[Bug 740873] New: PAM ( it seems ) prevents all log in after initial install

older
[Bug 703981] New: Weird session...

bugzilla_noreply＠novell.com

11 Jan 2012 11 Jan '12

21:10

https://bugzilla.novell.com/show_bug.cgi?id=740873 https://bugzilla.novell.com/show_bug.cgi?id=740873#c0 Summary: PAM ( it seems ) prevents all log in after initial install Classification: openSUSE Product: openSUSE 12.1 Version: Final Platform: x86-64 OS/Version: SuSE Other Status: NEW Severity: Normal Priority: P5 - None Component: Security AssignedTo: security-team@suse.de ReportedBy: Pemberton.John.M@gmail.com QAContact: qa@suse.de Found By: --- Blocker: --- Created an attachment (id=470804) --> (http://bugzilla.novell.com/attachment.cgi?id=470804) BZIP2'd tar, for ISO(md5sum,isoinfo -d ), all hwinfo, /var/log/* contents. User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20100101 Firefox/9.0 Downloaded 12.1 GA image. Verified md5sum. Burned DVD with full verify of burned data. Did not use "automatic configuration", but only so I could specify basic things such as host name, etc. Did new install selecting KDE. Neither root nor any standard User can login, either with graphic login or plain text login prompts, after several attempts. Mounted 12.1 drive on working 11.4 system. Discovered all sorts of highly unexpected complaints from PAM in logs, which appeared to lead to rejection of any log in attempts. It's almost as if the default configuration of PAM, as installed, is faulty. I'll be attaching a BZIP2'd tar, with the "md5sum" output for the ".iso", the "isoinfo -d" output for the ".iso", the complete output of "hwinfo", and the complete contents of all levels of the /var/log directory hierarchy from the installed 12.1 system. Reproducible: Always Steps to Reproduce: 1. Install 12.1 as described on identical hardware 2. Try to log in several times for each of root and ordinary User. 3. You can even try using another running system, to remove or alter passwords in /etc/shadow, result is the same. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Show replies by date

bugzilla_noreply＠novell.com

12 Jan 12 Jan

01:52

New subject: [Bug 740873] PAM ( it seems ) prevents all log in after initial install

https://bugzilla.novell.com/show_bug.cgi?id=740873 https://bugzilla.novell.com/show_bug.cgi?id=740873#c1 --- Comment #1 from John Pemberton 2012-01-12 01:52:45 UTC --- Created an attachment (id=470825) --> (http://bugzilla.novell.com/attachment.cgi?id=470825) Original versions of /etc/pam.d/*-pc files in BZIP2'd tar file. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

01:54

New subject: [Bug 740873] PAM ( it seems ) prevents all log in after initial install

https://bugzilla.novell.com/show_bug.cgi?id=740873 https://bugzilla.novell.com/show_bug.cgi?id=740873#c2 --- Comment #2 from John Pemberton 2012-01-12 01:54:11 UTC --- Since I don't know how PAM is integrated into openSUSE, I poked around a bit, on an empirical basis, found /etc/pam.d. Discovered that some of the *-pc files in 12.1 were either written like .INI files on MS-Windows, that is comments began with semi-colons, and/or were file fragments, and other mysterious things, rather than anything similar to what I find in the directory of the same name, on an 11.4 system. Since one file was identical to that on an 11.4 sys., and what appeared to be a version identifier in the file matched, I copied the *-pc files from the 11.4 sys. to the 12.1 sys. That appears to have worked around the problem, at least at a high level for now. Both root and ordinary users can log in to the 12.1 sys. Please advise if I can expect any problems with that temp. fix. This still doesn't explain how the problem occurred in the first place. I've created a BZIP2'd tar file containing the *-pc files. I'll attach it to this ticket. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

15:55

New subject: [Bug 740873] PAM ( it seems ) prevents all log in after initial install

https://bugzilla.novell.com/show_bug.cgi?id=740873 https://bugzilla.novell.com/show_bug.cgi?id=740873#c Ludwig Nussel changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lnussel@suse.com Component|Security |Installation AssignedTo|security-team@suse.de |bnc-team-screening@forge.pr | |ovo.novell.com QAContact|qa@suse.de |jsrain@suse.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

