|
Bugzilla – Full Text Bug Listing |
| Summary: | After update it's not possible to access over samba | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Unger <os-tw> |
| Component: | AppArmor | Assignee: | Christian Boltz <suse-beta> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | nopower, os-tw, santiago.zarate |
| Version: | Current | ||
| Target Milestone: | --- | ||
| Hardware: | 64bit | ||
| OS: | openSUSE Tumbleweed | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
|
Description
Unger
2024-02-17 23:36:01 UTC
(In reply to Unger from comment #0) > Hi, > > After an update of a bunch of packages last week, it wasn't possible to log > in to / access samba from windows or via smbclient. In log I found: > > smbd[3096]: pam_unix(samba:account): helper binary execve failed: Keine > Berechtigung > nscd[836]: Prüfe auf überwachte Datei »/etc/nsswitch.conf«: Datei oder > Verzeichnis nicht gefunden according to google translate this message is saying /etc/nsswitch.conf is missing so no surprise authentication isn't working were you doing something else that might have resulted in this file getting deleted ? (or moved) can you verify nsswitch.conf exists ? (In reply to Noel Power from comment #1) > (In reply to Unger from comment #0) > > Hi, > > > > After an update of a bunch of packages last week, it wasn't possible to log > > in to / access samba from windows or via smbclient. In log I found: > > > > smbd[3096]: pam_unix(samba:account): helper binary execve failed: Keine > > Berechtigung > > nscd[836]: Prüfe auf überwachte Datei »/etc/nsswitch.conf«: Datei oder > > Verzeichnis nicht gefunden > > according to google translate this message is saying /etc/nsswitch.conf is > missing so no surprise authentication isn't working > > were you doing something else that might have resulted in this file getting > deleted ? (or moved) > > can you verify nsswitch.conf exists ? Ok, I can confirm that there was never a /etc/nsswitch.conf since start of the journal in October 2023, so it was a bit misleading. Nevertheless samba worked until 2024 Feb 14 9am. At approx. 9:10 I had a huge upgrade (>1000 packages) and afterwards it was broken. While browsing through the logs I found the following lines right before it stopped working properly: Feb 14 09:25:25 MYHOST smbd[28626]: PAM unable to dlopen(/usr/lib64/security/pam_systemd.so): /lib64/libm.so.6: version `GLIBC_2.39' not found (required by /usr/lib64/security/pam_systemd.so) Feb 14 09:25:25 MYHOST smbd[28626]: PAM adding faulty module: /usr/lib64/security/pam_systemd.so (In reply to Unger from comment #2) > (In reply to Noel Power from comment #1) > > (In reply to Unger from comment #0) > > > Hi, > > > > > > After an update of a bunch of packages last week, it wasn't possible to log > > > in to / access samba from windows or via smbclient. In log I found: > > > > > > smbd[3096]: pam_unix(samba:account): helper binary execve failed: Keine > > > Berechtigung > > > nscd[836]: Prüfe auf überwachte Datei »/etc/nsswitch.conf«: Datei oder > > > Verzeichnis nicht gefunden > > > > according to google translate this message is saying /etc/nsswitch.conf is > > missing so no surprise authentication isn't working > > > > were you doing something else that might have resulted in this file getting > > deleted ? (or moved) > > > > can you verify nsswitch.conf exists ? > > Ok, I can confirm that there was never a /etc/nsswitch.conf since start of > the journal in October 2023, so it was a bit misleading. erm I can't see how this can be, /etc/nsswitch.conf is a core file it is part of glibc is should be there, unless I am mistaken if not something is really wrong > Nevertheless samba worked until 2024 Feb 14 9am. At approx. 9:10 I had a > huge upgrade (>1000 packages) and afterwards it was broken. > > While browsing through the logs I found the following lines right before it > stopped working properly: > > Feb 14 09:25:25 MYHOST smbd[28626]: PAM unable to > dlopen(/usr/lib64/security/pam_systemd.so): /lib64/libm.so.6: version > `GLIBC_2.39' not found (required by /usr/lib64/security/pam_systemd.so) > Feb 14 09:25:25 MYHOST smbd[28626]: PAM adding faulty module: > /usr/lib64/security/pam_systemd.so really looks like there is some problem with authentication related components on this system and their required version of glibc versus what is installed. Looks likely that something went very wrong during your upgrade (In reply to Noel Power from comment #3) > (In reply to Unger from comment #2) > > (In reply to Noel Power from comment #1) > > > (In