package libpam-modules 1.3.1-5ubuntu4.6 failed to install/upgrade: new libpam-modules:amd64 package pre-installation script subprocess returned error exit status 2

Bug #2012174 reported by Reza
26
This bug affects 3 people
Affects Status Importance Assigned to Milestone
ubuntu-release-upgrader (Ubuntu)
Expired
Undecided
Unassigned

Bug Description

Upgrade from Ubuntu 20.04 to 22.4 fails if pam_tally is present in the system's PAM config

I run do-release-upgrade and I got a message upgrade completed with errors. I rebooted the server and it is now in an undefined state between 20.04 and 22.04. Not all packages have been installed.

ProblemType: Package
DistroRelease: Ubuntu 20.04
Package: libpam-modules 1.3.1-5ubuntu4.6
ProcVersionSignature: Ubuntu 5.4.0-144.161-generic 5.4.229
Uname: Linux 5.4.0-144-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.25
Architecture: amd64
CasperMD5CheckResult: pass
Date: Sun Mar 19 07:20:35 2023
ErrorMessage: new libpam-modules:amd64 package pre-installation script subprocess returned error exit status 2
InstallationDate: Installed on 2023-03-19 (0 days ago)
InstallationMedia: RNP Ubuntu-Server 20.04.1 21.07 "Custom OIEC Secure OS" (20210111)
Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 3.8.2-0ubuntu2
PythonDetails: N/A
RelatedPackageVersions:
 dpkg 1.21.1ubuntu2.1
 apt 2.0.9
SourcePackage: pam
Title: package libpam-modules 1.3.1-5ubuntu4.6 failed to install/upgrade: new libpam-modules:amd64 package pre-installation script subprocess returned error exit status 2
UpgradeStatus: Upgraded to focal on 2023-03-19 (0 days ago)
mtime.conffile..etc.security.limits.conf: 2021-01-09T12:35:56

Revision history for this message
Reza (tavakolirad) wrote :
tags: removed: need-duplicate-check
Revision history for this message
Steve Langasek (vorlon) wrote :

ubuntu-release-upgrader 1:22.04.13 and later in Ubuntu 22.04 includes a check to detect pam_tally's presence in /etc/pam.d and abort the upgrade to let the user fix up their config beforehand.

If you are getting failures from libpam-modules during do-release-upgrade, then this check is not correctly working for you.

Please attach the config files that reference pam_tally on the affected system, so that we can debug.

affects: pam (Ubuntu) → ubuntu-release-upgrader (Ubuntu)
Changed in ubuntu-release-upgrader (Ubuntu):
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for ubuntu-release-upgrader (Ubuntu) because there has been no activity for 60 days.]

Changed in ubuntu-release-upgrader (Ubuntu):
status: Incomplete → Expired
Revision history for this message
Ciprian Tomoiaga (cipri.tom) wrote :

Hello,

I am seeing the exact same problem. Down to the minor version of pam reported.

I am attaching the config files of pam that have a recent date. I do not recall how exactly I modified them. I believe only the `common-*` ones have been touched by me, but I added the other ones that were newer too (login, su, su-l)

Revision history for this message
Steve Langasek (vorlon) wrote :

Thanks, looking at the attached files it's clear what has happened here. The check in the ubuntu-release-upgrader code does:

        for f in os.listdir('/etc/pam.d'):
            if f in ('common-account', 'common-auth', 'common-password',
                     'common-session', 'common-session-noninteractive'):
                # managed by pam-auth-updates, and any references to
                # pam_tally* will be handled by libpam-modules on upgrade
                # without breaking
                continue
            with open(os.path.join('/etc/pam.d', f)) as f:
                content = f.read()
                if re.search('^[^#]*pam_tally', content, re.MULTILINE):
                    logging.error("pam_tally* in use")
                    # from libpam-modules.templates
[...]

So it specifically ignores references to pam_tally* in /etc/pam.d/common-* because it's expected these will be managed by the libpam-modules maintainer scripts. However, in your case pam_tally2.so was MANUALLY added to /etc/pam.d/common-account and /etc/pam.d/common-auth; and this code intended to catch the issue early can't distinguish.

I don't think we're going to risk making the situation worse by trying to further distinguish between manually and automatically edited common-* files. So unfortunately I have to consider this a 'wontfix'.

Revision history for this message
Ciprian Tomoiaga (cipri.tom) wrote :

Thank you for the exact explanation ! Indeed, it is clear that this is exactly what happened. I did MANUALLY modify them, because that's what most tutorials said to do in order to use pam_tally2 :).

I understand the WONT FIX. It's probably very rare, and "old" issue, not many people left to upgrade I imagine.

I have another machine, an exact copy of this one. In order to avoid the issue, I should comment our all `pam_tally*` lines in all files under /etc/pam.d/ , is that right ?

Thank you for your help and quick response !

Revision history for this message
Steve Langasek (vorlon) wrote : Re: [Bug 2012174] Re: package libpam-modules 1.3.1-5ubuntu4.6 failed to install/upgrade: new libpam-modules:amd64 package pre-installation script subprocess returned error exit status 2

On Thu, Sep 21, 2023 at 07:46:42PM -0000, Ciprian Tomoiaga wrote:
> I have another machine, an exact copy of this one. In order to avoid the
> issue, I should comment our all `pam_tally*` lines in all files under
> /etc/pam.d/ , is that right ?

Yes, you will need to comment them out, since the modules no longer exist in
the new release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.