[PAM] Unable to login: Cannot make/remove an entry for the specified session

Bug #259867 reported by Alexey Balmashnov on 2008-08-20
36
Affects Status Importance Assigned to Milestone
pam (Ubuntu)
Undecided
Unassigned

Bug Description

Just did an update of the system.

Now I can not log into the GNOME. IIRC there were updates for pidgin and pam libraries.

Console and ssh don't work either.
PAM error message - Cannot make/remove an entry for the specified session

Related branches

russofris (russofris) wrote :

I can confirm this. Running kubuntu intrepid. When I try to login from a console, the error displayed is "access violation", and it immediately logs me out.

Thanx Much,
Frank

Any suggestions on workarounds/how to fix this issue?

russofris (russofris) wrote :

I tried booting from the liveCD and chrooting into the system on disk. That worked. Then I tried to change the password of my user and rebooting. No dice.

We're going to have to find the pam packages that were upgraded, and revert them.

Unfortunately, I have little knowledge of apt/dpkg.

Basically....

boot from live cd
open terminal
sudo su - root
mkdir /mnt/chroot
mount /dev/XXX /mnt/chroot (where XXX is your linux partition)
chroot /mnt/chroot /bin/bash
apt-get --something-here-to-revert-pam

If you can figure out the last step, props to you. Welcome to the world of Alpha releases.

Frank

Stefano Maioli (smaioli) wrote :

Logging in from console:
Cannot make/remove an entry for the specified session
and another login prompt. It'a a pam error...

Stefano Maioli (smaioli) on 2008-08-20
description: updated

The packages which where updated are libpam-modules and libpam-runtime. There are no old versions of them in the repos anymore, so a simple downgrade is not possible, unless you have some old packages of them in your apt cache (/var/cache/apt/archives/)

russofris (russofris) wrote :

Sweet! It looks like I am fortunate.

root@ubuntu:/var/cache/apt/archives# ls -l | grep pam
-rw-r--r-- 1 root root 111744 2008-07-29 03:04 libpam0g_1.0.1-1ubuntu1_amd64.deb
-rw-r--r-- 1 root root 111544 2008-08-20 14:05 libpam0g_1.0.1-2ubuntu1_amd64.deb
-rw-r--r-- 1 root root 7916 2008-08-04 14:04 libpam-ck-connector_0.2.10-1ubuntu2_amd64.deb
-rw-r--r-- 1 root root 28562 2008-08-07 15:05 libpam-gnome-keyring_2.23.6-0ubuntu2_amd64.deb
-rw-r--r-- 1 root root 28874 2008-08-18 15:05 libpam-gnome-keyring_2.23.90-0ubuntu1_amd64.deb
-rw-r--r-- 1 root root 311926 2008-07-29 03:04 libpam-modules_1.0.1-1ubuntu1_amd64.deb
-rw-r--r-- 1 root root 310186 2008-08-20 14:05 libpam-modules_1.0.1-2ubuntu1_amd64.deb
-rw-r--r-- 1 root root 75980 2008-07-29 03:04 libpam-runtime_1.0.1-1ubuntu1_all.deb
-rw-r--r-- 1 root root 83354 2008-08-20 14:05 libpam-runtime_1.0.1-2ubuntu1_all.deb
root@ubuntu:/var/cache/apt/archives#

So how does one revert to an older version via apt? (Hitting the docs now)

Frank

russofris (russofris) wrote :

Hmmm.. It should be something like..

apt-get install libpam-modules=libpam-modules_1.0.1-1ubuntu1_amd64.deb

root@ubuntu:/var/cache/apt/archives# apt-get install libpam-modules=libpam-modules_1.0.1-1ubuntu1_amd64.deb
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Version 'libpam-modules_1.0.1-1ubuntu1_amd64.deb' for 'libpam-modules' was not found

Still readin and doing some head scratchin.

