systemd error: "PAM _pam_load_conf_file: unable to open config for system-auth"; ref: issue #6038

I run


    lsb_release -rd
        Description:    openSUSE Leap 15.0
        Release:        15.0

Working on some systemd unit file troubleshooting, I see in logs


    Oct 19 08:13:01 thanos systemd[63844]: PAM _pam_load_conf_file: unable to open config for system-auth
    Oct 19 08:13:01 thanos systemd[63844]: PAM _pam_load_conf_file: unable to open config for system-auth
    Oct 19 08:13:01 thanos systemd[63844]: user@30.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted

That error is seen here


    user@32.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted #6038
     https://github.com/systemd/systemd/issues/6038

Checking default, currently installed,


    rpm -ql systemd-234 | grep pam.d/system
        /etc/pam.d/systemd-user
        /usr/share/factory/etc/pam.d/system-auth


    ls -al \
     /etc/pam.d/systemd-user \
     /usr/share/factory/etc/pam.d/system-auth


        -rw-r--r-- 1 root root 220 Jul 27 03:21 /etc/pam.d/systemd-user
        -rw-r--r-- 1 root root 340 Jul 27 03:21 /usr/share/factory/etc/pam.d/system-auth


    cat /etc/pam.d/systemd-user
        # This file is part of systemd.
        #
        # Used by systemd --user instances.


        account  include common-account


        session  required pam_selinux.so close
        session  required pam_selinux.so nottys open
        session  include common-session


    cat  /usr/share/factory/etc/pam.d/system-auth
        # This file is part of systemd.


        auth     sufficient pam_unix.so nullok try_first_pass


        account  required   pam_nologin.so
        account  sufficient pam_unix.so


        password sufficient pam_unix.so nullok sha512 shadow try_first_pass try_authtok


        -session optional   pam_loginuid.so
        -session optional   pam_systemd.so
        session  sufficient pam_unix.so

OTOH, suggested from the bug report


    cat /etc/pam.d/systemd-user
        account include system-auth
        session include system-auth
        session optional pam_keyinit.so force revoke
        session optional pam_systemd.so


    cat /etc/pam.d/system-auth
        auth required pam_env.so
        auth required pam_unix.so try_first_pass likeauth nullok
        auth optional pam_permit.so
        account required pam_unix.so
        account optional pam_permit.so

Is that “unable to open config for system-auth” occurring due to the lack of the system-auth entries in systemd-user?

It’s unclear why the location of system-auth is different, or if it’s required.

What needs to be added/changed in my config?

Or is this a ‘bug’ in Leap’s systemd packaging?
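As an added example (not part of the original post, and not code from systemd or openSUSE): a POSIX shell function that lists every `include`/`substack` line under a PAM directory whose target file is absent, one condition under which PAM cannot open a config such as system-auth. The function name `pam_missing_includes` is hypothetical, and it assumes targets are looked up only in the directory given.

```shell
#!/bin/sh
# Added example: report PAM "include"/"substack" lines whose target file
# does not exist. Assumption: targets are looked up only in DIR (default
# /etc/pam.d) unless given as an absolute path; file names have no spaces.
pam_missing_includes() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Fields are: type control target. Skip comments and short lines.
        awk -v file="$f" '
            $1 ~ /^#/ || NF < 3 { next }
            $2 == "include" || $2 == "substack" { print file, $1, $2, $3 }
        ' "$f"
    done | while read -r file type ctl target; do
        case $target in
            /*) path=$target ;;        # absolute path is used as given
            *)  path=$dir/$target ;;   # otherwise relative to DIR
        esac
        [ -e "$path" ] ||
            printf '%s: %s %s %s (file not found)\n' \
                "$file" "$type" "$ctl" "$target"
    done
}

# Constructed sample: the systemd-user file suggested in the bug report,
# placed in a scratch directory that contains no system-auth.
demo=$(mktemp -d)
cat > "$demo/systemd-user" <<'EOF'
account include system-auth
session include system-auth
session optional pam_keyinit.so force revoke
session optional pam_systemd.so
EOF
pam_missing_includes "$demo"
rm -rf "$demo"
```

Called with no argument, the function checks /etc/pam.d.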

“user@30.service”
Which user is this in your system?
In my Leap 15 it is “wwwrun”, the Apache user.
Any other trouble besides the log entries?

Hendrik

Here too, being used for nginx though:

    grep 30 /etc/passwd
        wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false

Yes. My nsd4 service isn’t starting after some system startups. Usually? after logrotate … Investigating further.

Is that the cause of, or even related to, the pam.d business? Don’t think so.

There’s also this bug:

https://github.com/coreos/bugs/issues/1498

Did you try the workaround there? (systemctl reset-failed)

Besides that, I suggest checking security frameworks like AppArmor.

Hendrik