How do I completely re-install PAM security?

Long time Manjaro user, but I am learning as I go. I don’t know much about PAM, but I know how to set up a samba password. That is all I have ever really done with PAM.

A recent update (not sure when) killed my ability to access or share any samba file shares. I have had this working for years and it stopped with some update. I have tried everything, including re-installing samba. This is all in my home network behind a router based firewall.

I have backed up my smb.conf file and restoring that does not help. I have about 8 other Linux boxes (mint, KDE Neon, Ubuntu, Windows 10, etc) that all work fine still. My Manjaro is no longer able to access any other machine or be accessed by any other machine.

I believe my PAM services are damaged. I don’t know how to re-install that and there are many warnings on the web to not touch it or I will be locked out. I spent months getting everything working including my outward facing web server and I hate to erase the whole system even though I have my HOME directory all backed up.

When I look at the status of sudo systemctl status smb this is what I get:

Mar 17 16:38:30 manjaro smbd[6047]: [2024/03/17 16:38:30.681619,  0] ../../source3/auth/pampass.c:592(smb_pam_account)
Mar 17 16:38:30 manjaro smbd[6047]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: michael
Mar 17 16:38:30 manjaro smbd[6047]: [2024/03/17 16:38:30.681653,  0] ../../source3/auth/pampass.c:800(smb_pam_accountcheck)
Mar 17 16:38:30 manjaro smbd[6047]:   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User michael!
Mar 17 16:50:25 manjaro smbd[4075]: pam_unix(samba:session): session closed for user nobody
Mar 17 17:36:29 manjaro smbd[9380]: pam_unix(samba:account): helper binary execve failed: Permission denied
Mar 17 17:36:29 manjaro smbd[9379]: [2024/03/17 17:36:29.041559,  0] ../../source3/auth/pampass.c:592(smb_pam_account)

I am the only user on my internal network and I don’t mind resetting my password of course.

I don’t want to lock myself out of logging in to the system which works fine. It is just my samba that I can’t access remotely and I can’t access any other machines on my network using samba.

I appreciate if you can suggest what I should study to fix this.

I debated posting my smb.conf, but that has worked for a long time, so I don’t think that is the problem.


Moderator edit: “How to” is a preface to a tutorial or what one would use to find a tutorial in a search engine. This is a support forum. Topic title edited.

In the future, please use proper formatting: [HowTo] Post command output and file content as formatted text

Changes to default password hashing algorithm and umask settings (2023-10-04) lists some important changes which may (or may not) be related, however, I can help no further with any complete re-install.

Hi @michaeldchristopher
First things first … are we sure of the sync status?

sudo pacman -Syu

And then … are all pacnews handled?

pacdiff -o

I also found this similar thread:

As to ‘reinstall pam things’, I think the base install is just pam and lib32-pam, ex:

sudo pacman -Syu pam lib32-pam

reply is:

:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
 multilib is up to date
:: Starting full system upgrade...
 there is nothing to do

pacdiff was unknown, and when I tried to install it with sudo pacman -Sy pacdiff it says target not found.

I have never heard of or used pacdiff


Moderator edit: In the future, please use proper formatting: [HowTo] Post command output and file content as formatted text

I used the GUI add/remove to add pacdiff.

This was the result of pacdiff -o:

/usr/share/icons/default/index.theme.pacnew
/etc/passwd.pacnew
/etc/shells.pacnew
/etc/gdm/custom.conf.pacsave
/etc/locale.gen.pacnew
/etc/default/grub.pacnew
/etc/mkinitcpio.conf.pacnew
/etc/pacman.conf.pacnew
/etc/php/php.ini.pacnew
/etc/pam.d/polkit-1.pacsave
/etc/default/useradd.pacnew

If you think I have hosed my system, I can try to backup everything and re-install Manjaro fresh. I have dozens of hours into setting up the webserver which is working great including cgi-bin with python. That took me a while to get running so I hate to wipe it and start over.

I thought I was being 'good' and I updated pretty much every time it showed me that something could be updated using the GUI.

Never install software this way. You are asking for a partial upgrade which is equal to broken.

It used to be provided by pacman, but is now split out into the pacman-contrib package.

This affirms that you have pacnews that have been left unmanaged.
The [community] repo was discontinued a long time ago.

This is the wiki primer for that:

sudo pacman -Syu pam lib32-pam

It re-installed with no error.

NOTE: testparm runs with no error.

Here is what it says:

testparm                                                         ✔ 
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

WARNING: The 'client ipc signing' value may mean SMB signing is not used when contacting a domain controller or other server. This setting is not recommended; please be aware of the security implications when using this configuration setting.

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
	client ipc signing = if_required
	client min protocol = NT1
	dns proxy = No
	log file = /var/log/samba/%m.log
	map to guest = Bad Password
	max log size = 1000
	name resolve order = lmhosts bcast host wins
	obey pam restrictions = Yes
	pam password change = Yes
	passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
	passwd program = /usr/bin/passwd %u
	security = USER
	server min protocol = NT1
	server role = standalone server
	unix password sync = Yes
	usershare allow guests = Yes
	usershare max shares = 100
	usershare path = /var/lib/samba/usershare
	idmap config * : backend = tdb
	force create mode = 0070
	force directory mode = 0070


[homes]
	comment = Home Directories
	create mask = 0700
	directory mask = 0700
	read only = No
	valid users = %S


[printers]
	browseable = No
	comment = All Printers
	create mask = 0700
	path = /var/spool/samba
	printable = Yes


[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers

After I updated the PAM install, I re-entered the smbpasswd.

This is the status:

sudo systemctl status smb                                                                                                        ✔ 
● smb.service - Samba SMB Daemon
     Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; preset: disabled)
     Active: active (running) since Sun 2024-03-17 18:30:10 CDT; 27min ago
       Docs: man:smbd(8)
             man:samba(7)
             man:smb.conf(5)
   Main PID: 1465 (smbd)
     Status: "smbd: ready to serve connections..."
      Tasks: 7 (limit: 38136)
     Memory: 21.3M (peak: 49.1M)
        CPU: 1.520s
     CGroup: /system.slice/smb.service
             ├─1465 /usr/bin/smbd --foreground --no-process-group
             ├─1479 "smbd: notifyd "
             ├─1480 "smbd: cleanupd"
             ├─2878 "smbd: client [192.168.2.135]"
             ├─2914 "smbd: client [192.168.2.135]"
             ├─2998 "smbd: client [192.168.2.229]"
             └─3040 "smbd: client [192.168.2.68]"

Mar 17 18:39:02 manjaro smbd[3058]: pam_unix(samba:account): helper binary execve failed: Permission denied
Mar 17 18:39:02 manjaro smbd[3057]: [2024/03/17 18:39:02.332807,  0] ../../source3/auth/pampass.c:592(smb_pam_account)
Mar 17 18:39:02 manjaro smbd[3057]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: michael
Mar 17 18:39:02 manjaro smbd[3057]: [2024/03/17 18:39:02.334847,  0] ../../source3/auth/pampass.c:800(smb_pam_accountcheck)
Mar 17 18:39:02 manjaro smbd[3057]:   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User michael!
Mar 17 18:39:17 manjaro smbd[3066]: pam_unix(samba:account): helper binary execve failed: Permission denied
Mar 17 18:39:17 manjaro smbd[3065]: [2024/03/17 18:39:17.731122,  0] ../../source3/auth/pampass.c:592(smb_pam_account)
Mar 17 18:39:17 manjaro smbd[3065]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: michael
Mar 17 18:39:17 manjaro smbd[3065]: [2024/03/17 18:39:17.731151,  0] ../../source3/auth/pampass.c:800(smb_pam_accountcheck)
Mar 17 18:39:17 manjaro smbd[3065]:   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User michael!

Moderator edit: In the future, please use proper formatting: [HowTo] Post command output and file content as formatted text
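One way to read the journal excerpt above, added here as an example and not part of any poster's reply: the Python below pairs each smbd PAM error with the pam_unix helper failure logged in the same second and names the numeric code. The sample lines are copied from the thread, the code table is a subset of Linux-PAM's `_pam_types.h`, and `parse` and `triage` are hypothetical names.

```python
import re

# Subset of Linux-PAM return codes (values from <security/_pam_types.h>).
PAM_CODES = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL",
             10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}

# Journal lines copied from the thread (source-location lines omitted).
SAMPLE = """\
Mar 17 18:39:02 manjaro smbd[3058]: pam_unix(samba:account): helper binary execve failed: Permission denied
Mar 17 18:39:02 manjaro smbd[3057]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: michael
Mar 17 18:39:02 manjaro smbd[3057]:   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User michael!
Mar 17 18:39:17 manjaro smbd[3066]: pam_unix(samba:account): helper binary execve failed: Permission denied
Mar 17 18:39:17 manjaro smbd[3065]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: michael
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ smbd\[\d+\]:\s+(.*)$")
HELPER = re.compile(r"pam_unix\(\w+:\w+\): helper binary execve failed: (.+)")
PAMERR = re.compile(r"PAM ERROR \((\d+)\) during (.+?) for User: (\S+)")

def parse(text):
    """Yield (timestamp, message) for every smbd journal line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            yield m.group(1), m.group(2)

def triage(text):
    """Pair each smbd PAM error with a pam_unix helper failure from the same second.

    The helper line is logged under a different PID than the smbd line,
    so the timestamp is used as the join key, not the PID.
    """
    events = list(parse(text))
    helper = {ts: h.group(1) for ts, msg in events if (h := HELPER.search(msg))}
    findings = []
    for ts, msg in events:
        e = PAMERR.search(msg)
        if e:
            code = int(e.group(1))
            findings.append({"time": ts, "user": e.group(3), "phase": e.group(2),
                             "code": PAM_CODES.get(code, f"unknown ({code})"),
                             "helper_error": helper.get(ts)})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A `helper_error` of `Permission denied` means the helper could not be executed at all, so the account check failed before any account data was read.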

@michaeldchristopher Please…

…and edit your last reply if no one has responded yet instead of replying multiple times in a row.

I’ve cleaned this thread up accordingly to help others help you. :wink:

I am sorry. I have used Manjaro for years but never needed to ask for help. I will try to do better.
I did not know the backticks were good, I thought I needed to remove them.

I will try to figure out how to edit. All I saw was reply.

I see the pencil now for reply. Mea culpa.

I still think that your pacnews might include some pam configs that need to be compared/merged.

sudo pacman -S pacman-contrib
pacdiff -o

That's just to print.
You will probably want to do something like

DIFFPROG=meld pacdiff -s

to do the actual managing.
Or use the manjaro-pacnew-checker tool.

This is covered at the link and some threads here as well.

…or manjaro-pacnew-checker. :wink:

Hi. can you try this?

sudo aa-complain /usr/bin/smbd
and next command
sudo aa-complain samba-dcerpcd samba-bgqd samba-rpcd samba-rpcd-classic samba-rpcd-spoolss

sudo systemctl restart smb.service

then give it a try!

If you haven’t been handling .pacnew and .pacsave files then your problem is almost certainly related to the recent polkit update. Compare /etc/pam.d/polkit-1.pacsave (old) to /usr/lib/pam.d/polkit-1 (new) and merge changes as necessary.

This was very clearly pointed out in Known Issues for [Stable Update] 2024-02-21.

Thank you all so much. I am back alive and hopefully a bit wiser.

I really appreciate the help.

For the sake of closing this thread, what exactly solved your issue? Please add a little tick under the post you feel helped you the most.

(I’m guessing it was this one.)

Cheers.
