http://bugzilla.suse.com/show_bug.cgi?id=1077729 Gob Gob changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |xpert200@yahoo.fr Target Milestone|--- |Leap 42.3 -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1077729 http://bugzilla.suse.com/show_bug.cgi?id=1077729#c1 Reinhard Max changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(xpert200@yahoo.fr | |) --- Comment #1 from Reinhard Max --- Looks like you not only upgraded the openvpn package, but the whole distro since 2.3.8-7.1 shipped with 42.2 and 2.3.8-14.1 is the latest update for 42.3. As a quick check whether the problem is being caused by the pacth you are suspecting, I've prepared a test package with that patch disabled. Once the build has succeeded you'll find the package here: https://download.opensuse.org/repositories/home:/rmax:/branches:/OBS_Maintai... Please try it out and report back whether it fixes the failure. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1077729 http://bugzilla.suse.com/show_bug.cgi?id=1077729#c3 Gob Gob changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |IN_PROGRESS Flags|needinfo?(xpert200@yahoo.fr | |) | --- Comment #3 from Gob Gob --- Hello Reinhard, Thank you for your reply! Yes, you right! Fist I was installing the last updates on 42.2 and I detect the issue. I then tried to upgrade to 42.3 but unfortunately, I get the same issue. I roll back to 42.2 (snapshot). Today, I upgrade again to 42.3 and reproduce the issue. After that I installed the packaged you provided (openvpn-2.3.8-17.1.x86_64.rpm and openvpn-auth-pam-plugin-2.3.8-17.1.x86_64.rpm) and the PAM authentication is now working! :) So, you localized the issue! What next, will the package be published in the release? Thanks a lot for your help! Best regards Gob -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1077729 http://bugzilla.suse.com/show_bug.cgi?id=1077729#c5 Reinhard Max changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(xpert200@yahoo.fr | |) --- Comment #5 from Reinhard Max --- I just had a look at your logs together with the author of the problematic patch, but the logs end at the point where it gets interesting, i.e. we don't see the actual failure of openvpn authentication. Can you please provide a log of the failing case that shows all messages up to the end of the connection attempt? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1077729 http://bugzilla.suse.com/show_bug.cgi?id=1077729#c7 --- Comment #7 from Gob Gob --- Created attachment 778029 --> http://bugzilla.suse.com/attachment.cgi?id=778029&action=edit Openvpn and PAM logs -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1077729 http://bugzilla.suse.com/show_bug.cgi?id=1077729#c9 Gob Gob changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(xpert200@yahoo.fr | |) | --- Comment #9 from Gob Gob --- Created attachment 778147 --> http://bugzilla.suse.com/attachment.cgi?id=778147&action=edit Opne VPN logs with debug patch Hello Reinhard, I generate logs with the debug patch you provided. Gob -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1077729 http://bugzilla.suse.com/show_bug.cgi?id=1077729#c11 --- Comment #11 from Reinhard Max --- Another way of verifying what's going on is to run systemd-tty-ask-password-agent --watch in a root shell on the client before doing the action that triggers the connection attempt to time out (e.g. before restarting the server). If my assumptions are correct you will be prompted for username and password in that shell and after entering them the VPN connection should succeed. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1077729 http://bugzilla.suse.com/show_bug.cgi?id=1077729#c13 --- Comment #13 from Reinhard Max --- (In reply to Gob Gob from comment #12)

I tried to remove the auth-nocache option on the client config but the result is the same. Not sure that the problem is similar as yours.

Sorry, I was drawing wrong conclusions. The fact that PAM succeeds shows that auth-nocache is not the problem. But I think I found the reason why it fails for you: it is the chroot option that you are using in your server config in combination with the deferred PAM authentication that got added by Nirmoy's patch. For deferred authentication, openvpn forks a background process that gets authentication requests through a socket and hands back the result via a temporary file. When the chroot option is being used, only the "worker" process actually chroots to the given directory, but the "authenticator" stays outside. Now the authenticater writes the result to a file under /tmp, but the worker expects it under the /tmp directory relativ to its chroot dir, where it never arrives and hence it times out. As soon as I turn off chroot in a configuration that closely resembles yours or manuall move the result file (openvpn_acf_*.tmp) from /tmp/ to /var/lib/openvpn/jail/tmp/ the connection succeeds. I don't know if that split root operation is intended by upstream or not, and why they use temp files rather than the already existing socket to hand back auth results.

But with the package you provided (https://download.opensuse.org/repositories/home:/rmax:/branches:/ OBS_Maintained:/openvpn/openSUSE_Leap_42.3_Update) it’s work like a charm!

Sure, that one doesn't use deferred authentication, so it doesn't have the background process and file handover. BTW, did you have to copy any PAM and/or RADIUS stuff to your chroot directory in order to get your setup to work initially? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1077729 http://bugzilla.suse.com/show_bug.cgi?id=1077729#c15 --- Comment #15 from Gob Gob --- Hello, Have you any update on this ticket? I upgraded to Leap 15.0 and openvpm PAM is still not working. In the meantime, can you provide me a package where the PrivateTmp feature of systemd is turned off for OpenVPN on LEAP 15? Thanks! Best regards -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1077729 http://bugzilla.suse.com/show_bug.cgi?id=1077729#c17 Tomáš Chvátal changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |WONTFIX --- Comment #17 from Tomáš Chvátal --- This is automated batch bugzilla cleanup. The openSUSE 42.3 changed to end-of-life (EOL [1]) status. As such it is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of openSUSE (At this moment openSUSE Leap 15.1, 15.0 and Tumbleweed) please feel free to reopen this bug against that version (!you must update the "Version" component in the bug fields, do not just reopen please), or alternatively create a new ticket. Thank you for reporting this bug and we are sorry it could not be fixed during the lifetime of the release. [1] https://en.opensuse.org/Lifetime -- You are receiving this mail because: You are on the CC list for the bug.