Dan Andreșan (danyer) wrote :

I am hit too. I still have another computer where I didn't update, so I'll try to compare the configuration files between them

russofris (russofris) wrote :

Is everyone else here 64bit, or do we have some 32bit users here?

Frank

Stefano Maioli (smaioli) wrote :

This command will fix it:
http://people.ubuntu.com/~vorlon/meh

And the updated packages are coming anyway...

Stefano Maioli (smaioli) wrote :

Fix committed:
<slangasek> [...] binary is accepted and soon to be published

Changed in pam:
status: Confirmed → Fix Committed
Steve Langasek (vorlon) wrote :

This bug has been fixed in the upload of pam 1.0.1-3ubuntu2. Changelog is:

 pam (1.0.1-3ubuntu2) intrepid; urgency=high
 .
   * debian/local/common-session: the session stack needs to be handled the
     same way as the password stack, with the possibility of zero primary
     modules; required to fix build failures on the Ubuntu buildds due to
     su not being able to open sessions by default. LP: #259867.
   * debian/libpam-runtime.postinst: when upgrading from the broken
     1.0.1-2ubuntu1 version, manually edit /etc/pam.d/common-session to
     recover.

The i386 package (which is what provides libpam-runtime) is built, and should make it into the next publisher run.

My apologies for the broken upload, it tested out fine with sudo before I uploaded it. :/

Changed in pam:
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote :

downgrading the packages will not help, the old packages don't know how to roll back this change and downgrading will break the upgrade check that's been added in the just-uploaded fixed version.

This is an architecture-independent bug, both 64-bit and 32-bit users will have the same problem.

Dan Andreșan (danyer) wrote :

russofris (Frank), I am on 32 bits. Thanks Steve for providing a quick fix, now if only I would be able to apply it (I am logged out of my system, although I have a LiveCD available for emergency work)

russofris (russofris) wrote :

Dan,

To recover, you have 2 options..

1: Recovery console
2: Chroot from the loveCD (see above)

After that, it should be the normal update/upgrade process.

Steve,

thanx much for the quick turnaround.

Frank

Dan Andreșan (danyer) wrote :

Long live the Vorlon (and Stefano Maioli).
The link you indicated solved the problem, I am back in my system.

Yes...

Dan Andreșan (danyer) wrote :

Thanks Frank,

I modified the file seen in the Stefano's script /etc/pam.d/common-session on my harddisk, booting from the livecd.

I'll have in mind the chroot method for the future.

Thanks again,
Dan

Matthias Metzger (macellarius) wrote :

Stefano and Frank, God bless you. Thanks to you two, I got Intrepid back to life.

Stefano Maioli (smaioli) wrote :

Well, I just copy-pasted the link..
But thanks! :)

I used the recovery thing and chose to have a root terminal, yet I get no internet access from the terminal, if I try to ping something its unable to resolve the host, so I can't seem to find a way to do an APT upgrade.

Andrew (keen101) wrote :

Just installed updates. 10:00 pm MST 08/21/08

My system keeps saying authentication failure at gdm login screen. This practically hosed the system.

I do not understand the workarounds. My system is 32 bit pretty sure. I really hope a fixed package is in the works, but i need to know how to fix my system. I have a live-cd and a live USB.

I'm pretty sure it doesn't have internet access in the recovery console on mine.'

so i somehow need to edit /etc/pam.d/common-session?

what do i edit it to?

"sed -i -e'
 /here.s the fallback if no module succeeds/,/prime the stack/ {
  s/.*pam_deny.*/# this is obviously a completely redundant line, except that it lets us\
# handle better the case where there are no "Primary" modules provided\
session required pam_permit.so/
 }' /etc/pam.d/common-session"

Steve Langasek (vorlon) wrote :

Jeremy,

If you can run the script that I've provided at <http://people.ubuntu.com/~vorlon/meh>, this will fix the problem so that you can again log in and continue the upgrade.

