
#1 2014-05-17 17:08:51

jwatte
Member
Registered: 2012-06-22
Posts: 58

useradd: PAM: Authentication service cannot retrieve authentication in

useradd fails on my system. This system was re-installed from scratch less than a year ago, and has had regular "pacman -Syu" run on it. I don't do much custom system administration; mainly run LXDE and vim/gcc/make as my regular user account.

I recently ran into a problem where both mariadb and percona-server would fail to start on the system after installation, and tracked it down to the mysql user not being properly created. Trying to run useradd manually, I find that that utility has broken. Googling around, people suggest this might be a problem with /etc/shadow or config files in /etc/pam.d/, so I looked into that.

The error I get is:

useradd: PAM: Authentication service cannot retrieve authentication info

Running strace on useradd, it seems quite capable of opening /etc/shadow and /etc/passwd, and getuid() returns 0 for "root":

open("/etc/pam.d/other", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1a7c0eb000
read(3, "#%PAM-1.0\nauth\t\trequired\tpam_uni"..., 4096) = 127
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f1a7c0eb000, 4096)            = 0
getuid()                                = 0
getuid()                                = 0
open("/etc/login.defs", O_RDONLY)       = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=5519, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1a7c0eb000
read(3, "#\n# /etc/login.defs - Configurat"..., 4096) = 4096
read(3, "gular users using chfn - use\n# a"..., 4096) = 1423
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f1a7c0eb000, 4096)            = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=610, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1a7c0eb000
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 610
close(3)                                = 0
munmap(0x7f1a7c0eb000, 4096)            = 0
geteuid()                               = 0
open("/etc/shadow", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0600, st_size=413, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1a7c0eb000
read(3, "root:x::::::\nbin:x:14871::::::\nd"..., 4096) = 413
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f1a7c0eb000, 4096)            = 0
write(2, "useradd: PAM: Authentication ser"..., 73useradd: PAM: Authentication service cannot retrieve authentication info
) = 73

The config files look fine:

[root@robot1 jwatte]# cat /etc/pam.d/useradd 
#%PAM-1.0
auth		sufficient	pam_rootok.so
auth		required	pam_unix.so
account		required	pam_unix.so
session		required	pam_unix.so
password	required	pam_permit.so
[root@robot1 jwatte]# cat /etc/pam.d/other 
#%PAM-1.0
auth		required	pam_unix.so
account		required	pam_unix.so
password	required	pam_unix.so
session		required	pam_unix.so
[root@robot1 jwatte]# 

I'll re-post this in a separate topic.

How do I take the next step in resolving and debugging this issue?
Is there any debug I can find anywhere about why PAM decides this should fail? Good-old /var/log/auth.log doesn't exist anymore, and journalctl -b is not very helpful:

May 17 09:52:15 robot1 sudo[676]: pam_unix(sudo:session): session opened for user root by jwatte(uid=0)
May 17 09:52:15 robot1 useradd[677]: Authentication service cannot retrieve authentication info
May 17 09:52:15 robot1 useradd[677]: failed adding user 'mysql', data deleted

I still can't get much information out of PAM -- specifically, which module fails, at what step?
I've read the code for useradd, and the code for PAM (AAAUUGH! THE GOGGLES! THEY DO NOTHING!)
I ended up adding pam_warn.so to "others" and "useradd" for the "account" action, and I got one (1) more line into the journalctl:

May 17 11:04:54 robot1 useradd[29944]: pam_warn(useradd:account): function=[pam_sm_acct_mgmt] service=[useradd] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>]

Does it matter that terminal, ruser, and rhost are unknown? How would I find out?

Last edited by jwatte (2014-05-17 18:10:23)

Offline
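
An added example, not part of the original post: a structural check of /etc/shadow lines against the nine-field layout of shadow(5), plus a passwd cross-check. The first two shadow lines and the root passwd line are copied from the strace output above (the root shadow line there has eight fields); all other sample lines are constructed, and the thread does not establish whether this is what pam_unix trips over.

```python
# Added example: structural check of shadow(5) lines (nine colon-separated
# fields). Shadow lines 1-2 are the entries visible in the strace read on
# this page; every other sample line is constructed.
SAMPLE_SHADOW = (
    "root:x::::::\n"
    "bin:x:14871::::::\n"
    "daemon:x:14871::::::\n"
    "jwatte:$6$constructed$hash:16000:0:99999:7:::\n"
    "ftp:x:abc::::::\n"
)
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"       # from the strace on this page
    "bin:x:1:1:bin:/bin:/bin/false\n"         # constructed
    "svcdemo:x:900:900::/var/empty:/bin/false\n"  # constructed, no shadow line
)
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn",
          "inactive", "expire", "reserved")

def check_shadow(text):
    """Return [(line_no, account, problem)] for malformed shadow lines."""
    problems, seen = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        parts = line.split(":")
        name = parts[0]
        if len(parts) != len(FIELDS):
            problems.append((no, name, f"{len(parts)} fields, expected {len(FIELDS)}"))
            continue
        if name in seen:
            problems.append((no, name, "duplicate entry"))
        seen.add(name)
        # lastchg .. expire must each be empty or a decimal number
        for label, value in zip(FIELDS[2:8], parts[2:8]):
            if value and not value.isdigit():
                problems.append((no, name, f"{label} is not a number: {value!r}"))
    return problems

def missing_shadow(passwd_text, shadow_text):
    """Accounts whose passwd hash field is 'x' but that have no shadow line."""
    shadowed = {l.split(":")[0] for l in shadow_text.splitlines() if l}
    return [p[0] for p in (l.split(":") for l in passwd_text.splitlines() if l)
            if len(p) > 1 and p[1] == "x" and p[0] not in shadowed]

if __name__ == "__main__":
    for finding in check_shadow(SAMPLE_SHADOW):
        print(finding)
    print("no shadow entry:", missing_shadow(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

On a live system the same functions can be run as root over the real file contents; `pwck -r` from the shadow package performs a comparable read-only check.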

#2 2014-05-18 16:14:18

jwatte
Member
Registered: 2012-06-22
Posts: 58

Re: useradd: PAM: Authentication service cannot retrieve authentication in

So, debugging why PAM doesn't want root to create users: impossible?

Offline

#3 2014-05-20 05:07:09

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: useradd: PAM: Authentication service cannot retrieve authentication in

Have you modified any files that could affect this e.g. /etc/nsswitch.conf or /etc/pam.d/system-auth?

How do you authenticate your user?


All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.

Offline

#4 2014-05-20 16:13:15

jwatte
Member
Registered: 2012-06-22
Posts: 58

Re: useradd: PAM: Authentication service cannot retrieve authentication in

Thanks for the answer. I have not modified any of those files.
The un-privileged user is automatically logged in to lxsession.
This user then authenticates as root with "sudo," or "sudo bash" in a terminal window, which reads a keyboard-entered password, which in turn lives in /etc/shadow (as normal.)

Offline

#5 2014-12-27 18:51:26

jwatte
Member
Registered: 2012-06-22
Posts: 58

Re: useradd: PAM: Authentication service cannot retrieve authentication in

This problem has struck again (or, perhaps, it's still there.)
I ran pacman -Syu, and it failed to create a "colord" user.
I also installed "ntp" and it failed to create the "ntpd" user.

I'm still looking for help on how to debug this.

Offline

#6 2014-12-27 19:03:44

jwatte
Member
Registered: 2012-06-22
Posts: 58

Re: useradd: PAM: Authentication service cannot retrieve authentication in

More clues: It is likely that my setup with auto-login is a culprit. I auto-login to LXDE, and then use "sudo" to "useradd."
With the following useradd file in /etc/pam.d, this works:

#%PAM-1.0
auth        sufficient  pam_rootok.so
#auth       required    pam_unix.so
auth        required    pam_permit.so
#account        required    pam_unix.so
account     required    pam_permit.so
account     required    pam_warn.so
#session        required    pam_unix.so
session     required    pam_permit.so
password    required    pam_permit.so

Note: This means that anyone who can get root can run useradd. I'm OK with this for now. But I'd like to know which option is actually failing, and why.

Offline
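
An added example, not part of the original post: a simplified model of how PAM combines the required, requisite, sufficient and optional control flags, applied to the two /etc/pam.d/useradd files quoted in this thread. Which modules fail is an input chosen for illustration; bracketed controls and include lines are not modelled.

```python
# Added example: simplified PAM stack evaluation. The two configurations are
# the useradd files quoted in this thread; the set of failing modules passed
# to evaluate() is an assumption made for illustration.
ORIGINAL = """\
#%PAM-1.0
auth      sufficient  pam_rootok.so
auth      required    pam_unix.so
account   required    pam_unix.so
session   required    pam_unix.so
password  required    pam_permit.so
"""
WORKAROUND = """\
#%PAM-1.0
auth      sufficient  pam_rootok.so
#auth     required    pam_unix.so
auth      required    pam_permit.so
#account  required    pam_unix.so
account   required    pam_permit.so
account   required    pam_warn.so
#session  required    pam_unix.so
session   required    pam_permit.so
password  required    pam_permit.so
"""

def parse(text):
    """Return {type: [(control, module), ...]} for the active lines."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line:
            mtype, control, module = line.split()[:3]
            stacks.setdefault(mtype, []).append((control, module))
    return stacks

def run_stack(stack, failing):
    """Evaluate one stack. Returns (passed, first module that caused failure)."""
    first_fail = None
    for control, module in stack:
        ok = module not in failing
        if ok and control == "sufficient" and first_fail is None:
            return True, None                  # success short-circuits the stack
        if not ok and control in ("required", "requisite"):
            first_fail = first_fail or module  # sufficient/optional failures are ignored
            if control == "requisite":
                break                          # requisite stops immediately
    return first_fail is None, first_fail

def evaluate(text, failing):
    return {t: run_stack(s, failing) for t, s in parse(text).items()}
```

In this model the workaround file passes every stack regardless of which modules fail, including the auth stack when pam_rootok.so does not succeed, because pam_permit.so is the only deciding module left.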
