Project

General

Profile

Actions
Copy link

tickets #169213

open

Kanidm PAM_CONV_ERR

Added by crameleon 19 days ago. Updated 17 days ago.

Status:
New
Priority:
Normal
Assignee:
firstyear
Category:
FreeIPA/Kanidm
Target version:
-
Start date:
2024-11-02
Due date:
% Done:

0%

Estimated time:

Description

Today I wanted to elevate to root:

crameleon@slimhat:/home/crameleon> sudo -i
2024-11-02T12:43:02.371263Z ERROR get_pam_info err=PAM_CONV_ERR
Sorry, try again.
2024-11-02T12:43:02.371648Z ERROR get_pam_info err=PAM_CONV_ERR
Sorry, try again.
2024-11-02T12:43:02.371973Z ERROR get_pam_info err=PAM_CONV_ERR

The journal reports:

Nov 02 12:42:55 slimhat sudo[30310]: crameleon : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
Nov 02 12:43:02 slimhat sudo[30312]: crameleon : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/bash

But I did not even get to enter my passphrase once.

The following updates were installed in the last two days (I recall it still working 1-2 days ago):

slimhat (Hypervisor, IPMI access):~ # grep '^2024-11-0' /var/log/zypp/history
2024-11-01 00:17:04|command|root@slimhat|'zypper' 'up' '-y' '--auto-agree-with-product-licenses'|
2024-11-01 00:17:05|install|libgnutls30|3.8.3-150600.4.3.1|x86_64||repo-sle-update|8b0fef9f2f65cccc86b3cdc5722787ea7b9a16edc5a42faaabc9ff408b2e8354|
2024-11-01 00:17:05|install|gnutls|3.8.3-150600.4.3.1|x86_64||repo-sle-update|a4ad1b597cced3ff10c1701602c6a5fee0e69d276bca1f2578143094b3d19b84|
2024-11-01 00:17:05|patch  |openSUSE-SLE-15.6-2024-3846|1|noarch|repo-sle-update|moderate|recommended|needed|applied|
2024-11-02 00:17:29|command|root@slimhat|'zypper' 'up' '-y' '--auto-agree-with-product-licenses'|
2024-11-02 00:17:29|install|libgcc_s1|14.2.0+git10526-150000.1.6.1|x86_64||repo-sle-update|fe0445a81ab6cecc2fa9e4bf8b005b1cf5f638d72082241864ea7887fe3f2ca6|
2024-11-02 00:17:29|install|libpython3_6m1_0|3.6.15-150300.10.75.1|x86_64||repo-sle-update|6cba0cd7346049bc038fae9f746da636b6e73b5cf3e7f705e64c6033a65dd94a|
2024-11-02 00:17:33|install|python3-base|3.6.15-150300.10.75.1|x86_64||repo-sle-update|c7c64d1b8c20abae5550cfa7edccdfd6965fd13140b50abcae92637e70324754|
2024-11-02 00:17:34|install|python3|3.6.15-150300.10.75.1|x86_64||repo-sle-update|1dbdb24fe3a3de83e641c442607bef3885fc4f7d010a339f1dead50e57f0577c|
2024-11-02 00:17:34|install|python3-curses|3.6.15-150300.10.75.1|x86_64||repo-sle-update|4687fa113ba2aea5c134020a08a68e45b0edfa9cabf232e1236d0bfd2a172661|
2024-11-02 00:17:34|install|libquadmath0|14.2.0+git10526-150000.1.6.1|x86_64||repo-sle-update|151bf346c3cb33a12dfb10703a1474e92d8d6737f2536b5a71fea36e83886d73|
2024-11-02 00:17:34|install|libruby2_5-2_5|2.5.9-150000.4.32.1|x86_64||repo-sle-update|9834282840d03cb8b46c29ae03e6049149654077860d688034632bb81b3fc084|
2024-11-02 00:17:37|install|ruby2.5-stdlib|2.5.9-150000.4.32.1|x86_64||repo-sle-update|aec7b885034317769a9843dbc10d550c0176071e40b6b0c8699f9086757962f8|
2024-11-02 00:17:37|install|ruby2.5|2.5.9-150000.4.32.1|x86_64||repo-sle-update|9375193cf0d8046862dde051fa34335e632ac1323f25c62b2ba10700b71b9aa0|
2024-11-02 00:17:37|install|libstdc++6|14.2.0+git10526-150000.1.6.1|x86_64||repo-sle-update|1d1f97ad630757884c319cc563ad7a839a7eedacd4ebf936d0fcc850d9870d3b|
2024-11-02 00:17:38|install|python3-dbm|3.6.15-150300.10.75.1|x86_64||repo-sle-update|1a4d2a5f9c392a33a733f6717372178d16d10a10c1875026cb34513434f06bc4|
2024-11-02 00:17:38|install|libgfortran5|14.2.0+git10526-150000.1.6.1|x86_64||repo-sle-update|7aba5e854ae5ac3457b96b48fe112217aee028dfd4f711e3ada022afdeacbaab|
2024-11-02 00:17:39|install|kanidm-clients|1.4.0~git1.c297c3f-lp156.2.1|x86_64||openSUSE:infrastructure|366cd19e4128580f8079d812cd554ade0534590ba537bdc3e76dd218f5b6b0a7|
2024-11-02 00:17:50|install|kanidm-unixd-clients|1.4.0~git1.c297c3f-lp156.2.1|x86_64||openSUSE:infrastructure|bbe7e4e794a50caa65de2f19ad3a0f9c0f6bd380f48a557ca1292a10fbf03465|
2024-11-02 00:17:51|install|kanidm|1.4.0~git1.c297c3f-lp156.2.1|x86_64||openSUSE:infrastructure|b9435cefc079971765c8cddda5de3d7ae72bbaa0709d575a50e52934c58b25e4|
2024-11-02 00:17:51|patch  |openSUSE-SLE-15.6-2024-3865|1|noarch|repo-sle-update|moderate|recommended|needed|applied|
2024-11-02 00:17:51|patch  |openSUSE-SLE-15.6-2024-3879|1|noarch|repo-sle-update|moderate|security|needed|applied|
2024-11-02 00:17:51|patch  |openSUSE-SLE-15.6-2024-3874|1|noarch|repo-sle-update|important|security|needed|applied|

