530 login incorrect error after upgrade

Thank you for taking the time to report this bug and helping to make Ubuntu better. Unfortunately, we cannot work on this bug because your description didn't include enough information. You may find it helpful to read "How to report bugs effectively" http://www.chiark.greenend.org.uk/~sgtatham/bugs.html. We'd be grateful if you would then provide a more complete description of the problem.

Specifically, could you please make sure you include:

The error that you're seeing the system log file, and which log file that is.

Details of your LDAP configuration, including any files you have changed in /etc/pam.d

The output of "sudo debconf-show ldap-auth-config" - be sure to remove any confidential information.

Please also execute the following command, as it will automatically gather debugging information, in a terminal:

apport-collect 869684

When reporting bugs in the future please use apport by using 'ubuntu-bug' and the name of the package affected. You can learn more about this functionality at https://wiki.ubuntu.com/ReportingBugs.

Once done, please set the Status of this bug back to New.

Same problem occurs after update from Natty to Oneiric.

Package affected:

vsftpd 2.3.2-3ubuntu5

Actions taken before problem occurs.

1. Update from Maverick to Natty with do-release-update
2. Update from Natty to Oneiric with do-release-update

The problem was detected after the update from Natty to Oneiric, Natty may be affected too.

Tried to log into the ftp server (local or remote) brings up an error "530 login incorrect"
The login user is a standard user with /home directory

/etc/vsftp.conf
local_enable=yes

all values on default

Tried to remove / purge vsftpd packet several time, but problem still remains.

re-installd packet with standard /etc/vsftpd.conf and /etc/pam.d/vsftpd

No files changed in /etc/pam.d

/var/log/auth.log

Oct 18 10:51:23 localhost vsftpd: PAM unable to dlopen(pam_shells.so): /lib/security/pam_shells.so: cannot open shared object file: No such file or directory
Oct 18 10:51:23 localhost vsftpd: PAM adding faulty module: pam_shells.so
Oct 18 10:51:23 localhost vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Oct 18 10:51:23 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=XXX rhost=127.0.0.1
Oct 18 10:51:23 localhost vsftpd: pam_winbind(vsftpd:auth): getting password (0x00000388)
Oct 18 10:51:23 localhost vsftpd: pam_winbind(vsftpd:auth): pam_get_item returned a password

ubuntu-bug vsftpd

ApportVersion: 1.23-0ubuntu3
Architecture: amd64
Date: Tue Oct 16 10:55:50 2011
Dependencies:
  adduser 3.112+nmu1ubuntu5
  base-passwd 3.5.23
  busybox-initramfs 1:1.18.4-2ubuntu2
  coreutils 8.5-1ubuntu6
  cpio 2.11-7ubuntu1
  debconf 1.5.40ubuntu1
  debianutils 4.0.2
  dpkg 1.16.0.3ubuntu5
  findutils 4.4.2-1ubuntu3
  gcc-4.6-base 4.6.1-9ubuntu3
  ifupdown 0.7~alpha5.1ubuntu5
  initramfs-tools 0.99ubuntu7
  initramfs-tools-bin 0.99ubuntu7
  initscripts 2.88dsf-13.10ubuntu4
  insserv 1.14.0-2.1
  iproute 20110315-1build1
  klibc-utils 1.5.22-1ubuntu2
  libacl1 2.2.51-3
  libattr1 1:2.4.46-3

ldd /usr/sbin/vsftpd

linux-vdso.so.1 => (0x00007fff8653b000)
libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f5728a99000)
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007f572888b000)
libcap.so.2 => /lib/libcap.so.2 (0x00007f5728685000)
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f5728434000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f5728085000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5727ce5000)
libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007f5727acb000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f57278c7000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f57276ae000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f5728cae000)

debconf-show ldap-auth-config

 ldap-auth-config/bindpw: (password omitted)
* ldap-auth-config/rootbindpw: (password omitted)
  ldap-auth-config/binddn: cn=proxyuser,dc=example,dc=net
* ldap-auth-config/dbrootlogin: true
  ldap-auth-config/pam_password: md5
* ldap-auth-config/move-to-debconf: true
* ldap-auth-config/ldapns/ldap-server: ldapi:///ldaplocalho...