Alternatively, from a rescue session you can simply replace "pam_deny" with "pam_permit" in /etc/pam.d/common-session, continue booting, then do the following:
1) open a root shell
2) rm /etc/pam.d/common-session
3) run pam-auth-update --force
4) upgrade

this should get you a pristine configuration with the new version of libpam-runtime installed.

Thanks, I think I got it going now. I don't remember what I was told to
do, but it was something about "pam_allow.so" or something similar,
sorry I lost the page.

Thanks to all, and thanks to all the developers on how great Intrepid is
so far even with the occasional hiccup.

Steve Langasek wrote:
> Jeremy,
>
> If you can run the script that I've provided at
> <http://people.ubuntu.com/~vorlon/meh>, this will fix the problem so
> that you can again log in and continue the upgrade.
>
> Alternatively, from a rescue session you can simply replace "pam_deny" with "pam_permit" in /etc/pam.d/common-session, continue booting, then do the following:
> 1) open a root shell
> 2) rm /etc/pam.d/common-session
> 3) run pam-auth-update --force
> 4) upgrade
>
> this should get you a pristine configuration with the new version of
> libpam-runtime installed.
>
>

Stephen Cradock (s-cradock) wrote :

I've edited the common-session file, and got the updates installed. It all works fine.....

BUT - it seems to me I should be able to revert to the original common-session file and not get the Authentification failed error. Doesn't work that way - putting the pam_deny.so line back into common-session brings up the Authentification failed error again.

I've tried following Steve's suggestion to remove the existing common-session and run pam-auth-update --force, but it fails saying it can't stat common-session - not surprising, as I removed it.

What next? Do we need the line "session requisite pam_deny.so" in common-session, or was redundant?

Mario Vukelic (mario-vukelic) wrote :

Seconded, I'd also be happy to see what common-session is supposed to look now, as following Steve's instructions had the same effect as for Stephen above. I am not sure anymore whether I ended up with a good file, and my /usr/share/pam/common-session looks slightly different from my /etc/pam.d/common-session: the former has two more lines, "$session_primary" and "$session_additional".

Stephen Cradock (s-cradock) wrote :

Mario - thanks for the pointer - those are presumably spare copies of the working files in /etc/pam.d/

But you're right - the common-session file in the /usr/share/pam set doesn't have the pam-deny.so line - it has pam-permit.so instead. I checked the common-auth files in /etc/pam.d/ and /usr/share/pam/, and they are the way common-session used to be - a line "auth requisite pam_deny.so" and a line "auth required pam_permit.so".

The header of the files in /usr/share/pam/ refers to pam 1.0.1-4, by the way, while the files in /etc/pam.d/ refer to pam 1.0.1-3.

It looks as if this is a new paradigm being implemented on the wing, as it were.... I'm sure we'll get it all right soon. The block labels $session_primary and $session_additional look as if they will be new in version 1.0.1-4.

Wonder what would happen if I tried using those versions with 1.0.1-3 installed....

Steve Langasek (vorlon) wrote :

cp: cannot stat `/etc/pam.d/common-session': No such file or directory

This is a cosmetic error only, which I'll fix in the next version.

Copying /usr/share/pam/common-session to /etc/pam.d/common-session is /not/ correct, and will also give you authentication errors. The file in /usr/share/pam is a template that needs to be processed by pam-auth-update before it can be used; this is precisely what the instructions I offered do for you.

Stephen Cradock (s-cradock) wrote :

thanks for the clarification, Steve. I won't try running with the copy in /usr/share/pam/!

Andrew (keen101) wrote :

Thanks Steve. You helped me fix the problem nicely.

run pam-auth-update --force did not work for me either, but i just did the update anyway, and received the new package. Thanks for the good work and trouble shooting. The Ubuntu community is why i switched to using Linux. That and the fact that I didn't like windows anymore. Been using Ubuntu happily for almost four years now.

-Andrew
-keen101

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers