Configuring PAM common files manually

This document (7019016) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 Service Pack 3 (SLES 12 SP3)
SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
Pluggable Authentication Modules (PAM)

Situation

After a system update, users can no longer log in to the system.

Manual changes were made to the /etc/pam.d/common-account, /etc/pam.d/common-auth, /etc/pam.d/common-password and /etc/pam.d/common-session files per the "Manually Configuring PAM" section of the Security Guide.

sles12sp2:/etc/pam.d # ls -al common-*
lrwxrwxrwx 1 root root  17 Apr  4 16:49 common-account -> common-account-pc
-rw-r--r-- 1 root root 451 May  1 11:22 common-account-pc
lrwxrwxrwx 1 root root  14 Apr  4 16:49 common-auth -> common-auth-pc
-rw-r--r-- 1 root root 536 May  1 11:22 common-auth-pc
lrwxrwxrwx 1 root root  18 Apr  4 16:49 common-password -> common-password-pc
-rw-r--r-- 1 root root 429 May  1 11:22 common-password-pc
lrwxrwxrwx 1 root root  17 Apr  4 16:49 common-session -> common-session-pc
-rw-r--r-- 1 root root 547 May  1 11:22 common-session-pc

All the manual changes were overwritten in the /etc/pam.d/common-{account,auth,password,session} files after the update.

Resolution

Remove the symbolic links so that /etc/pam.d/common-{account,auth,password,session} are files and not symbolic links to /etc/pam.d/common-{account,auth,password,session}-pc.

sles12sp2:/etc/pam.d # rm common-{account,auth,password,session}

sles12sp2:/etc/pam.d # ls -al common-*
-rw-r--r-- 1 root root 451 May  1 11:22 common-account-pc
-rw-r--r-- 1 root root 536 May  1 11:22 common-auth-pc
-rw-r--r-- 1 root root 429 May  1 11:22 common-password-pc
-rw-r--r-- 1 root root 547 May  1 11:22 common-session-pc

sles12sp2:/etc/pam.d # cp common-account-pc common-account
sles12sp2:/etc/pam.d # cp common-auth-pc common-auth
sles12sp2:/etc/pam.d # cp common-password-pc common-password
sles12sp2:/etc/pam.d # cp common-session-pc common-session

sles12sp2:/etc/pam.d # ls -al common-*
-rw-r--r-- 1 root root 451 May  1 11:22 common-account
-rw-r--r-- 1 root root 451 May  1 11:22 common-account-pc
-rw-r--r-- 1 root root 536 May  1 11:22 common-auth
-rw-r--r-- 1 root root 536 May  1 11:22 common-auth-pc
-rw-r--r-- 1 root root 429 May  1 11:22 common-password
-rw-r--r-- 1 root root 429 May  1 11:22 common-password-pc
-rw-r--r-- 1 root root 547 May  1 11:22 common-session
-rw-r--r-- 1 root root 547 May  1 11:22 common-session-pc

Now reapply all your manual changes in the /etc/pam.d/common-{account,auth,password,session} files instead of the /etc/pam.d/common-{account,auth,password,session}-pc files. When pam-config is run again, either manually or during a system update, new /etc/pam.d/common-{account,auth,password,session}-pc files will be created, but they will not affect the manual changes you made.
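
A check for the state this procedure leaves behind, as an added example that is not part of the original SUSE document: it classifies each common-* file in a directory as still linked to its -pc file, a detached copy, or a detached file that differs from it. The function names, state labels and sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report how each PAM common file relates to its pam-config copy.
# States printed per file:
#   linked     symlink to common-<type>-pc; pam-config output is live, manual edits get overwritten
#   other-link symlink to something else
#   copy       regular file, byte-identical to common-<type>-pc
#   differs    regular file that differs from common-<type>-pc (manual changes, or a newer -pc)
#   missing    no file at all (link removed, copy not yet made)
pam_common_state() {
    dir=${1:-/etc/pam.d}
    for t in account auth password session; do
        f="$dir/common-$t"
        pc="$dir/common-$t-pc"
        if [ -L "$f" ]; then
            case "$(readlink "$f")" in
                "common-$t-pc"|"$pc") state=linked ;;
                *) state=other-link ;;
            esac
        elif [ -f "$f" ]; then
            if [ -f "$pc" ] && cmp -s "$f" "$pc"; then state=copy; else state=differs; fi
        else
            state=missing
        fi
        printf 'common-%s %s\n' "$t" "$state"
    done
}

# Constructed sample tree (not a real system) covering four of the states.
make_sample() {
    s=$(mktemp -d) || return 1
    for t in account auth password session; do
        printf '%s required pam_unix.so\n' "$t" > "$s/common-$t-pc"
    done
    ln -s common-account-pc "$s/common-account"      # still managed by pam-config
    cp "$s/common-auth-pc" "$s/common-auth"          # detached, not yet edited
    cp "$s/common-session-pc" "$s/common-session"    # detached, then edited by hand
    printf 'session optional pam_umask.so\n' >> "$s/common-session"
    printf '%s\n' "$s"                               # common-password left out on purpose
}

sample=$(make_sample)
pam_common_state "$sample"
rm -rf "$sample"
```

Run pam_common_state with no argument to inspect /etc/pam.d. For a file reported as differs after an update, comparing it with its -pc counterpart shows what pam-config regenerated but which is not in effect.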

Cause

pam-config overwrites any changes made to the /etc/pam.d/common-{account,auth,password,session}-pc files. Since the /etc/pam.d/common-{account,auth,password,session} files were symbolically linked to /etc/pam.d/common-{account,auth,password,session}-pc, all changes were being overwritten.

Several packages trigger pam-config to run, such as: ecryptfs-utils, pam-config, pam_apparmor, systemd, systemd-32bit, gnome-keyring, and gnome-keyring-pam-32bit.

Per the Security Guide documentation:

"When you create your PAM configuration files from scratch using the pam-config --create command, it creates symbolic links from the common-* to the common-*-pc files. pam-config only modifies the common-*-pc configuration files. Removing these symbolic links effectively disables pam-config, because pam-config only operates on the common-*-pc files and these files are not put into effect without the symbolic links."

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7019016
  • Creation Date: 18-May-2017
  • Modified Date: 03-Mar-2020
    • SUSE Linux Enterprise Server