Even on a fresh install, it fails (amd64).

In my system the local login works only when the anonymous access is enabled in the conf file (after the upgrade to oneiric).

anonymous_enable=YES

I have been unable to reproduce this both on a fresh installation of Oneiric and on an upgrade from Natty (using cloud images). In both cases I added a password to the "ubuntu" user, installed vsftpd from the archive and successfully FTPd into it using "ftp", connecting to both localhost and to the IP assigned to eth0.

Duane, thank you for your very comprehensive and useful bug report. Could you please confirm that /lib/security/pam_shells.so does not exist on your problem system, and let me know if /lib/x86_64-linux-gnu/security/pam_shells.so exists instead?

I have the same problem having upgraded from 10.04 on AMD 64.

I can confirm that:

/lib/security/pam_shells.so does not exist
/lib/x86_64-linux-gnu/security/pam_shells.so does exist

I have carried out update process.

I am still unable to FTP using user accounts.

Thanks.
I assume that every bit information helps.

I can also confirm (thx Nigel) that:

/lib/security/pam_shells.so does not exist

and

/lib/x86_64-linux-gnu/security/pam_shells.so does exist

cheers

I have the exact same issue upgrading from 11.04-server i386

It was a clean install and was only used as an FTP server (running vsftp).

I get a 530 login incorrect when attempting to connect to the server.

I of course understand that Ubuntu is FOSS, but any chance of this being allocated to someone to fix?

Nearly seven weeks after reporting as a High priorty.

Thanks

With this bug affecting only four people after two months, it appears that this bug affects only a minority of users in perhaps more unusual configurations. Thus I'm reducing Importance to Medium as per the guidelines at https://wiki.ubuntu.com/Bugs/Importance.

I'd love to fix this but I'm in the dark without the ability to reproduce (#6).

Probably a lot of lurkers hoping it will be fixed soon.

How can we assist you to investigate further? I would offer SSH into my box but can't because I can't allocate an external IP. Could someone else?

This is causing quite a lot of extra work having to manually load patches to me Drupal dev box so would appreciate a fix soon.

Thanks

I would like to throw my hat in the ring. I have the same issue after upgrading to Oneiric. Is there a work around for this?

I tried symlinking the pam_shells.so file but it then fails with a memory allocation error.

Just wanted to report back that I was able to solve my issue by:

apt-get remove vsftpd
rm /etc/pam.d/vsftpd (figuring it will recreate it)
apt-get install vsftpd

Now it works fine.

The /etc/pam.d/vsftpd was NOT recreated.

Steven's solution fixes it for me. Thanks.

Hi - no go for me, I have:

apt-get purge vsftpd
rm /etc/pam.d/vsftpd
Checked that vsftpd.conf was removed
Manually removed ftp group as this had some users in

apt-get install vsftpd

/etc/pam.d/vsftp NOT recreated

Added user back into ftp group

Still can't access, I have attached the authlog as vsftpd_auth.log

Help!

Last December I setup 10.04 on a machine as a LAMP with vsftpd:

Changed the conf: Removed the anonymous access, enable write access, chroot users to their home directory & set local_umask to 022

All good.

Do it today (21st Feb 2012) but just Apache, transmission and vsftpd, change the conf as above, no dice, 530 error.

After some hacking about I get bored, uninstall, reinstall and bingo, it all works.

Looking at what flashed before me post install, the ftp group may not have been configured correctly the first time round.

I'm a bit noob to be of much use but I can confirm that this issue does exist.

I would like to report that i tried Steven Browns method with success

 apt-get remove vsftpd
 rm /etc/pam.d/vsftpd
 apt-get install vsftpd

Works for me!

Have a nice day.

This happend on Ubuntu Server x64 12.04 after i upgraded from 11.10 last week. No FTP user could log in any more.