reply to Unger from comment #0) > > > > Hi, > > > > > > > > After an update of a bunch of packages last week, it wasn't possible to log > > > > in to / access samba from windows or via smbclient. In log I found: > > > > > > > > smbd[3096]: pam_unix(samba:account): helper binary execve failed: Keine > > > > Berechtigung > > > > nscd[836]: Prüfe auf überwachte Datei »/etc/nsswitch.conf«: Datei oder > > > > Verzeichnis nicht gefunden > > > > > > according to google translate this message is saying /etc/nsswitch.conf is > > > missing so no surprise authentication isn't working > > > > > > were you doing something else that might have resulted in this file getting > > > deleted ? (or moved) > > > > > > can you verify nsswitch.conf exists ? > > > > Ok, I can confirm that there was never a /etc/nsswitch.conf since start of > > the journal in October 2023, so it was a bit misleading. > erm I can't see how this can be, /etc/nsswitch.conf is a core file it is > part of glibc is should be there, unless I am mistaken if not something is > really wrong ok, it seems that server installs apparently don't install /etc/nsswitch.conf anymore (although in the vm I installed to check this it did) nscd apparently has a bug against it for spitting out these errors. So yes, probably a red herring > > > Nevertheless samba worked until 2024 Feb 14 9am. At approx. 9:10 I had a > > huge upgrade (>1000 packages) and afterwards it was broken. > > > > While browsing through the logs I found the following lines right before it > > stopped working properly: > > > > Feb 14 09:25:25 MYHOST smbd[28626]: PAM unable to > > dlopen(/usr/lib64/security/pam_systemd.so): /lib64/libm.so.6: version > > `GLIBC_2.39' not found (required by /usr/lib64/security/pam_systemd.so) > > Feb 14 09:25:25 MYHOST smbd[28626]: PAM adding faulty module: > > /usr/lib64/security/pam_systemd.so > > really looks like there is some problem with authentication related > components on this system and their required version of glibc versus what is > installed. Looks likely that something went very wrong during your upgrade but those errors indeed to look like they indicating some package broken-ness. Question is what errors do you see in samba logs and journal when trying to authenticate say with smbclient. Also smb.conf would be helpful. Meanwhile I will try a fresh install again (just to see why I seem to have a /etc/nsswitch.conf) (In reply to Noel Power from comment #4) > (In reply to Noel Power from comment #3) > > (In reply to Unger from comment #2) > > > (In reply to Noel Power from comment #1) > > > > (In reply to Unger from comment #0) > > > > > Hi, > > > > > > > > > > After an update of a bunch of packages last week, it wasn't possible to log > > > > > in to / access samba from windows or via smbclient. In log I found: > > > > > > > > > > smbd[3096]: pam_unix(samba:account): helper binary execve failed: Keine > > > > > Berechtigung > > > > > nscd[836]: Prüfe auf überwachte Datei »/etc/nsswitch.conf«: Datei oder > > > > > Verzeichnis nicht gefunden > > > > > > > > according to google translate this message is saying /etc/nsswitch.conf is > > > > missing so no surprise authentication isn't working > > > > > > > > were you doing something else that might have resulted in this file getting > > > > deleted ? (or moved) > > > > > > > > can you verify nsswitch.conf exists ? > > > > > > Ok, I can confirm that there was never a /etc/nsswitch.conf since start of > > > the journal in October 2023, so it was a bit misleading. > > erm I can't see how this can be, /etc/nsswitch.conf is a core file it is > > part of glibc is should be there, unless I am mistaken if not something is > > really wrong > ok, it seems that server installs apparently don't install > /etc/nsswitch.conf anymore (although in the vm I installed to check this it > did) nscd apparently has a bug against it for spitting out these errors. So > yes, probably a red herring > > > > > > > Nevertheless samba worked until 2024 Feb 14 9am. At approx. 9:10 I had a > > > huge upgrade (>1000 packages) and afterwards it was broken. > > > > > > While browsing through the logs I found the following lines right before it > > > stopped working properly: > > > > > > Feb 14 09:25:25 MYHOST smbd[28626]: PAM unable to > > > dlopen(/usr/lib64/security/pam_systemd.so): /lib64/libm.so.6: version > > > `GLIBC_2.39' not found (required by /usr/lib64/security/pam_systemd.so) > > > Feb 14 09:25:25 MYHOST smbd[28626]: PAM adding faulty module: > > > /usr/lib64/security/pam_systemd.so > > > > really looks like there is some problem with authentication related > > components on this system and their required version of glibc versus what is > > installed. Looks likely that something went very wrong during your upgrade > > but those errors indeed to look like they indicating some package > broken-ness. Question is what errors do you see in samba logs and journal > when trying to authenticate say with smbclient. Also smb.conf would be > helpful. Meanwhile I will try a fresh install again (just to see why I seem > to have a /etc/nsswitch.conf) This is the smb.conf that worked 2 weeks ago: [global] workgroup = WORKGROUP netbios name = BilderKeller server string = %h min protocol = SMB2 client min protocol = SMB2 security = user log file = /var/log/samba/log.%m max log size = 1000 logging = file server role = standalone server obey pam restrictions = yes map to guest = bad user usershare allow guests = No ldap admin dn = passdb backend = smbpasswd wins support = Yes [Bilder] comment = needs username and password to access path = /srv/samba/private/ browseable = yes guest ok = no writable = yes valid users = @samba [scanner] comment = place for scans path = /srv/samba/private/scan browseable = yes guest ok = no writable = yes valid users = @samba,hp-scan Now I removed the following lines: client min protocol = SMB2 - seems to be outdated since 4.15 acc. to https://wiki.samba.org/index.php/Samba_Features_added/changed#smb.conf_changes_6 obey pam restrictions = yes - just a try ldap admin dn = - I don't know why I put it there, so removed Now it works again, but it would be nice to have more detailed information in the log-files. From the log files for my computer before I changed the config: [2024/02/25 16:05:19.010811, 0] ../../source3/auth/pampass.c:592(smb_pam_account) smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: REDACTED [2024/02/25 16:05:19.010867, 0] ../../source3/auth/pampass.c:800(smb_pam_accountcheck) smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User REDACTED! (In reply to Unger from comment #5) > (In reply to Noel Power from comment #4) > > (In reply to Noel Power from comment #3) > > > (In reply to Unger from comment #2) > > > > (In reply to Noel Power from comment #1) > > > > > (In reply to Unger from comment #0) > > > > > > Hi, > > > > > > > > > > > > After an update of a bunch of packages last week, it wasn't possible to log > > > > > > in to / access samba from windows or via smbclient. In log I found: > > > > > > > > > > > > smbd[3096]: pam_unix(samba:account): helper binary execve failed: Keine > > > > > > Berechtigung > > > > > > nscd[836]: Prüfe auf überwachte Datei »/etc/nsswitch.conf«: Datei oder > > > > > > Verzeichnis nicht gefunden > > > > > > > > > > according to google translate this message is saying /etc/nsswitch.conf is > > > > > missing so no surprise authentication isn't working > > > > > > > > > > were you doing something else that might have resulted in this file getting > > > > > deleted ? (or moved) > > > > > > > > > > can you verify nsswitch.conf exists ? > > > > > > > > Ok, I can confirm that there was never a /etc/nsswitch.conf since start of > > > > the journal in October 2023, so it was a bit misleading. > > > erm I can't see how this can be, /etc/nsswitch.conf is a core file it is > > > part of glibc is should be there, unless I am mistaken if not something is > > > really wrong > > ok, it seems that server installs apparently don't install > > /etc/nsswitch.conf anymore (although in the vm I installed to check this it > > did) nscd apparently has a bug against it for spitting out these errors. So > > yes, probably a red herring > > > > > > > > > > > Nevertheless samba worked until 2024 Feb 14 9am. At approx. 9:10 I had a > > > > huge upgrade (>1000 packages) and afterwards it was broken. > > > > > > > > While browsing through the logs I found the following lines right before it > > > > stopped working properly: > > > > > > > > Feb 14 09:25:25 MYHOST smbd[28626]: PAM unable to > > > > dlopen(/usr/lib64/security/pam_systemd.so): /lib64/libm.so.6: version > > > > `GLIBC_2.39' not found (required by /usr/lib64/security/pam_systemd.so) > > > > Feb 14 09:25:25 MYHOST smbd[28626]: PAM adding faulty module: > > > > /usr/lib64/security/pam_systemd.so > > > > > > really looks like there is some problem with authentication related > > > components on this system and their required version of glibc versus what is > > > installed. Looks likely that something went very wrong during your upgrade > > > > but those errors indeed to look like they indicating some package > > broken-ness. Question is what errors do you see in samba logs and journal > > when trying to authenticate say with smbclient. Also smb.conf would be > > helpful. Meanwhile I will try a fresh install again (just to see why I seem > > to have a /etc/nsswitch.conf) > This is the smb.conf that worked 2 weeks ago: > [global] > workgroup = WORKGROUP > netbios name = BilderKeller > server string = %h > min protocol = SMB2 > client min protocol = SMB2 > security = user > log file = /var/log/samba/log.%m > max log size = 1000 > logging = file > server role = standalone server > obey pam restrictions = yes > map to guest = bad user > usershare allow guests = No > ldap admin dn = > passdb backend = smbpasswd > wins support = Yes > [Bilder] > comment = needs username and password to access > path = /srv/samba/private/ > browseable = yes > guest ok = no > writable = yes > valid users = @samba > [scanner] > comment = place for scans > path = /srv/samba/private/scan > browseable = yes > guest ok = no > writable = yes > valid users = @samba,hp-scan > > Now I removed the following lines: > > client min protocol = SMB2 - seems to be outdated since 4.15 > acc. to > https://wiki.samba.org/index.php/Samba_Features_added/changed#smb. > conf_changes_6 that is just informational, since (some CVE, can't remember which) client min protocol doesn't need to be specified (except in some strange legacy scenarios) these days the value for this item is calcuated automatically > obey pam restrictions = yes - just a try This is what 'fixed' your problems > ldap admin dn = - I don't know why I put it there, > so removed yep it is unnecessary > > Now it works again, but it would be nice to have more detailed information > in the log-files. I think i > > From the log files for my computer before I changed the config: > > [2024/02/25 16:05:19.010811, 0] > ../../source3/auth/pampass.c:592(smb_pam_account) > smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for > User: REDACTED > [2024/02/25 16:05:19.010867, 0] > ../../source3/auth/pampass.c:800(smb_pam_accountcheck) > smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User > REDACTED! I believe the log entries are telling the problem, pam is rejecting the authentication request (with a higher level it may give even more information), you have turned off obeying pam authentication so yes now it works, but probably not in the most secure way I suppose) I think something else is going on here (In reply to Noel Power from comment #6) > (In reply to Unger from comment #5) > > (In reply to Noel Power from comment #4) > > > (In reply to Noel Power from comment #3) > > > > (In reply to Unger from comment #2) > > > > > (In reply to Noel Power from comment #1) > > > > > > (In reply to Unger from comment #0) > > > > > > > Hi, > > > > > > > > > > > > > > After an update of a bunch of packages last week, it wasn't possible to log > > > > > > > in to / access samba from windows or via smbclient. In log I found: > > > > > > > > > > > > > > smbd[3096]: pam_unix(samba:account): helper binary execve failed: Keine > > > > > > > Berechtigung > > > > > > > nscd[836]: Prüfe auf überwachte Datei »/etc/nsswitch.conf«: Datei oder > > > > > > > Verzeichnis nicht gefunden > > > > > > > > > > > > according to google translate this message is saying /etc/nsswitch.conf is > > > > > > missing so no surprise authentication isn't working > > > > > > > > > > > > were you doing something else that might have resulted in this file getting > > > > > > deleted ? (or moved) > > > > > > > > > > > > can you verify nsswitch.conf exists ? > > > > > > > > > > Ok, I can confirm that there was never a /etc/nsswitch.conf since start of > > > > > the journal in October 2023, so it was a bit misleading. > > > > erm I can't see how this can be, /etc/nsswitch.conf is a core file it is > > > > part of glibc is should be there, unless I am mistaken if not something is > > > > really wrong > > > ok, it seems that server installs apparently don't install > > > /etc/nsswitch.conf anymore (although in the vm I installed to check this it > > > did) nscd apparently has a bug against it for spitting out these errors. So > > > yes, probably a red herring > > > > > > > > > > > > > > > Nevertheless samba worked until 2024 Feb 14 9am. At approx. 