Bugzilla – Full Text Bug Listing

| Summary: | yast2 corrupting file /etc/pam.d/common-account-pc locking out users | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE 11.0 | Reporter: | Casual J. Programmer <casualprogrammer> |
| Component: | YaST2 | Assignee: | Michael Calmer <mc> |
| Status: | RESOLVED FIXED | QA Contact: | Jiri Srain <jsrain> |
| Severity: | Major | | |
| Priority: | P5 - None | CC: | jsuchome, kukuk |
| Version: | Alpha 2 | | |
| Target Milestone: | --- | | |
| Hardware: | x86 | | |
| OS: | openSUSE 11.0 | | |
| Whiteboard: | | | |
| Found By: | Beta-Customer | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | yast2logs from today; yast2logs from 20080301; yast2logs; /etc/pam.d/* | | |

Description
Casual J. Programmer
2008-03-16 14:13:23 UTC
Created attachment 202341
yast2logs from today
Created attachment 202342
yast2logs from 20080301

I am not sure whom to assign this to. It might be in one of those network services, or it might be in yast2-users. The yast2-users maintainer probably knows best what to look for.

YaST does not directly touch /etc/pam.d/* files, pam-config (which is called from yast) maybe does it. Michael?

(In reply to comment #0 from Casual J. Programmer)
> Configuring Network Services with yast2 under certain conditions corrupts
> /etc/pam.d/common-account-pc, removing the entry
>
> account sufficient pam_localuser.so
>
> locking out all users, including root.
>
> Only access possible is through runlevel 1

Please explain a little bit more verbosely what happens. Are you logged-in as a user (maybe root) and you configure with yast a service and after you finished yast the system does an automatic logout and you cannot login anymore? Or after the configuration with yast _you_ do a logout and cannot login anymore? If the second is the case, please attach all /etc/pam.d/common-*-pc files to this bug.

"Are you logged-in as a user (maybe root) and you configure with yast a service and after you finished yast the system does an automatic logout and you cannot login anymore?"

actually yes, and as stated in comment #0

"Configuring Network Services with yast2 under certain conditions corrupts /etc/pam.d/common-account-pc, removing the entry account sufficient pam_localuser.so locking out all users, including root."

As I can't reproduce this at will, we either need to let it rest until the next hit, or else you find something in the yast2 logs provided, that sheds some light on the issue.

Actually just happened again after a fresh install from alpha3 DVD & updating from factory, then setting up everything from scratch. The last thing I did was /sbin/yast2 samba-client and from there activating NTP Configuration. After finishing I logged off and was locked out.

Booting to runlevel 1 and editing /etc/pam.d/common-account-pc shows

    account requisite pam_unix2.so
    account required pam_ldap.so use_first_pass

while the line

    account requisite pam_unix2.so

doesn't look right, changing it to

    account required pam_unix2.so

doesn't help. Only adding

    account sufficient pam_localuser.so

as second line gets me going again.

Created attachment 203981
yast2logs
Created attachment 203982
/etc/pam.d/*

Hmm, I think I have an idea what happens. What else do you have configured on this host? I see pam_ldap configured but not pam_winbind. I think this was not done by the samba-client module.

Casual: Have you run the ldap-client module before you run samba-client?

Jiri: or does samba-client (or samba-server) configure pam_ldap ?

Actually, after installing and updating I configured LDAP server, LDAP Client, CA Server Certificate and then as per comment #7 ( don't nail me for details, I may have done something in between like installing/deleting/updating software ). But that is pretty much what I did.

(In reply to comment #10 from Michael Calmer)
> Jiri: or does samba-client (or samba-server) configure pam_ldap ?

Samba-server does not configure authentication at all. Samba-client uses pam-config to configure winbind and possibly for setting mkhomedir option. If there's an Active Directory setup, then it also configures kerberos ("krb5"). No LDAP.

I think you hit the problem if pam-config commands are executed in this order:

    pam-config -a --ldap
    pam-config -a --winbind
    pam-config -d --ldap

The last "-d --ldap" also disables the localuser module, but it is still needed because winbind is still active.

I will see how we can fix this.

fix submitted. Many thanks for the bugreport.
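
An added example (not part of the bug report and not pam-config code): a Python check for the lockout state described in this thread, an account stack in which a directory-backed module is `required` or `requisite` with no `sufficient pam_localuser.so` line before it. The module list and function names are assumptions of this example; the two sample stacks are built from the lines quoted in the comments above.

```python
import re

# Modules that answer from a network directory (assumed list for this example).
REMOTE = {"pam_ldap.so", "pam_winbind.so", "pam_krb5.so"}
# Controls whose failure fails the stack; bracketed [..] controls are not judged here.
BLOCKING = {"required", "requisite"}

# /etc/pam.d line: type, control (keyword or [bracketed list]), module, args
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text, stack_type="account"):
    """Return [(control, module_basename)] for one stack, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = LINE.match(line)
        if m and m.group(1) == stack_type:
            entries.append((m.group(2), m.group(3).rsplit("/", 1)[-1]))
    return entries

def lockout_findings(text):
    """Remote modules that can veto local accounts (root included) because
    no 'sufficient pam_localuser.so' line precedes them in the account stack."""
    local_ok = False
    findings = []
    for control, module in parse_stack(text):
        if module == "pam_localuser.so" and control == "sufficient":
            local_ok = True
        elif module in REMOTE and control in BLOCKING and not local_ok:
            findings.append(module)
    return findings

# State reported in the bug (lines as quoted in the thread).
BROKEN = """\
account requisite pam_unix2.so
account required  pam_ldap.so use_first_pass
"""
# Reporter's repair: pam_localuser.so added as the second line.
REPAIRED = """\
account requisite  pam_unix2.so
account sufficient pam_localuser.so
account required   pam_ldap.so use_first_pass
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("repaired", REPAIRED)):
        print(name, lockout_findings(text) or "ok")
```

Run against the contents of `/etc/pam.d/common-account-pc` after any tool has rewritten the file, and before logging out of the session that made the change.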