linuxmint / mdm

The MDM Display Manager
GNU General Public License v2.0

Can't log in with gnome-keyring 3.12 #92

Closed manjaro closed 9 years ago

manjaro commented 10 years ago

MDM seems not to work in Arch Linux and Manjaro with current packages. Using normal login with user name and password you will land on a grey screen with mouse pointer. This was tested with several DEs like Cinnamon, XFCE, KDE, Openbox in both distributions.

However: if you use autologin, it works. You will land on your desktop.

Can this be a permission issue with our custom used PAM files?

mdm.pam

#%PAM-1.0
auth            requisite       pam_nologin.so
auth            required        pam_env.so

auth            required        pam_unix.so
-auth       optional    pam_gnome_keyring.so

account         required        pam_unix.so

session         required        pam_limits.so
session         required        pam_unix.so
session         required        pam_systemd.so

password        required        pam_unix.so

-session    optional    pam_gnome_keyring.so auto_start

mdm-autologin.pam

#%PAM-1.0
auth            requisite       pam_nologin.so
auth            required        pam_env.so

auth            required        pam_permit.so

auth            sufficient      pam_succeed_if.so uid >= 1000 quiet
auth            required        pam_deny.so

account         required        pam_access.so
account         required        pam_time.so
account         required        pam_unix.so

password        required        pam_unix.so
password        required        pam_deny.so

session         required        pam_limits.so
session         required        pam_unix.so
session         required        pam_systemd.so

session         optional        pam_keyinit.so revoke
session         required        pam_limits.so
session         required        pam_unix.so

Any help on this issue is appreciated.

See also issue #87

tarakbumba commented 10 years ago

Just have same problem with Mageia Cauldron. It used to work with Mageia 4 and until March in Cauldron. I suspect some changes with systemd-logind but can not get a clue from journalctl. Using Mate Desktop.

tarakbumba commented 10 years ago

Here is the journalctl -xb output with mdm debug option enabled from mdmsetup:

May 10 01:15:27 localhost mdm-binary[23532]: pam_tcb(mdm:session): Session opened for atilla by atilla(uid=0)
May 10 01:15:27 localhost mdm-binary[23532]: DEBUG: mdm_slave_wait_for_login: end verify for 'atilla'
May 10 01:15:27 localhost mdm-binary[23532]: DEBUG: mdm_slave_wait_for_login: got_login for 'atilla'
May 10 01:15:27 localhost mdm-binary[23532]: DEBUG: Sending LOGGED_IN == 1 for slave 23532
May 10 01:15:27 localhost mdm-binary[15340]: DEBUG: Got logged in == TRUE
May 10 01:15:27 localhost mdm-binary[23532]: DEBUG: Sending LOGIN == <secret> for slave 23532
May 10 01:15:27 localhost mdm-binary[15340]: DEBUG: Got LOGIN == atilla
May 10 01:15:27 localhost mdm-binary[23532]: DEBUG: mdm_slave_session_start: Attempting session for user 'atilla'
May 10 01:15:27 localhost mdm-binary[23532]: DEBUG: Initial setting: session: '10MATE' language: 'tr_TR.utf8'
May 10 01:15:27 localhost mdm-binary[23532]: DEBUG: mdm_slave_session_start: Authentication completed. Whacking greeter
May 10 01:15:27 localhost mdm-binary[23532]: DEBUG: slave_waitpid: waiting on 23544

And messages end. Any ideas?

tarakbumba commented 10 years ago

I've found the problem. The problem is gnome-keyring. Something has changed in pam_gnome_keyring.so and it cannot get the username from mdm-binary. I've removed gnome-keyring and installed mate-keyring. It suddenly started to work as expected.

EDIT: I think I worked around the problem by commenting out any reference to pam_gnome_keyring.so in mdm.pam.

Then mdm started to work as expected on a system with gnome-keyring installed and mate-keyring uninstalled. Here is my mdm.pam:

#%PAM-1.0
auth required pam_env.so
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
auth substack system-auth
#auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_loginuid.so
session optional pam_console.so
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include system-auth
#session optional pam_gnome_keyring.so auto_start

manjaro commented 10 years ago

Great. We will test it also in Manjaro. Nice catch.

manjaro commented 10 years ago

Removing gnome_keyring from our pam file also helped to get MDM going. I still have to check why no XFCE desktop-files get displayed in WhiskerMenu anymore. Only happens with using MDM, but not with LXDE as an example. Related to NotShownIn=XFCE. Seems MDM doesn't send the running session ID properly anymore ...

kyrios123 commented 10 years ago

We have a similar problem with Linux Mint 16 64-bit KDE and Linux Mint 17 64-bit Cinnamon (running on different computers): when we switch between user sessions, it works fine the first few times, then after some switches we get a black screen with only the mouse pointer working instead of MDM. CTRL-ALT-BACKSPACE and CTRL-ALT-Fx don't work. All we can do is hold the power button of the computer to turn it off, then reboot it.

clefebvre commented 10 years ago

@manjaro if you remove that from the pam file though... MDM no longer starts gnome-keyring, right? Is that ok? Do you have that covered by XDG autostart? Or does that removal result in the GNOME keyring not being unlocked automatically after you log in?

manjaro commented 10 years ago

Something has changed in pam_gnome_keyring.so. The username seems not to be found, so gnome-keyring blocks the login somehow. Using a gnome-keyring older than 3.12, it works as expected. The same goes for mate-keyring, as it is based on older source. For autologin.pam we don't use gnome_keyring at all, so we removed it for normal login as well. It has worked as wanted for more than one month now. You can find my current pam files here: mdm-autologin.pam, mdm.pam

clefebvre commented 10 years ago

ok there seem to be 2 different issues then...

@kyrios123 you seem to have a different issue. Can you create a separate issue for this?

@manjaro I'll check the changes upstream in gnome-keyring 3.12. I'm confused though... I understand that you can log in now that you removed gnome_keyring autostart from the pam file... but that means you no longer get the keyring unlocked though? For instance if you want to join a WPA wireless network... it's going to ask you for your password again instead of remembering it?

clefebvre commented 10 years ago

@manjaro can you confirm it works with gnome-keyring 3.10?

clefebvre commented 10 years ago

I updated the issue title.

Looking upstream, there's only a couple of commits between gnome-keyring 3.10 and gnome-keyring 3.12.

Is there any chance you could bisect gnome-keyring, removing the commits one by one to identify which one is responsible for the regression?

https://github.com/GNOME/gnome-keyring/commits/master

manjaro commented 10 years ago

gnome-keyring 3.10 works. When I find time, I can do a bisect ... I didn't test WPA yet ...

Rayonant commented 10 years ago

@clefebvre under @manjaro with gnome-keyring 3.12 the keyring does not get unlocked once you are logged in, because of the removal of "auth optional pam_gnome_keyring.so" and "session optional pam_gnome_keyring.so auto_start"; as commented above, if you include them the session fails to start. Could you look into the issue?
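
Added example, not part of the original thread and not code from MDM or gnome-keyring: a small Python check that reports whether a PAM service file still has live pam_gnome_keyring.so hooks, since the workaround discussed above restores login at the cost of a keyring that is no longer unlocked. The function names are hypothetical, the sample text is constructed from the mdm.pam quoted at the top of the thread, and include/substack targets are not followed.

```python
import re

MODULE = "pam_gnome_keyring.so"

# Constructed sample: the mdm.pam posted at the top of this thread.
ORIGINAL = """\
#%PAM-1.0
auth            requisite       pam_nologin.so
auth            required        pam_env.so
auth            required        pam_unix.so
-auth       optional    pam_gnome_keyring.so
account         required        pam_unix.so
session         required        pam_limits.so
session         required        pam_unix.so
session         required        pam_systemd.so
password        required        pam_unix.so
-session    optional    pam_gnome_keyring.so auto_start
"""
# Constructed sample: the same file with the workaround applied (lines commented out).
WORKAROUND = ORIGINAL.replace("-auth", "#-auth").replace("-session", "#-session")

# type, control (plain word or [value=action ...]), module, optional arguments
RULE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def active_rules(text):
    """Yield (type, control, module, args) for every rule PAM would evaluate."""
    text = text.replace("\\\n", " ")            # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # comments, including #%PAM-1.0
        m = RULE.match(line)
        if m:
            _dash, kind, control, module, args = m.groups()
            # A leading "-" only silences the log entry for a missing module.
            yield kind.lower(), control, module.rsplit("/", 1)[-1], args.split()

def keyring_rules(text):
    """Map PAM phase -> (control, args) for live pam_gnome_keyring.so rules."""
    return {k: (c, a) for k, c, mod, a in active_rules(text) if mod == MODULE}

def unlock_expected(text):
    """True if the auth hook and a session hook with auto_start are both live."""
    rules = keyring_rules(text)
    return "auth" in rules and "auto_start" in rules.get("session", ("", []))[1]

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("workaround", WORKAROUND)):
        print(name, keyring_rules(conf), "unlock expected:", unlock_expected(conf))
```
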

monsta commented 10 years ago

Ah dammit, I'm joining the club. Debian Testing now has gnome-keyring 3.12 and I can't login (unless I enable automatic login in mdmsetup). MDM is 1.6.9.

monsta commented 10 years ago

Weird... another VM with the same setup (Debian Testing, MATE 1.8, MDM 1.6.9, gnome-keyring 3.12) - and I can log in manually. What's going on...?

monsta commented 10 years ago

@manjaro: any luck with bisecting it?

ccasar commented 10 years ago

I'm using Manjaro and since there was no update from @manjaro so far, I did a bisect and found that starting from this commit the login problem occurs (I added the removed lines to /etc/pam.d/mdm): https://github.com/GNOME/gnome-keyring/commit/2ca51a0aef5b1bc41f2e71d2b65edc8478dab69d

But the problem only occurs if ./configure is used with parameters like they are used in the arch repositories.

Also, when I compiled the keyring without any configure parameters and I could login successfully, the keyring was not unlocked automatically (keyring password == user password)

clefebvre commented 10 years ago

@ccasar can you bisect further and identify the commit which stops the keyring from unlocking on a successful login?

Congrats for finding the first regression already. I looked into MDM and couldn't find code referring to anything related to that change though.. I get the feeling the regression is between PAM and gnome-keyring and if that's the case I'm not sure how to fix it.

Also, can you tell me what the situation is with LightDM? Does it work with a vanilla gnome-keyring 3.12/14? Did they remove the lines in their pam config? Does the keyring unlock when re-adding them?

ccasar commented 10 years ago

Okay, so the unlock problem seems to be linked to wrong ./configure parameters (and thus is probably more an issue for the arch/manjaro maintainers than MDM). Compiling with (wiki)

./configure --prefix=/usr --sysconfdir=/etc --enable-pam --with-pam-dir=/lib/security

enables the unlock with MDM & gkr 3.10.0, with gkr >= 3.12.0 the login is still impossible.

With LightDM I can always login, no matter what gkr version or configure parameters I used. But the unlocking only works with the configure parameters from above.

LightDM pam config looks like this:

#%PAM-1.0
auth        include     system-login
-auth       optional    pam_gnome_keyring.so
account     include     system-login
password    include     system-login
session     include     system-login
-session    optional    pam_gnome_keyring.so auto_start

I tried to use these settings for MDM with gkr >= 3.12.0 as well but the login problem persists. I guess for now I'll stay with gkr 3.10.0

monsta commented 9 years ago

Wait, but does that mean there are no "right" ./configure parameters when gnome-keyring is 3.12.x?

clefebvre commented 9 years ago

Ok, I'm on this one as well. Here's what I found so far (working on Betsy):

clefebvre commented 9 years ago

The issue was in libpam-gnome-keyring.

https://bugzilla.gnome.org/show_bug.cgi?id=745673

It's now fixed upstream.

https://github.com/GNOME/gnome-keyring/commit/a942c8f458e337d90101e6a81654478fda6ccfa9