On Mon, May 13, 2019, at 2:24 PM, Timothy Sample wrote:
> If I turn on debugging output, I can see that the issue has to do with
> the way PAM is configured. Digging a little deeper, I found that our
> auto-login PAM service is
>
> auth [success=ok default=1] pam_gdm.so
> auth sufficient pam_permit.so
>
> What this means is that if “pam_gdm.so” is not successful, the
> “pam_permit.so” line will be skipped, and auto-login will not work. The
> “pam_gdm.so” module does some sort of cached password lookup using the
> “keyutils” library (presumably for an encrypted home directory). Our
> build of GDM does not support this (we don’t include “keyutils” in its
> inputs), so the module never succeeds. As a result, auto-login fails.

I tried adding keyutils to the GDM package and it made no difference. I
confirmed that it linked correctly, but didn't look into it further.

> It looks like this particular way of doing things was cribbed from Red
> Hat, where the module that gets skipped by “default=1” is
> “pam_gnome_keyring.so” (and not “pam_permit.so”). Other distros simply
> mark it as optional. I suggest we either omit the first rule, since it
> will never do anything anyway, or follow other distros and change its
> control field to “optional”.

I can confirm that changing the control value to "optional" satisfies PAM, but
I ran into another problem. GDM continually crashes and restarts about 40 times
once autologin is enabled. If I switch to another tty and run
`herd restart xorg-server`, then GDM starts fine and automatically logs me in.

I've attached a file with a bunch of log messages. Not full log files, but
snippets from a bunch of logs that I thought looked relevant.

> My experience with PAM is limited, so I would appreciate a second
> opinion before committing anything.

This bug was my introduction to PAM, so perhaps my opinion isn't very
reassuring, but changing pam_gdm.so to optional seems harmless in this case.
Even if it somehow screws something up, it will only affect people who went out
of their way to make their system less secure by enabling auto-login.

--
Alex Griffin

/var/log/gdm/greeter.log:
(II) systemd-logind: took control of session /org/freedesktop/login1/session/c82
(II) xfree86: Adding drm device (/dev/dri/card0)
(II) systemd-logind: got fd for /dev/dri/card0 226:0 fd 13 paused 0
(--) PCI:*(0@0:2:0) 8086:5916:8086:2212 rev 2, Mem @ 0xd0000000/16777216,
0xc0000000/268435456, I/O @ 0x00001c00/64, BIOS @ 0x????????/131072
(WW) Open ACPI failed (/var/run/acpid.socket) (No such file or directory)
(WW) xf86OpenConsole: VT_ACTIVATE failed: Operation not permitted
(EE)
Fatal server error:
(EE) xf86OpenConsole: Switching VT failed
(EE)
(EE)
Please consult the The X.Org Foundation support
at http://wiki.x.org
for help.
(EE) Please also check the log file at
"/var/lib/gdm/.local/share/xorg/Xorg.1.log" for additional information.
(EE)
(WW) xf86CloseConsole: KDSETMODE failed: Operation not permitted
(WW) xf86CloseConsole: VT_SETMODE failed: Operation not permitted
(WW) xf86CloseConsole: VT_ACTIVATE failed: Operation not permitted
(EE) Server terminated with error (1). Closing log file.
Unable to run X server

/var/lib/gdm/.local/share/xorg/Xorg.0.log:
[ 22.122] (II) xfree86: Adding drm device (/dev/dri/card0)
[ 22.123] (II) systemd-logind: got fd for /dev/dri/card0 226:0 fd 12 paused 0
[ 22.124] (--) PCI:*(0@0:2:0) 8086:5916:8086:2212 rev 2, Mem @
0xd0000000/16777216, 0xc0000000/268435456, I/O @ 0x00001c00/64, BIOS @
0x????????/131072
[ 22.124] (WW) Open ACPI failed (/var/run/acpid.socket) (No such file or
directory)
[ 22.159] (EE) xf86OpenConsole: Cannot open virtual console 7 (Permission
denied)

/var/log/messages:
Nov 1 09:44:01 localhost dbus-daemon[585]: [system] Activating service
name='org.freedesktop.Accounts' requested by ':1.5' (uid=0 pid=636
comm="/gnu/store/4jgjnzy36bpf8csnzafzd9sc44dwjvkl-gdm-3.") (using servicehelper)
Nov 1 09:44:01 localhost gdm: Child process -861 was already dead.
Nov 1 09:44:02 localhost gdm: GdmDisplay: display lasted 0.403221 seconds
Nov 1 09:44:02 localhost vmunix: [ 22.570716] broken atomic modeset
userspace detected, disabling atomic

/var/log/secure:
Nov 1 09:44:01 localhost gdm-session-worker: pam_unix(gdm-autologin:session):
session opened for user ajgrf by (uid=0)
Nov 1 09:44:01 localhost gdm-session-worker:
pam_unix(gdm-launch-environment:session): session opened for user gdm by (uid=0)
Nov 1 09:44:01 localhost gdm-session-worker:
pam_unix(gdm-launch-environment:session): session closed for user gdm
Nov 1 09:44:01 localhost gdm-session-worker: pam_unix(gdm-autologin:session):
session closed for user ajgrf

/var/log/debug:
Nov 1 09:43:55 localhost gdm: Enabling debugging
Nov 1 09:43:56 localhost gdm: Changing user:group to gdm:gdm
Nov 1 09:43:57 localhost gdm: Successfully connected to D-Bus
Nov 1 09:43:58 localhost gdm: GdmManager: GDM starting to manage displays
Nov 1 09:43:58 localhost gdm: GdmLocalDisplayFactory: enumerating seats from
logind
Nov 1 09:44:00 localhost gdm: GdmLocalDisplayFactory: X11 login display for
seat seat0 requested
Nov 1 09:44:00 localhost gdm: GdmLocalDisplayFactory: Adding display on seat
seat0
Nov 1 09:44:01 localhost gdm: GdmDisplay: id: (null)
Nov 1 09:44:01 localhost gdm: GdmDisplay: seat id: (null)
Nov 1 09:44:01 localhost gdm: GdmDisplay: session class: greeter
Nov 1 09:44:01 localhost gdm: GdmDisplay: initial: no
Nov 1 09:44:01 localhost gdm: GdmDisplay: allow timed login: yes
Nov 1 09:44:01 localhost gdm: GdmDisplay: local: yes
Nov 1 09:44:01 localhost gdm: GdmDisplay: seat id: seat0
Nov 1 09:44:01 localhost gdm: GdmDisplay: initial: yes
Nov 1 09:44:01 localhost gdm: GdmDisplayStore: Adding display
/org/gnome/DisplayManager/Displays/19165744 to store
Nov 1 09:44:01 localhost gdm: GdmDisplay: Managing display:
/org/gnome/DisplayManager/Displays/19165744
Nov 1 09:44:01 localhost gdm: GdmDisplay: Preparing display:
/org/gnome/DisplayManager/Displays/19165744
Nov 1 09:44:01 localhost dbus-daemon[585]: [system] Activating service
name='org.freedesktop.Accounts' requested by ':1.5' (uid=0 pid=636
comm="/gnu/store/4jgjnzy36bpf8csnzafzd9sc44dwjvkl-gdm-3.") (using servicehelper)
Nov 1 09:44:01 localhost gdm: GdmDisplay: Checking kernel command buffer
BOOT_IMAGE=/gnu/store/grdqxrnj6lx4bgczhckbmx0p3fyc8d42-linux-5.3.8/bzImage
--root=1f1bdd00-3aa2-476f-8b5d-4a8200737eb9
--system=/gnu/store/v0171qbxgnafq0zgw14ljc600d6b1l84-system
--load=/gnu/store/v0171qbxgnafq0zgw14ljc600d6b1l84-system/boot quiet
Nov 1 09:44:01 localhost gdm: GdmDisplay: Failed to read kernel commandline:
Could not match gnome.initial-setup= in kernel cmdline
Nov 1 09:44:01 localhost gdm: doing initial setup? no
Nov 1 09:44:01 localhost gdm: GdmDisplay: prepare display
Nov 1 09:44:01 localhost gdm: GdmDisplay: Got automatic login details for
display: 1 ajgrf
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: trying to track
new user with username ajgrf
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: finding user
'ajgrf' state 1
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: waiting for
user manager to load before finding user 'ajgrf'
Nov 1 09:44:01 localhost gdm: GdmLocalDisplayFactory: display status changed:
1
Nov 1 09:44:01 localhost gdm: GdmLocalDisplayFactory: received VT change event
Nov 1 09:44:01 localhost gdm: GdmLocalDisplayFactory: VT is tty1 at startup
Nov 1 09:44:01 localhost gdm: AccountsService: Failed to identify the current
session: No data available
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: seat unloaded,
so trying to set loaded property
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: Seat wouldn't
load, so giving up on it and setting loaded property
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: user manager
now loaded, proceeding with fetch user request for user 'ajgrf'
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: finding user
'ajgrf' state 2
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: Looking for
user 'ajgrf' in accounts service
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: already loaded,
so not setting loaded property
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: Found object
path of user 'ajgrf': /org/freedesktop/Accounts/User1000
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: finding user
'ajgrf' state 3
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: user 'ajgrf'
fetched
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: user ajgrf is
now loaded
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: user ajgrf was
not yet known, adding it
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: tracking user
'ajgrf'
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: not yet loaded,
so not emitting user-added signal
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: no pending
users, trying to set loaded property
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: already loaded,
so not setting loaded property
Nov 1 09:44:01 localhost gdm: GdmSession: Creating D-Bus server for worker for
session
Nov 1 09:44:01 localhost gdm: GdmSession: D-Bus server for workers listening
on unix:abstract=/tmp/dbus-GXJUTiEa
Nov 1 09:44:01 localhost gdm: GdmSession: Creating D-Bus server for greeters
and such for session (null) (0x127f160)
Nov 1 09:44:01 localhost gdm: GdmSession: D-Bus server for greeters listening
on unix:abstract=/tmp/dbus-sgM0OF2T
Nov 1 09:44:01 localhost gdm: GdmSession: Setting display device: (null)
Nov 1 09:44:01 localhost gdm: GdmSession: Created user session for user 0 on
display /org/gnome/DisplayManager/Displays/19165744 (seat seat0)
Nov 1 09:44:01 localhost gdm: GdmManager: Starting automatic login
conversation
Nov 1 09:44:01 localhost gdm: GdmSession: starting conversation gdm-autologin
for session (0x127f160)
Nov 1 09:44:01 localhost gdm: GdmSessionWorkerJob: Starting worker...
Nov 1 09:44:01 localhost gdm: GdmSessionWorkerJob: Running session_worker_job
process: gdm-session-worker [pam/gdm-autologin]
/gnu/store/4jgjnzy36bpf8csnzafzd9sc44dwjvkl-gdm-3.30.3/libexec/gdm-session-worker
Nov 1 09:44:01 localhost gdm: GLib: posix_spawn avoided (fd close requested)
(child_setup specified)
Nov 1 09:44:01 localhost gdm: GdmSessionWorkerJob: : SessionWorkerJob on pid
843
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: finished
handling request for user 'ajgrf'
Nov 1 09:44:01 localhost gdm: AccountsService: ActUserManager: unrefing
manager owned by fetch user request
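
The PAM control-field behaviour discussed in the message above, as an added example that is not part of the original thread or of Guix, GDM or Linux-PAM: a small model of how a stack is evaluated, run on the quoted rule and on the "optional" variant. The module return values ("auth_err", "success") and the "denied" verdict name are constructed inputs and labels; no PAM module is loaded.

```python
import re

# Keyword controls in their bracket form, per pam.conf(5)
# (the new_authtok_reqd value is left out of this model).
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}

def parse_line(line):
    """Split 'type control module' into (type, {value: action}, module)."""
    mtype, control, module = re.match(
        r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line.strip()).groups()
    if control.startswith("["):
        actions = dict(pair.split("=") for pair in control[1:-1].split())
    else:
        actions = KEYWORDS[control]
    return mtype, actions, module

def run_stack(config, results):
    """Return the stack's verdict. `results` maps module -> its return value
    ('success' or a failure name); these are constructed inputs."""
    impression, status, skip = None, "denied", 0
    for line in config.strip().splitlines():
        _, actions, module = parse_line(line)
        if skip:                      # jumped over by an earlier numeric action
            skip -= 1
            continue
        ret = results[module]
        action = actions.get(ret, actions["default"])
        if action.isdigit():          # e.g. default=1: skip the next module
            skip = int(action)
        elif action in ("ok", "done"):
            if impression is None or (impression == "good" and status == "success"):
                impression, status = "good", ret
            if action == "done" and impression == "good":
                break                 # "sufficient" success ends the stack
        elif action in ("bad", "die"):
            if impression != "bad":   # the first failure decides the verdict
                impression, status = "bad", ret
            if action == "die":
                break
        # "ignore": the module contributes nothing to the verdict
    return status                     # still "denied" if no module counted

# The rule quoted in the thread, and the same rule marked "optional".
ORIGINAL = "auth [success=ok default=1] pam_gdm.so\nauth sufficient pam_permit.so"
PROPOSED = "auth optional pam_gdm.so\nauth sufficient pam_permit.so"
```

With pam_gdm.so failing, `run_stack(ORIGINAL, ...)` ends with no module having contributed and the stack is denied, while `run_stack(PROPOSED, ...)` reaches pam_permit.so and succeeds.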