This happens on all Leap machines as far as I can tell.

Downgrading the packages

kanidm
kanidm-clients
kanidm-unixd-clients

from 1.4.0~git1.c297c3f to 1.3.3~git0.f075d13 makes it work again.

We still have the Factory version through openSUSE:infrastructure due to need for a newer version in the past, hence us discovering this. I suggest we switch back to the distribution version (as we should be using that anyways - we switched to the o:i link in the past when we had earlier need for some patches) and to stop releasing https://build.opensuse.org/request/show/1219995 until there's a solution.

Actions
Copy link
 #1

Updated by crameleon 19 days ago

  • Assignee set to firstyear
  • Private changed from Yes to No
Actions
Copy link
 #2

Updated by crameleon 19 days ago ยท Edited

I did 

salt -G osfullname:Leap cmd.run 'zypper -n in --oldpackage --from repo-backports-update kanidm kanidm-clients kanidm-unixd-clients'

now so all Leap clients are back to the stable/distribution version (1.3.3 and working well as of now) and I deleted the link from openSUSE:infrastructure as we do not need it anymore.

Kanidm servers I notice were also using it, but I'm not sure downgrading those is safe so I left them for now.

Actions
Copy link
 #4

Updated by crameleon 19 days ago

Cool, maybe supersede the previous SR to avoid confusion. :)

Actions
Copy link
 #5

Updated by firstyear 17 days ago

I don't see an option to supersede, so I'll just leave it be (OBS confuses me at the best of times).

Actions
Copy link

Also available in: Atom PDF