F27 problems with pam?

F27 problems with pam?

Gianluca Cecchi
Hello,
an update this morning and after that I register several problems:

1) delay in login session (lightdm)
2) delay/fail of logout/shutdown from inside gui
3) unable to open wifi connections from gui

verified both with mate and cinnamon

For 1) and/or 2) I see
May 15 16:29:12 ope46 journal[4284]: Failed to open CK session: Timeout was reached
May 15 16:29:12 ope46 lightdm[4160]: Error writing to daemon: Bad file descriptor
May 15 16:29:12 ope46 lightdm[4160]: Failed to write utmpx: Permission denied


For 3) I see 
May 15 16:57:15 ope46 NetworkManager[819]: <info>  [1526396235.9934] audit: op="connection-activate" uuid="2f2235c1-a162-48c8-ac14-5c50d6b1f7a7" name="VodafoneMobileWiFi-04CE26" pid=4679 uid=1000 result="fail" reason="Not authorized to control networking."

Previously I got window where I had to insert root password and then able to start the wifi connection

Packages involved this morning update

  pam-kwallet.x86_64 5.12.5-3.fc27
  systemd-pam.x86_64 234-11.git5f8984e.fc27                                                         
  systemd-udev.x86_64 234-11.git5f8984e.fc27     


Anyone else?

Thanks,
Gianluca

_______________________________________________
users mailing list -- [hidden email]
To unsubscribe send an email to [hidden email]

Re: F27 problems with pam?

Tom Horsley
On Tue, 15 May 2018 17:05:36 +0200
Gianluca Cecchi wrote:

> Anyone else?

I haven't noticed those specific problems, but pam being
messed up was certainly the reason NIS logins weren't working:

https://bugzilla.redhat.com/show_bug.cgi?id=1575297

Possibly the new authselect stuff has messed up more than
just NIS?

Re: F27 problems with pam?

Gianluca Cecchi
On Tue, May 15, 2018 at 5:05 PM, Gianluca Cecchi <[hidden email]> wrote:
> Hello,
> an update this morning and after that I register several problems:
>
> 1) delay in login session (lightdm)
> 2) delay/fail of logout/shutdown from inside gui
> 3) unable to open wifi connections from gui
>
> verified both with mate and cinnamon



I decided to update this system from f27 to f28 and all went well from the update itself point of view.
But still the same problems like the last updates.

From mate I select a wifi network and then select connect I get the error window with:

"
Connection activation failed
(1) Not authorized to control networking
"

Going into /etc/pam.d and comparing with a f27 system not already updated (it is up to date at 06 May), I see this I don't know if can influence my problems

system-auth-ac
old:
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

new:
password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type=



password-auth-ac
old:
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

new:
password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type=


BTW: with latest updates there is also a problem with audio card, not detected any more.
From hwinfo point of view I see this:

snd_hda_codec_hdmi: /devices/pci0000:00/0000:00:1b.0/hdaudioC0D3
snd_hda_codec_hdmi: module = snd_hda_codec_hdmi
snd_hda_codec_generic: module = snd_hda_codec_generic
snd_hda_codec_realtek: module = snd_hda_codec_realtek
snd_hda_codec_realtek: /devices/pci0000:00/0000:00:1b.0/hdaudioC0D0

The pc is an Asus U36SD

Running alsa-info.sh, in the output I see

pcilib: sysfs_read_vpd: read failed: Input/output error

and in the generated file I see

!!Soundcards recognised by ALSA
!!-----------------------------

 0 [PCH            ]: HDA-Intel - HDA Intel PCH
                      HDA Intel PCH at 0xdf000000 irq 34


!!PCI Soundcards installed in the system
!!--------------------------------------

00:1b.0 Audio device: Intel Corporation 6 Series/C200 Series Chipset Family High Definition Audio Controller (rev 05)


!!Advanced information - PCI Vendor/Device/Subsystem ID's
!!-------------------------------------------------------

00:1b.0 0403: 8086:1c20 (rev 05)
        Subsystem: 1043:1ba3

but in mate and cinnamon nothing as hardware device
Up to three days ago I could choose between analog and hdmi

Full output file here:

Any help on these problems?
Thanks in advance,
Gianluca



Re: F27 problems with pam?

stan-3
On Wed, 16 May 2018 10:09:04 +0200
Gianluca Cecchi <[hidden email]> wrote:

> BTW: with latest updates there is also a problem with audio card, not
> detected any more.
> From hwinfo point of view I see this:
>
> snd_hda_codec_hdmi: /devices/pci0000:00/0000:00:1b.0/hdaudioC0D3
> snd_hda_codec_hdmi: module = snd_hda_codec_hdmi
> snd_hda_codec_generic: module = snd_hda_codec_generic
> snd_hda_codec_realtek: module = snd_hda_codec_realtek
> snd_hda_codec_realtek: /devices/pci0000:00/0000:00:1b.0/hdaudioC0D0
>
> The pc is an Asus U36SD
>
> Running alsa-info.sh, in the output I see
>
> pcilib: sysfs_read_vpd: read failed: Input/output error
>
> and in the generated file I see
>
> !!Soundcards recognised by ALSA
> !!-----------------------------
>
>  0 [PCH            ]: HDA-Intel - HDA Intel PCH
>                       HDA Intel PCH at 0xdf000000 irq 34
>
>
> !!PCI Soundcards installed in the system
> !!--------------------------------------
>
> 00:1b.0 Audio device: Intel Corporation 6 Series/C200 Series Chipset
> Family High Definition Audio Controller (rev 05)
>
>
> !!Advanced information - PCI Vendor/Device/Subsystem ID's
> !!-------------------------------------------------------
>
> 00:1b.0 0403: 8086:1c20 (rev 05)
>         Subsystem: 1043:1ba3
>
> but in mate and cinnamon nothing as hardware device
> Up to three days ago I could choose between analog and hdmi
>
> Full output file here:
> https://drive.google.com/file/d/1ZXEwzHM9XgOsqiUv-OF2zJ-UqbZrbGHG/view?usp=sharing
>
> Any help on these problems?

Can't help with the network permissions problem, but for the sound
problem, you can install pavucontrol, and check which device is set as
default.  Since non-deterministic instantiation of drivers is the norm,
it is possible that the order of your sound devices has changed, and
the old default now points to the hdmi device.  An easy try, at least.
alsa-info shows that the pci device is there.  If you have a wav file,
you can try
aplay -D plughw:1,0 [wav file]
to see if the device is working.

Re: F27 problems with pam?

Gianluca Cecchi
Thanks Stan for your feedback.
Actually it seems I've narrowed the origin of the problem.
I have been using Mate as DE for many months without any problem.
Only recently (when still in F27 and some days before the start of the problems described in this thread) I switched from gdm to lightdm because I had some lagging events and I tried to eliminate at all gnome/gdm/gnome-shell dependency

Now (I'm in F28) it is simply sufficient to re-enable gdm and connect using Gnome as DE to see that all is ok:
- logout/shutdown buttons without problems (previously a logout originated an automatic relogin...)
- switch wifi on/off and other components (such as external usb disks) without getting authorization errors
- audio adapter is seen ok with its analog and hdmi settings (and it works too... ;-)

So it seems that the problem doesn't show with default Fedora environment but only with the combination I outlined above.
I also tried Cinnamon (with lightdm) and same problems.

Possibly gdm in its start enables some permission for  normal users that lightdm (at least in latest updates) doesn't provide?
I'm going also to test other combinations, to narrow down better (eg lightdm with gnome DE session, etc...)

Gianluca


Re: F27 problems with pam?

stan-3
On Thu, 17 May 2018 10:54:57 +0200
Gianluca Cecchi <[hidden email]> wrote:

> Thanks Stan for your feedback.
> Actually it seems I've narrowed the origin of the problem.
> I have been using Mate as DE for many months without any problem.
> Only recently (when still in F27 and some days before the start of the
> problems described in this thread) I switched from gdm to lightdm
> because I had some lagging events and I tried to eliminate at all
> gnome/gdm/gnome-shell dependency
>
> Now (I'm in F28) it is simply sufficient to re-enable gdm and
> connect using Gnome as DE to see that all is ok:
> - logout/shutdown buttons without problems (previously a logout
> originated an automatic relogin...)
> - switch wifi on/off and other components (such as external usb disks)
> without getting authorization errors
> - audio adapter is seen ok with its analog and hdmi settings (and it
> works too... ;-)
> So it seems that the problem doesn't show with default Fedora
> environment but only with the combination I outlined above.
> I also tried Cinnamon (with lightdm) and same problems.
>
> Possibly gdm in its start enables some permission for  normal users
> that lightdm (at least in latest updates) doesn't provide?
> I'm going also to test other combinations, to narrow down better (eg
> lightdm with gnome DE session, etc...)

Excellent!  And you know you have a working fallback, which is always
nice when testing.  It's strange that a desktop manager would affect
this, since it is the desktop that performs the actions that are having
problems.  Maybe you eliminated some gnome dependency that cinnamon and
mate were depending on?  Or maybe you are right, and it is some
permission or configuration that lightdm is not completing as gdm does.
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@.../message/ZNW3BQRSGEOEW7FG46F6QBTIL6CHV4PK/

Re: F27 problems with pam?

Francis.Montagnac

Hi.

On Thu, 17 May 2018 10:19:52 -0700 stan wrote:

> On Thu, 17 May 2018 10:54:57 +0200
> Gianluca Cecchi <[hidden email]> wrote:

>> Now (I'm in F28) it is simply sufficient to re-enable gdm and
>> connect using Gnome as DE to see that all is ok:
>> - logout/shutdown buttons without problems (previously a logout
>> originated an automatic relogin...)
>> - switch wifi on/off and other components (such as external usb disks)
>> without getting authorization errors
>> - audio adapter is seen ok with its analog and hdmi settings (and it
>> works too... ;-)

>> Possibly gdm in its start enables some permission for normal users
>> that lightdm (at least in latest updates) doesn't provide?

I don't think it's that. See below.

We are using lightdm and noticed also this problem.

> It's strange that a desktop manager would affect this, since it is
> the desktop that performs the actions that are having problems.

This is normal since those actions rely on having a proper
session/seat defined to be authorized by polkit, and it is the
desktop manager that sets that up.

I found that the culprit is the RPM pam-kwallet-5.12.5-3.fc27: if you
erase it this problem disappears.  You indicated this RPM in your
initial post.

With pam-kwallet installed, the journal shows:

  lightdm[10869]: pam_kwallet5(lightdm:session): pam_kwallet5: final socket path: /tmp/kwallet5_fm.socket
  lightdm[10869]: pam_kwallet5(lightdm:session): pam_kwallet5-kwalletd: Couldn't listen in socket
  lightdm[10869]: pam_kwallet5(lightdm:session): pam_kwallet5: Impossible to write walletKey to walletPipe
  lightdm[10869]: pam_kwallet(lightdm:session): pam_kwallet: pam_sm_open_session
  lightdm[10870]: pam_kwallet(lightdm:session): pam_kwallet: final socket path: /tmp/kwallet_fm.socket
  lightdm[10870]: pam_kwallet(lightdm:session): pam_kwallet-kwalletd: Couldn't listen in socket
  lightdm[10870]: pam_kwallet(lightdm:session): pam_kwallet: Impossible to write walletKey to walletPipe

### Fail to create session:

  lightdm[10870]: pam_systemd(lightdm:session): Failed to create session: Access denied
  lightdm[10870]: pam_unix(lightdm:session): session opened for user fm by (uid=1005)

### Fail to register in lastlog and btmp

  lightdm[10870]: pam_lastlog(lightdm:session): unable to open /var/log/lastlog: Permission denied
  lightdm[10870]: pam_lastlog(lightdm:session): unable to open /var/log/btmp: Permission denied

It works with gdm since it doesn't include pam_kwallet in its pam
configuration files (of course :-) ), unlike lightdm:

  /etc/pam.d/lightdm:

    auth       substack    system-auth
    -auth       optional    pam_gnome_keyring.so
    -auth       optional    pam_kwallet5.so
    -auth       optional    pam_kwallet.so
    ..
    -session    optional    pam_gnome_keyring.so auto_start
    -session    optional    pam_kwallet5.so
    -session    optional    pam_kwallet.so
    session    include     system-auth

I tried to put system-auth before the pam_kwallet* in the session
part: nmcli works, but logout no. In this case the socket is put under
/run/user/$UID that is created before, but still "Couldn't listen in socket"

I haven't tried to put the pam_kwallet* last in the session part.

sddm is perhaps subject to this bug since it includes also the
pam_kwallet* modules.  I haven't tested it.

It is safe to suppress the pam_kwallet RPM since it fails anyway to
spawn kwalletd and no other RPM depends on it.

Nice side effect for an optional module :-(

--
francis
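
Added example, not part of the original thread: a Python check that scans journal text for the pattern shown in the message above, a login where pam_systemd fails to create the session while pam_unix still opens it, and reports which PAM modules logged errors before and after. The function name and the error keywords are assumptions of this example; events are grouped by PAM service because the quoted lines come from two PIDs.

```python
import re
from collections import defaultdict

# Subset of the journal lines quoted in the message above.
SAMPLE = """\
lightdm[10869]: pam_kwallet5(lightdm:session): pam_kwallet5-kwalletd: Couldn't listen in socket
lightdm[10869]: pam_kwallet5(lightdm:session): pam_kwallet5: Impossible to write walletKey to walletPipe
lightdm[10870]: pam_kwallet(lightdm:session): pam_kwallet-kwalletd: Couldn't listen in socket
lightdm[10870]: pam_systemd(lightdm:session): Failed to create session: Access denied
lightdm[10870]: pam_unix(lightdm:session): session opened for user fm by (uid=1005)
lightdm[10870]: pam_lastlog(lightdm:session): unable to open /var/log/lastlog: Permission denied
lightdm[10870]: pam_lastlog(lightdm:session): unable to open /var/log/btmp: Permission denied
"""

# Shape of each line: proc[pid]: pam_module(service:phase): message
LINE = re.compile(r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<mod>pam_\w+)"
                  r"\((?P<svc>[^:()]+):(?P<phase>\w+)\): (?P<msg>.*)")
ERROR = re.compile(r"couldn't|impossible|unable to|denied|failed", re.I)  # assumed keywords

def find_sessions_without_logind(text):
    """Return one finding per PAM service whose session phase logged a
    pam_systemd 'Failed to create session' error."""
    events = defaultdict(list)          # service -> ordered (module, message)
    for raw in text.splitlines():
        m = LINE.search(raw)
        if m and m["phase"] == "session":
            events[m["svc"]].append((m["mod"], m["msg"]))
    findings = []
    for svc, evs in events.items():
        idx = next((i for i, (mod, msg) in enumerate(evs) if mod == "pam_systemd"
                    and msg.startswith("Failed to create session")), None)
        if idx is None:
            continue
        def failing(part):
            # Modules that logged an error, de-duplicated in first-seen order.
            return list(dict.fromkeys(mod for mod, msg in part if ERROR.search(msg)))
        findings.append({
            "service": svc,
            "reason": evs[idx][1].split(": ", 1)[1],
            "errors_before": failing(evs[:idx]),
            "errors_after": failing(evs[idx + 1:]),
            "login_still_opened": any(mod == "pam_unix" and msg.startswith("session opened")
                                      for mod, msg in evs[idx + 1:]),
        })
    return findings

if __name__ == "__main__":
    for finding in find_sessions_without_logind(SAMPLE):
        print(finding)
```

On a live system the same function can be fed the text of `journalctl -b`; a finding with `login_still_opened` set marks a user who is logged in without a logind session, which is the state in which polkit refuses the networking and shutdown actions described in this thread.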

Re: F27 problems with pam?

Gianluca Cecchi
On Mon, May 21, 2018 at 3:36 PM, <[hidden email]> wrote:

> Hi.
>
> On Thu, 17 May 2018 10:19:52 -0700 stan wrote:
>
>> On Thu, 17 May 2018 10:54:57 +0200
>> Gianluca Cecchi <[hidden email]> wrote:
>
>>> Now (I'm in F28) it is simply sufficient to re-enable gdm and
>>> connect using Gnome as DE to see that all is ok:
>>> - logout/shutdown buttons without problems (previously a logout
>>> originated an automatic relogin...)
>>> - switch wifi on/off and other components (such as external usb disks)
>>> without getting authorization errors
>>> - audio adapter is seen ok with its analog and hdmi settings (and it
>>> works too... ;-)
>
>>> Possibly gdm in its start enables some permission for normal users
>>> that lightdm (at least in latest updates) doesn't provide?
>
> I don't think it's that. See below.
>
> We are using lightdm and noticed also this problem.

So I'm not alone...

Perhaps I didn't express clear enough.
With lightdm I had the problem (as you confirmed you had too)
With gdm I don't have the problem at all
 

> I found that the culprit is the RPM pam-kwallet-5.12.5-3.fc27: if you
> erase it this problem disappears.  You indicated this RPM in your
> initial post.

I can try and verify if it is the same for my environment

In the mean time I took the occasion to switch back again to gdm as DM and gnome-session as DE
I have to say that it seems more usable and less cpu consuming as in the time when I abandoned it (especially gnome-shell process that often became mad...)
Also, after disabling tracker related things (see the other thread), it seems to me that all in all this configuration in F28 on my laptop (Asus U36SD) consumes less (battery lasts more) than the previous F27+lightdm+Mate DE
I will continue to test and eventually switch again if not satisfied.
The important is to preserve the power of choice and ability to change if needed ;-)
 

> It is safe to suppress the pam_kwallet RPM since it fails anyway to
> spawn kwalletd and no other RPM depends on it.
>
> Nice side effect for an optional module :-(


Indeed!

Thanks for your comments and help

Gianluca 

