1835666 – pam_usertype fails with `Module is unknown` on the most recent rhel-8.3

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1835666 - pam_usertype fails with `Module is unknown` on the most recent rhel-8.3

Summary: pam_usertype fails with `Module is unknown` on the most recent rhel-8.3

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	pam
Sub Component:
Version:	8.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	urgent
Target Milestone:	rc
Target Release:	8.3
Assignee:	Iker Pedrosa
QA Contact:	sssd-qe
Docs Contact:
URL:
Whiteboard:	sync-to-jira
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-05-14 10:00 UTC by Matej Marušák
Modified:	2020-11-04 01:42 UTC (History)
CC List:	6 users (show)
Fixed In Version:	pam-1.3.1-11.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-11-04 01:41:54 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:4466	0	None	None	None	2020-11-04 01:42:02 UTC

Description Matej Marušák 2020-05-14 10:00:49 UTC

Description of problem:
Rhel gating tests for Cockpit are busted due to not being able to log in. This problem seems to be very recent. Two weeks ago it was working fine.
We can reproduce this easily (even without cockpit) in gating images, but not in our own rhel-8.3 images (a fresh RHEL 8.3 nightly virt-install build from today with the same pam package).

Version-Release number of selected component (if applicable):
systemd-pam-239-30.el8_2.x86_64
pam-1.3.1-10.el8.x86_64


How reproducible:
$ wget http://artifacts.osci.redhat.com/rhel-8.3.0-packages/rhel-pr-pipeline/cockpit/images/rhel-guest-image-8.3.0.qcow2

$ TEST_SUBJECTS=rhel-guest-image-8.3.0.qcow2  TESTS_DEBUG=1  /usr/share/ansible/inventory/standard-inventory-qcow2

$ ssh -p 5200 127.0.0.3 (adjust to the output from previous command)

$ journalctl -r
...
May 14 05:04:40 localhost sshd[4484]: Accepted password for root from 10.0.2.2 port 55876 ssh2
May 14 05:04:38 localhost sshd[4484]: PAM unable to resolve symbol: pam_sm_acct_mgmt
May 14 05:04:38 localhost sshd[4484]: PAM unable to resolve symbol: pam_sm_setcred
May 14 05:04:38 localhost sshd[4484]: PAM unable to resolve symbol: pam_sm_authenticate
May 14 05:04:38 localhost sshd[4484]: PAM unable to resolve symbol: pam_sm_setcred
May 14 05:04:38 localhost sshd[4484]: PAM unable to resolve symbol: pam_sm_authenticate
...

Or just create user and do `sudo - <user>` and you get the same output in journal for `su`.
```
May 14 05:10:12 localhost su[4630]: pam_unix(su-l:session): session closed for user mm
May 14 05:10:03 localhost su[4630]: pam_unix(su-l:session): session opened for user mm by root(uid=0)
May 14 05:10:03 localhost su[4630]: pam_systemd(su-l:session): Cannot create session: Already running in a session or user slice
May 14 05:10:03 localhost su[4630]: (to mm) root on pts/0
May 14 05:10:03 localhost su[4630]: PAM unable to resolve symbol: pam_sm_acct_mgmt
May 14 05:10:03 localhost su[4630]: PAM unable to resolve symbol: pam_sm_setcred
May 14 05:10:03 localhost su[4630]: PAM unable to resolve symbol: pam_sm_authenticate
May 14 05:10:03 localhost su[4630]: PAM unable to resolve symbol: pam_sm_setcred
May 14 05:10:03 localhost su[4630]: PAM unable to resolve symbol: pam_sm_authenticate
May 14 05:09:57 localhost passwd[4625]: pam_unix(passwd:chauthtok): password changed for mm
May 14 05:09:44 localhost useradd[4618]: new user: name=mm, UID=1001, GID=1001, home=/home/mm, shell=/bin/bash
May 14 05:09:44 localhost useradd[4618]: new group: name=mm, GID=1001
```

Cockpit fails with `Module is unknown` error message, which is the same message I get when I just spin up the image and try to log in.


Additional info:

Comment 1 Martin Pitt 2020-05-14 11:50:06 UTC

Bumping priority, as PAM regressions that prevent logging in are quite some blocker. This doesn't happen in our upstream RHEL 8.3 images (pretty much bog standard virt-install from nightly), so I check how the OSCI gatingimage (no idea how it gets built) differs from our's. Both have pam-1.3.1-10.el8.x86_64 and systemd-pam-239-30.el8_2.x86_64 and no other packages matching "*pam*".

