On Sat, Mar 09, 2019 at 08:25:50PM +0100, Michael Biebl wrote: > [bringing Steve, our pam maintainer, into the loop]
> Hi Steve, > the following looks like an issue in pam-auth-update and similar to > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923362 > Any idea what might be going wrong there? If it's the same as bug #923362, note that this bug was closed as invalid as the user had a corrupt debconf database that was somehow causing the wrong information to be returned to pam-auth-update. So it's quite possible this is a latent debconf database corruption problem on end users' systems, which is only tickled now as a result of there being a new upstream version of pam causing pam debconf prompts for the first time in a few years. I would suggest taking a snapshot of /var/cache/debconf, then running /usr/share/debconf/fix_db.pl as the submitter of the other bug did, then diffing to see what has changed if anything. > Am 09.03.19 um 19:55 schrieb Julien Leproust: > > Hi, > > > > Well we're in luck, I have etckeeper installed since 2012. > > > > On both machines, I never edited /etc/pam.d/common-* manually. > > > > * fc3256a - Sat, 9 Mar 2019 12:59:20 +0100 (7 hours ago) (HEAD -> master) > > | daily autocommit - root > > * efc0d23 - Thu, 7 Feb 2019 23:16:46 +0100 (4 weeks ago) > > | committing changes in /etc made by "aptitude" - root > > * 6d1fbcf - Tue, 20 Feb 2018 22:51:34 +0100 (1 year, 1 month ago) > > | committing changes in /etc after apt run - root > > * 72d4029 - Tue, 19 Apr 2016 22:00:51 +0200 (2 years, 11 months ago) > > | committing changes in /etc after apt run - root > > * 50f69ee - Sat, 1 Mar 2014 15:33:33 +0100 (5 years ago) > > | committing changes in /etc after apt run - root > > * dee824f - Sat, 4 Aug 2012 10:55:33 +0200 (7 years ago) > > Initial commit - root > > > > The modification today is the fix using pam-auth-update. > > > > The last modification, which broke pam_systemd.so, was triggered by > > libpam-cap:amd64 (1:2.25-2). The update triggered pam-auth-update, and > > /var/log/apt/term.log shows the choices I made: > > > > ────────────────────────┤ PAM configuration ├─────────────────────── > > Pluggable Authentication Modules (PAM) determine how authentication, > > authorization, and password changing are handled on the system, as > > well as allowing configuration of additional actions to take when > > starting user sessions. > > > > Some PAM module packages provide profiles that can be used to > > automatically adjust the behavior of all PAM-using applications on > > the system. Please indicate which of these behaviors you wish to > > enable. > > > > PAM profiles to enable: > > > > [*] Unix authentication > > [*] Register user sessions in the systemd control group ... > > [ ] Create home directory on login > > [*] GNOME Keyring Daemon - Login keyring management > > [*] Inheritable Capabilities Management > > > > > > <Ok> <Cancel> > > > > ──────────────────────────────────────────────────────────────────── > > > > And then, pam_systemd.so was incorrectly removed? I'm sure you're going > > to assume I disabled the second option, but I really doubt this. > > > > Previous modifications: > > - 20 Feb 2018: removal of libpam-ck-connector > > - 19 Apr 2016: installation of libpam-cgfs > > - 1 Mar 2014: installation of libpam-systemd > > > > Initial state for reference in August 2012: > > ======================================================================= > > # > > # /etc/pam.d/common-session - session-related modules common to all > > services > > # > > # This file is included from other service-specific PAM config files, > > # and should contain a list of modules that define tasks to be performed > > # at the start and end of sessions of *any* kind (both interactive and > > # non-interactive). > > # > > # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. > > # To take advantage of this, it is recommended that you configure any > > # local modules either before or after the default block, and use > > # pam-auth-update to manage selection of other modules. See > > # pam-auth-update(8) for details. > > > > # here are the per-package modules (the "Primary" block) > > session [default=1] pam_permit.so > > # here's the fallback if no module succeeds > > session requisite pam_deny.so > > # prime the stack with a positive return value if there isn't one already; > > # this avoids us returning an error just because nothing sets a success > > code > > # since the modules above will each just jump around > > session required pam_permit.so > > # and here are more per-package modules (the "Additional" block) > > session required pam_unix.so > > session optional pam_systemd.so > > session optional pam_ck_connector.so nox11 > > # end of pam-auth-update config > > ======================================================================= > > > > And today: > > ======================================================================= > > # > > # /etc/pam.d/common-session - session-related modules common to all > > services > > # > > # This file is included from other service-specific PAM config files, > > # and should contain a list of modules that define tasks to be performed > > # at the start and end of sessions of *any* kind (both interactive and > > # non-interactive). > > # > > # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. > > # To take advantage of this, it is recommended that you configure any > > # local modules either before or after the default block, and use > > # pam-auth-update to manage selection of other modules. See > > # pam-auth-update(8) for details. > > > > # here are the per-package modules (the "Primary" block) > > session [default=1] pam_permit.so > > # here's the fallback if no module succeeds > > session requisite pam_deny.so > > # prime the stack with a positive return value if there isn't one already; > > # this avoids us returning an error just because nothing sets a success > > code > > # since the modules above will each just jump around > > session required pam_permit.so > > # and here are more per-package modules (the "Additional" block) > > session required pam_unix.so > > session optional pam_systemd.so > > session optional pam_cgfs.so -c freezer,memory,name=systemd > > # end of pam-auth-update config > > ======================================================================= > > > > I can provide the full git and apt logs, but I'd have to edit them > > before to hide personal information. > > > > Thanks anyway. > > > > Best regards, > > > > > -- > Why is it that all of the instruments seeking intelligent life in the > universe are pointed away from Earth? > -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ slanga...@ubuntu.com vor...@debian.org
signature.asc
Description: PGP signature