21 Jan 21 Jan

08:36

New subject: [Bug 740873] PAM ( it seems ) prevents all log in after initial install

https://bugzilla.novell.com/show_bug.cgi?id=740873 https://bugzilla.novell.com/show_bug.cgi?id=740873#c zj jia changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |zjjia@suse.com AssignedTo|bnc-team-screening@forge.pr |mc@suse.com |ovo.novell.com | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

23 Jan 23 Jan

10:31

New subject: [Bug 740873] PAM ( it seems ) prevents all log in after initial install

https://bugzilla.novell.com/show_bug.cgi?id=740873 https://bugzilla.novell.com/show_bug.cgi?id=740873#c3 Michael Calmer changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |Pemberton.John.M@gmail.com --- Comment #3 from Michael Calmer 2012-01-23 10:31:01 UTC --- It looks like the files common-account-pc, common-passwd-pc and common-session-pc contains random data or data from other files. Please try the following now. Check, if there are still symbolic links in /etc/pam.d/ from common-* to common-*-pc. If yes, please try to execute: $> pam-config -a --pam-debug Now check, if the common-*-pc files still contains a valid pam configuration or if there is again something broken. You can disable pam-debug with $> pam-config -d --pam-debug This command is used to configure pam and enabling/disabling debug is to let pam-config re-write the *-pc files again. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

24 Jan 24 Jan

03:06

New subject: [Bug 740873] PAM ( it seems ) prevents all log in after initial install

https://bugzilla.novell.com/show_bug.cgi?id=740873 https://bugzilla.novell.com/show_bug.cgi?id=740873#c4 John Pemberton changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|Pemberton.John.M@gmail.com | --- Comment #4 from John Pemberton 2012-01-24 03:06:56 UTC --- pam_config when run manually, as indicated, seems to produce "reasonable" *-pc files. The modtime of those files suggests they have been written. Before I ran the command, saved a copy of the existing files. Diffed them with the version of the *-pc files after the command was run, they are the same. There were these complaints in /var/log/messages: Jan 23 20:56:05 red-one su: PAM unable to dlopen(/lib64/security/pam_apparmor.so): /lib64/security/pam_apparmor.so: cannot open shared object file: No such file or directory Jan 23 20:56:05 red-one su: PAM adding faulty module: /lib64/security/pam_apparmor.so -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

08:57

New subject: [Bug 740873] PAM ( it seems ) prevents all log in after initial install

https://bugzilla.novell.com/show_bug.cgi?id=740873 https://bugzilla.novell.com/show_bug.cgi?id=740873#c5 Michael Calmer changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |Pemberton.John.M@gmail.com --- Comment #5 from Michael Calmer 2012-01-24 08:57:30 UTC --- Ok. So I would say, the random data looks like a filesystem or hardware problem. The tools seems to work (also yast simply call pam-config). Maybe simply "bad luck". About the pam_apparmor thing: It seems you have configured pam_apparmor but you have not installed the package. Please try to install "zypper in pam_apparmor" (I hope it still exists in 12.1.) or disable it (call "pam-config -d --apparmor"). In my 11.4 pam configuration it is not configured. Have you enabled apparmor somewere? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

25 Jan 25 Jan

05:00

New subject: [Bug 740873] PAM ( it seems ) prevents all log in after initial install

https://bugzilla.novell.com/show_bug.cgi?id=740873 https://bugzilla.novell.com/show_bug.cgi?id=740873#c6 John Pemberton changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|Pemberton.John.M@gmail.com | --- Comment #6 from John Pemberton 2012-01-25 05:00:27 UTC --- (In reply to comment #5)

...

