Univention Bugzilla – Bug 38510
univention-system-setup-boot calls pam-auth-update
Last modified: 2015-05-15 07:52:36 CEST
I've installed a UCS 4.0-2 system with the Nagios service and I'm unable to authenticate as user Administrator.

==> /var/log/auth.log <==
May 12 07:25:34 master681 apache2: pam_krb5(nagios:auth): pam_sm_authenticate: entry (nonull)
May 12 07:25:34 master681 apache2: pam_krb5(nagios:auth): (user Administrator) attempting authentication as Administrator@DEADLOCK68.INTRANET
May 12 07:25:34 master681 apache2: pam_krb5(nagios:auth): user Administrator authenticated as Administrator@DEADLOCK68.INTRANET
May 12 07:25:34 master681 apache2: pam_krb5(nagios:auth): (user Administrator) temporarily storing credentials in /tmp/krb5cc_pam_cZ2Dzt
May 12 07:25:34 master681 apache2: pam_krb5(nagios:auth): pam_sm_authenticate: exit (success)
May 12 07:25:34 master681 unix_chkpwd[9149]: could not obtain user info (Administrator)

==> /var/log/apache2/error.log <==
[Tue May 12 07:25:34 2015] [error] [client 10.205.1.178] PAM: user 'Administrator' - invalid account: Authentication failure
pam-auth-update has written the common-account pam configuration:

root@ucs-8547:~# ls -la /etc/pam.d/common-*
-rw-r--r-- 1 root root 1304 May 12 00:28 /etc/pam.d/common-account
-rw-r--r-- 1 root root 1304 May 12 00:11 /etc/pam.d/common-account.debian
-rw-r--r-- 1 root root  935 May 12 00:28 /etc/pam.d/common-account.pam-old
-rw-r--r-- 1 root root 1356 May 12 00:28 /etc/pam.d/common-auth
-rw-r--r-- 1 root root 1371 May 12 00:11 /etc/pam.d/common-auth.debian
-rw-r--r-- 1 root root  964 May 12 00:28 /etc/pam.d/common-auth-nowrite
-rw-r--r-- 1 root root 1522 May 12 00:28 /etc/pam.d/common-auth.pam-old
-rw-r--r-- 1 root root 1713 May 12 00:28 /etc/pam.d/common-password
-rw-r--r-- 1 root root 1713 May 12 00:11 /etc/pam.d/common-password.debian
-rw-r--r-- 1 root root  978 May 12 00:28 /etc/pam.d/common-password.pam-old
-rw-r--r-- 1 root root 1139 May 12 00:28 /etc/pam.d/common-session
-rw-r--r-- 1 root root 1309 May 12 00:11 /etc/pam.d/common-session.debian
-rw-r--r-- 1 root root 1234 May 12 00:28 /etc/pam.d/common-session-noninteractive
-rw-r--r-- 1 root root 1307 May 12 00:28 /etc/pam.d/common-session-noninteractive.pam-old
-rw-r--r-- 1 root root 1139 May 12 00:28 /etc/pam.d/common-session.pam-old
root@ucs-8547:~# cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
root@ucs-8547:~#
This is explicitly done by the prerm script of univention-system-setup-boot:

pam-auth-update --force --package --remove univention-system-setup-boot
There was already the following call:

ucr commit /etc/pam.d/common-session

For this hotfix, I've changed it to:

ucr commit /etc/pam.d/*

I would rather see that we don't use pam-auth-update at all.

I've also added a 'ucr commit' to the postinst. I'm not completely sure but I think it is possible that univention-system-setup-boot is installed on a productive server. In this case a package upgrade would break the PAM configuration.
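A check for the condition shown in the common-auth listing above, as an added example that is not part of the original bug report or of the UCS packages: it flags active /etc/pam.d/common-* files that carry the pam-auth-update end marker. The function name is hypothetical, and treating the *.debian and *.pam-old files from the listing as inactive copies is an assumption.

```shell
#!/bin/sh
# Added example: report PAM common-* files that were written by
# pam-auth-update, using the marker line quoted in the bug report.

# Marker taken verbatim from the common-auth file shown above.
PAM_MARKER='# end of pam-auth-update config'

# list_pam_auth_update_files DIR   (hypothetical helper name)
# Prints the base name of every active DIR/common-* file that contains
# the marker. Files ending in .debian or .pam-old are skipped
# (assumption: they are leftover copies that no PAM service includes).
# Returns 0 if nothing is flagged, 1 if at least one file is flagged,
# 2 if DIR is not a directory.
list_pam_auth_update_files() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    found=0
    for f in "$dir"/common-*; do
        # An unmatched glob stays literal; skip anything that is not a file.
        [ -f "$f" ] || continue
        case $f in
            *.debian|*.pam-old) continue ;;
        esac
        # Fixed-string match so the marker is never read as a regex.
        if grep -qF -- "$PAM_MARKER" "$f"; then
            basename "$f"
            found=1
        fi
    done
    return "$found"
}
```

Calling `list_pam_auth_update_files /etc/pam.d` after a package installation or upgrade lists the files that would need to be regenerated, for example with the `ucr commit /etc/pam.d/*` call from the hotfix.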
OK: r60642 + r60644 pam config is always updated and thus not broken.
OK: r60643 changelog

-> Verified
UCS 4.0-2 has been released:
http://docs.univention.de/release-notes-4.0-2-en.html
http://docs.univention.de/release-notes-4.0-2-de.html

If this error occurs again, please use "Clone This Bug".