Leapp preupgrade fails with: The pam_tally2 pam module(s) no longer available

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 7

Issue

  • Leapp preupgrade fails with: 

       Title: The pam_tally2 pam module(s) no longer available
Summary: The services system-auth-ac, system-auth, password-auth-ac using PAM are configured to use pam_tally2 module(s), which is no longer available in Red Hat Enterprise Linux 8.
Remediation: [hint] If you depend on its functionality, it is recommended to migrate to pam_faillock. Otherwise please remove the pam module(s) from all the files under /etc/pam.d/.
Key: ce6abfb001da076686ffdd4ab61d28eb12d1256

Resolution

  • Make sure you have taken a complete system backup/snapshot

  • fetch the "pam_tally" entries from the /etc/pam.d/* path.

       # grep "pam_tally" /etc/pam.d/*

   etc/pam.d/password-ac:auth        required      pam_tally2.so deny=4 onerr=fail
   etc/pam.d/password-ac:account     required      pam_tally2.so
   etc/pam.d/password-auth:auth        required      pam_tally2.so deny=10 onerr=fail
   etc/pam.d/password-auth:account     required      pam_tally2.so
   etc/pam.d/password-auth-21032023:auth        required      pam_tally2.so deny=10 onerr=fail
   etc/pam.d/password-auth-21032023:account     required      pam_tally2.so
   etc/pam.d/password-auth-ac:auth        required      pam_tally2.so deny=10 onerr=fail
   etc/pam.d/password-auth-ac:account     required      pam_tally2.so
   etc/pam.d/password-auth_backup:auth        required      pam_tally2.so deny=4 onerr=fail
   etc/pam.d/password-auth_backup:account     required      pam_tally2.so
   etc/pam.d/system-auth:auth        required      pam_tally2.so deny=6 onerr=fail
   etc/pam.d/system-auth:account     required      pam_tally2.so
   etc/pam.d/system-auth-21032023:auth        required      pam_tally2.so deny=6 onerr=fail
   etc/pam.d/system-auth-21032023:account     required      pam_tally2.so
   etc/pam.d/system-auth-ac:auth        required      pam_tally2.so deny=6 onerr=fail
   etc/pam.d/system-auth-ac:account     required      pam_tally2.so
   etc/pam.d/system-auth_backup:auth        required      pam_tally2.so deny=4 onerr=fail
   etc/pam.d/system-auth_backup:account     required      pam_tally2.so
   etc/pam.d/system-auth_backup.19102020:auth        required      pam_tally2.so deny=10 onerr=fail
   etc/pam.d/system-auth_backup.19102020:account     required      pam_tally2.so

  • Comment or remove the lines containing the pam_tally2.so module.

  • Perform a sanity system reboot and check if you can log in without any issues.

  • After that run the leapp preupgrade again.

Root Cause

  • pam_tally2.so module is unavailable in RHEL 8
SBR
Product(s)
Components
Category
Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.