[Bug 2075968] Re: cannot login after upgrade from xubuntu 22.04 to 24.04

Nick Rosbrook 2075968 at bugs.launchpad.net
Thu Aug 8 19:12:24 UTC 2024 

I dug into this a bit more, and it seems this issue occurs specifically
for the user `ubuntu`. Before the upgrade, I copied the contents of
/etc/shadow, and compared them to /etc/shadow after the first reboot
after the upgrade.

$ diff -u <(/etc/shadow) /home/ubuntu/before/shadow
--- /dev/fd/63	2024-08-08 14:57:08.366981261 -0400
+++ /home/ubuntu/before/shadow	2024-08-08 14:20:17.158139781 -0400
@@ -1,4 +1,4 @@
-root:$y$j9T$NXJHsSu.l5iqspt5f8zzu/$CaDVSozRbChrGCSerFmv3Ck8lxPAQlj9D7MdG4Wrbm6:19943:0:99999:7:::
+root:!:19934:0:99999:7:::
 daemon:*:19769:0:99999:7:::
 bin:*:19769:0:99999:7:::
 sys:*:19769:0:99999:7:::
@@ -25,6 +25,7 @@
 tss:*:19769:0:99999:7:::
 uuidd:*:19769:0:99999:7:::
 tcpdump:*:19769:0:99999:7:::
+avahi-autoipd:*:19769:0:99999:7:::
 usbmux:*:19769:0:99999:7:::
 dnsmasq:*:19769:0:99999:7:::
 kernoops:*:19769:0:99999:7:::
@@ -39,10 +40,5 @@
 colord:*:19769:0:99999:7:::
 pulse:*:19769:0:99999:7:::
 hplip:*:19769:0:99999:7:::
-ubuntu:!$y$j9T$LreISCn8cWENVi4Mw1/cv.$Kkn9WO6CGCd/QUW8CUJoCHRZE8./VZmCfqDixXr8TU6:19934:0:99999:7:::
+ubuntu:$y$j9T$LreISCn8cWENVi4Mw1/cv.$Kkn9WO6CGCd/QUW8CUJoCHRZE8./VZmCfqDixXr8TU6:19934:0:99999:7:::
 sshd:*:19943:0:99999:7:::
-snapd-range-524288-root:!:19943::::::
-snap_daemon:!:19943::::::
-dhcpcd:!:19943::::::
-cups-browsed:!:19943::::::
-polkitd:!*:19943::::::

We can see that the entry for `ubuntu` changed. Looking at the journal,
from that boot, it seems that cloud-init changed the passwd:

$ journalctl -b -1 --grep ubuntu
Aug 08 14:50:33 xubuntu kernel: Linux version 6.8.0-40-generic (buildd at lcy02-amd64-075) (x86_64-linux-gnu-gcc-13 (Ubuntu 13.2.0-23ubuntu4) 13.2.0, GNU ld (GNU Binutils for Ubuntu) 2.42) #40-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul  5 10:34:03 UTC 2024 (Ubuntu 6.8.0-40.40-generic 6.8.12)
Aug 08 14:50:33 xubuntu kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019): c1d57b8f6b743f23ee41f4f7ee292f06eecadfb9'
Aug 08 14:50:33 xubuntu systemd[1]: systemd 255.4-1ubuntu8.2 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Aug 08 14:50:33 xubuntu systemd[1]: Hostname set to <xubuntu>.
Aug 08 14:50:34 xubuntu cloud-init[564]: Cloud-init v. 24.1.3-0ubuntu3.3 running 'init-local' at Thu, 08 Aug 2024 18:50:34 +0000. Up 4.19 seconds.
Aug 08 14:50:34 xubuntu systemd-resolved[632]: Using system hostname 'xubuntu'.
Aug 08 14:50:35 xubuntu cloud-init[760]: Cloud-init v. 24.1.3-0ubuntu3.3 running 'init' at Thu, 08 Aug 2024 18:50:35 +0000. Up 5.51 seconds.
Aug 08 14:50:36 xubuntu passwd[869]: password for 'ubuntu' changed by 'root'
Aug 08 14:50:37 xubuntu cloud-init[760]: SHA256:GGMsp52cN8EAJYlqOdJArAxzOEhwfitNlPBgGQCVOTE root at xubuntu
Aug 08 14:50:37 xubuntu cloud-init[760]: SHA256:TcJuGTUBYjDMo+GVodNfGgE5P5FeszDy/8QddKQanJE root at xubuntu
Aug 08 14:50:37 xubuntu cloud-init[760]: SHA256:hjnsPHfUrAQbIkiRETrAszNsqZppRrI3dhTU4BGKy5s root at xubuntu

Looking at /etc/cloud/cloud.cfg, I see the lock_passwd[1] option set for
`ubuntu`:

# System and/or distro specific settings
# (not accessible to handlers/transforms)
system_info:
  # This will affect which distro class gets used
  distro: ubuntu
  # Default user name + that default users groups (if added/used)
  default_user:
    name: ubuntu
    lock_passwd: True
    gecos: Ubuntu
    groups: [adm, cdrom, dip, lxd, sudo]
    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
    shell: /bin/bash

The docs even say that cloud-init will apply lock_passwd for existing
users. This seems wrong.

