Bug 966373 - After update, the pam auth module .so-file is missing. Configurations using pam auth fails after upgrade
After update, the pam auth module .so-file is missing. Configurations using p...
Status: CLOSED ERRATA
Product: Fedora EPEL
Classification: Fedora
Component: openvpn (Show other bugs)
el6
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Steven Pritchard
Fedora Extras Quality Assurance
:
: 966824 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-23 04:04 EDT by David Björkevik
Modified: 2013-09-02 11:31 EDT (History)
8 users (show)

See Also:
Fixed In Version: openvpn-2.3.1-3.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-10 13:05:11 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Björkevik 2013-05-23 04:04:00 EDT
Description of problem:


Version-Release number of selected component (if applicable):
openvpn-2.3.1-1.el6.x86_64

Steps to Reproduce:
1. Have a working openvpn 2.2 configuration with a line in the config line like:

plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so sshd

2. Upgrade to version 2.3.1-1

3. service openvpn start

Actual results:
[ERROR]

Expected results:
[OK]

Additional info:

The file /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so no longer exists and openvpn won't start
Comment 1 Gwyn Ciesla 2013-05-23 09:25:14 EDT
It's now supposed to be at:

/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so

But is missing.  I'll get an update out.
Comment 2 Fedora Update System 2013-05-23 10:45:26 EDT
openvpn-2.3.1-2.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/openvpn-2.3.1-2.el5
Comment 3 Fedora Update System 2013-05-23 10:45:47 EDT
openvpn-2.3.1-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/openvpn-2.3.1-2.el6
Comment 4 Michael Lampe 2013-05-23 14:07:33 EDT
These plugins should still be in the old place, because you are breaking existing installations -- mine for example.

I agree that the new path is nicer, but if EPEL mimics RHEL, this will have to wait until EL7.
Comment 5 Gwyn Ciesla 2013-05-23 14:36:05 EDT
Not simply the path, but the filename has changed as well.  If you can try a symlink from the old name and path to the new, and confirm that it works, I'll include that.
Comment 6 Michael Lampe 2013-05-23 15:01:50 EDT
I'd rather change my configuration.

Point is that EPEL behaves very much _unlike_ RHEL here.

With RHEL, you just do "yum update" and you are set. No surprises -- OK, major updates can have some.

OpenVPN not working after this update caught me unexpected and somehow pissed.

Why do we need new paths/names? The old ones are as good as everything.

Consistency is the difference between Fedora and RHEL (to which I would like to add EPEL).
Comment 7 Fedora Update System 2013-05-23 15:43:54 EDT
Package openvpn-2.3.1-2.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing openvpn-2.3.1-2.el5'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5907/openvpn-2.3.1-2.el5
then log in and leave karma (feedback).
Comment 8 Gwyn Ciesla 2013-05-23 15:50:28 EDT
I'm not sure, you'd have to ask upstream.  The only reason I updated to 2.3.1 in EPEL at all was the CVE.  WRT consistency, EPEL aims for RHEL's consistency, but doesn't completely acheive it, being a volunteer organization like Fedora.  We do our best.  Caught between changes and CVEs, I tend to err on the side of fixing CVEs.
Comment 9 Michael Lampe 2013-05-23 17:18:22 EDT
Fair enough. But then: I can rebuild the original Fedora RPMs myself. What do I need EPEL for?

Wasn't there a simple patch for this CVE? RHEL would have fixed it that way.

But hey! RHEL doesn't even provide openvpn.
Comment 10 Gwyn Ciesla 2013-05-24 08:14:55 EDT
*** Bug 966824 has been marked as a duplicate of this bug. ***
Comment 11 James Juran 2013-05-24 13:57:17 EDT
Jon,

Thank you for doing this update. I ran into the missing plugin issue with the openvpn-down-root.so plugin. I have to agree with Michael that moving the plugins in an update causes big problems. As you requested, I confirmed that a symlink to the old directory and plugin name makes my existing configuration work. If you can add a patch to put them back in their old place for at least el6 and below I would greatly appreciate it.
Comment 12 Gwyn Ciesla 2013-05-24 14:14:41 EDT
Ok, thanks, I'll get that out ASAP.
Comment 13 Fedora Update System 2013-05-24 14:34:27 EDT
openvpn-2.3.1-3.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/openvpn-2.3.1-3.el6
Comment 14 Fedora Update System 2013-05-24 14:34:46 EDT
openvpn-2.3.1-3.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/openvpn-2.3.1-3.el5
Comment 15 James Juran 2013-05-24 21:34:38 EDT
Wow that was really fast, thank you. openvpn-2.3.1-3.el6 works for me.
Comment 16 Fedora Update System 2013-06-10 13:05:11 EDT
openvpn-2.3.1-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2013-06-10 13:06:48 EDT
openvpn-2.3.1-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Jackie Meese 2013-08-29 19:13:26 EDT
The same problem has appeared in the newest release for EPEL 6, openvpn-2.3.2-1.el6.x86_64
Comment 19 Gwyn Ciesla 2013-08-30 09:57:20 EDT
I see the plugins in their new location, as well as the symlinks, what does rpm -q --verify openvpn give you?
Comment 20 Jackie Meese 2013-08-30 10:16:29 EDT
[root@zuzz /]# rpm -q --verify openvpn
[root@zuzz /]# grep openvpn /var/log/messages
Aug 30 10:14:10 zuzz openvpn[23356]: PLUGIN_INIT: could not load plugin shared object /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so: cannot open shared object file: No such file or directory
Aug 30 10:14:10 zuzz openvpn[23356]: Exiting due to fatal error

So, nothing (log file edited for redundancy, removing earlier attempts)
Comment 21 Gwyn Ciesla 2013-08-30 10:18:47 EDT
What do you see in /usr/share/openvpn/plugin/lib/ ?
Comment 22 Jackie Meese 2013-08-30 11:03:16 EDT
[root@zuzz ~]# ls -alF  /usr/share/openvpn/plugin/lib/
ls: cannot access /usr/share/openvpn/plugin/lib/: No such file or directory
[root@zuzz ~]# rpm -ql openvpn
/etc/openvpn
/etc/rc.d/init.d/openvpn
/usr/lib64/openvpn
/usr/lib64/openvpn/plugin
/usr/lib64/openvpn/plugin/lib
/usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so
/usr/lib64/openvpn/plugin/lib/openvpn-down-root.so
/usr/lib64/openvpn/plugins
/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so
/usr/sbin/openvpn
/usr/share/doc/openvpn-2.3.2
/usr/share/doc/openvpn-2.3.2/AUTHORS
/usr/share/doc/openvpn-2.3.2/COPYING
/usr/share/doc/openvpn-2.3.2/COPYRIGHT.GPL
/usr/share/doc/openvpn-2.3.2/INSTALL
/usr/share/doc/openvpn-2.3.2/PORTS
/usr/share/doc/openvpn-2.3.2/README
/usr/share/doc/openvpn-2.3.2/README.auth-pam
/usr/share/doc/openvpn-2.3.2/README.down-root
/usr/share/doc/openvpn-2.3.2/contrib
/usr/share/doc/openvpn-2.3.2/contrib/OCSP_check
/usr/share/doc/openvpn-2.3.2/contrib/OCSP_check/OCSP_check.sh
/usr/share/doc/openvpn-2.3.2/contrib/README
/usr/share/doc/openvpn-2.3.2/contrib/multilevel-init.patch
/usr/share/doc/openvpn-2.3.2/contrib/openvpn-fwmarkroute-1.00
/usr/share/doc/openvpn-2.3.2/contrib/openvpn-fwmarkroute-1.00/README
/usr/share/doc/openvpn-2.3.2/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
/usr/share/doc/openvpn-2.3.2/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
/usr/share/doc/openvpn-2.3.2/contrib/pull-resolv-conf
/usr/share/doc/openvpn-2.3.2/contrib/pull-resolv-conf/client.down
/usr/share/doc/openvpn-2.3.2/contrib/pull-resolv-conf/client.up
/usr/share/doc/openvpn-2.3.2/sample
/usr/share/doc/openvpn-2.3.2/sample/Makefile
/usr/share/doc/openvpn-2.3.2/sample/Makefile.am
/usr/share/doc/openvpn-2.3.2/sample/Makefile.in
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/README
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/client.conf
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/firewall.sh
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/home.up
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/loopback-client
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/loopback-server
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/office.up
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/openvpn-shutdown.sh
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/openvpn-startup.sh
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/roadwarrior-client.conf
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/roadwarrior-server.conf
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/static-home.conf
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/static-office.conf
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/tls-home.conf
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/tls-office.conf
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/xinetd-client-config
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files/xinetd-server-config
/usr/share/doc/openvpn-2.3.2/sample/sample-keys
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/README
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/ca.crt
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/ca.key
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/client.crt
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/client.key
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/dh1024.pem
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/pass.crt
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/pass.key
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/pkcs12.p12
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/server.crt
/usr/share/doc/openvpn-2.3.2/sample/sample-keys/server.key
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/defer
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/defer/README
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/defer/build
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/defer/simple.c
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/defer/simple.def
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/defer/winbuild
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/log
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/log/build
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/log/log.c
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/log/log_v3.c
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/log/winbuild
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/simple
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/simple/README
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/simple/build
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/simple/simple.c
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/simple/simple.def
/usr/share/doc/openvpn-2.3.2/sample/sample-plugins/simple/winbuild
/usr/share/doc/openvpn-2.3.2/sample/sample-scripts
/usr/share/doc/openvpn-2.3.2/sample/sample-scripts/auth-pam.pl
/usr/share/doc/openvpn-2.3.2/sample/sample-scripts/bridge-start
/usr/share/doc/openvpn-2.3.2/sample/sample-scripts/bridge-stop
/usr/share/doc/openvpn-2.3.2/sample/sample-scripts/ucn.pl
/usr/share/doc/openvpn-2.3.2/sample/sample-scripts/verify-cn
/usr/share/doc/openvpn-2.3.2/sample/sample-windows
/usr/share/doc/openvpn-2.3.2/sample/sample-windows/sample.ovpn
/usr/share/man/man8/openvpn.8.gz
/usr/share/openvpn
/var/run/openvpn
Comment 23 Gwyn Ciesla 2013-08-30 11:09:11 EDT
Ok, it looks like there's in /usr/lib64, where they should be.  Do you know what's looking for them in /usr/share?
Comment 24 Jackie Meese 2013-09-02 11:31:04 EDT
[root@zuzz sample-config-files]# grep lib /etc/openvpn/server.conf
plugin /usr/share/openvpn/plugin/lib64/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS

So it looks like it was in a file that isn't distributed with the RPM, so it sounds like this bug can be re-closed.
Comment 25 Jackie Meese 2013-09-02 11:31:36 EDT
[root@zuzz sample-config-files]# grep lib /etc/openvpn/server.conf
plugin /usr/share/openvpn/plugin/lib64/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS

So it looks like it was in a file that isn't distributed with the RPM, so it sounds like this bug should be kept closed.

Note You need to log in before you can comment on or make changes to this bug.