/var/log/auth.log showed:
May 8 10:37:59 bcweb1 vsftpd: PAM unable to dlopen(pam_shells.so): /lib/security/pam_shells.so: cannot open shared object file: No such file or directory
May 8 10:37:59 bcweb1 vsftpd: PAM adding faulty module: pam_shells.so
May 8 10:37:59 bcweb1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 8 10:37:59 bcweb1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=weerstation rhost=172.23.0.16
May 8 10:37:59 bcweb1 vsftpd: pam_winbind(vsftpd:auth): getting password (0x00000388)
May 8 10:37:59 bcweb1 vsftpd: pam_winbind(vsftpd:auth): pam_get_item returned a password

Now solved by the steps
# apt-get remove vsftpd
# rm /etc/pam.d/vsftpd
# apt-get install vsftpd

I had this problem also, the method about (thanks Steve Brown) worked like a champ.

I too have this bug but

# apt-get remove vsftpd
# rm /etc/pam.d/vsftpd
# apt-get install vsftpd

did not work for me.

Hello All,

as stated in bug #992578 I continue here to add my findings.

Uncommenting the line
#auth required pam_shells.so

in the file /etc/pam.d/vsftpd just made the error message lines in /var/log/auth.log disappear:
vsftpd: PAM unable to dlopen(pam_shells.so): /lib/security/pam_shells.so: cannot open shared object file: No such file or directory
vsftpd: PAM adding faulty module: pam_shells.so

but a local user could not login.

Also just installing vsftpd again like

# apt-get remove vsftpd
# rm /etc/pam.d/vsftpd
# apt-get install vsftpd

did NOT work.

On my fresh installation the state of the pam_shells.so is as follows:

/lib/security/pam_shells.so does not exist
/lib/x86_64-linux-gnu/security/pam_shells.so does exist

Only removing (i.e. renaming) /etc/pam.d/vsftpd worked for me, too (as mentioned in bug #992578)

The contents of the log files were:

root@develop:/etc/pam.d# tail /var/log/auth.log
Jul 22 00:50:12 develop useradd[5560]: new user: name=ftp, UID=108, GID=117, home=/srv/ftp, shell=/bin/false
Jul 22 00:50:12 develop usermod[5565]: change user 'ftp' password
Jul 22 00:50:13 develop chage[5570]: changed password expiry for ftp
Jul 22 00:50:13 develop chfn[5573]: changed user 'ftp' information
Jul 22 00:51:07 develop vsftpd: PAM unable to dlopen(pam_shells.so): /lib/security/pam_shells.so: cannot open shared object file: No such file or directory
Jul 22 00:51:07 develop vsftpd: PAM adding faulty module: pam_shells.so
Jul 22 00:51:07 develop vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Jul 22 00:51:07 develop vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=amueckl rhost=127.0.0.1
Jul 22 00:51:07 develop vsftpd: pam_winbind(vsftpd:auth): getting password (0x00000388)
Jul 22 00:51:07 develop vsftpd: pam_winbind(vsftpd:auth): pam_get_item returned a password

root@develop:/etc/pam.d# tail /var/log/vsftpd.log
Sun Jul 22 00:09:57 2012 [pid 2] CONNECT: Client "127.0.0.1"
Sun Jul 22 00:10:04 2012 [pid 1] [amueckl] FAIL LOGIN: Client "127.0.0.1"
Sun Jul 22 00:15:50 2012 [pid 2] CONNECT: Client "127.0.0.1"
Sun Jul 22 00:15:57 2012 [pid 1] [amueckl] FAIL LOGIN: Client "127.0.0.1"
Sun Jul 22 00:36:22 2012 [pid 2] CONNECT: Client "127.0.0.1"
Sun Jul 22 00:36:27 2012 [pid 1] [amueckl] FAIL LOGIN: Client "127.0.0.1"
Sun Jul 22 00:51:03 2012 [pid 2] CONNECT: Client "127.0.0.1"
Sun Jul 22 00:51:10 2012 [pid 1] [amueckl] FAIL LOGIN: Client "127.0.0.1"
Sun Jul 22 01:01:55 2012 [pid 2] CONNECT: Client "127.0.0.1"
Sun Jul 22 01:02:00 2012 [pid 1] [amueckl] OK LOGIN: Client "127.0.0.1"

Note:
- At around 00:50:12 I installed vsftpd (again) and then tried to login as a local user -> 530 Login incorrect.
- At around 01:00:00 I renamed the file /etc/pam.d/vsftpd to vsftpd_invisible and tried again to login a local user -> 230 Login successful, but pam is not used anymore!

root@develop:/etc/pam.d# ftp localhost
Connected to localhost.
220 (vsFTPd 2.3.5)
Name (localhost:amueckl): amueckl
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here c...