[1]
https://cloudinit.readthedocs.io/en/latest/reference/modules.html#users-
and-groups

** Package changed: pam (Ubuntu) => cloud-init (Ubuntu)

** Summary changed:

- cannot login after upgrade from xubuntu 22.04 to 24.04
+ cloud-init locks out user `ubuntu` after upgrade from 22.04 to 24.04

** Changed in: cloud-init (Ubuntu)
   Importance: Critical => High

** Changed in: cloud-init (Ubuntu Noble)
   Importance: Critical => High

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2075968

Title:
  cloud-init locks out user `ubuntu` after upgrade from 22.04 to 24.04

Status in cloud-init package in Ubuntu:
  New
Status in cloud-init source package in Noble:
  New

Bug description:
  After performing an upgrade, and then rebooting, I am no longer able
  to login with my user "ubuntu". I get an authentication failure with
  both the graphical login screen, and when attempting to login on a
  non-graphical tty.

  Dropping to a rescue shell, I can see this in the logs:

  root at xubuntu:~# journalctl -b --grep pam
  Aug 02 11:52:45 xubuntu systemd[1]: systemd 255.4-1ubuntu8.2 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OP>
  Aug 02 11:53:00 xubuntu lightdm[1422]: pam_unix(lightdm-greeter:session): session opened for user lightdm(uid=115) by (uid=0)
  Aug 02 11:53:00 xubuntu (systemd)[1472]: pam_unix(systemd-user:session): session opened for user lightdm(uid=115) by lightdm(uid=0)
  Aug 02 11:53:00 xubuntu lightdm[1422]: gkr-pam: couldn't unlock the login keyring.
  Aug 02 11:53:01 xubuntu lightdm[1584]: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "ubuntu"
  Aug 02 11:53:40 xubuntu lightdm[1584]: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=ubuntu
  Aug 02 11:53:42 xubuntu lightdm[1604]: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "ubuntu"
  Aug 02 11:53:49 xubuntu lightdm[1604]: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=ubuntu
  Aug 02 11:53:51 xubuntu lightdm[1605]: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "ubuntu"
  Aug 02 11:53:58 xubuntu lightdm[1607]: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "root"
  Aug 02 11:53:59 xubuntu lightdm[1607]: gkr-pam: unable to locate daemon control file
  Aug 02 11:53:59 xubuntu lightdm[1607]: gkr-pam: stashed password to try later in open session
  Aug 02 11:53:59 xubuntu lightdm[1422]: pam_unix(lightdm-greeter:session): session closed for user lightdm
  Aug 02 11:53:59 xubuntu lightdm[1607]: pam_unix(lightdm:session): session opened for user root(uid=0) by (uid=0)
  Aug 02 11:54:00 xubuntu (systemd)[1614]: pam_unix(systemd-user:session): session opened for user root(uid=0) by root(uid=0)
  Aug 02 11:54:00 xubuntu lightdm[1607]: gkr-pam: unlocked login keyring
  Aug 02 11:54:10 xubuntu (sd-pam)[1473]: pam_unix(systemd-user:session): session closed for user lightdm
  Aug 02 11:55:01 xubuntu CRON[2417]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)
  Aug 02 11:55:01 xubuntu CRON[2417]: pam_unix(cron:session): session closed for user root

  Other notes:

  (1) During the upgrade, the screen saver was disabled. I know this has been a bug in the past, but I do not believe it is the cause here.
  (2) A work around for this is to drop into a rescue shell, and from root, run e.g. `passwd ubuntu` to reset the user's password.

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: libpam-modules 1.5.3-5ubuntu5.1
  ProcVersionSignature: Ubuntu 6.8.0-39.39-generic 6.8.8
  Uname: Linux 6.8.0-39-generic x86_64
  ApportVersion: 2.28.1-0ubuntu3
  Architecture: amd64
  CasperMD5CheckResult: pass
  CloudArchitecture: x86_64
  CloudID: none
  CloudName: none
  CloudPlatform: none
  CloudSubPlatform: config
  CurrentDesktop: XFCE
  Date: Fri Aug  2 11:55:51 2024
  InstallationDate: Installed on 2024-07-30 (3 days ago)
  InstallationMedia: Xubuntu 22.04.4 LTS "Jammy Jellyfish" - Release amd64 (20240216.1)
  ProcEnviron:
   LANG=en_US.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=xterm-256color
   XDG_RUNTIME_DIR=<set>
  SourcePackage: pam
  UpgradeStatus: Upgraded to noble on 2024-08-02 (0 days ago)
  mtime.conffile..etc.init.d.apport: 2024-04-23T07:30:10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2075968/+subscriptions

More information about the foundations-bugs mailing list