But the CI one uses authselect, while our's doesn't. On the broken image:

# cat /etc/authselect/authselect.conf 
sssd

And indeed when I run "authselect select minimal" the failures go away, and they come back after "authselect select sssd". The difference in system-auth:

--- /tmp/system-auth	2020-05-14 07:46:15.740078340 -0400
+++ /etc/pam.d/system-auth	2020-05-14 07:46:19.312122686 -0400
@@ -1,15 +1,24 @@
-# Generated by authselect on Thu May 14 07:46:07 2020
+# Generated by authselect on Thu May 14 07:46:19 2020
 # Do not modify this file manually.
 
 auth        required                                     pam_env.so
 auth        required                                     pam_faildelay.so delay=2000000
+auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
+auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
 auth        sufficient                                   pam_unix.so nullok try_first_pass
+auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
+auth        sufficient                                   pam_sss.so forward_pass
 auth        required                                     pam_deny.so
 
 account     required                                     pam_unix.so
+account     sufficient                                   pam_localuser.so
+account     sufficient                                   pam_usertype.so issystem
+account     [default=bad success=ok user_unknown=ignore] pam_sss.so
+account     required                                     pam_permit.so
 
-password    requisite                                    pam_pwquality.so try_first_pass
+password    requisite                                    pam_pwquality.so try_first_pass local_users_only
 password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password    sufficient                                   pam_sss.so use_authtok
 password    required                                     pam_deny.so
 
 session     optional                                     pam_keyinit.so revoke
@@ -17,3 +26,4 @@
 -session    optional                                     pam_systemd.so
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 session     required                                     pam_unix.so
+session     optional                                     pam_sss.so

Of these, the culprit is pam_usertype -- if I comment out the three lines with it, the failure goes away. pam_usertype.so comes from the pam package itself, so the component is right.

Comment 2 Pavel Březina 2020-05-14 13:30:36 UTC

I updated authselect this week to use pam_usertype so this is what's causing it. AFAIK pam_usertype.so was added in pam-1.3.1-9.el8 and authselect requires it. Can you check that the module is installed in /usr/lib64/security/pam_usertype.so?

Comment 3 Martin Pitt 2020-05-14 17:22:14 UTC

Yes, it does exist, it just seems to misbehave:

/usr/lib64/security/pam_usertype.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=bbcaa4cf56438863069f5517ed2f271cf40af59f, stripped

Comment 4 Pavel Březina 2020-05-15 08:30:25 UTC

Hmm. Same module works on Fedora for some time now. Diff between patch in Fedora and RHEL did not reveal anything that should cause it. I'll prep a machine and try to reproduce it.

Comment 5 Iker Pedrosa 2020-05-15 08:34:19 UTC

Somehow I malformed the patch and I'm fixing it right now, I hope it doesn't take long to spread the new version of pam.

Comment 9 Amith 2020-07-20 07:46:58 UTC

Verified the bug on PAM version: pam-1.3.1-11.el8.x86_64

Steps followed during verification:

1. Reproduce the issue with older pam version ie, pam-1.3.1-10.el8.x86_64

# dnf downgrade pam-1.3.1-10.el8.x86_64.rpm

# rpm -q pam
pam-1.3.1-10.el8.x86_64

2. Add a testuser to system.

$ id testuser
uid=1000(testuser) gid=1000(testuser) groups=1000(testuser)

3. Configure authselect with SSSD profile.

# authselect select --force sssd
# cat /etc/authselect/authselect.conf 
sssd

4. Run "su - testuser" and monitor /vag/log/secure file.

# tail -f /var/log/secure
.
.
Jul 20 03:28:52 martini_r83 su[2966]: PAM unable to resolve symbol: pam_sm_authenticate
Jul 20 03:28:52 martini_r83 su[2966]: PAM unable to resolve symbol: pam_sm_setcred
Jul 20 03:28:52 martini_r83 su[2966]: PAM unable to resolve symbol: pam_sm_acct_mgmt
Jul 20 03:28:52 martini_r83 su[2966]: pam_systemd(su-l:session): Cannot create session: Already running in a session or user slice
Jul 20 03:28:52 martini_r83 su[2966]: pam_unix(su-l:session): session opened for user testuser by root(uid=0)
Jul 20 03:29:12 martini_r83 su[2966]: pam_unix(su-l:session): session closed for user testuser
.
.

5. Observe the pam errors, these should not be preset.

6. Upgrade pam to latest version : pam-1.3.1-11.el8.x86_64

7. Repeat step(4).

Jul 20 03:31:33 martini_r83 su[3083]: pam_systemd(su-l:session): Cannot create session: Already running in a session or user slice
Jul 20 03:31:33 martini_r83 su[3083]: pam_unix(su-l:session): session opened for user testuser by root(uid=0)


8. With the latest build, the pam errors disappear.

Comment 12 errata-xmlrpc 2020-11-04 01:41:54 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pam bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4466

Note You need to log in before you can comment on or make changes to this bug.