Mandriva Linux Archives: cooker@mandrivalinux.org


Hi

On Tue, May 20, 2008 at 10:57 AM, Olivier Blin <blino@mandriva.com> wrote:
> "Gustavo De Nardin (spuk)" <gustavodn@mandriva.com> writes:
>
>> * Moreno <moreno.mg@gmail.com> [2008-05-20 08:37 +0200]:
>>> Hi
>>>
>>> On Tue, May 20, 2008 at 8:01 AM, Moreno <moreno.mg@gmail.com> wrote:
>>> > Hi
>>> >
>>> > After the daily update of my Cooker machine all attempts to make a login fail.
>>>
>>> The problem is that urpmi installed the packages and generated 2
>>> rpmnew files but did not signal this.
>>>
>>> I have replaced the /etc/login-def and /etc/pam.d/system-auth files
>>> with the .rpmnew files and everything returned to working normally.
>>
>> Do you have msec installed? See
>> <https://qa.mandriva.com/show_bug.cgi?id=29719>.
>
> That's not strictly related to msec, other config tools can modify pam
> config files.
>
> But is it normal that pam_unix does not work anymore in the config
> file? In the initial plan, it was said that pam_tcb was backwards
> compatible with pam_unix, it does not seem to be the case...
>
> Anyway, I don't think we should force migration to pam_tcb in %post,
> there's no real reason to handle .rpmnew files differently in this
> package if pam_tcb is backwards compatible as you claim.
>
> --
> Olivier Blin (blino) - Mandriva
>

These are my configuration files:



/etc/login-def.old NOT WORKING

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR	Maildir
MAIL_DIR	/var/spool/mail
#MAIL_FILE	.mail

# Password aging controls:
#
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_MIN_LEN	Minimum acceptable password length.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS	0
PASS_MIN_LEN	5
PASS_WARN_AGE	7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN			  500
UID_MAX			60000

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN			  500
GID_MAX			60000

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD	/usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is ORed with the -m flag on
# useradd command line.
#
CREATE_HOME	yes



/etc/pam.d/system-auth.old NOT WORKING

#%PAM-1.0

auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass likeauth nullok
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     required      pam_deny.so

password    required      pam_cracklib.so try_first_pass retry=3 minlen=2  dcredit=0  ucredit=0
password    sufficient    pam_unix.so try_first_pass use_authtok nullok md5 shadow
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so



/etc/login-def WORKING

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR	Maildir
MAIL_DIR	/var/spool/mail
#MAIL_FILE	.mail

# Password aging controls:
#
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_MIN_LEN	Minimum acceptable password length.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
#
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_MIN_LEN	5
PASS_WARN_AGE	7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN			  500
UID_MAX			60000

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN			  500
GID_MAX			60000

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD	/usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is ORed with the -m flag on
# useradd command line.
#
CREATE_HOME	yes

#
# The password hashing method and iteration count to use for group
# passwords that may be set with gpasswd(1).
#
CRYPT_PREFIX            $2a$
CRYPT_ROUNDS            8

#
# Whether to use tcb password shadowing scheme.  Use 'yes' if using
# tcb and 'no' if using /etc/shadow
#
USE_TCB                 no

#
# Whether newly created tcb-style shadow files should be readable by
# group "auth".
#
TCB_AUTH_GROUP          yes

#
# Whether useradd should create symlinks rather than directories under
# /etc/tcb for newly created accounts with UIDs over 1000.  See tcb(5)
# for information on why this may be needed.
#
TCB_SYMLINKS            no



/etc/pam.d/system-auth  WORKING

#%PAM-1.0

auth        required      pam_env.so
auth        sufficient    pam_tcb.so shadow fork nullok prefix=$2a$ count=8
auth        required      pam_deny.so

account     required      pam_tcb.so shadow fork

password    required      pam_cracklib.so try_first_pass retry=3 minlen=2  dcredit=0  ucredit=0
password    sufficient    pam_tcb.so use_authtok shadow write_to=shadow fork nullok prefix=$2a$ count=8
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_tcb.so



Bye Bye, Moreno
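
Added example, not part of the original message or of Mandriva's tooling: a small Python check that compares a PAM file with its .rpmnew counterpart and lists, per management group, which modules were dropped or introduced, so a pam_unix to pam_tcb switch like the one above is visible before the .rpmnew file is merged. The sample strings are constructed, abridged copies of the two system-auth files quoted above, and the function names are illustrative.

```python
import re

# Constructed, abridged copies of the two system-auth files quoted above.
OLD_PAM = """\
#%PAM-1.0
auth        sufficient    pam_unix.so try_first_pass likeauth nullok
auth        required      pam_deny.so
account     sufficient    pam_unix.so
account     required      pam_deny.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
"""
NEW_PAM = """\
#%PAM-1.0
auth        sufficient    pam_tcb.so shadow fork nullok prefix=$2a$ count=8
auth        required      pam_deny.so
account     required      pam_tcb.so shadow fork
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_tcb.so
"""

# type, control (plain word or [bracketed] form), module, optional arguments
RULE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return {type: [(control, module, args), ...]} preserving stack order."""
    stacks = {}
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE.match(line)
        if not m:  # e.g. the tail of a rule that a mail client wrapped
            raise ValueError(f"not a PAM rule: {raw!r}")
        kind, control, module, args = m.groups()
        stacks.setdefault(kind, []).append((control, module, args.split()))
    return stacks

def module_changes(old_text, new_text):
    """Per type: (modules only in the old stack, modules only in the new)."""
    old, new = parse_pam(old_text), parse_pam(new_text)
    report = {}
    for kind in sorted(set(old) | set(new)):
        before = {mod for _, mod, _ in old.get(kind, [])}
        after = {mod for _, mod, _ in new.get(kind, [])}
        if before != after:
            report[kind] = (sorted(before - after), sorted(after - before))
    return report
```

The parser rejects a line that does not start with a PAM management group, which is what the wrapped fragments of a mail-quoted config look like if they are pasted back into a file unchanged.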


