983636 – pam-config 0.91 overwrites valid pam configuration with templates on update

Bug 983636 - pam-config 0.91 overwrites valid pam configuration with templates on update

Summary: pam-config 0.91 overwrites valid pam configuration with templates on update

Status:	RESOLVED WONTFIX
Duplicates (9):	983621 983669 983872 983903 983905 983932 984089 984210 984893 (view as bug list)

Alias:	None

Product:	openSUSE Tumbleweed
Classification:	openSUSE
Component:	Basesystem (show other bugs)
Version:	Current
Hardware:	Other Other

Priority:	P5 - None Severity: Major with 1 vote (vote)
Target Milestone:	---
Assignee:	Thorsten Kukuk
QA Contact:	E-mail List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-06-08 06:10 UTC by Ondřej Súkup
Modified:	2017-01-15 11:10 UTC (History)
CC List:	16 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ondřej Súkup 2016-06-08 06:10:36 UTC

after update to last pam-config-0.91-1.1 isn't gdm able to start

argusek:/etc/pam.d # diff -ru /root/back/ ./
diff -ru /root/back/common-auth ./common-auth
--- /root/back/common-auth	2016-05-19 13:56:15.000000000 +0200
+++ ./common-auth	2016-06-08 07:47:53.335564045 +0200
@@ -12,5 +12,4 @@
 # traditional Unix authentication mechanisms.
 #
 auth	required	pam_env.so	
-auth	optional	pam_gnome_keyring.so
 auth	required	pam_unix.so	try_first_pass 
diff -ru /root/back/common-auth-pc ./common-auth-pc
--- /root/back/common-auth-pc	2016-05-19 13:56:15.000000000 +0200
+++ ./common-auth-pc	2016-06-08 07:47:53.335564045 +0200
@@ -12,5 +12,4 @@
 # traditional Unix authentication mechanisms.
 #
 auth	required	pam_env.so	
-auth	optional	pam_gnome_keyring.so
 auth	required	pam_unix.so	try_first_pass 
Only in ./: common-auth-pc.rpmsave
diff -ru /root/back/common-password ./common-password
--- /root/back/common-password	2016-05-19 13:56:15.000000000 +0200
+++ ./common-password	2016-06-08 07:47:53.335564045 +0200
@@ -10,5 +10,4 @@
 # used to change user passwords.
 #
 password	requisite	pam_cracklib.so	
-password	optional	pam_gnome_keyring.so	use_authtok
 password	required	pam_unix.so	use_authtok nullok shadow try_first_pass 
diff -ru /root/back/common-password-pc ./common-password-pc
--- /root/back/common-password-pc	2016-05-19 13:56:15.000000000 +0200
+++ ./common-password-pc	2016-06-08 07:47:53.335564045 +0200
@@ -10,5 +10,4 @@
 # used to change user passwords.
 #
 password	requisite	pam_cracklib.so	
-password	optional	pam_gnome_keyring.so	use_authtok
 password	required	pam_unix.so	use_authtok nullok shadow try_first_pass 
Only in ./: common-password-pc.rpmsave
diff -ru /root/back/common-session ./common-session
--- /root/back/common-session	2016-05-19 13:56:15.000000000 +0200
+++ ./common-session	2016-06-08 07:47:53.335564045 +0200
@@ -13,6 +13,4 @@
 session	required	pam_limits.so	
 session	required	pam_unix.so	try_first_pass 
 session	optional	pam_umask.so	
-session	optional	pam_systemd.so
-session	optional	pam_gnome_keyring.so	auto_start only_if=gdm,gdm-password,lxdm,lightdm 
 session	optional	pam_env.so	
diff -ru /root/back/common-session-pc ./common-session-pc
--- /root/back/common-session-pc	2016-05-19 13:56:15.000000000 +0200
+++ ./common-session-pc	2016-06-08 07:47:53.335564045 +0200
@@ -13,6 +13,4 @@
 session	required	pam_limits.so	
 session	required	pam_unix.so	try_first_pass 
 session	optional	pam_umask.so	
-session	optional	pam_systemd.so
-session	optional	pam_gnome_keyring.so	auto_start only_if=gdm,gdm-password,lxdm,lightdm 
 session	optional	pam_env.so

Comment 1 Dominique Leuenberger 2016-06-08 08:32:57 UTC

pam-config replaces the common-*-pc files with real files, coming from the previous ghost files, resulting in replacing them with templates.

The fatal part is that pam_systemd is being removed on the go.

Snapshot 20160607 will have pam-config reverted to the previous version, giving the maintainer the opportunity to fix the upgrade path to the new setup

(NOTE: the revert does not automatically fix already broken setups, but it stops falling into the trap for users that skipped 0605)

For users landing here due to bug search, the easiest way to recover is:
> zypper in -f system
and if you have gnome-keyring installed
> zypper in -f gnome-keyring-pam

Comment 2 Dominique Leuenberger 2016-06-08 12:06:06 UTC

*** Bug 983669 has been marked as a duplicate of this bug. ***

Comment 3 Mircea Kitsune 2016-06-08 14:19:07 UTC

Just dropping in to confirm the problem. My system suddenly started experiencing kernel panics, all processes would randomly freeze or crash, and audio devices disappeared! I lost 2 hours trying to understand what was going on, until someone told me to reinstall the systemd package which fixed everything. I really hope this is a lesson the maintainers will learn from, and such issues will not happen again... this was not a fun experience.