Hi,

Im using vsftpd-2.3.5 on Ubuntu 12.04 LTS 64 bit.
This problem appeared after I installed winbind. There before:
sudo apt-get remove winbind
sudo reboot now

Solved my problem.

Regards,
David

Hi,

Yesterday I did the upgrade from 10.04 to 12.04. All the updates and upgrades were done on 10.04 before the upgrade to 12.04. FTP was working perfectly for months but stopped working with 12.04. I checked all the settings and they seem to be as they were before. I went to several forums and tried what was suggested but nothing helps. I'm now tempted to believe I'm affected by this bug. Thank you for working on it. Please let me know if you need information.

François

hi,
had the same problem here with a user I created just to ftp-ing (this user was created with shell /bin/false ), but SOLVED permitting the user to have a shell:

usermod ftpuser -s /bin/bash

I've been having this problem also for some time now. I did some more testing with pam configuration and found out that there is something broken(?) in using combination of pam_unix and pam_ldap with auth and account management group types.

So this does NOT work (in file /etc/pam.d/vsftpd):
----------
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_permit.so

auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_permit.so
----------

BUT this DOES work (for both unix-only and ldap-only users, although now ldap has precedence of course):
---------
account sufficient pam_ldap.so
account sufficient pam_unix.so
account required pam_permit.so

auth sufficient pam_ldap.so
auth sufficient pam_unix.so use_first_pass
auth required pam_permit.so
---------

Additionally order of pam_unix and pam_ldap does not matter with session and password types.

Also if you use pam_unix ONLY in either of account OR auth before pam_ldap, then it also fails.

So something strange going on with pam_unix.so perhaps?

Oh yes, I forgot to mention:

I tried this also with sssd and with that everything works ok with pam_unix being first in stack. (Configured sssd running and then replaced all pam_ldap.so with pam_sss.so in the original configuration).

I'm running into this problem as well.

Only entry in auth.log is:
Mar 25 11:22:55 viper vsftpd: PAM audit_log_acct_message() failed: Operation not permitted

ls -l /lib/security/pam_shells.so
ls: cannot access /lib/security/pam_shells.so: No such file or directory

ls -l /lib/x86_64-linux-gnu/security/pam_shells.so
-rw-r--r-- 1 Groot root 6168 Mar 11 23:42 /lib/x86_64-linux-gnu/security/pam_shells.so

This is a brand new install of ubuntu 13.04 (raring) with latest updates as of today.

Same problem here as Matthew. Upgraded 12.04 -> 12.10 -> 13.04.

removed the pamd/vsftpd, no success. Used the one above, no success.
Added my user to the ftp group
did allow anon ftp. No success.

When I used the pam config above, I got an error, indicating that it is not seaching for 64-bit PAM modules, but only in /lib/security/

Apr 30 14:43:18 server1 vsftpd: PAM unable to dlopen(pam_ldap.so): /lib/security/pam_ldap.so: cannot open shared object file: No such file or directory
Apr 30 14:43:18 server1 vsftpd: PAM adding faulty module: pam_ldap.so
Apr 30 14:43:18 server1 vsftpd: pam_unix(vsftpd:auth): auth could not identify password for [user]
Apr 30 14:43:18 server1 vsftpd: PAM audit_log_acct_message() failed: Operation not permitted

Installing libpam_ldapd and libpam_abl only libpam_abl ends up as the sole item in /lib/security - pam_ldap.so ends up in /lib/x86_64-linux-gnu/security/

So there seems to be some 32 bit / 64 bit issues.

 sudo apt-get install --reinstall libpam-modules libpam-modules-bin did not fix anything.

Same problem:

Upgraded 12.10 -> 13.04.

I had the same problem for a while, turns out the file /etc/pam.d/vsftpd that comes with ubuntu is buggy...
Comments the following line in /etc/pam.d/vsftpd :
auth required pam_shells.so

And restart vsftpd

This is the only solution that worked for me.