turtles Veteran
Joined: 31 Dec 2004 Posts: 1655
|
Posted: Fri Jun 02, 2006 2:15 am Post subject: |
|
|
So to solve my problem from above I edit Code: | #nano /etc/login.defs | and comment out everything that appeared as a config error or an unknown item, for example from the configuration file Code: | # Enable logging and display of /var/log/faillog login failure info.
#
#FAILLOG_ENAB yes
#
# Enable display of unknown usernames when login failures are recorded.
#
LOG_UNKFAIL_ENAB no
#
# Enable logging and display of /var/log/lastlog login time info.
#
#LASTLOG_ENAB yes
#
# If defined, ":" delimited list of "message of the day" files to
# be displayed upon login.
#
#MOTD_FILE /etc/motd
#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format something like "vt100 tty01".
#
TTYTYPE_FILE /etc/ttytype
#
# If defined, login failures will be logged here in a utmp format.
# last, when invoked as lastb, will read /var/log/btmp, so...
#
#FTMP_FILE /var/log/btmp
|
Note: If anyone knows of a cleaner way to deal with this please let me know. _________________ Donate to Gentoo |
|
RazielFMX l33t
Joined: 23 Apr 2005 Posts: 835 Location: NY, USA
|
Posted: Fri Jun 02, 2006 3:24 am Post subject: |
|
|
The way I dealt with this was to run emerge -C pam-login, then I ran my emerge -uND world. Once this completed, I ran etc-update, which surprisingly didn't prompt me and 'made trivial updates to config files' and it all worked great. _________________ I am not anti-systemd; I am pro-choice. If being the latter makes you feel that I am the former, then so be it. |
|
G F0rce 1 Tux's lil' helper
Joined: 16 Dec 2004 Posts: 115 Location: 51.418961, 5.500932
|
Posted: Fri Jun 02, 2006 12:08 pm Post subject: |
|
|
The Ennead wrote: | Ditto, cheers ecatmur
I've got a borked install I'm trying to put right at the moment and that was one of many things stopping me but the only one I hadn't found an answer for yet |
_________________ Reinoud.net |
|
tnt Veteran
Joined: 27 Feb 2004 Posts: 1222
|
Posted: Fri Jun 02, 2006 1:02 pm Post subject: |
|
|
tnt wrote: | dalek wrote: | Don't know if it helps but did you restart ssh? Now your problem will be getting in so you can I guess.
|
I've done this upgrade on a few other x86 and amd64 boxes and I was able to login again although I haven't restarted sshd, but this one seems not to like shadow upgrade...
|
I had to recompile all packages with 'pam' keyword to make them work again. One of them was openssh. _________________ gentoo user |
|
chrisstankevitz Guru
Joined: 14 Dec 2003 Posts: 472 Location: Santa Barbara, CA, USA
|
Posted: Fri Jun 02, 2006 4:49 pm Post subject: Re: pam-login blocks shadow |
|
|
zietbukuel wrote: |
To solve "emerge -C pam-login && emerge -1 shadow", this is safe to do - mark_alec |
Why is this required?
a) flaw in an ebuild
b) flaw in gentoo/portage
c) this is normal, by-design behavior for gentoo
d) other
Thanks,
Chris |
|
dalek Veteran
Joined: 19 Sep 2003 Posts: 1353 Location: Mississippi USA
|
Posted: Fri Jun 02, 2006 5:26 pm Post subject: |
|
|
I think C. Basically, there were some changes and from what I read pam-login is included in shadow now so you can't have both. If true, this would require you to remove pam-login then install the new shadow.
Basically portage is giving you the option to do what is best for your system. If for example something just has to have pam-login, then you can leave it until whatever other program is updated to the new way of doing things. At least it gives you the options. I knew when I saw it what to do but I was concerned about being able to get back in afterwards. I had read and had a time when a bad pam-login would not let me in at all.
Now for some other guru to chime in.
_________________ My rig: Gigabyte GA-970A-UD3P mobo, AMD FX-8350 Eight-Core CPU, ZALMAN CNPS10X Performa CPU cooler,
G.SKILL 32GB DDR3 PC3 12800 Memory Nvidia GTX-650 video card LG W2253 Monitor
60TBs of hard drive space using LVM
Cooler Master HAF-932 Case |
|
chrisstankevitz Guru
Joined: 14 Dec 2003 Posts: 472 Location: Santa Barbara, CA, USA
|
Posted: Fri Jun 02, 2006 6:01 pm Post subject: |
|
|
dalek wrote: |
I had read and had a time when a bad pam-login would not let me in at all. |
I don't totally understand what you mean in the second quote, but you think normal, by-design behavior is for you to not be able to log in?
Thanks,
Chris |
|
dalek Veteran
Joined: 19 Sep 2003 Posts: 1353 Location: Mississippi USA
|
Posted: Fri Jun 02, 2006 9:23 pm Post subject: |
|
|
I thought you were talking about shadow being blocked. That is normal when one program conflicts with another. Now not being able to login, that is not normal. What use is it when you can't use it.
I would have to assume that this was the only safe way to do this. The same could be said about gcc updates. All of them have a few risks especially in Gentoo and LFS. We just need to be warned and be careful.
All that said, I may have misunderstood your meaning. My fiance is badly sick, her grandma, 85, is in the hospital with us not knowing when she is going to go. It's just been tough the past few weeks. Doctors are not helping much because apparently they are all in a conference somewhere. Her regular doctor is gone and her family doctor is gone too. The emergency room is our best friend right now. They know our names when we go in and all.
Maybe I better get some rest.
|
CrazyTerabyte Apprentice
Joined: 30 Dec 2004 Posts: 193
|
Posted: Sat Jun 03, 2006 1:49 am Post subject: Re: pam-login blocks shadow |
|
|
chrisstankevitz wrote: | zietbukuel wrote: | To solve "emerge -C pam-login && emerge -1 shadow", this is safe to do - mark_alec |
Why is this required?
a) flaw in an ebuild
b) flaw in gentoo/portage
c) this is normal, by-design behavior for gentoo
d) other |
I remember some time ago... "slocate" package has been updated, and we needed to rename "slocate" group to "locate". The new package detected the "old state" and printed a big error message telling us what happened, and how to fix it. Once I've renamed it, new version was emerged without problems, and my system did not break.
Thinking this way, the answer to your question is a. I think the new package/ebuild should explain us what happened, and how to fix it.
BUT... The ebuild did not even run, because portage did not allow that (because of conflicting dependencies). So, I change this to b, and ask for a new feature: Whenever something is blocking (and did not block before), then add some explanation message informing why this happens, and how to fix it.
BTW, for now I've masked ">=sys-apps/shadow-4.0.15", until a safe fix is available (or posted here). Preferably with a real good explanation. |
|
dalek Veteran
Joined: 19 Sep 2003 Posts: 1353 Location: Mississippi USA
|
Posted: Sat Jun 03, 2006 3:33 am Post subject: Re: pam-login blocks shadow |
|
|
CrazyTerabyte wrote: | BTW, for now I've masked ">=sys-apps/shadow-4.0.15", until a safe fix is available (or posted here). Preferably with a real good explanation. |
Uh oh. Does this mean we have to go through the downgrade process now?
|
leahcim n00b
Joined: 17 Mar 2003 Posts: 29
|
Posted: Sat Jun 03, 2006 3:56 am Post subject: Re: pam-login blocks shadow |
|
|
CrazyTerabyte wrote: | chrisstankevitz wrote: | zietbukuel wrote: | To solve "emerge -C pam-login && emerge -1 shadow", this is safe to do - mark_alec |
BUT... The ebuild did not even run, because portage did not allow that (because of conflicting dependencies). So, I change this to b, and ask for a new feature: Whenever something is blocking (and did not block before), then add some explanation message informing why this happens, and how to fix it.
BTW, for now I've masked ">=sys-apps/shadow-4.0.15", until a safe fix is available (or posted here). Preferably with a real good explanation. |
It blocks precisely because the dependencies are set for it to block, i.e. the packages aren't compatible if installed together.
But nothing is broken for there to be an explanation of how to fix it, safely or otherwise.
If your system works now, what is there to fix? If there's a bug in the new package what is that to do with portage? If there isn't, then that works too.
Take your pick which package you want installed, but portage was good enough to stop you when you tried to install both.
i.e the output message would be just that "pam_login blocks shadow, so I'm not installing shadow as you requested"
Portage can't be expected to decide what you want to do, (which is either remove the blocking package to allow the package you're trying to install to be installed, or to not install the new package)
If you treat portage as a piece of software to help you install, uninstall and configure software on your machine, i.e instead of installing a different version of a distro every few weeks / months or finding your own tarballs and doing it all by hand. Or to add / remove software from an install so you don't have to install everything. In that sense it works pretty well.
But treated as some kind of AI system administrator where you put "-uD world" or similar and hope those flags mean "Err, I don't know, you do it and it better work afterwards otherwise it must need another feature" it'll fail - perhaps not always, but it will. It's not a substitute for a thread like this. |
|
xentric Guru
Joined: 16 Mar 2003 Posts: 410 Location: Netherlands
|
Posted: Sat Jun 03, 2006 7:33 am Post subject: |
|
|
turtles wrote: | I did run cfg-update
Code: | parsons turtle # cfg-update -u
/usr/bin/xxdiff not found - let's try /usr/bin/meld...
(1/3) /etc/login.defs [unknown file]
Update file : /etc/login.defs ? [y|n|q|?] y
(meld) : when done, just save the merged file over the original!
No module named pygtk
Meld requires pygtk1.99.15 or higher.
No changes detected...
Press [y] - if the current file is OK, and you want to remove the ._cfg0000_file
Press [n] - to cancel this update
Are you sure this update is complete? [y|n] y
Update complete...
(2/3) /etc/securetty [modified file]
Update file : /etc/securetty ? [y|n|q|?] y
(meld) : when done, just save the merged file over the original!
No module named pygtk
Meld requires pygtk1.99.15 or higher.
No changes detected...
Press [y] - if the current file is OK, and you want to remove the ._cfg0000_file
Press [n] - to cancel this update
Are you sure this update is complete? [y|n] y
Update complete...
(3/3) /etc/pam.d/login [unknown file]
Update file : /etc/pam.d/login ? [y|n|q|?] y
(meld) : when done, just save the merged file over the original!
No module named pygtk
Meld requires pygtk1.99.15 or higher.
No changes detected...
Press [y] - if the current file is OK, and you want to remove the ._cfg0000_file
Press [n] - to cancel this update
Are you sure this update is complete? [y|n] y
Update complete...
|
|
The problem is that you didn't update those configuration files at all... because cfg-update couldn't find xxdiff it switched to meld. But meld had a problem so it never started. That's why cfg-update reports that no change in the files is detected because you haven't merged the old and new config file with meld. Then cfg-update asked if you wanted to keep the old config file and remove the new configfile or if you would like to cancel the update... you chose to remove the new configfile. (cfg-update has created a backup of the new file as /etc/pam.d/login.newcfg or /etc/pam.d/._new-cfg_login depending on which version of cfg-update you use, so you can always retry updating)
I hope you haven't done more updates this way... you are just throwing away the new files this way.
I strongly recommend removing the old version of cfg-update and installing the latest version of cfg-update before retrying the configfile updates! (https://forums.gentoo.org/viewtopic.php?t=86622) Make sure that you have a working diff/merge tool like xxdiff, meld, kdiff3 or gtkdiff. Then find the backups of the above 3 files with "cfg-update -b" and use "cfg-update -r [number]" to restore the original situation. Then simply run "cfg-update -u" to update them again, if the mergetool (xxdiff,meld,kdiff3,gtkdiff or sdiff) works properly it should present you with the old and new file side by side so you can choose which lines/settings you would like to have in the merged result. There are some instructions and screenshots on the installation page to show you how cfg-update is supposed to work. _________________ When all else fails, read the manual...
Registered Linux User #340626
Last edited by xentric on Sat Jun 03, 2006 1:38 pm; edited 2 times in total |
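Added example, not part of xentric's post and not code from cfg-update or Portage: a check to run before logging out that reports unmerged `._cfgNNNN_` copies of the three files in the cfg-update output above and, for login.defs, the directives that are active in the live file but not in the new one. The function names and the "not enabled in the new file" heuristic are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Portage's config protection leaves a new
# config file beside the live one as ._cfgNNNN_<name> until it is merged.

# The three files from the cfg-update output above, relative to the root.
AUTH_FILES="etc/login.defs etc/securetty etc/pam.d/login"

# pending_for FILE: print unmerged ._cfgNNNN_ copies of FILE, one per line.
pending_for() {
    dir=$(dirname "$1")
    base=$(basename "$1")
    for f in "$dir"/._cfg[0-9][0-9][0-9][0-9]_"$base"; do
        # An unmatched glob stays literal, so test that the file exists.
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# stale_keys LIVE NEW: directive names on non-comment lines of LIVE that are
# not on a non-comment line of NEW. Heuristic (assumption): these are the
# settings to review by hand, not a list of what login will reject.
stale_keys() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         FILENAME == ARGV[1]   { new[$1] = 1; next }
         !($1 in new)          { print $1 }' "$2" "$1" | sort -u
}

# check_auth_configs ROOT: list unmerged updates to the login-related files.
# Returns 1 if any exist (do not log out yet), 0 if everything is merged.
check_auth_configs() {
    root=${1:-/}
    rc=0
    for rel in $AUTH_FILES; do
        for p in $(pending_for "$root/$rel"); do
            rc=1
            echo "UNMERGED: $p"
            if [ "$rel" = "etc/login.defs" ]; then
                stale_keys "$root/$rel" "$p" |
                    sed 's/^/  active now, not enabled in new file: /'
            fi
        done
    done
    return $rc
}

# Stand-alone use: pass the root to inspect, e.g. "/" or a chroot path.
if [ $# -gt 0 ]; then
    check_auth_configs "$1"
fi
```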
|
lkajssfhdlkfja n00b
Joined: 03 Jun 2006 Posts: 4
|
Posted: Sat Jun 03, 2006 10:23 am Post subject: Re: pam-login blocks shadow |
|
|
leahcim wrote: | CrazyTerabyte wrote: | chrisstankevitz wrote: | zietbukuel wrote: | To solve "emerge -C pam-login && emerge -1 shadow", this is safe to do - mark_alec |
BUT... The ebuild did not even run, because portage did not allow that (because of conflicting dependencies). So, I change this to b, and ask for a new feature: Whenever something is blocking (and did not block before), then add some explanation message informing why this happens, and how to fix it.
BTW, for now I've masked ">=sys-apps/shadow-4.0.15", until a safe fix is available (or posted here). Preferably with a real good explanation. |
It blocks precisely because the dependencies are set for it to block, i.e. the packages aren't compatible if installed together.
But nothing is broken for there to be an explanation of how to fix it, safely or otherwise.
If your system works now, what is there to fix? If there's a bug in the new package what is that to do with portage? If there isn't, then that works too.
Take your pick which package you want installed, but portage was good enough to stop you when you tried to install both.
i.e the output message would be just that "pam_login blocks shadow, so I'm not installing shadow as you requested"
Portage can't be expected to decide what you want to do, (which is either remove the blocking package to allow the package you're trying to install to be installed, or to not install the new package)
If you treat portage as a piece of software to help you install, uninstall and configure software on your machine, i.e instead of installing a different version of a distro every few weeks / months or finding your own tarballs and doing it all by hand. Or to add / remove software from an install so you don't have to install everything. In that sense it works pretty well.
But treated as some kind of AI system administrator where you put "-uD world" or similar and hope those flags mean "Err, I don't know, you do it and it better work afterwards otherwise it must need another feature" it'll fail - perhaps not always, but it will. It's not a substitute for a thread like this. |
Dang. What an interesting response.
The users who are posting here didn't request any conflicting packages. I found this problem when I did an "emerge -a system". It is obvious what happened: Somebody was in a hurry trying to plug a security leak with their thumb and made a boo-boo and berked the build of something related to PAM in the distro tree then threw it over the wall without testing it.
Happily, this kind of thing doesn't happen very often, as Gentoo is one of the most widely used Linux distributions on the planet.
No, sadly, I lied. It happens all the time. It happened twice in this emerge alone -- unless utemper is related to this somehow (has anyone else heard of utemper?).
Usually this kind of thing happens when Gentoo is scrambling to close a security hole. I'm glad they are security conscious. Sometimes it causes grief tho. They decided the version of one package I was using had a problem, so they deleted it. The only problem was, the only package left was totally incompatible with the one I had installed and I didn't have any ground left to stand on. It emerged the new version, unmerged the old. Nothing left to go back to when I found the new one didn't work, as the version I had been using was gone from the portage tree. That left two domains screwed for over a month.
Hopefully, the rest of the users on this board are smarter than I am, and took the advice I've seen posted in reviews multiple times: don't use Gentoo on a critical machine because it gets broken.
But I just came to a huge realization just now: If Gentoo isn't supposed to be used for critical machines like servers, why are they so willing to make it dysfunctional every time there is a security flaw?!? How much does anyone care about security on a machine that isn't important enough to be exposed to a security threat?
Restated, security and stability go hand in hand. If you don't have stability, security is much less important. If security *is* important (and it should be), then stability should be equally so! If you have both, you can use the machine in a critical application.
good = secure AND stable |
|
CrazyTerabyte Apprentice
Joined: 30 Dec 2004 Posts: 193
|
Posted: Sat Jun 03, 2006 1:15 pm Post subject: |
|
|
Portage is a package manager. It serves to help the admin to install, uninstall and update packages. The admin will not need to do these things "by hand" anymore (most of time), so he can focus on doing other important things.
When you try to install a package that is masked, portage tells you the package is masked and explains why (try emerge -pv unreal to see an example). Even if that explanation might be short, it is enough to give the admin a rough idea about why it is masked, and maybe where to find more information about it (id of some bug report or some URL, for example).
When you try to update a working system and it simply says it can't update because one package blocks another, then you think: "Wtf? These packages were installed before, were working before, why this will not work anymore?" Portage does not give you any tip about why this happened*. The admin must, then, try to figure how to fix it (fix = avoid/solve blocking). Most of time, the admin will search in bugs or at forums, and hope to find useful (and complete) information.
Now, we find this thread, where people say "do this", some other say "I screwed my system!" and one said "do that, but also recompile all pam packages".
If you are the admin of a server running Gentoo, what would you do? What would you think?
* Well, there are some "obvious" blocks, like installing more than one cron or syslog. I'm talking about non-obvious blocks, like this. |
|
UncleOwen Veteran
Joined: 27 Feb 2003 Posts: 1493 Location: Germany, Hamburg
|
Posted: Sat Jun 03, 2006 1:21 pm Post subject: |
|
|
CrazyTerabyte wrote: | When you try to update a working system and it simply says it can't update because one package blocks another, then you think: "Wtf? These packages were installed before, were working before, why this will not work anymore?" Portage does not give you any tip about why this happened*. The admin must, then, try to figure how to fix it (fix = avoid/solve blocking). Most of time, the admin will search in bugs or at forums, and hope to find useful (and complete) information. |
Really, the first way to look should be the Changelog, especially in those "it used to work, why did it stop?" cases. And in there it clearly says:
Quote: | *shadow-4.0.14-r2 (12 Mar 2006)
12 Mar 2006; Diego Pettenò <flameeyes@gentoo.org> +files/login.defs,
+files/login.pamd, +shadow-4.0.14-r2.ebuild:
Merge pam-login back into shadow, as 4.x version was already being used;
this means that upgrade from 4.0.14-r1 requires to remove pam-login before. |
Or you could simply use emerge --changelog. |
|
Jimi... Tux's lil' helper
Joined: 06 Aug 2005 Posts: 136 Location: IoM
|
Posted: Sat Jun 03, 2006 3:04 pm Post subject: |
|
|
What does it do when you use the -C switch? |
|
dalek Veteran
Joined: 19 Sep 2003 Posts: 1353 Location: Mississippi USA
|
Posted: Sat Jun 03, 2006 3:14 pm Post subject: |
|
|
Jimi... wrote: | What does it do when you use the -C switch? |
Code: | --unmerge (-C)
WARNING: This action can remove important packages! Removes all matching packages. This does
no checking of dependencies, so it may remove packages necessary for the proper operation of
your system. Its arguments can be ebuilds, classes, or dependencies -- see --clean above for
examples.
|
It's the same as the old unmerge. That help?
|
Jimi... Tux's lil' helper
Joined: 06 Aug 2005 Posts: 136 Location: IoM
|
Posted: Sat Jun 03, 2006 4:22 pm Post subject: |
|
|
Oh right, umm is pam-login important? Because it was conflicting when I tried to do an emerge --update --deep world so I did emerge -C pam-login and now my system is updating fine. |
|
dalek Veteran
Joined: 19 Sep 2003 Posts: 1353 Location: Mississippi USA
|
Posted: Sat Jun 03, 2006 5:30 pm Post subject: |
|
|
Shadow is taking care of what pam-login used to do. I guess you could say they are merging two programs together so that you only have to have one instead of both. Just make sure you emerge shadow and do any etc-update(s) before you logout. From what I have read if you don't, you have to chroot in to fix it or boot in single user mode or something like that.
That's my understanding anyway.
|
chrisstankevitz Guru
Joined: 14 Dec 2003 Posts: 472 Location: Santa Barbara, CA, USA
|
Posted: Sat Jun 03, 2006 5:30 pm Post subject: Re: pam-login blocks shadow |
|
|
lkajssfhdlkfja wrote: |
Happily, this kind of thing doesn't happen very often |
You are correct, it doesn't happen very often. It has happened three times for me in the past 2.5 years. Unfortunately, two of those (pam-login and utempter) were in the same day.
I am still interested in getting an answer to my original question: Did this happen due to a borked ebuild or is it a fundamental shortcoming in gentoo/portage? [I hope unmerging pamlogin is not how Founding Fathers intended us to use portage.]
Chris |
|
chrisstankevitz Guru
Joined: 14 Dec 2003 Posts: 472 Location: Santa Barbara, CA, USA
|
Posted: Sat Jun 03, 2006 5:32 pm Post subject: Re: pam-login blocks shadow |
|
|
leahcim wrote: |
Portage can't be expected to decide what you want to do, (which is either remove the blocking package to allow the package you're trying to install to be installed, or to not install the new package) |
Of course. But the issue is how did the blocked package stuff happen in the first place. |
|
Jimi... Tux's lil' helper
Joined: 06 Aug 2005 Posts: 136 Location: IoM
|
Posted: Sat Jun 03, 2006 6:06 pm Post subject: |
|
|
I just noticed Shadow is being emerged with the updates. Will I still have to emerge it after my system is updated? |
|
dalek Veteran
Joined: 19 Sep 2003 Posts: 1353 Location: Mississippi USA
|
Posted: Sat Jun 03, 2006 6:17 pm Post subject: |
|
|
Do you get the same error as the OP or were you not using pam to begin with? I have read where some don't use pam is why I ask.
|
chrisstankevitz Guru
Joined: 14 Dec 2003 Posts: 472 Location: Santa Barbara, CA, USA
|
Posted: Sat Jun 03, 2006 6:27 pm Post subject: |
|
|
Jimi... wrote: | I just noticed Shadow is being emerged with the updates. Will I still have to emerge it after my system is updated? |
No. But re-emerging something never hurts, so when in doubt, emerge!
Chris |
|
Trejkaz Guru
Joined: 14 Nov 2002 Posts: 479 Location: Sydney, Australia
|
Posted: Mon Jun 05, 2006 12:18 am Post subject: |
|
|
dalek wrote: | Shadow is taking care of what pam-login used to do. I guess you could say they are merging two programs together so that you only have to have one instead of both. |
Times like this, it makes me wish Portage could handle this kind of thing transparently.
Instead of saying "shadow blocks pam-login", it could say "shadow obsoletes pam-login", and then Portage could go and install shadow and later remove the remaining files from pam-login which are leftover. It's sort of like a special case of a package being renamed, which does seem to be handled transparently. |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|