Bug 966373

Summary: After update, the pam auth module .so-file is missing. Configurations using pam auth fails after upgrade
Product: [Fedora] Fedora EPEL
Reporter: David Björkevik <david>
Component: openvpn
Assignee: Steven Pritchard <steve>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: el6
CC: dm, gwync, huzaifas, james.juran, kalaklanar, lampe, rhbugzilla, steve
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openvpn-2.3.1-3.el5
Doc Type: Bug Fix
Last Closed: 2013-06-10 17:05:11 UTC
Type: Bug

Description David Björkevik 2013-05-23 08:04:00 UTC
Description of problem:


Version-Release number of selected component (if applicable):
openvpn-2.3.1-1.el6.x86_64

Steps to Reproduce:
1. Have a working openvpn 2.2 configuration with a line in the config file like:

plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so sshd

2. Upgrade to version 2.3.1-1

3. service openvpn start

Actual results:
[ERROR]

Expected results:
[OK]

Additional info:

The file /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so no longer exists and openvpn won't start

Comment 1 Gwyn Ciesla 2013-05-23 13:25:14 UTC
It's now supposed to be at:

/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so

But is missing.  I'll get an update out.

Comment 2 Fedora Update System 2013-05-23 14:45:26 UTC
openvpn-2.3.1-2.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/openvpn-2.3.1-2.el5

Comment 3 Fedora Update System 2013-05-23 14:45:47 UTC
openvpn-2.3.1-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/openvpn-2.3.1-2.el6

Comment 4 Michael Lampe 2013-05-23 18:07:33 UTC
These plugins should still be in the old place, because you are breaking existing installations -- mine for example.

I agree that the new path is nicer, but if EPEL mimics RHEL, this will have to wait until EL7.

Comment 5 Gwyn Ciesla 2013-05-23 18:36:05 UTC
Not simply the path, but the filename has changed as well.  If you can try a symlink from the old name and path to the new, and confirm that it works, I'll include that.

Comment 6 Michael Lampe 2013-05-23 19:01:50 UTC
I'd rather change my configuration.

Point is that EPEL behaves very much _unlike_ RHEL here.

With RHEL, you just do "yum update" and you are set. No surprises -- OK, major updates can have some.

OpenVPN not working after this update caught me unexpected and somehow pissed.

Why do we need new paths/names? The old ones are as good as everything.

Consistency is the difference between Fedora and RHEL (to which I would like to add EPEL).

Comment 7 Fedora Update System 2013-05-23 19:43:54 UTC
Package openvpn-2.3.1-2.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing openvpn-2.3.1-2.el5'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5907/openvpn-2.3.1-2.el5
then log in and leave karma (feedback).

Comment 8 Gwyn Ciesla 2013-05-23 19:50:28 UTC
I'm not sure, you'd have to ask upstream.  The only reason I updated to 2.3.1 in EPEL at all was the CVE.  WRT consistency, EPEL aims for RHEL's consistency, but doesn't completely achieve it, being a volunteer organization like Fedora.  We do our best.  Caught between changes and CVEs, I tend to err on the side of fixing CVEs.

Comment 9 Michael Lampe 2013-05-23 21:18:22 UTC
Fair enough. But then: I can rebuild the original Fedora RPMs myself. What do I need EPEL for?

Wasn't there a simple patch for this CVE? RHEL would have fixed it that way.

But hey! RHEL doesn't even provide openvpn.

Comment 10 Gwyn Ciesla 2013-05-24 12:14:55 UTC
*** Bug 966824 has been marked as a duplicate of this bug. ***

Comment 11 James Juran 2013-05-24 17:57:17 UTC
Jon,

Thank you for doing this update. I ran into the missing plugin issue with the openvpn-down-root.so plugin. I have to agree with Michael that moving the plugins in an update causes big problems. As you requested, I confirmed that a symlink to the old directory and plugin name makes my existing configuration work. If you can add a patch to put them back in their old place for at least el6 and below I would greatly appreciate it.

Comment 12 Gwyn Ciesla 2013-05-24 18:14:41 UTC
Ok, thanks, I'll get that out ASAP.

Comment 13 Fedora Update System 2013-05-24 18:34:27 UTC
openvpn-2.3.1-3.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/openvpn-2.3.1-3.el6

Comment 14 Fedora Update System 2013-05-24 18:34:46 UTC
openvpn-2.3.1-3.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/openvpn-2.3.1-3.el5

Comment 15 James Juran 2013-05-25 01:34:38 UTC
Wow that was really fast, thank you. openvpn-2.3.1-3.el6 works for me.

Comment 16 Fedora Update System 2013-06-10 17:05:11 UTC
openvpn-2.3.1-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2013-06-10 17:06:48 UTC
openvpn-2.3.1-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Jackie Meese 2013-08-29 23:13:26 UTC
The same problem has appeared in the newest release for EPEL 6, openvpn-2.3.2-1.el6.x86_64

Comment 19 Gwyn Ciesla 2013-08-30 13:57:20 UTC
I see the plugins in their new location, as well as the symlinks, what does rpm -q --verify openvpn give you?

Comment 20 Jackie Meese 2013-08-30 14:16:29 UTC
[root@zuzz /]# rpm -q --verify openvpn
[root@zuzz /]# grep openvpn /var/log/messages
Aug 30 10:14:10 zuzz openvpn[23356]: PLUGIN_INIT: could not load plugin shared object /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so: cannot open shared object file: No such file or directory
Aug 30 10:14:10 zuzz openvpn[23356]: Exiting due to fatal error

So, nothing (log file edited for redundancy, removing earlier attempts)

Comment 21 Gwyn Ciesla 2013-08-30 14:18:47 UTC
What do you see in /usr/share/openvpn/plugin/lib/ ?

Comment 22 Jackie Meese 2013-08-30 15:03:16 UTC
[root@zuzz ~]# ls -alF  /usr/share/openvpn/plugin/lib/
ls: cannot access /usr/share/openvpn/plugin/lib/: No such file or directory
[root@zuzz ~]# rpm -ql openvpn
/etc/openvpn
/etc/rc.d/init.d/openvpn
/usr/lib64/openvpn
/usr/lib64/openvpn/plugin
/usr/lib64/openvpn/plugin/lib
/usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so
/usr/lib64/openvpn/plugin/lib/openvpn-down-root.so
/usr/lib64/openvpn/plugins
/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so
/usr/sbin/openvpn
/usr/share/doc/openvpn-2.3.2
/usr/share/doc/openvpn-2.3.2/AUTHORS
/usr/share/doc/openvpn-2.3.2/COPYING
/usr/share/doc/openvpn-2.3.2/COPYRIGHT.GPL
/usr/share/doc/openvpn-2.3.2/INSTALL
/usr/share/doc/openvpn-2.3.2/PORTS
/usr/share/doc/openvpn-2.3.2/README
/usr/share/doc/openvpn-2.3.2/README.auth-pam
/usr/share/doc/openvpn-2.3.2/README.down-root
/usr/share/doc/openvpn-2.3.2/contrib
/usr/share/doc/openvpn-2.3.2/contrib/OCSP_check
/usr/share/doc/openvpn-2.3.2/contrib/OCSP_check/OCSP_check.sh
/usr/share/doc/openvpn-2.3.2/contrib/README
/usr/share/doc/openvpn-2.3.2/contrib/multilevel-init.patch
/usr/share/doc/openvpn-2.3.2/contrib/openvpn-fwmarkroute-1.00
/usr/share/doc/openvpn-2.3.2/contrib/openvpn-fwmarkroute-1.00/README
/usr/share/doc/openvpn-2.3.2/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
/usr/share/doc/openvpn-2.3.2/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
/usr/share/doc/openvpn-2.3.2/contrib/pull-resolv-conf
/usr/share/doc/openvpn-2.3.2/contrib/pull-resolv-conf/client.down
/usr/share/doc/openvpn-2.3.2/contrib/pull-resolv-conf/client.up
/usr/share/doc/openvpn-2.3.2/sample
/usr/share/doc/openvpn-2.3.2/sample/Makefile
/usr/share/doc/openvpn-2.3.2/sample/Makefile.am
/usr/share/doc/openvpn-2.3.2/sample/Makefile.in
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/README
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/client.conf
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/firewall.sh
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/home.up
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/loopback-client
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/loopback-server
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/office.up
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/openvpn-shutdown.sh
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/openvpn-startup.sh
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/roadwarrior-client.conf
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/roadwarrior-server.conf
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/static-home.conf
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/static-office.conf
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/tls-home.conf
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/tls-office.conf
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/xinetd-client-config
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/xinetd-server-config
/usr/share/doc/openvpn-2.3.2/sample/sample-keys
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/README
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/ca.crt
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/ca.key
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/client.crt
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/client.key
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/dh1024.pem
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/pass.crt
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/pass.key
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/pkcs12.p12
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/server.crt
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/server.key
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/defer
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/defer/README
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/defer/build
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/defer/simple.c
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/defer/simple.def
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/defer/winbuild
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/log
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/log/build
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/log/log.c
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/log/log_v3.c
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/log/winbuild
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/simple
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/simple/README
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/simple/build
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/simple/simple.c
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/simple/simple.def
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/simple/winbuild
/usr/share/doc/openvpn-2.3.2/sample/sample-scripts
/usr/share/doc/openvpn-2.3.2/sample/sample-scripts/auth-pam.pl
/usr/share/doc/openvpn-2.3.2/sample/sample-scripts/bridge-start
/usr/share/doc/openvpn-2.3.2/sample/sample-scripts/bridge-stop
/usr/share/doc/openvpn-2.3.2/sample/sample-scripts/ucn.pl
/usr/share/doc/openvpn-2.3.2/sample/sample-scripts/verify-cn
/usr/share/doc/openvpn-2.3.2/sample/sample-windows
/usr/share/doc/openvpn-2.3.2/sample/sample-windows/sample.ovpn
/usr/share/man/man8/openvpn.8.gz
/usr/share/openvpn
/var/run/openvpn

Comment 23 Gwyn Ciesla 2013-08-30 15:09:11 UTC
Ok, it looks like they're in /usr/lib64, where they should be.  Do you know what's looking for them in /usr/share?

Comment 24 Jackie Meese 2013-09-02 15:31:04 UTC
[root@zuzz sample-config-files]# grep lib /etc/openvpn/server.conf
plugin /usr/share/openvpn/plugin/lib64/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS

So it looks like it was in a file that isn't distributed with the RPM, so it sounds like this bug can be re-closed.

Comment 25 Jackie Meese 2013-09-02 15:31:36 UTC
[root@zuzz sample-config-files]# grep lib /etc/openvpn/server.conf
plugin /usr/share/openvpn/plugin/lib64/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS

So it looks like it was in a file that isn't distributed with the RPM, so it sounds like this bug should be kept closed.
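
The diagnosis worked out in comments 19 to 24 (compare the plugin path named in the config with what is actually on disk) can be scripted and run before restarting the service after an upgrade. This is an added example, not part of the original bug report or of the openvpn package; the function names and the optional ROOT prefix argument are assumptions made for illustration, and quoted paths in the config are not handled.

```shell
#!/bin/sh
# Added example: check that every "plugin" directive in an OpenVPN config
# points at a shared object that exists, and hint at the 2.3 rename.

# Map a 2.2-era plugin path to the renamed 2.3 path described in this bug:
#   .../openvpn/plugin/lib/openvpn-auth-pam.so
#   -> .../openvpn/plugins/openvpn-plugin-auth-pam.so
suggest_new_path() {
    printf '%s\n' "$1" |
        sed 's#/openvpn/plugin/lib/openvpn-\([a-z-]*\)\.so$#/openvpn/plugins/openvpn-plugin-\1.so#'
}

# check_plugin_paths CONFIG [ROOT]
# ROOT is a hypothetical prefix (default: empty) so the check can run against
# an unpacked package tree or chroot instead of the live filesystem.
# Prints one line per plugin directive; fails if any plugin file is missing.
# The body runs in a subshell so its variables do not leak to the caller.
check_plugin_paths() (
    config=$1
    root=${2:-}
    rc=0
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r keyword path rest || [ -n "$keyword" ]; do
        [ "$keyword" = "plugin" ] || continue
        if [ -e "$root$path" ]; then
            echo "OK $path"
            continue
        fi
        rc=1
        new=$(suggest_new_path "$path")
        if [ "$new" != "$path" ] && [ -e "$root$new" ]; then
            echo "MISSING $path (renamed to $new)"
        else
            echo "MISSING $path"
        fi
    done < "$config"
    [ "$rc" -eq 0 ]
)

# Stand-alone use: ./check-plugins.sh /etc/openvpn/server.conf
if [ "$#" -gt 0 ]; then
    check_plugin_paths "$@"
fi
```

A path such as the one in comment 24, which never matched any packaged location, is reported as plain MISSING with no rename hint.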