Don't edit /etc/pam.d/common-session directly

This file is autogenerated by pam-auth-update. Instead of commenting out pam_systemd.so, pam-auth-update is invoked to remove it. To prevent a system upgrade from reintroducing pam_systemd.so, the systemd-logind service is masked. If pam_systemd.so reappears, it will simply produce a non-fatal error.
IKIM-Essen · Oct 10, 2023 · f69d384 · f69d384
1 parent 6480e31
commit f69d384
Showing 1 changed file with 13 additions and 8 deletions.
diff --git a/ansible/roles/slurm_install/tasks/slurm_pam_adopt.yml b/ansible/roles/slurm_install/tasks/slurm_pam_adopt.yml
@@ -15,14 +15,19 @@
   loop_control:
     loop_var: slurm_install_item
 
-- name: Comment-out the PAM module pam_systemd as instructed by the pam_slurm_adopt guide
-  ansible.builtin.replace:
-    path: /etc/pam.d/common-session
-    regexp: '^(session.*pam_systemd\.so)\s*$'
-    replace: '# \1  # ANSIBLE-MANAGED: incompatible with pam_slurm_adopt'
-    owner: root
-    group: root
-    mode: "0644"
+- name: Mask the systemd-logind service as instructed by the pam_slurm_adopt guide
+  ansible.builtin.systemd:
+    name: systemd-logind.service
+    masked: true
+    state: stopped
+
+- name: Remove the pam_systemd module given that the systemd-logind service is masked
+  ansible.builtin.command:
+    argv:
+      - pam-auth-update
+      - --remove
+      - systemd
+  changed_when: true
 
 - name: Add the PAM module pam_slurm_adopt at the bottom of the sshd stack
   ansible.builtin.blockinfile: