Thread: After moving from Leap to TW local users cannot login

  1. #1


    After moving from Leap 42.3 to TW, using zypper dup, the local users, including root, cannot log in (neither from console login, ssh, ...). Only users that authenticate using Kerberos are allowed to log in.

    From the login console, if I try to log in as a local user (or root) I get

    User not known to the underlying authentication module.

    I regenerated the pam files with pam-config to have a fresh start but still no luck.

    The permissions on /etc/passwd and /etc/shadow are

    -rw-r--r-- 1 root root May 23 17:03 /etc/passwd

    -rw-r----- 1 root shadown 1250 May 23 18:05 /etc/shadow

    the content of common-account is

    account requisite pam_unix.so debug try_first_pass
    account required pam_krb5.som use_frst_pass
    account required pam_localuser.so

    I can boot adding init=/bin/sh to have root access, but that does not give me access to log files which are not mounted.

    Again, this happened after moving from Leap 42.3 to TW, and only to users that authenticate locally (i.e., the passwd are stored in /etc/passwd). This applies to all manner of logins (console, sddm, ssh, su, sudo).

    Any help greatly appreciated.

  2. #2

    This is getting weirder. I was able to use the console to log in with a local user, but only once. After I logged out, I could not log back in (same message User not known...). Root still cannot log in.

    BTW, it is TW 20180521

  3. #3

    At boot, when the Grub menu comes up, press "e" to edit the boot command line. Go down to the line that starts with "linux" (could be just linux, or a derivative that contains linux, depending on your install).
    Hit the End-key to get to the end of that line, as it wraps.

    At the end of that line, add a space, then add:
    Code:
    init=/bin/sh
    Press F10 to continue to a minimal system without need for a password.
    Then do:
    Code:
    passwd
    You will then be able to create/change the root password.
    When you have done that, boot to a root console by rebooting and using the "e" to edit that boot command line again.
    This time, at the end of the line, add a space and the numeral 3, press F10 and you will get to a CLI where you can now log in as root.
    Log in as root, using your new password, then do:
    Code:
    yast
    This will give you an ncurses version of YaST, where you can select the Users controls. In there, check your users, look for anything suspicious, and change the User passwords.

    I suggest you use new passwords for all, just to be certain something else has not happened.
    Last edited by Fraser_Bell; 24-May-2018 at 16:58. Reason: typo

  4. #4

    Originally posted by ascotti:
    the content of common-account is

    account requisite pam_unix.so debug try_first_pass
    account required pam_krb5.som use_frst_pass

    1. There is no pam_krb5.som; the module is called pam_krb5.so.
    2. It is set as "required" - do you have a working Kerberos setup?

    Originally posted by ascotti:
    -rw-r--r-- 1 root root May 23 17:03 /etc/passwd

    That cannot be the output of ls because the size is missing. What is the content of this file?

  5. #5


    The problem was with common-account.
    For some reason, it had

    account requisite pam_unix.so
    account required pam_krb5.so

    and so when checking with a user who did not authenticate via Kerberos (which includes root), the required was the problem.
    Replaced
    account required pam_krb5.so
    with
    account sufficient pam_krb5.so
    and now everything works fine.

    One thing though. When a new version of pam was downloaded, the config script put it back as required. How can I make sure that it stays sufficient? Otherwise, every time there is an upgrade to PAM I have to do this.

    BTW, I also discovered that I could still log in as root if I booted in init 1 (rather than init=/bin/sh). It would ask me the passwd, but I guess in init 1 PAM is not active, so I could log in.

    Thanks for your help.

  6. #6

    Originally posted by ascotti:
    One thing though. When a new version of pam was downloaded, the config script put it back as required. How can I make sure that it stays sufficient?

    This is normally managed by pam-config, which does not have an option to use "sufficient". But pam_krb5 has the option ignore_unknown_principals, which sounds like what you need; pam-config supports this.

    Alternatively you could unlink common-account from common-account-pc; this implies that any changes done by the system will be ignored in the future.
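
The thread's diagnosis can be turned into a check to run after each PAM update. The script below is an added example, not part of any post: it reads an account stack on stdin and reports a misspelled module name or a required/requisite pam_krb5.so line that lacks ignore_unknown_principals. The function name, the output codes and the three sample stacks are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a PAM "account" stack read from stdin for the two
# problems raised in this thread. Output codes are made up for this sketch.
lint_pam_account() {
    while read -r kind control module opts || [ -n "$kind" ]; do
        # Only plain "account" lines; comments and other stacks are skipped.
        [ "$kind" = account ] || continue
        # Bracketed controls ([success=1 ...]) are not evaluated here.
        case $control in '['*) continue ;; esac
        module=${module##*/}            # accept absolute module paths
        case $module in
            *.so) ;;
            *) echo "BAD_MODULE $module"; continue ;;
        esac
        [ "$module" = pam_krb5.so ] || continue
        case $control in
            required|requisite)
                # Per the thread, this line rejects accounts that do not
                # authenticate via Kerberos (root included) unless the
                # option below is set. Options must be space-separated.
                case " $opts " in
                    *" ignore_unknown_principals "*) ;;
                    *) echo "KRB5_BLOCKS_LOCAL $control" ;;
                esac ;;
        esac
    done
    return 0
}

# Constructed samples modelled on the stacks quoted in the thread.
AS_POSTED='account requisite pam_unix.so debug try_first_pass
account required pam_krb5.som use_frst_pass
account required pam_localuser.so'
REGENERATED='account requisite pam_unix.so
account required pam_krb5.so'
WITH_OPTION='account requisite pam_unix.so
account required pam_krb5.so ignore_unknown_principals'

for sample in "$AS_POSTED" "$REGENERATED" "$WITH_OPTION"; do
    printf '%s\n' "$sample" | lint_pam_account
    echo "--"
done
```

On a live system the same function can be fed the real file: `lint_pam_account < /etc/pam.d/common-account`.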
