Hi,
I tried to update a 5.0-9 errata1212 primary controller in a test environment to 5.2.
The pre-update checks ran fine, but the univention-upgrade script stopped due to a return (1) by dpkg while processing libpam-modules_1.4.0-9+deb11u1A~5.1.0.202303221546_amd64.deb.
Error message from updater.log:
Preparing to unpack .../libpam-modules_1.4.0-9+deb11u1A~5.1.0.202303221546_amd64.deb ...
Configuring libpam-modules
--------------------------
you are using pam_tally or pam_tally2 in your configuration
The pam_tally and pam_tally2 modules have been removed from PAM. You are
using one of these modules in your PAM configuration in /etc/pam.d. You must
remove the uses of these modules before PAM can be upgraded; including these
modules in your PAM configuration after the upgrade will stop users from
being able to log into the system.
Consider the pam_faillock module as a replacement for pam_tally.
dpkg: error processing archive /var/cache/apt/archives/libpam-modules_1.4.0-9+deb11u1A~5.1.0.202303221546_amd64.deb (--unpack):
new libpam-modules:amd64 package pre-installation script subprocess returned error exit status 2
Errors were encountered while processing:
/var/cache/apt/archives/libpam-modules_1.4.0-9+deb11u1A~5.1.0.202303221546_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
Error: Failed to execute "apt-get -o DPkg::Options::=--force-confold -o DPkg::Options::=--force-overwrite -o DPkg::Options::=--force-overwrite-dir --trivial-only=no --assume-yes --quiet=1 dist-upgrade"
exitcode of univention-updater: 1
ERROR: update failed. Please check /var/log/univention/updater.log
The mentioned modules are required by the following files:
/etc/pam.d/common-account:11:account required pam_tally.so
/etc/pam.d/univention-management-console:9:# /etc/univention/templates/files/etc/pam.d/univention-management-console.d/30_tally
/etc/pam.d/univention-management-console:19:auth required pam_tally.so per_user deny=5
/etc/pam.d/univention-management-console:22:account required pam_tally.so
/etc/pam.d/common-auth:14:auth required pam_tally.so per_user deny=5
/etc/pam.d/common-auth-nowrite:12:auth required pam_tally.so per_user deny=5
The underlying problem seems to be inside of the following file:
/etc/univention/templates/files/etc/pam.d/univention-management-console.d/30_tally
@!@
if configRegistry.is_true('auth/faillog', False):
    tally_option = 'per_user deny=%s' % configRegistry.get('auth/faillog/limit', '5')
    if configRegistry.is_true('auth/faillog/root', False):
        tally_option += ' even_deny_root_account'
    if configRegistry.get('auth/faillog/unlock_time', '0') != '0':
        tally_option += ' unlock_time=%s' % configRegistry.get('auth/faillog/unlock_time')
    if configRegistry.is_true('auth/faillog/lock_global', False):
        print('auth [success=1 user_unknown=1 default=bad] pam_tally.so %s' % tally_option)
        print('auth [default=die] pam_runasroot.so program=/usr/lib/univention-pam/lock-user')
    else:
        print('auth required pam_tally.so %s' % tally_option)
@!@
@!@
if configRegistry.is_true('auth/faillog', False):
    print('account required pam_tally.so')
@!@
After unsetting auth/faillog the upgrade process ran fine.
Please consider a pre-update check for this case.
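
One way the pre-update check requested above could look, as an added example that is not part of the original post and not Univention's code. The function names are hypothetical and the sample directory is constructed from the grep output in the post; commented-out references (like the template path comment in univention-management-console) are ignored, only active rules are reported.

```shell
#!/bin/sh
# Added example (hypothetical pre-update check, not Univention's code).

# Print "file:line:rule" for each active PAM rule under DIR that loads
# pam_tally.so or pam_tally2.so; return 1 when there is none.
find_pam_tally() {
    dir=${1:-/etc/pam.d}
    hits=$(
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            awk -v pat='[ \t/]pam_tally2?[.]so[ \t]' '
                # PAM ignores everything after "#"; pad so the module
                # name is always delimited on both sides.
                { rule = " " $0; sub(/#.*/, "", rule); rule = rule " " }
                rule ~ pat { print FILENAME ":" FNR ":" $0 }
            ' "$f"
        done
    )
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Return 1 before any package is unpacked if a rule would make the
# libpam-modules pre-installation script abort.
preup_check_pam_tally() {
    if found=$(find_pam_tally "$1"); then
        echo "ERROR: pam_tally is still referenced:" >&2
        printf '%s\n' "$found" >&2
        echo "Unset auth/faillog or switch to pam_faillock, then retry." >&2
        return 1
    fi
}

# Constructed sample directory modelled on the grep output in the post.
demo_dir=$(mktemp -d)
cat > "$demo_dir/common-auth" <<'EOF'
# constructed sample
auth required pam_tally.so per_user deny=5
auth sufficient pam_unix.so
EOF
cat > "$demo_dir/univention-management-console" <<'EOF'
# /etc/univention/templates/files/etc/pam.d/univention-management-console.d/30_tally
account required pam_unix.so  # formerly pam_tally.so
EOF
find_pam_tally "$demo_dir" || true   # prints only the common-auth rule
rm -rf "$demo_dir"
```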