LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices

Reply
 
Search this Thread
Old 09-23-2006, 08:09 PM   #1
JWilliamCupp
Member
 
Registered: Jul 2005
Location: Indiana, U.S.A.
Distribution: Fedora
Posts: 32

Rep: Reputation: 15
No Users Can Log In; Only Root Can


Can't Log In to Linux

I have Fedora Core 5 and at some point in the past few weeks something has changed, to the effect that normal users cannot log in.
(Possibly, something done by a yum update caused this; I was chasing another problem at the time* and cannot be more specific about the source of the trouble.)
I found a detailed discussion on Tech Republic but no resolution to that person's problems. My symptoms are identical:

Root can log it both on GUI or command line. No user other than root can log in.
On a GUI log in attempt, an "Authentication failed" error box pops up. On command line, the error message "Error in service module" appears, very briefly, and the command line interface clears to the next log in attempt.
Interestingly, at the command line the response differs for a valid verus and invalid password attempt:
For the username's valid password, the "Error in service module" appears briefly then the login screen resets to a first-log in attempt.
For the username's password entered incorrectly, "Incorrect password" appears, does not blank and a new login attempt is presented.
It looks like something in the system recognizes the correct password -- but it does not permit login.

Other discussion have revolved around SELinux versus PAM. I have SELinux set to Disabled. It has been that way for a long time, and I don't think it has anything to do with this problem.

Entering the command: # tail -100 /var/log/messages reveals that
QUOTE
[pam_winbind] request failed, but PAM error 0!
[pam_winbind] internal module error (retval = 3, user = 'username')
UNQUOTE
appears at each attempted login (with the username's correct password.

Interestingly, I have a CRON job with fired off within the time period of the tail end of the logfile, and
QUOTE
[crond] Error in service module
[crond] CRON (username) ERROR: failed to open PAM security session: Success
[crond] CRON (username) ERROR: cannot set security context
UNQUOTE
appears within the last couple of lines of the logfile.

The other discussion suggested using 'trace' (or 'strace') to get a dump on what's happening to the command
# su - username
but it seems my system does not have either trace or strace installed.

Here is my /etc/pam.d/login file:
#%PAM-1.0
auth required pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so open
just now copied off my system.

I have tried creating testusers, and the results are the same.

I can (and have) modified the user accounts either from the GUI User Manager, or by setting passwords from command line passwd. From everthing I can tell, it seems all the changes are being entered properly. That is, the /etc/passwd and the /etc/shadow files both seem to be in order. (Changes can be detected in these file when entered in User Manager, and so on.)

Does anyone have any idea what might be going wrong here? Thanks,

- Bill

(P.S. * That "other problem" was that the message bus took over ten minutes to start on boot up, and essentially the Power Manager utility really prevented use of the GUI for normal users. After a lot of searching, I found on another board to disable LDAP in various conf files, and that cleared the problem. But I had the message bus / LDAP problem for over two months before this inability to log in showed up, and now I have cleared the LDAP problem but still cannot authenticate a log in password. I really don't think the two are connected, but wanted to mention it here just in case I'm wrong.)
 
Old 09-23-2006, 08:18 PM   #2
w3bd3vil
Senior Member
 
Registered: Jun 2006
Location: Hyderabad, India
Distribution: Fedora
Posts: 1,189

Rep: Reputation: 49
is /etc/securetty file empty?
 
Old 09-23-2006, 10:17 PM   #3
rowancompsciguy
Member
 
Registered: Sep 2006
Location: Cherry Hill, NJ
Distribution: Fedora Core 6
Posts: 42

Rep: Reputation: 15
I had a similar problem with Fedora Core 5. You may want to check your selinux configuration. Good luck.
 
Old 09-25-2006, 09:25 PM   #4
JWilliamCupp
Member
 
Registered: Jul 2005
Location: Indiana, U.S.A.
Distribution: Fedora
Posts: 32

Original Poster
Rep: Reputation: 15
Contents of /etc/securetty

Here's the contents of my file as it now exists:
--------------
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
--------------
What should it look like? What does this file do?

As stated earlier, I have SELinux disabled, so I am sure that has nothing to do with it. In any case, nothing has changed with SELinux; it was disabled before I moved from FC4 to FC5, and at first (in FC5) I did not experience this trouble logging in.
 
Old 09-26-2006, 01:31 AM   #5
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
I noticed that there is an uncommented line dealing with pam_selinux even though you said you disabled selinux, however it is a system group control. You may want to read through your system-auth file that pam.login includes. The errors in /var/log/messages indicates a winbind problem. Is the winbind service running. What does samba use for account information. It is possibly a networking problem if for example another server supplies account information.
 
Old 10-05-2006, 05:41 AM   #6
codfather
LQ Newbie
 
Registered: Nov 2005
Distribution: Ubuntu and Redhat
Posts: 5

Rep: Reputation: 0
I also noticed this problem today after doing a full yum update, the problem lies in the file /etc/pam.d/system_auth, I commented out the following line , which looks incorrectly written:

#account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so

This should read

account sufficient /lib/security/$ISA/pam_winbind.so

I guess this was a typo in the latest release.

Works fine now.

Cod
 
Old 10-14-2006, 07:00 PM   #7
JWilliamCupp
Member
 
Registered: Jul 2005
Location: Indiana, U.S.A.
Distribution: Fedora
Posts: 32

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by codfather
I also noticed this problem today after doing a full yum update, the problem lies in the file /etc/pam.d/system_auth, I commented out the following line , which looks incorrectly written:

#account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
THANK YOU! This worked perfectly!

- Bill
 
Old 12-24-2006, 05:26 PM   #8
colonboy
Member
 
Registered: Dec 2005
Location: Prior Lake, MN
Distribution: Fedora, Suse, Mandriva, Ubuntu
Posts: 35

Rep: Reputation: 15
I know this thread is a little old, but I wanted to confirm the fix for the aformentioned problem. I had the same problem on FC6 and fixed it in a similar fashion. The only difference is that on my FC6 box, the line reads as follows:

account [default=bad success=ok user_unknown=ignore] pam_winbind.so

I changed this to:

account sufficient pam_winbind.so

and issue was resolved.

It may seem obvious that the path stays the same in the corrected line, but I wanted to display this for those who didn't catch the obvious.

Good Luck

Colonboy
 
Old 02-07-2012, 12:54 AM   #9
duffylasker
LQ Newbie
 
Registered: Sep 2003
Posts: 1

Rep: Reputation: 0
root login only

I ran into this problem with pam updates to CentOS 6.2.

I found that certain pam files had been updated and in different sections but all containing the phrase:

"[default=bad success=ok user_unknown=ignore]"

in the line. when I commented out those lines (too tired to figure out the correct syntax ) the login problem was resolved.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Samba - If I use @valid users, only root can log in essdeeay Linux - General 6 04-10-2006 01:05 PM
root users won't log out aubrey-calm2 Linux - Newbie 2 04-08-2006 01:48 AM
root can log in, but not users walterbyrd Debian 7 02-08-2006 06:17 AM
Users can't log in unless part of the root group jeffreybluml Linux - Newbie 3 12-02-2004 07:24 PM
non-root users can't log in (RH9) skullmunky Linux - Security 1 11-17-2004 11:41 AM


All times are GMT -5. The time now is 07:50 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration