From f69d3842660972b12e595aff2d0b6e1b7924456c Mon Sep 17 00:00:00 2001 From: Enrico Nasca Date: Tue, 10 Oct 2023 10:27:55 +0000 Subject: [PATCH] Don't edit /etc/pam.d/common-session directly This file is autogenerated by pam-auth-update. Instead of commenting out pam_systemd.so, pam-auth-update is invoked to remove it. To prevent a system upgrade from reintroducing pam_systemd.so, the systemd-logind service is masked. If pam_systemd.so reappears, it will simply produce a non-fatal error. --- .../slurm_install/tasks/slurm_pam_adopt.yml | 21 ++++++++++++------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/ansible/roles/slurm_install/tasks/slurm_pam_adopt.yml b/ansible/roles/slurm_install/tasks/slurm_pam_adopt.yml index 7d8dce60..c753f6a6 100644 --- a/ansible/roles/slurm_install/tasks/slurm_pam_adopt.yml +++ b/ansible/roles/slurm_install/tasks/slurm_pam_adopt.yml @@ -15,14 +15,19 @@ loop_control: loop_var: slurm_install_item -- name: Comment-out the PAM module pam_systemd as instructed by the pam_slurm_adopt guide - ansible.builtin.replace: - path: /etc/pam.d/common-session - regexp: '^(session.*pam_systemd\.so)\s*$' - replace: '# \1 # ANSIBLE-MANAGED: incompatible with pam_slurm_adopt' - owner: root - group: root - mode: "0644" +- name: Mask the systemd-logind service as instructed by the pam_slurm_adopt guide + ansible.builtin.systemd: + name: systemd-logind.service + masked: true + state: stopped + +- name: Remove the pam_systemd module given that the systemd-logind service is masked + ansible.builtin.command: + argv: + - pam-auth-update + - --remove + - systemd + changed_when: true - name: Add the PAM module pam_slurm_adopt at the bottom of the sshd stack ansible.builtin.blockinfile: