Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 235590 - su fails - PAM_AUTHINFO_UNAVAIL
Summary: su fails - PAM_AUTHINFO_UNAVAIL
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: AMD64 Linux
: High normal (vote)
Assignee: PAM Gentoo Team (OBSOLETE)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-08-24 02:47 UTC by Stefan de Konink
Modified: 2008-10-01 17:25 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan de Konink 2008-08-24 02:47:37 UTC 
1) I have added a new user
2) New user is in group wheel
3) I am able to log in as this user
4) I am able to log in as root
5) user cannot su - with the root password

Reproducible: Always

Steps to Reproduce:

Actual Results:  
Aug 24 04:44:36 localhost su[22205]: pam_unix(su:auth): authentication failure; logname=skinkie uid=1000 euid=1000 tty=pts/4 ruser=skinkie rhost=  user=root
Aug 24 04:44:38 localhost su[22205]: pam_authenticate: Authentication failure
Aug 24 04:44:38 localhost su[22205]: FAILED su for root by skinkie
Aug 24 04:44:38 localhost su[22205]: - pts/4 skinkie:root



Portage 2.2_rc8 (default-linux/amd64/2007.0/no-multilib, gcc-4.3.1, glibc-2.8_p20080602-r0, 2.6.20-xen-r3 x86_64)
=================================================================
System uname: Linux-2.6.20-xen-r3-x86_64-Intel-R-_Xeon-R-_CPU_L5320_@_1.86GHz-with-glibc2.2.5
Timestamp of tree: Sat, 23 Aug 2008 22:45:01 +0000
app-shells/bash:     3.2_p39
dev-lang/python:     2.5.2-r7
sys-apps/baselayout: 2.0.0
sys-apps/openrc:     0.2.5
sys-apps/sandbox:    1.2.18.1-r3
sys-devel/autoconf:  2.62-r1
sys-devel/automake:  1.10.1-r1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   2.2.4
virtual/os-headers:  2.6.25-r4
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -pipe -mno-tls-direct-seg-refs "
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=nocona -O2 -pipe -mno-tls-direct-seg-refs "
DISTDIR="/usr/portage/distfiles"
FEATURES="buildpkg distlocks parallel-fetch preserve-libs sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo http://www.ibiblio.org/gentoo"
LDFLAGS=""
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://ftp.snt.utwente.nl/gentoo-portage"
USE="acl amd64 berkdb cli cracklib crypt cups dri fortran gdbm iconv ipv6 isdnlog midi mmx mudflap ncurses nls nptl nptlonly pam pcre perl pppd readline reflection session spl sse sse2 ssl tcpd unicode xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x     ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3     trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 mach64      mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis     sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-08-25 00:56:34 UTC 
ensure that your pambase is up to date and that you did etc-update properly, and include the output of the following:

as skinkie:
# id
# su -
# id

as root:
# id
# su - skinkie
# id
# su -
# id

also include the output from:
# echo su ; cat /etc/pam.d/su |egrep -v '^#|^$'
# echo system-auth ; cat /etc/pam.d/system-auth |egrep -v '^#|^$'
Comment 2 Stefan de Konink 2008-08-25 01:08:44 UTC 
skinkie@localhost ~ $ id
uid=1000(skinkie) gid=1000(skinkie) groups=10(wheel),1000(skinkie)
skinkie@localhost ~ $ su -
Password: 
su: Authentication failure
skinkie@localhost ~ $ id
uid=1000(skinkie) gid=1000(skinkie) groups=10(wheel),1000(skinkie)

localhost ~ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
localhost ~ # su - skinkie
skinkie@localhost ~ $ id
uid=1000(skinkie) gid=1000(skinkie) groups=10(wheel),1000(skinkie)
skinkie@localhost ~ $ su -
Password: 
su: Authentication failure
skinkie@localhost ~ $ id
uid=1000(skinkie) gid=1000(skinkie) groups=10(wheel),1000(skinkie)

localhost ~ # echo su ; cat /etc/pam.d/su |egrep -v '^#|^$'
su
auth       sufficient   pam_rootok.so
auth       required     pam_wheel.so use_uid
auth       include              system-auth
account    include              system-auth
password   include              system-auth
session    include              system-auth
session    required     pam_env.so
session    optional             pam_xauth.so
localhost ~ # echo system-auth ; cat /etc/pam.d/system-auth |egrep -v '^#|^$'
system-auth
auth            required        pam_env.so 
auth            required        pam_unix.so try_first_pass likeauth nullok 
 
account         required        pam_unix.so 
 
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow 
 
session         required        pam_limits.so 
session         required        pam_env.so 
session         required        pam_unix.so 
session         optional        pam_permit.so



[ebuild   R   ] sys-auth/pambase-20080801  USE="cracklib sha512 -consolekit -debug -gnome-keyring -mktemp -passwdqc (-selinux) -ssh" 0 k

localhost ~ # etc-update 
Scanning Configuration files...
Exiting: Nothing left to do; exiting. :)
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-08-25 01:21:47 UTC 
Your pam.d/su is different to mine.

# echo su ; cat /etc/pam.d/su |egrep -v '^#|^$'
su
auth       sufficient	pam_rootok.so
auth       sufficient   pam_wheel.so use_uid trust
auth       required     pam_wheel.so use_uid
auth       include		system-auth
account    include		system-auth
password   include		system-auth
session    include		system-auth
session    required     pam_env.so
session    optional		pam_xauth.so
Comment 4 Stefan de Konink 2008-08-25 01:31:35 UTC 
(In reply to comment #3)
> auth       sufficient   pam_wheel.so use_uid trust

First I didn't change it.


When I uncomment the line in my su file, I get the following error instead after typing su -

Aug 25 03:29:31 localhost su[23747]: pam_acct_mgmt: Authentication service cannot retrieve authentication info
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-08-25 02:26:26 UTC 
How did you login?
can you try to merge sys-libs/pam and sys-apps/shadow again?
does your user have a valid entry in /etc/shadow?

That message you got is for PAM_AUTHINFO_UNAVAIL, which is really weird. 

it happens only in the following cases:
1. /etc/shadow is corrupt or does not contain your user
2. can't call the selinux helper on password update
3. can't call a normal helper binary (missing perms etc)
Comment 6 Stefan de Konink 2008-08-25 02:46:23 UTC 
(In reply to comment #5)
> How did you login?

ssh

> can you try to merge sys-libs/pam and sys-apps/shadow again?

Done. Now it gets even MORE interesting... su - gives me root without password. Ok that is fixed by commenting the 'trust' rule again.

> does your user have a valid entry in /etc/shadow?

It has.

> That message you got is for PAM_AUTHINFO_UNAVAIL, which is really weird. 
> 
> it happens only in the following cases:
> 1. /etc/shadow is corrupt or does not contain your user
> 2. can't call the selinux helper on password update
> 3. can't call a normal helper binary (missing perms etc)

The only thing I can imagine is that my root password update script works in mysterious ways. I have created a programma that sets the password for images using chroot and chpasswd.

The contents of /etc/shadow- and /etc/shadow do *NOT* match. At least not in the way it matches on my other systems.


(but my problems seems to be solved by remerging)
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-08-25 02:54:43 UTC 
Yeah, 'trust' makes it not ask for the password to become root. It's useful specifically as you can get the real error code out of PAM like I did.

So either your pam or shadow was broken, not sure which, but it wasn't a problem with anything at the source level.

/etc/shadow- is the contents of /etc/shadow from before the last update.
Comment 8 Stefan de Konink 2008-08-25 03:07:06 UTC 
Thanks for the help :) Although I could have tried to emerge pam/shadow by myself...
Comment 9 Tais P. Hansen 2008-10-01 17:25:03 UTC 
I was just bitten by this one too. Emerging sys-apps/shadow alone fixed it.