60644 pam config is always updated and thus not broken.
OK: r60643 changelog
->Verified
Comment 5 Stefan Gohmann univentionstaff 2015-05-15 07:52:36 CEST
UCS 4.0-2 has been released:
 http://docs.univention.de/release-notes-4.0-2-en.html
 http://docs.univention.de/release-notes-4.0-2-de.html

If this error occurs again, please use "Clone This Bug".