[PAM] Unable to login: Cannot make/remove an entry for the specified session

I can confirm this. Running kubuntu intrepid. When I try to login from a console, the error displayed is "access violation", and it immediately logs me out.

Thanx Much,
Frank

Any suggestions on workarounds/how to fix this issue?

I tried booting from the liveCD and chrooting into the system on disk. That worked. Then I tried to change the password of my user and rebooting. No dice.

We're going to have to find the pam packages that were upgraded, and revert them.

Unfortunately, I have little knowledge of apt/dpkg.

Basically....

boot from live cd
open terminal
sudo su - root
mkdir /mnt/chroot
mount /dev/XXX /mnt/chroot (where XXX is your linux partition)
chroot /mnt/chroot /bin/bash
apt-get --something-here-to-revert-pam

If you can figure out the last step, props to you. Welcome to the world of Alpha releases.

Frank

Logging in from console:
Cannot make/remove an entry for the specified session
and another login prompt. It'a a pam error...

The packages which where updated are libpam-modules and libpam-runtime. There are no old versions of them in the repos anymore, so a simple downgrade is not possible, unless you have some old packages of them in your apt cache (/var/cache/apt/archives/)

Sweet! It looks like I am fortunate.

root@ubuntu:/var/cache/apt/archives# ls -l | grep pam
-rw-r--r-- 1 root root 111744 2008-07-29 03:04 libpam0g_1.0.1-1ubuntu1_amd64.deb
-rw-r--r-- 1 root root 111544 2008-08-20 14:05 libpam0g_1.0.1-2ubuntu1_amd64.deb
-rw-r--r-- 1 root root 7916 2008-08-04 14:04 libpam-ck-connector_0.2.10-1ubuntu2_amd64.deb
-rw-r--r-- 1 root root 28562 2008-08-07 15:05 libpam-gnome-keyring_2.23.6-0ubuntu2_amd64.deb
-rw-r--r-- 1 root root 28874 2008-08-18 15:05 libpam-gnome-keyring_2.23.90-0ubuntu1_amd64.deb
-rw-r--r-- 1 root root 311926 2008-07-29 03:04 libpam-modules_1.0.1-1ubuntu1_amd64.deb
-rw-r--r-- 1 root root 310186 2008-08-20 14:05 libpam-modules_1.0.1-2ubuntu1_amd64.deb
-rw-r--r-- 1 root root 75980 2008-07-29 03:04 libpam-runtime_1.0.1-1ubuntu1_all.deb
-rw-r--r-- 1 root root 83354 2008-08-20 14:05 libpam-runtime_1.0.1-2ubuntu1_all.deb
root@ubuntu:/var/cache/apt/archives#

So how does one revert to an older version via apt? (Hitting the docs now)

Frank

Hmmm.. It should be something like..

apt-get install libpam-modules=libpam-modules_1.0.1-1ubuntu1_amd64.deb

root@ubuntu:/var/cache/apt/archives# apt-get install libpam-modules=libpam-modules_1.0.1-1ubuntu1_amd64.deb
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Version 'libpam-modules_1.0.1-1ubuntu1_amd64.deb' for 'libpam-modules' was not found

Still readin and doing some head scratchin.

I am hit too. I still have another computer where I didn't update, so I'll try to compare the configuration files between them

Is everyone else here 64bit, or do we have some 32bit users here?

Frank

This command will fix it:
http://people.ubuntu.com/~vorlon/meh

And the updated packages are coming anyway...

Fix committed:
<slangasek> [...] binary is accepted and soon to be published

This bug has been fixed in the upload of pam 1.0.1-3ubuntu2. Changelog is:

 pam (1.0.1-3ubuntu2) intrepid; urgency=high
 .
   * debian/local/common-session: the session stack needs to be handled the
     same way as the password stack, with the possibility of zero primary
     modules; required to fix build failures on the Ubuntu buildds due to
     su not being able to open sessions by default. LP: #259867.
   * debian/libpam-runtime.postinst: when upgrading from the broken
     1.0.1-2ubuntu1 version, manually edit /etc/pam.d/common-session to
     recover.

The i386 package (which is what provides libpam-runtime) is built, and should make it into the next publisher run.

My apologies for the broken upload, it tested out fine with sudo before I uploaded it. :/

downgrading the packages will not help, the old packages don't know how to roll back this change and downgrading will break the upgrade check that's been added in the just-uploaded fixed version.

This is an architecture-independent bug, both 64-bit and 32-bit users will have the same problem.

russofris (Frank), I am on 32 bits. Thanks Steve for providing a quick fix, now if only I would be able to apply it (I am logged out of my system, although I have a LiveCD available for emergency work)

Dan,

To recover, you have 2 options..

1: Recovery console
2: Chroot from the loveCD (see above)

After that, it should be the normal update/upgrade process.

Steve,

thanx much for the quick turnaround.

Frank

Long live the Vorlon (and Stefano Maioli).
The link you indicated solved the problem, I am back in my system.

Yes...

