LinuxQuestions.org


Rinish 08-12-2008 04:43 PM

User not able to login - PAM error
 
OS SuSE 9.0

Users other than root are not able to log in to the server. When they try to log in, it throws the error "Authentication Failure".

I see the following error in /var/log/messages:

Aug 12 16:26:16 machine -- MARK --
Aug 12 16:29:06 machine login[8245]: pam_unix2: Unknown option: `required'
Aug 12 16:29:06 machine login[8245]: pam_unix2: Unknown option: `/lib/security/pam_tally.so'
Aug 12 16:29:06 machine login[8245]: pam_unix2: Unknown option: `deny=5'
Aug 12 16:29:08 machine login[8245]: pam_unix2: Unknown option: `required'
Aug 12 16:29:08 machine login[8245]: pam_unix2: Unknown option: `/lib/security/pam_tally.so'
Aug 12 16:29:08 machine login[8245]: pam_unix2: Unknown option: `reset'
Aug 12 16:29:08 machine pam_tally[8245]: user unadm (1026) tally 62, deny 2
Aug 12 16:29:08 machine login[8245]: Authentication failure


Just to give a background:
This server was up and running for a long time and has SAP and DB2 installed and running. There was an issue with the connected SAN, and hence the machine was brought down gracefully. After I fixed the SAN issue and tried to start the machine, I found this error.
I tried creating a new user and that user logs in successfully.
/lib/security/pam_tally.so is available on the machine.

/ Rinish (rinishriju)

Rinish 08-12-2008 05:20 PM

Here are some more updates...

As I mentioned earlier, I am able to log in as root, and from there I am able to do su - localuser. But after that I am not able to change "localuser"'s password. When I try to change the password, it gives the following error:

Changing password for localuser.
Old Password:
New password:
Re-enter new password:
Can't open /etc/security/opasswd: Permission denied
Canot lock password file: already locked
Error: Password NOT changed
Canot lock password file: already locked
Error: Password NOT changed
passwd: Authentication token lock busy

timmeke 08-13-2008 09:03 AM

The problem in PAM doesn't seem to be pam_tally.so. Rather, it's the use of pam_unix2.
Furthermore, it seems that the PAM config file is incorrectly parsed. It tries to see the word "required"
as an option to pam_unix2, whereas "required" more likely should indicate that authentication through pam_tally.so
is required.

Perhaps you could look for incorrect line termination at the end of the pam_unix2 line in the PAM config
or a syntax problem at the start of the pam_tally.so line?

The PAM config files are probably in /etc/pam.d or /etc/security or something similar.
You could also verify the contents of /etc/security/pam_unix2.conf, the general pam_unix2 config.

Could you check the file permissions of /etc/security/opasswd (or post the output of ls -l /etc/security/opasswd)?
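
A check for the kind of mis-parse described in the reply above, as an added example that is not part of the thread: it reads text in the /etc/pam.d rule format (type, control, module, arguments) and reports arguments that look like the start of another rule. The sample config and the function names are constructed for illustration; the poster's actual file does not appear in the thread.

```python
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
RULE_TYPES = {"auth", "account", "password", "session"}

# Constructed sample (not the poster's file): on line 2 a second rule has
# been merged into the pam_unix2.so rule, so its fields become arguments.
SAMPLE = """\
#%PAM-1.0
auth     required  pam_unix2.so  required /lib/security/pam_tally.so deny=5
auth     required  /lib/security/pam_tally.so deny=5
account  required  pam_unix2.so
password required  pam_unix2.so  use_authtok \\
                   nullok
"""


def logical_lines(text):
    """Yield (first_line_number, joined_line), honouring backslash continuation."""
    start, parts = None, []
    for number, raw in enumerate(text.splitlines(), 1):
        start = start or number
        if raw.endswith("\\"):
            parts.append(raw[:-1])
            continue
        yield start, " ".join(parts + [raw])
        start, parts = None, []
    if parts:  # file ended in the middle of a continued line
        yield start, " ".join(parts)


def suspicious_arguments(text):
    """Return (line, module, argument) for arguments that look like rule fields."""
    findings = []
    for number, line in logical_lines(text):
        fields = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 3 or fields[0] not in RULE_TYPES:
            continue
        pos = 1  # index of the last token of the control field
        if fields[1].startswith("["):  # bracketed [value=action ...] control
            while pos < len(fields) - 1 and not fields[pos].endswith("]"):
                pos += 1
        module, args = fields[pos + 1:pos + 2], fields[pos + 2:]
        for arg in args:
            if arg in CONTROL_FLAGS or arg in RULE_TYPES or arg.endswith(".so"):
                findings.append((number, module[0], arg))
    return findings


if __name__ == "__main__":
    print(*suspicious_arguments(SAMPLE), sep="\n")
```

The flagged arguments correspond to what a module would report as unknown options, as in the pam_unix2 messages from /var/log/messages quoted in the first post.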


All times are GMT -5.