9:10 I had a > > > > > huge upgrade (>1000 packages) and afterwards it was broken. > > > > > > > > > > While browsing through the logs I found the following lines right before it > > > > > stopped working properly: > > > > > > > > > > Feb 14 09:25:25 MYHOST smbd[28626]: PAM unable to > > > > > dlopen(/usr/lib64/security/pam_systemd.so): /lib64/libm.so.6: version > > > > > `GLIBC_2.39' not found (required by /usr/lib64/security/pam_systemd.so) > > > > > Feb 14 09:25:25 MYHOST smbd[28626]: PAM adding faulty module: > > > > > /usr/lib64/security/pam_systemd.so > > > > > > > > really looks like there is some problem with authentication related > > > > components on this system and their required version of glibc versus what is > > > > installed. Looks likely that something went very wrong during your upgrade > > > > > > but those errors indeed to look like they indicating some package > > > broken-ness. Question is what errors do you see in samba logs and journal > > > when trying to authenticate say with smbclient. Also smb.conf would be > > > helpful. Meanwhile I will try a fresh install again (just to see why I seem > > > to have a /etc/nsswitch.conf) > > This is the smb.conf that worked 2 weeks ago: > > [global] > > workgroup = WORKGROUP > > netbios name = BilderKeller > > server string = %h > > min protocol = SMB2 > > client min protocol = SMB2 > > security = user > > log file = /var/log/samba/log.%m > > max log size = 1000 > > logging = file > > server role = standalone server > > obey pam restrictions = yes > > map to guest = bad user > > usershare allow guests = No > > ldap admin dn = > > passdb backend = smbpasswd > > wins support = Yes > > [Bilder] > > comment = needs username and password to access > > path = /srv/samba/private/ > > browseable = yes > > guest ok = no > > writable = yes > > valid users = @samba > > [scanner] > > comment = place for scans > > path = /srv/samba/private/scan > > browseable = yes > > guest ok = no > > writable = yes > > valid users = @samba,hp-scan > > > > Now I removed the following lines: > > > > client min protocol = SMB2 - seems to be outdated since 4.15 > > acc. to > > https://wiki.samba.org/index.php/Samba_Features_added/changed#smb. > > conf_changes_6 > > that is just informational, since (some CVE, can't remember which) client > min protocol doesn't need to be specified (except in some strange legacy > scenarios) these days the value for this item is calcuated automatically > > obey pam restrictions = yes - just a try > This is what 'fixed' your problems > > ldap admin dn = - I don't know why I put it there, > > so removed > yep it is unnecessary > > > > Now it works again, but it would be nice to have more detailed information > > in the log-files. > > I think i > > > > From the log files for my computer before I changed the config: > > > > [2024/02/25 16:05:19.010811, 0] > > ../../source3/auth/pampass.c:592(smb_pam_account) > > smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for > > User: REDACTED > > [2024/02/25 16:05:19.010867, 0] > > ../../source3/auth/pampass.c:800(smb_pam_accountcheck) > > smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User > > REDACTED! > > I believe the log entries are telling the problem, pam is rejecting the > authentication request (with a higher level it may give even more > information), you have turned off obeying pam authentication so yes now it > works, but probably not in the most secure way I suppose) I think something > else is going on here apparmor appears to be the culprit the following change would prevent the error you were seeing I believe --- /etc/apparmor.d/usr.sbin.smbd.orig 2024-02-27 11:50:25.093855354 +0000 +++ /etc/apparmor.d/usr.sbin.smbd 2024-02-27 11:57:10.037824269 +0000 @@ -47,6 +47,7 @@ profile smbd /usr/{bin,sbin}/smbd { /usr/share/samba/** r, /usr/{bin,sbin}/smbd mr, /usr/{bin,sbin}/smbldap-useradd Px, + /usr/sbin/unix_chkpwd Px, /var/cache/samba/** rwk, /var/{cache,lib}/samba/printing/printers.tdb mrw, /var/lib/nscd/netgroup r, I have to confess I am a bit confused by the "obey pam restrictions" settings but it seems that it only is necessary for clear text authentication (which presumably is not the case here) Still having it set in your config had the nasty side affect of triggering the 'new' apparmor error. While this seems pretty much an edge case configuration combination the apparmor error is still valid I suppose and we will adjust the samba apparmor profile to deal with this Hi Christian, I notice there has been some additions for unix-chkpwd for some profiles (not yet upstream) I've created https://gitlab.com/apparmor/apparmor/-/merge_requests/1159 and submitted sr https://build.opensuse.org/request/show/1152898 Thanks, SR accepted and forwarded to factory.
