A session module is used after a user has been authenticated and performs additional tasks which are needed to allow access, for example, mounting the user's home directory or making their mailbox available.
If your /etc/pam.d/login is indeed the problem I suggest you restore a backup.
Below is the content of a default OL 6.3 installation, which works:
[root@vm023 pam.d]# cat login
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so
I have no idea what -session in front of the pam_ck_connector.so is supposed to do, which seems apparent in all 6.x installations, but it does not stop users from logging in.
I AM using the default file, have not made any changes to it, the same one as you post here. I have to comment out the line before the last one,
#session include system-auth
then I am fine, otherwise, I am not able to.
Please describe how you log in, e.g. console, ssh, etc. If you use ssh, try ssh -vv for more verbose information. If you can access the console, check the log files /var/log/messages and /var/log/secure for any clues.
The following are messages in /var/log/secure. Again, if I comment out the line before the last one in /etc/pam.d/login, then everything is fine. The /etc/security/limits.conf file is the same as on the other system, and that system is alright:
Feb 6 16:35:43 sysxyz login: pam_limits(login:session): cannot read settings from /etc/security/limits.conf: Permission denied
Feb 6 16:35:43 sysxyz login: pam_limits(login:session): error parsing the configuration file: '/etc/security/limits.conf'
Feb 6 16:35:43 sysxyz login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Feb 6 16:35:44 sysxyz login: Error in service module
Feb 6 16:35:49 sysxyz login: pam_limits(login:session): cannot read settings from /etc/security/limits.conf: Permission denied
Feb 6 16:35:49 sysxyz login: pam_limits(login:session): error parsing the configuration file: '/etc/security/limits.conf'
Feb 6 16:35:49 sysxyz login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Feb 6 16:35:49 sysxyz login: Error in service module
Additional symptom: as soon as I enter the login id and password on the console, I get the following message, and it very quickly goes back to the login prompt again. This symptom doesn't happen if I use putty and ssh to log in, only on the console.
The issue is fixed by using your first suggested command. What does 'restorecon..' do? This command did not change anything in the limits.conf file, but I got the following output. What changes were made as a result of running this command? Thank you so much for your help!
It was more or less a guess that SELinux was the issue and that limits.conf might be the culprit. Perhaps you renamed or restored the root volume, which can cause SELinux labeling issues. The restorecon command restores the default SELinux security context for the specified file.
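An added example, not part of the original thread: a small Python triage of /var/log/secure lines in the format quoted above. It collects the files a PAM module could not read and lists read-only commands for checking their SELinux label. The sample log text and the function names are constructed for illustration; treating a root-context "Permission denied" as a label problem is a heuristic, not a certainty.

```python
import re
import shlex

# Constructed sample, in the format of the /var/log/secure lines quoted in this thread.
SAMPLE_SECURE_LOG = """\
Feb 6 16:35:43 sysxyz login: pam_limits(login:session): cannot read settings from /etc/security/limits.conf: Permission denied
Feb 6 16:35:43 sysxyz login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Feb 6 16:35:44 sysxyz login: Error in service module
Feb 6 16:35:49 sysxyz login: pam_limits(login:session): cannot read settings from /etc/security/limits.conf: Permission denied
Feb 6 16:40:02 sysxyz sshd[2211]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
"""

# <timestamp> <host> <program>[pid]: pam_<module>(<service>:<type>): <message>
PAM_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s(?P<prog>[^:\[\s]+)(?:\[\d+\])?:\s"
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<type>\w+)\):\s(?P<msg>.*)$"
)
DENIED_READ = re.compile(r"cannot read settings from (?P<path>/\S+): Permission denied")


def find_denied_reads(log_text):
    """Return {path: [(timestamp, service, module), ...]} for PAM modules that
    were denied reading a file. login runs session modules such as pam_limits
    as root, which bypasses ordinary mode bits, so each hit is a candidate for
    a wrong SELinux label rather than a chmod/chown problem (heuristic)."""
    hits = {}
    for line in log_text.splitlines():
        m = PAM_LINE.match(line)
        if not m:
            continue  # e.g. "login: Error in service module" carries no module tag
        d = DENIED_READ.search(m.group("msg"))
        if d:
            hits.setdefault(d.group("path"), []).append(
                (m.group("ts"), m.group("service"), m.group("module")))
    return hits


def label_check_commands(hits):
    """Read-only commands to run on the host: show the current label, compare it
    with the policy default, and preview (-n) what restorecon would change."""
    cmds = []
    for path in hits:
        p = shlex.quote(path)
        cmds += [f"ls -Z {p}", f"matchpathcon -V {p}", f"restorecon -n -v {p}"]
    return cmds


if __name__ == "__main__":
    found = find_denied_reads(SAMPLE_SECURE_LOG)
    for path, events in found.items():
        print(f"{path}: {len(events)} denied read(s), services {sorted({e[1] for e in events})}")
    print("\n".join(label_check_commands(found)))
```

Running `restorecon -v` without `-n` on a flagged path then applies the default label and prints the old and new context.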
The root LVM is the same; we did not make changes to it. I don't know much about SELinux. Would you please explain to me what went wrong here with SELinux, and what changes restorecon made to fix the issue? We made some changes to limits.conf; had these changes caused the problem? But there was no change made to it after running 'restorecon'. The following are the changes we made to limits.conf:
# diff limits.conf limits.conf.orig
< oracle soft nofile 131072
oracle soft nofile 1024
< oracle hard nofile 131072
oracle hard nofile 65536
< oracle hard memlock 50000000
< oracle soft core unlimited
< oracle hard core unlimited
< oracle hard nproc 131072
< oracle soft nproc 131072
If you have time, please let me know; otherwise, this issue is resolved, and thank you very much for your time.