57954 – Upgrade to 5.2 - issues with libpam-modules and activated auth/faillog

Bug 57954 - Upgrade to 5.2 - issues with libpam-modules and activated auth/faillog

Summary: Upgrade to 5.2 - issues with libpam-modules and activated auth/faillog

Status:	CLOSED FIXED

Alias:	None

Product:	UCS
Classification:	Unclassified
Component:	Update - univention-updater
Version:	UCS 5.2
Hardware:	Other Linux

Importance:	P5 normal
Target Milestone:	UCS 5.2-0-errata
Assignee:	Christian Castens
QA Contact:	Arvid Requate

URL:	https://git.knut.univention.de/univen...
Keywords:

Depends on:
Blocks:	57955
	Show dependency tree / graph

Reported:	2025-02-12 09:19 CET by Christian Castens
Modified:	2025-02-17 18:33 CET (History)
CC List:	1 user (show)

See Also:	56547
What kind of report is it?:	Bug Report
What type of bug is this?:	6: Setup Problem: Issue for the setup process
Who will be affected by this bug?:	1: Will affect a very few installed domains
How will those affected feel about the bug?:	5: Blocking further progress on the daily work
User Pain:	0.171
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Workaround is available
Customer ID:
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christian Castens

2025-02-12 09:19:14 CET

Making use of the UCR variable `auth/faillog` adds the pam_tally module to the PAM configuration on 5.0 systems. The pam_tally and pam_tally2 modules have been removed on 5.2. Upgrades from 5.0 to 5.2 fail if there are references to these modules in the PAM configuration. They have to be removed before upgrading.

Solution:
There is a pre-update check that fails if auth/faillog is true

Comment 1 Jan-Luca Kiok

2025-02-12 11:02:55 CET

For clarification: This is about providing a diagnostic check that tells you to disable auth/faillog, fixing the underlying issue is done via Bug 57955

Comment 2 Arvid Requate

2025-02-13 15:10:21 CET

Ok, adjusted

* download/univention-update-checks/pre-update-checks-5.1-0{,.gpg}
* download/univention-update-checks/pre-update-checks-5.2-0{,.gpg}
* dists/ucs510/preup.sh{,.gpg}
* dists/ucs520/preup.sh{,.gpg}

On all repos (mirror/{ftp,testing} & test_mirror/ftp) and synced to public mirrors.