Spent a bit too long fixing a sudo problem right after an apt-get upgrade on a Debian machine.

The original problem:

# sudo ls
sudo: unable to initialize PAM: No such file or directory
1
2
# sudo ls
sudo: unable to initialize PAM: No such file or directory

Sudo errors are logged with syslog by default. Some message should be in one of the /var/log/xx.log files. If you don’t know which, run

# cd /var/log
# grep pam *.log
auth.log:Nov 21 22:35:14 mach sudo: PAM _pam_load_conf_file: unable to open /etc/pam.d/common-session-noninteractive
auth.log:Nov 21 22:35:14 mach sudo: PAM _pam_init_handlers: error reading /etc/pam.d/sudo
auth.log:Nov 21 22:35:14 mach sudo: PAM _pam_init_handlers: [Critical error - immediate abort]
auth.log:Nov 21 22:35:14 mach sudo: PAM pam_start: failed to initialize handlers
auth.log:Nov 21 22:35:14 mach sudo: PAM pam_end: NULL pam handle passed
1
2
3
4
5
6
7
# cd /var/log
# grep pam *.log
auth.log:Nov 21 22:35:14 mach sudo: PAM _pam_load_conf_file: unable to open /etc/pam.d/common-session-noninteractive
auth.log:Nov 21 22:35:14 mach sudo: PAM _pam_init_handlers: error reading /etc/pam.d/sudo
auth.log:Nov 21 22:35:14 mach sudo: PAM _pam_init_handlers: [Critical error - immediate abort]
auth.log:Nov 21 22:35:14 mach sudo: PAM pam_start: failed to initialize handlers
auth.log:Nov 21 22:35:14 mach sudo: PAM pam_end: NULL pam handle passed

One configuration file was missing. This PAM debian page told me what the file was supposed to contain. Somehow that file was not created in the upgrade.

# cat /etc/pam.d/common-session-noninteractive
session		[default=1]						pam_permit.so
session		requisite						pam_deny.so
session		required						pam_permit.so
session		required						pam_unix.so
1
2
3
4
5
# cat /etc/pam.d/common-session-noninteractive
session		[default=1]						pam_permit.so
session		requisite						pam_deny.so
session		required						pam_permit.so
session		required						pam_unix.so

Fixed.