Fails to join a domain: Unknown pam configuration

Warning: Unknown pam configuration
The likewise PAM module cannot be configured for the gnome-screensaver service.
Either this service is unprotected (does not require a valid password for
access), or it is using a pam module that this program is unfamiliar with.
Please email Likewise technical support and include a copy of /etc/pam.conf or
/etc/pam.d.

Warning: Unknown pam configuration
The likewise PAM module cannot be configured for the cron service. Either this
service is unprotected (does not require a valid password for access), or it is
using a pam module that this program is unfamiliar with. Please email Likewise
technical support and include a copy of /etc/pam.conf or /etc/pam.d.

Warning: Unknown pam configuration
The likewise PAM module cannot be configured for the chfn service. Either this
service is unprotected (does not require a valid password for access), or it is
using a pam module that this program is unfamiliar with. Please email Likewise
technical support and include a copy of /etc/pam.conf or /etc/pam.d.

Error: Unknown pam configuration [code 0x00080035]

The likewise PAM module cannot be configured for the login service. Either this
service is unprotected (does not require a valid password for access), or it is
using a pam module that this program is unfamiliar with. Please email Likewise
technical support and include a copy of /etc/pam.conf or /etc/pam.d.

I get the same error, all software up to date on a x32 dell optiplex 170l

I have a fix in testing. Needs a little bit more validation. I'm attaching it here for testing and will generate a new source drop for Interepid to handle this.

this is the log from gui inerface likewise

1st proposal: minimal fix over 4.1.0.2956

likewise-open (4.1.0.2956-0ubuntu2) intrepid; urgency=low

  * Fix incompatibility with Intrepid's PAM configuration (LP: #262264)
  * Revert to using a specific libwbclient0 in /usr/lib/likewise-open
    because upstream says it is compatible but not equivalent to the one
    provided by Samba.

 -- Thierry Carrez <email address hidden> Thu, 11 Sep 2008 12:10:56 +0200

2nd proposal: update to 4.1.2982 upstream bugfix microrelease

Using upstream tarball at http://archives.likewisesoftware.com/likewise-open/src/likewise-open-4.1.2982.tar.gz

likewise-open (4.1.2982-0ubuntu1) intrepid; urgency=low

  * Upstream bugfix microrelease
  * Fix incompatibility with Intrepid's PAM configuration (LP: #262264)
  * Revert to using a specific libwbclient0 in /usr/lib/likewise-open
    because upstream says it is compatible but not equivalent to the one
    provided by Samba
  * Replaced no-template-modifications.diff by homedir_setting.patch to
    match upstream patchnames
  * Added upstream's daemon_restart.patch that removes likewise-open
    self-management of daemon start at boot

 -- Thierry Carrez <email address hidden> Thu, 11 Sep 2008 12:20:03 +0200

Combined interdiff for review of 2nd proposal

Relevant upstream microrelease diffstats :

 samba/source/VERSION | 2
 samba/source/configure | 3
 samba/source/configure.in | 4
 samba/source/include/version.h | 4
 samba/source/lib/interface.c | 9 ++
 samba/source/libsmb/cliconnect.c | 12 --
 samba/source/nsswitch/wb_common.c | 20 ++++
 samba/source/winbindd/winbindd_cache.c | 11 +-
 samba/source/winbindd/winbindd_dual.c | 7 -
 samba/source/winbindd/winbindd_group.c | 2

slangasek wants to fix it in a more Intrepid way.

Running domainjoin-cli on my system, I end up with the following in /etc/pam.d/common-auth:

# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth sufficient pam_lwidentity.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so

This, of course, is not the intended behavior...

Yes, I think we need to fix this for Ubuntu by implementing support for pam-auth-update.

Steve, Would you mind pointing me at some details of path-auth-update? Thanks.

Hi Gerald,

On Fri, Sep 12, 2008 at 11:09:28PM -0000, Gerald Carter wrote:
> Steve, Would you mind pointing me at some details of path-auth-update?

Steve is probably referring to the new Pam configuration framework he
implemented for intrepid:

https://wiki.ubuntu.com/PAMConfigFrameworkSpec

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Sorry, I ended up down a rat hole debugging a pam-auth-update bug on my system when trying to work on a patch for this. Please find attached a patch which should switch likewise-open over to using pam-auth-update exclusively on Ubuntu. Unfortunately there's no way to automatically enable/disable a module in the PAM config via pam-auth-update, so instead we ship the module in a configuration that can be non-disruptively enabled by default. If there's a reason that this isn't acceptable, let me know and I'll try to find a different approach (have libdomainjoin invoke pam-auth-update itself for interactive configuration?)

the previous patch fails to DTRT on package removal; updated patch attached.

pam-auth-update.diff makes it segfault at domain join/leave, I'm trying to disable the pam module in domainjoin more completely, stay tuned

Proposed update
Includes the libwbclient0 fix and a slightly modified pam-auth-update.diff patch.

likewise-open (4.1.0.2956-0ubuntu2) intrepid; urgency=low

  [ Steve Langasek ]
  * debian/likewise-open.{pam-auth-update,prerm,postinst,install}: port
    likewise-open PAM handling to pam-auth-update.
  * debian/control: depend on libpam-runtime (>= 1.0.1-4ubuntu1) for the
    above.
  * debian/patches/pam-auth-update.diff: disable the code in
    libdomainjoin to edit pam.d directly, since this should now be
    addressed at the package level.

  [ Thierry Carrez ]
  * debian/rules, debian/likewise-open.install: Revert to using a specific
    libwbclient0 in /usr/lib/likewise-open because upstream says it is
    compatible but not equivalent to the one provided by Samba.
  * debian/patches/pam-auth-update.diff: disable the "pam" domainjoin module
    completely in djmodule.c rather than working around it in djpamconf.c
    (fixes LP: #262264)

 -- Thierry Carrez <email address hidden> Tue, 16 Sep 2008 13:36:43 +0200

This bug was fixed in the package likewise-open - 4.1.0.2956-0ubuntu2

---------------
likewise-open (4.1.0.2956-0ubuntu2) intrepid; urgency=low

  [ Steve Langasek ]
  * debian/likewise-open.{pam-auth-update,prerm,postinst,install}: port
    likewise-open PAM handling to pam-auth-update.
  * debian/control: depend on libpam-runtime (>= 1.0.1-4ubuntu1) for the
    above.
  * debian/patches/pam-auth-update.diff: disable the code in
    libdomainjoin to edit pam.d directly, since this should now be
    addressed at the package level.
  * debian/rules: fix the clean target to call distclean in the
    centutils and domainjoin, to avoid cruft in the diff after a
    build/clean cycle.

  [ Thierry Carrez ]
  * debian/rules, debian/likewise-open.install: Revert to using a specific
    libwbclient0 in /usr/lib/likewise-open because upstream says it is
    compatible but not equivalent to the one provided by Samba.
  * debian/patches/pam-auth-update.diff: disable the "pam" domainjoin module
    completely in djmodule.c rather than working around it in djpamconf.c
    (fixes LP: #262264)

 -- Thierry Carrez <email address hidden> Tue, 16 Sep 2008 13:36:43 +0200