package libpam-modules 1.3.1-5ubuntu4.6 failed to install/upgrade: new libpam-modules:amd64 package pre-installation script subprocess returned error exit status 2

ubuntu-release-upgrader 1:22.04.13 and later in Ubuntu 22.04 includes a check to detect pam_tally's presence in /etc/pam.d and abort the upgrade to let the user fix up their config beforehand.

If you are getting failures from libpam-modules during do-release-upgrade, then this check is not correctly working for you.

Please attach the config files that reference pam_tally on the affected system, so that we can debug.

[Expired for ubuntu-release-upgrader (Ubuntu) because there has been no activity for 60 days.]

Hello,

I am seeing the exact same problem. Down to the minor version of pam reported.

I am attaching the config files of pam that have a recent date. I do not recall how exactly I modified them. I believe only the `common-*` ones have been touched by me, but I added the other ones that were newer too (login, su, su-l)

Thanks, looking at the attached files it's clear what has happened here. The check in the ubuntu-release-upgrader code does:

        for f in os.listdir('/etc/pam.d'):
            if f in ('common-account', 'common-auth', 'common-password',
                     'common-session', 'common-session-noninteractive'):
                # managed by pam-auth-updates, and any references to
                # pam_tally* will be handled by libpam-modules on upgrade
                # without breaking
                continue
            with open(os.path.join('/etc/pam.d', f)) as f:
                content = f.read()
                if re.search('^[^#]*pam_tally', content, re.MULTILINE):
                    logging.error("pam_tally* in use")
                    # from libpam-modules.templates
[...]

So it specifically ignores references to pam_tally* in /etc/pam.d/common-* because it's expected these will be managed by the libpam-modules maintainer scripts. However, in your case pam_tally2.so was MANUALLY added to /etc/pam.d/common-account and /etc/pam.d/common-auth; and this code intended to catch the issue early can't distinguish.

I don't think we're going to risk making the situation worse by trying to further distinguish between manually and automatically edited common-* files. So unfortunately I have to consider this a 'wontfix'.

Thank you for the exact explanation ! Indeed, it is clear that this is exactly what happened. I did MANUALLY modify them, because that's what most tutorials said to do in order to use pam_tally2 :).

I understand the WONT FIX. It's probably very rare, and "old" issue, not many people left to upgrade I imagine.

I have another machine, an exact copy of this one. In order to avoid the issue, I should comment our all `pam_tally*` lines in all files under /etc/pam.d/ , is that right ?

Thank you for your help and quick response !

On Thu, Sep 21, 2023 at 07:46:42PM -0000, Ciprian Tomoiaga wrote:
> I have another machine, an exact copy of this one. In order to avoid the
> issue, I should comment our all `pam_tally*` lines in all files under
> /etc/pam.d/ , is that right ?

Yes, you will need to comment them out, since the modules no longer exist in
the new release.