Ok. So I would say, the random data looks like a filesystem or hardware problem. The tools seems to work (also yast simply call pam-config). Maybe simply "bad luck".

re - random data: AFAIK, the system messages are not reporting any disk I/O errors. Also, S.M.A.R.T. appears to have been automatically enabled, and that's not reporting any issues, either. I was under the impression, that the installation procedure did attempt a kexec after the first phase of the installation, before trying to complete the installation. That failed. After several minutes of the machine seemingly just sitting there doing nothing, I was effectively forced to restart the machine, to allow the installation to continue. I trust that prior to, or in the course of the kexec attempt, something does a "sync", or I wouldn't be surprised to find junk data in place of valid data blocks. re - pam_apparmor: OK, so if I understand you correctly, copying the pam config. files from 11.4, caused the inconsistency? I executed this on 12.1: rpm -q --whatprovides /etc/pam.d/common-account-pc then attempted to re-install the package that seems to contains the proper 12.1 default config. files: zypper in -f pam-config-0.79-5.1.2.x86_64 which didn't appear to complain. Yet, app_armor is still there. How can I go about re-installing the default 12.1 pam config. files? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:32

New subject: [Bug 740873] PAM ( it seems ) prevents all log in after initial install

https://bugzilla.novell.com/show_bug.cgi?id=740873 https://bugzilla.novell.com/show_bug.cgi?id=740873#c7 --- Comment #7 from Michael Calmer 2012-01-25 10:32:43 UTC --- (In reply to comment #6)

...

(In reply to comment #5)

...

re - pam_apparmor: OK, so if I understand you correctly, copying the pam config. files from 11.4, caused the inconsistency?

yes.

...

I executed this on 12.1:

rpm -q --whatprovides /etc/pam.d/common-account-pc

then attempted to re-install the package that seems to contains the proper 12.1 default config. files:

zypper in -f pam-config-0.79-5.1.2.x86_64

which didn't appear to complain. Yet, app_armor is still there.

How can I go about re-installing the default 12.1 pam config. files?

That's a little bit tricky. The default configuration is in the "pam" package. It package "common-*" files, without the "-pc". If pam-config is installed it called in %post pam-config --debug --initialize or pam-config --debug --update (if /etc/pam.d/common-auth-pc exists) These commands read the common-* files, generate the *-pc files and create links from common-* to common-*-pc So you can find the default config in the pam package. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

26 Jan 26 Jan

01:49

New subject: [Bug 740873] PAM ( it seems ) prevents all log in after initial install

https://bugzilla.novell.com/show_bug.cgi?id=740873 https://bugzilla.novell.com/show_bug.cgi?id=740873#c8 --- Comment #8 from John Pemberton 2012-01-26 01:49:36 UTC --- OK, that got rid of the pam_apparmor config. It also seems to support the idea that the PAM packages are correct. AFAIK, I have no RS232 UART on this machine. I don't know of anyway to use a serial console for "low-level" troubleshooting without one, and I see someone else has run across installation issues at the point of the kexec. So I'm going to hope they will be more able to document what's going on at that point in the installation. I'll close this ticket. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

02:03

New subject: [Bug 740873] PAM ( it seems ) prevents all log in after initial install

https://bugzilla.novell.com/show_bug.cgi?id=740873 https://bugzilla.novell.com/show_bug.cgi?id=740873#c9 John Pemberton changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #9 from John Pemberton 2012-01-26 02:03:51 UTC --- Closing this ticket, marking as resolved, because those "artifacts" of the resulting issue, that are easy to document, were overcome. That's not to say that some underlying problem, was fixed. Please note: https://bugzilla.novell.com/show_bug.cgi?id=733273 sounds like it might be somewhat similar to the kexec issue I had. Only in my case, no activity LED's were flashing, there was no response to a keyboard based attempt to shut the system down gracefully. I can't prove that something relating to the use of kexec during the automated first "phase" of the installation is what led to corrupted blocks on the disk drive, "glitches" are not impossible, but there are no I/O errors reported in the logs, S.M.A.R.T. was apparently enabled and no problems were reported. Yet, if what showed up through the use of PAM, was caused by a different problem, then it's probably more appropriate to investigate and track it under the other designation. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

4476

Age (days ago)

4491

Last active (days ago)

List overview

Download

11 comments

1 participants

participants (1)

bugzilla_noreply＠novell.com

[Bug 740873] New: PAM ( it seems ) prevents all log in after initial install

tags

participants (1)