For the longest time Plesk updates have been showing the error “Warning: install PAM module not successed” on one of my Plesk installations. While this message is a bit scary to read, the installer always claimed that all changes had been executed successfully. And I never experienced any negative effects, indeed. So I got used to ignoring the error a while ago.
Today I stepped over it once more and I finally took the time to investigate it further.
FYI: this is Plesk Obsidian 18.0.61 on Ubuntu 20.04 LTS.
This is the message appearing in the installation log:
CRITICAL:3:a programming/runtime error (PAMConfig.confset.PAMServiceError: system-auth)
Trying to install PAM module… PAM configuration loaded from (directory="/etc/pam.d", file="/etc/pam.conf"). Configuration contains 29 file(s)
3:a programming/runtime error (PAMConfig.confset.PAMServiceError: system-auth)
Warning: install PAM module not successedGoogle wasn’t very helpful as I found exactly one result complaining about the same error, but without any solution. The Plesk forum didn’t have anything good to tell either at this point. Even though there is no clear indication which (.deb) package exactly is causing the issue, its pretty obvious that it must be PAM related. `libpam-plesk` seems to be a good candidate. So I grabbed it from `/var/cache/apt` to have a look at its content.
$# ar -x ../libpam-plesk_18.0-v.ubuntu.20.04+p18.0.61.0+t240426.1307_amd64.deb
$# tar xJf control.tar.xz
$# tar xJf data.tar.xzThis got me a bunch of files and directories to look at.
Unfortunately the message “install PAM module” can’t be found inside any of them, but there is a “uninstall PAM module” message, so I considered myself being on the right track.
After some more digging I found that postinst calls /opt/psa/bootstrapper/components/libpam-plesk.sh which contains “install PAM module”. Yay!
This bootstrapper script finally calls the binary /opt/psa/pam_plesk_config/pam_plesk_install. Uuuh, a binary?
Remember the plesk forum? This time a search there gave me 2 hints: a) people have been calling pam_plesk_install multiple times without doing any futher harm and b) pam_plesk_install supports -v for more verbosity.
# /usr/local/psa/pam_plesk_config/pam_plesk_install -v
DEBUG:Loading PAM configuration from (directory="/etc/pam.d", file="/etc/pam.conf")
INFO:PAM configuration loaded from (directory="/etc/pam.d", file="/etc/pam.conf"). Configuration contains 29 file(s)
DEBUG:calculating changes for 'auth' stacks
DEBUG:S3:Traceback (most recent call last):
File "pam_plesk_install.py", line 351, in main
File "pam_plesk_install.py", line 35, in getAuthChanges
File "PAMConfig/analyzers.py", line 130, in selectServices
shared = confSet.getCommonServiceNames(self.facility)
File "PAMConfig/confset.py", line 958, in getCommonServiceNames
if self.getConf(c, facility):
File "PAMConfig/confset.py", line 980, in getConf
raise PAMServiceError(service)
PAMConfig.confset.PAMServiceError: system-auth
CRITICAL:3:a programming/runtime error (PAMConfig.confset.PAMServiceError: system-auth)Not too helpful, but there are references to .py files? Ok… so this “binary” might be just a collection of Python scripts, stitched together with something like pyinstaller.
Thankfully theres a python script pyinstextractor.py available at https://github.com/extremecoders-re/pyinstxtractor to extract whatever might be hidden in such a binary. Spoiler Alert: THIS is not a pyinstaller binary. Dead end.
Sooo… back to the binary: the first two bytes of the file header read PK… maybe its a simple ZIP file?
$# unzip pam_plesk_install
Archive: pam_plesk_install
inflating: .bootstrap/init.py
inflating: .bootstrap/_markerlib/init.py
[...]Indeed! Now we’re talking…
Crawling the source code was challenging and I will not claim to understand everything or even try to document the steps, but my summary is: pam_plesk_install verifies/analyzes all files in pam.d, regardsless if it needs to touch them or not. So this might be something completely unrelated to plesk.
BTW:
# FIXME: the entire aproach is somewhat sick. I just don’t
PAMConfig/analyzers.py
# have a better one at the moment…
Well… yeah, by now I think I know what you mean! And heres the root cause: a completely different service (Acronis Backup Manager) referenced `system-auth` in one of its own `pam.d` files. Appearantly `system-auth` is not available in Ubuntu 20.04 (anymore?) and `pam_plesk_install` can’t get any details about it. That ultimately crashed the script!
#%PAM-1.0
acronisagent.system
auth include system-auth
auth required pam_listfile.so item=user sense=allow file=/etc/security/acronisagent.conf onerr=fail
account include system-auth
Since I didn’t use Acronis for a long time, my fix was easy: just get rid of BackupManager. Or: So I thought… but thats another story which will be told another day.
Hint: Don’t trust Acronis’ uninstaller to not touch files it doesn’own in /usr/sbin !
Anyways, the takeaway is: The error described here is gone for good after removing any invalid/outdated entries from pam.d files.
Plese let me know if you found this to be helpful!
I posted a copy of this to the plesk forums here: https://talk.plesk.com/threads/error-message-during-plesk-updates-warning-install-pam-module-not-successed-pamconfig-confset-pamserviceerror-system-auth.374405/