Comment 4 Wolfgang Bauer 2016-06-08 15:20:46 UTC

*** Bug 983621 has been marked as a duplicate of this bug. ***

Comment 5 Robby Engelmann 2016-06-08 15:26:51 UTC

The "lesson" is that we are using Tumbleweed, a rolling release distro with heavy quality control before a snapshot will be released. However, it is not possible to test for all imaginable and unimaginable use cases and update paths.
The management of this issue was quite good in my opinion, a workaround was available only hours after snapshot has been released and was informed about in multiple ways.
Despite that I lost my internet due to this issue and decided to install root partition from scatch yesterday evening (yes, I tested the snashot prior its release), I won't complain about.
Thanks Dimstar, maxlin, coolo  and all the others working on Tumbleweed - keep it rolling :-)

Comment 6 Mircea Kitsune 2016-06-08 17:34:53 UTC

(In reply to Robby Engelmann from comment #5)

I agree that the results could have been way worse, and don't doubt the management are doing everything they can. My comment wasn't so much a complaint, but a hope that what caused this problem can be prevented in the future, now that we've seen it happening. Despite contrary belief, Tumbleweed is actually very stable... nothing like this happened since I switched to it, and such major breakages are the exception.

Comment 7 Dominique Leuenberger 2016-06-08 17:50:22 UTC

Please - this is no chat-forum - the person that will have to fix this issue will have to go through all this text (good and bad) to find what is relevant to the issue.

Please bring the discussion either to the forum or mailing lists, where I will gladly join in and discuss the plans to prevent this in the future... but not here

Comment 8 Dominique Leuenberger 2016-06-09 08:30:34 UTC

*** Bug 983903 has been marked as a duplicate of this bug. ***

Comment 9 Dominique Leuenberger 2016-06-09 08:31:15 UTC

*** Bug 983905 has been marked as a duplicate of this bug. ***

Comment 10 Dominique Leuenberger 2016-06-09 10:40:47 UTC

*** Bug 983932 has been marked as a duplicate of this bug. ***

Comment 11 Wolfgang Bauer 2016-06-09 11:51:28 UTC

*** Bug 983872 has been marked as a duplicate of this bug. ***

Comment 12 Sebastian Kuhne 2016-06-09 13:03:12 UTC

I am sorry but the workaround "zypper in -f gnome-keyring-pam" doens't work for me. The issue is still persistent. There must be something else wrong. Anyway, I will wait for the next update and keep silence.

Comment 13 Wolfgang Bauer 2016-06-09 13:28:15 UTC

(In reply to Sebastian Kuhne from comment #12)
> I am sorry but the workaround "zypper in -f gnome-keyring-pam" doens't work
> for me.

This is not a workaround for the main issue.

You'd need to reinstall systemd instead:
zypper in -f systemd

Or even better, run "pam-config --add --systemd" as recommended here:
https://lists.opensuse.org/opensuse-factory/2016-06/msg00113.html

Comment 14 Sebastian Kuhne 2016-06-09 14:06:00 UTC

(In reply to Wolfgang Bauer from comment #13)
> (In reply to Sebastian Kuhne from comment #12)
> > I am sorry but the workaround "zypper in -f gnome-keyring-pam" doens't work
> > for me.
> 
> This is not a workaround for the main issue.
> 
> You'd need to reinstall systemd instead:
> zypper in -f systemd
> 
> Or even better, run "pam-config --add --systemd" as recommended here:
> https://lists.opensuse.org/opensuse-factory/2016-06/msg00113.html

Many thanks Wolfgang, "pam-config --add --systemd" did work immediately. System back to life.

Comment 15 Robby Engelmann 2016-06-10 20:18:20 UTC

*** Bug 984210 has been marked as a duplicate of this bug. ***

Comment 16 Dominique Leuenberger 2016-06-16 07:46:00 UTC

*** Bug 984893 has been marked as a duplicate of this bug. ***

Comment 17 Dominique Leuenberger 2016-06-19 10:05:26 UTC

*** Bug 984089 has been marked as a duplicate of this bug. ***

Comment 18 Thorsten Kukuk 2016-11-22 15:43:11 UTC

Will not fix that anymore.

Comment 19 Dainius Masiliunas 2017-01-15 11:10:27 UTC

I just got hit by this too.

From what I can see, the issue is still there, as installing pam-config overwrites config files provided by pam (which do include pam-systemd) with its own ones (which do not include pam-systemd). systemd RPM scripts run pam-config --add --systemd to readd it, but that is not very robust, apparently, since otherwise I would not have been hit by this issue.

Why don't pam-config initial files include pam-systemd by default, when pam itself does?