After moving from Leap to TW local users cannot log in

After moving from Leap 42.3 to TW, using zypper dup, the local users, including root, cannot log in (neither from the console login, ssh, …). Only users that authenticate using Kerberos are allowed to log in.

From the login console, if I try to log in as a local user (or root) I get

User not known to the underlying authentication module.

I regenerated the pam files with pam-config to have a fresh start but still no luck.

The permissions on /etc/passwd and /etc/shadow are

-rw-r--r-- 1 root root May 23 17:03 /etc/passwd

-rw-r----- 1 root shadow 1250 May 23 18:05 /etc/shadow

the content of common-account is

account requisite pam_unix.so debug try_first_pass
account required pam_krb5.som use_frst_pass
account required pam_localuser.so

I can boot adding init=/bin/sh to have root access, but that does not give me access to log files which are not mounted.

Again, this happened after moving from Leap 42.3 to TW, and only to users that authenticate locally (i.e., the passwords are stored in /etc/passwd). This applies to all manner of logins (console, sddm, ssh, su, sudo).

Any help greatly appreciated.

This is getting weirder. I was able to use the console to log in with a local user, but only once. After I logged out, I could not log back in (same message, User not known…). Root still cannot log in.

BTW, it is TW 20180521

At boot, when the Grub menu comes up, press “e” to edit the boot command line. Go down to the line that starts with “linux” (could be just linux, or a derivative that contains linux, depending on your install).
Hit the End-key to get to the end of that line, as it wraps.

At the end of that line, add a space, then add:

init=/bin/sh

Press F10 to continue to a minimal system without needing a password.
Then do:

passwd

You will then be able to create/change the root password.
When you have done that, boot to a root console by rebooting and using the “e” to edit that boot command line again.
This time, at the end of the line, add a space and the numeral 3, press F10 and you will get to a CLI where you can now log in as root.
Log in as root, using your new password, then do:

yast

This will give you an ncurses version of Yast, where you can select the Users controls. In there, check your users, look for anything suspicious, and change the User passwords.

I suggest you use new passwords for all, just to be certain something else has not happened.

  1. There is no pam_krb5.som; the module is called pam_krb5.so.
  2. It is set as “required” - do you have a working Kerberos setup?

-rw-r--r-- 1 root root May 23 17:03 /etc/passwd

That cannot be the output of ls because the size is missing. What is the content of this file?

The problem was with common-account.
For some reason, it had

account requisite pam_unix.so
account required pam_krb5.so

and so when checking a user who did not authenticate via Kerberos (which includes root), the required was the problem.
Replaced
account required pam_krb5.so
with
account sufficient pam_krb5.so
and now everything works fine.

One thing though. When a new version of pam was downloaded, the config script put it back to required. How can I make sure that it stays sufficient? Otherwise, every time there is an upgrade to PAM I have to do this.

BTW, I also discovered that I could still log in as root if I booted into init 1 (rather than init=/bin/sh). It would ask me for the password, but I guess in init 1 PAM is not active, so I could log in.

Thanks for your help.

This is normally managed by pam-config, which does not have an option to use “sufficient”. But pam_krb5 has the option ignore_unknown_principals, which sounds like what you need; pam-config supports this.

Alternatively you could unlink common-account from common-account-pc; this implies that any changes done by the system will be ignored in the future.
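To make the control-flag behaviour behind this thread concrete, here is an added example (not code from the forum posts or from Linux-PAM) that models how libpam walks an account stack: required, requisite, sufficient, optional, and PAM_IGNORE. It runs the two-line common-account from the resolution post, the "sufficient" variant the original poster switched to, and a "required ... ignore_unknown_principals" variant matching the last reply, against constructed module results for a local root user, a Kerberos user, and a Kerberos user whose principal has expired. The per-module return codes are assumptions supplied by hand (a real PAM run gets them from the modules); the model treats ignore_unknown_principals as turning PAM_USER_UNKNOWN into PAM_IGNORE, which is what that pam_krb5 option is for. It also shows a caveat of the "sufficient" fix: a sufficient module's failure is discarded, so a Kerberos account expiry reported by pam_krb5 is no longer enforced, whereas with required plus ignore_unknown_principals it still is.

```python
"""Toy model of how Linux-PAM evaluates an 'account' stack.

Added example; not from the forum thread or from Linux-PAM itself. Module
return codes are constructed by hand for the sample users below.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_ACCT_EXPIRED = "PAM_ACCT_EXPIRED"

# Text libpam prints for each code; PAM_USER_UNKNOWN is the message the OP saw.
STRERROR = {
    PAM_SUCCESS: "Success",
    PAM_USER_UNKNOWN: "User not known to the underlying authentication module",
    PAM_PERM_DENIED: "Permission denied",
    PAM_ACCT_EXPIRED: "User account has expired",
}


def parse_stack(text):
    """Parse common-account style lines into (type, control, module, [args])."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module, *args = line.split()
        stack.append((mtype, control, module, args))
    return stack


def evaluate(stack, module_results):
    """Walk the stack with the classic control flags and return the final code.

    module_results maps module name -> the code that module returns for this
    user. Mirrors libpam's 'impression' bookkeeping: the first failure from a
    required/requisite module wins; a success is only recorded while nothing
    has failed yet.
    """
    impression = None        # None (undefined), "positive" or "negative"
    status = None
    optional_status = None
    for _mtype, control, module, args in stack:
        rc = module_results.get(module, PAM_PERM_DENIED)
        # pam_krb5 ignore_unknown_principals (assumed behaviour, as documented
        # for the option): no principal -> PAM_IGNORE instead of USER_UNKNOWN.
        if module == "pam_krb5.so" and "ignore_unknown_principals" in args \
                and rc == PAM_USER_UNKNOWN:
            rc = PAM_IGNORE
        if rc == PAM_IGNORE:
            continue                       # ignored whatever the control flag
        ok = rc == PAM_SUCCESS
        if control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression, status = "positive", rc
            else:
                if impression != "negative":
                    impression, status = "negative", rc
                if control == "requisite":
                    break                  # requisite failure ends the stack now
        elif control == "sufficient":
            if ok and impression != "negative":
                return PAM_SUCCESS         # success short-circuits the stack
            # a sufficient module's failure is simply dropped
        elif control == "optional":
            if optional_status is None:
                optional_status = rc       # used only if nothing else decides
        else:
            raise ValueError("unsupported control flag: " + control)
    if impression is not None:
        return status
    if optional_status is not None:
        return optional_status
    return PAM_PERM_DENIED


# Constructed module results. Local root has no Kerberos principal; the
# Kerberos users are assumed resolvable via NSS so pam_unix's check passes.
LOCAL_ROOT = {"pam_unix.so": PAM_SUCCESS, "pam_krb5.so": PAM_USER_UNKNOWN}
KERBEROS_USER = {"pam_unix.so": PAM_SUCCESS, "pam_krb5.so": PAM_SUCCESS}
EXPIRED_KERBEROS_USER = {"pam_unix.so": PAM_SUCCESS, "pam_krb5.so": PAM_ACCT_EXPIRED}

# The stack from the resolution post, and the two fixes discussed in the thread.
BROKEN = """account requisite pam_unix.so
account required pam_krb5.so
"""
FIXED_SUFFICIENT = BROKEN.replace("required pam_krb5.so", "sufficient pam_krb5.so")
FIXED_IGNORE = BROKEN.replace("required pam_krb5.so",
                              "required pam_krb5.so ignore_unknown_principals")


def outcome(config, user):
    return evaluate(parse_stack(config), user)


if __name__ == "__main__":
    for name, cfg in [("broken", BROKEN), ("sufficient", FIXED_SUFFICIENT),
                      ("ignore_unknown_principals", FIXED_IGNORE)]:
        for who, res in [("local root", LOCAL_ROOT), ("kerberos user", KERBEROS_USER),
                         ("expired krb5 user", EXPIRED_KERBEROS_USER)]:
            rc = outcome(cfg, res)
            print(f"{name:26} {who:18} -> {rc} ({STRERROR[rc]})")
```

Running it shows the broken stack returning PAM_USER_UNKNOWN for root (the exact console message from the first post) while both fixes let root through; the last row shows why the pam-config route from the previous reply is the safer one, since only the "required ... ignore_unknown_principals" stack still rejects an expired Kerberos account.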