For possibly moving your additions to abstractions/authentification upstream, I have a question:
You added the following permissions:
/usr/etc/environment r,
/usr/etc/security/limits.d/ r,
/usr/etc/security/limits.d/*.conf r,
/usr/sbin/unix_chkpwd Px,
owner /proc/@{pid}/loginuid r,
Are these all related to pam authentification? (I've seen unix_chkpwd and /proc/@{pid}/loginuid for the dovecot-auth profile, but the other 3 weren't needed there.)
This is an autogenerated message for OBS integration: This bug (1220032) was mentioned in https://build.opensuse.org/request/show/1153599 Factory / apparmor (In reply to Christian Boltz from comment #10) > Thanks, SR accepted and forwarded to factory. > > For possibly moving your additions to abstractions/authentification > upstream, I have a question: > > You added the following permissions: > > /usr/etc/environment r, > /usr/etc/security/limits.d/ r, > /usr/etc/security/limits.d/*.conf r, > /usr/sbin/unix_chkpwd Px, > owner /proc/@{pid}/loginuid r, > > Are these all related to pam authentification? (I've seen unix_chkpwd and > /proc/@{pid}/loginuid for the dovecot-auth profile, but the other 3 weren't > needed there.) so these denies seems are related to use of pam from within samba, with the samba setting 'obey pam restrictions' I see them triggered looking in /usr/etc/environment top of the file says 'This file is parsed by pam_env module' I am not sure what is looking at the limits, again this doesn't get triggered without the 'pam restriction setting' but I see in a smbd strace that pam_limit.so is opened so it is likely this is doing it (as with /usr/etc/environment above) as I also see pam_env.so opened too (In reply to Noel Power from comment #12) > (In reply to Christian Boltz from comment #10) > > Thanks, SR accepted and forwarded to factory. > > > > For possibly moving your additions to abstractions/authentification > > upstream, I have a question: > > > > You added the following permissions: > > > > /usr/etc/environment r, > > /usr/etc/security/limits.d/ r, > > /usr/etc/security/limits.d/*.conf r, > > /usr/sbin/unix_chkpwd Px, > > owner /proc/@{pid}/loginuid r, > > > > Are these all related to pam authentification? (I've seen unix_chkpwd and > > /proc/@{pid}/loginuid for the dovecot-auth profile, but the other 3 weren't > > needed there.) > > so these denies seems are related to use of pam from within samba, with the > samba setting 'obey pam restrictions' I see them triggered > > looking in /usr/etc/environment top of the file says 'This file is parsed by > pam_env module' > > I am not sure what is looking at the limits, again this doesn't get > triggered without the 'pam restriction setting' but I see in a smbd strace > that pam_limit.so is opened so it is likely this is doing it (as with > /usr/etc/environment above) as I also see pam_env.so opened too note: only the chkpwd DENIES seems to cause a problem and prevent login, the others also happen but *don't* seem to cause an issue that I noticed. However, I squashed them by adding new rules as it seemed reasonable for them to be accessed This is an autogenerated message for OBS integration: This bug (1220032) was mentioned in https://build.opensuse.org/request/show/1154197 Factory / apparmor Noel, thanks for providing the details about the pam modules reading these config files. Fixed in Tumbleweed and upstream. Last remaining upstream bit is https://gitlab.com/apparmor/apparmor/-/merge_requests/1191 |