Thanks Frank,

I modified the file seen in the Stefano's script /etc/pam.d/common-session on my harddisk, booting from the livecd.

I'll have in mind the chroot method for the future.

Thanks again,
Dan

Stefano and Frank, God bless you. Thanks to you two, I got Intrepid back to life.

Well, I just copy-pasted the link..
But thanks! :)

I used the recovery thing and chose to have a root terminal, yet I get no internet access from the terminal, if I try to ping something its unable to resolve the host, so I can't seem to find a way to do an APT upgrade.

Just installed updates. 10:00 pm MST 08/21/08

My system keeps saying authentication failure at gdm login screen. This practically hosed the system.

I do not understand the workarounds. My system is 32 bit pretty sure. I really hope a fixed package is in the works, but i need to know how to fix my system. I have a live-cd and a live USB.

I'm pretty sure it doesn't have internet access in the recovery console on mine.'

so i somehow need to edit /etc/pam.d/common-session?

what do i edit it to?

"sed -i -e'
 /here.s the fallback if no module succeeds/,/prime the stack/ {
  s/.*pam_deny.*/# this is obviously a completely redundant line, except that it lets us\
# handle better the case where there are no "Primary" modules provided\
session required pam_permit.so/
 }' /etc/pam.d/common-session"

Jeremy,

If you can run the script that I've provided at <http://people.ubuntu.com/~vorlon/meh>, this will fix the problem so that you can again log in and continue the upgrade.

Alternatively, from a rescue session you can simply replace "pam_deny" with "pam_permit" in /etc/pam.d/common-session, continue booting, then do the following:
1) open a root shell
2) rm /etc/pam.d/common-session
3) run pam-auth-update --force
4) upgrade

this should get you a pristine configuration with the new version of libpam-runtime installed.

Thanks, I think I got it going now. I don't remember what I was told to
do, but it was something about "pam_allow.so" or something similar,
sorry I lost the page.

Thanks to all, and thanks to all the developers on how great Intrepid is
so far even with the occasional hiccup.

Steve Langasek wrote:
> Jeremy,
>
> If you can run the script that I've provided at
> <http://people.ubuntu.com/~vorlon/meh>, this will fix the problem so
> that you can again log in and continue the upgrade.
>
> Alternatively, from a rescue session you can simply replace "pam_deny" with "pam_permit" in /etc/pam.d/common-session, continue booting, then do the following:
> 1) open a root shell
> 2) rm /etc/pam.d/common-session
> 3) run pam-auth-update --force
> 4) upgrade
>
> this should get you a pristine configuration with the new version of
> libpam-runtime installed.
>
>

I've edited the common-session file, and got the updates installed. It all works fine.....

BUT - it seems to me I should be able to revert to the original common-session file and not get the Authentification failed error. Doesn't work that way - putting the pam_deny.so line back into common-session brings up the Authentification failed error again.

I've tried following Steve's suggestion to remove the existing common-session and run pam-auth-update --force, but it fails saying it can't stat common-session - not surprising, as I removed it.

What next? Do we need the line "session requisite pam_deny.so" in common-session, or was redundant?

Seconded, I'd also be happy to see what common-session is supposed to look now, as following Steve's instructions had the same effect as for Stephen above. I am not sure anymore whether I ended up with a good file, and my /usr/share/pam/common-session looks slightly different from my /etc/pam.d/common-session: the former has two more lines, "$session_primary" and "$session_additional".

Mario - thanks for the pointer - those are presumably spare copies of the working files in /etc/pam.d/

But you're right - the common-session file in the /usr/share/pam set doesn't have the pam-deny.so line - it has pam-permit.so instead. I checked the common-auth files in /etc/pam.d/ and /usr/share/pam/, and they are the way common-session used to be - a line "auth requisite pam_deny.so" and a line "auth required pam_permit.so".

The header of the files in /usr/share/pam/ refers to pam 1.0.1-4, by the way, while the files in /etc/pam.d/ refer to pam 1.0.1-3.

It looks as if this is a new paradigm being implemented on the wing, as it were.... I'm sure we'll get it all right soon. The block labels $session_primary and $session_additional look as if they will be new in version 1.0.1-4.

Wonder what would happen if I tried using those versions with 1.0.1-3 installed....

cp: cannot stat `/etc/pam.d/common-session': No such file or directory

This is a cosmetic error only, which I'll fix in the next version.

Copying /usr/share/pam/common-session to /etc/pam.d/common-session is /not/ correct, and will also give you authentication errors. The file in /usr/share/pam is a template that needs to be processed by pam-auth-update before it can be used; this is precisely what the instructions I offered do for you.

thanks for the clarification, Steve. I won't try running with the copy in /usr/share/pam/!

Thanks Steve. You helped me fix the problem nicely.

run pam-auth-update --force did not work for me either, but i just did the update anyway, and received the new package. Thanks for the good work and trouble shooting. The Ubuntu community is why i switched to using Linux. That and the fact that I didn't like windows anymore. Been using Ubuntu happily for almost four years now.

-Andrew
-keen101