View previous topic :: View next topic |
Author |
Message |
Thulle n00b
Joined: 11 Nov 2002 Posts: 70
|
Posted: Sat Jun 26, 2021 2:14 pm Post subject: [Solved] Login issues in graphical environment w kernel 5.12 |
|
|
Has there been any changes related to login in new kernels?
If I boot gentoo-sources 5.12.13 and try to login in via sddm, it fails and I get the following in the log:
Code: | [15:49:16.914] (II) DAEMON: Message received from greeter: Login
[15:49:16.914] (II) DAEMON: Reading from "/usr/share/xsessions/fluxbox.desktop"
[15:49:16.917] (II) DAEMON: Reading from "/usr/share/xsessions/fluxbox.desktop"
[15:49:16.917] (II) DAEMON: Session "/usr/share/xsessions/fluxbox.desktop" selected, command: "startfluxbox"
[15:49:16.931] (II) HELPER: [PAM] Starting...
[15:49:16.931] (II) HELPER: [PAM] Authenticating...
[15:49:16.932] (II) HELPER: [PAM] Preparing to converse...
[15:49:16.932] (II) HELPER: [PAM] Conversation with 1 messages
[15:49:18.853] (WW) HELPER: [PAM] authenticate: Permission denied
[15:49:18.853] (II) HELPER: [PAM] returning.
[15:49:18.853] (WW) DAEMON: Authentication error: "Permission denied"
[15:49:18.854] (II) HELPER: [PAM] Ended.
[15:49:18.868] (WW) DAEMON: Auth: sddm-helper exited with 1
|
Rebooting into 5.10.42 it works as intended and log shows this:
Code: | [15:57:40.708] (II) DAEMON: Message received from greeter: Login
[15:57:40.709] (II) DAEMON: Reading from "/usr/share/xsessions/fluxbox.desktop"
[15:57:40.712] (II) DAEMON: Reading from "/usr/share/xsessions/fluxbox.desktop"
[15:57:40.712] (II) DAEMON: Session "/usr/share/xsessions/fluxbox.desktop" selected, command: "startfluxbox"
[15:57:40.728] (II) HELPER: [PAM] Starting...
[15:57:40.728] (II) HELPER: [PAM] Authenticating...
[15:57:40.729] (II) HELPER: [PAM] Preparing to converse...
[15:57:40.729] (II) HELPER: [PAM] Conversation with 1 messages
[15:57:40.738] (II) HELPER: [PAM] returning.
[15:57:40.739] (II) DAEMON: Authenticated successfully
[15:57:40.772] (II) HELPER: Starting: "/usr/share/sddm/scripts/Xsession \"startfluxbox\""
[15:57:40.774] (II) HELPER: Adding cookie to "/home/user/.Xauthority"
[15:57:40.778] (II) DAEMON: Session started
|
Logging in non-graphically works fine on both kernels.
Last edited by Thulle on Mon Jul 12, 2021 9:47 am; edited 1 time in total |
|
Back to top |
|
|
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
|
Posted: Sat Jun 26, 2021 6:47 pm Post subject: |
|
|
It doesnt make sense.
Have you rebuilt nvidia-drivers if any and initramfs?
Do you have anything exotic like selinux or apparmor? _________________
|
|
Back to top |
|
|
Thulle n00b
Joined: 11 Nov 2002 Posts: 70
|
Posted: Sat Jun 26, 2021 7:28 pm Post subject: |
|
|
alamahant wrote: | It doesnt make sense.
|
Right? I don't know where to start.
One theory was that something was crashing with updated nvidia-drivers, so I tried the different combinations:
I tried both nvidia-drivers 465.31 and 470.42.01 with kernel 5.12, same issue, can't login.
Tried both nvidia-drivers with kernel 5.10, can login on both, but 470.42.01 can't find one of my monitors.
Everything rebuilt with genkernel for each combination.
edit: No selinux or apparmor.
Last edited by Thulle on Sat Jun 26, 2021 7:37 pm; edited 1 time in total |
|
Back to top |
|
|
Thulle n00b
Joined: 11 Nov 2002 Posts: 70
|
Posted: Sat Jun 26, 2021 7:36 pm Post subject: |
|
|
A diff of the kernel configs: https://pastebin.com/4eY9at1n
Can't see anything that's changed that seems relevant to this.
edit: or, kfence maybe?
edit2: nope, needs more config flags to enable that. |
|
Back to top |
|
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
|
Posted: Sat Jun 26, 2021 8:27 pm Post subject: |
|
|
Exactly what permission is denied on the bad kernel? Can you increase log verbosity to the point that it shows something actionable? |
|
Back to top |
|
|
GDH-gentoo Veteran
Joined: 20 Jul 2019 Posts: 1530 Location: South America
|
Posted: Sat Jun 26, 2021 8:44 pm Post subject: |
|
|
PAM logs to syslog, so if you have a syslog server installed, you might also get some more information in the logs. Look for the messages involving sddm-helper. |
|
Back to top |
|
|
Thulle n00b
Joined: 11 Nov 2002 Posts: 70
|
Posted: Sun Jun 27, 2021 12:01 pm Post subject: |
|
|
I reemerged pambase with USE=+debug, and on successful logins it spams a ton of stuff. On 5.12 this is what I get:
Code: |
Jun 27 13:44:27 soma sddm-helper[9765]: pam_unix(sddm:auth): username [user] obtained
Jun 27 13:44:27 soma sddm-helper[9765]: pam_unix(sddm:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=user
Jun 27 13:44:27 soma sddm-helper[9765]: gkr-pam: unable to locate daemon control file
Jun 27 13:44:27 soma sddm-helper[9765]: gkr-pam: stashed password to try later in open session
|
The last two lines seem to be a constant error, present on working logins too.
SDDM doesn't seem to have any more verbose logging. |
|
Back to top |
|
|
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
|
Posted: Sun Jun 27, 2021 12:05 pm Post subject: |
|
|
What is the output of
Code: |
cat /etc/pam.d/<sddm-something>
grep POSIX_ACL /usr/src/linux/.config
|
? _________________
|
|
Back to top |
|
|
Thulle n00b
Joined: 11 Nov 2002 Posts: 70
|
Posted: Sun Jun 27, 2021 12:10 pm Post subject: |
|
|
A successful login looks like this:
Code: | Jun 27 13:48:05 soma sddm-helper[11436]: pam_unix(sddm:auth): username [user] obtained
Jun 27 13:48:05 soma sddm-helper[11436]: gkr-pam: unable to locate daemon control file
Jun 27 13:48:05 soma sddm-helper[11436]: gkr-pam: stashed password to try later in open session
Jun 27 13:48:05 soma sddm-helper[11436]: pam_access(sddm:account): cannot determine tty or remote hostname, using service sddm
Jun 27 13:48:05 soma sddm-helper[11436]: pam_access(sddm:account): login_access: user=user from=sddm, file=/etc/security/access.conf
Jun 27 13:48:05 soma sddm-helper[11436]: pam_env(sddm:session): pam_putenv("CASROOT=/usr")
<a ton of other env stuff>
<some pam_limits>
Jun 27 13:48:05 soma sddm-helper[11436]: pam_unix(sddm:session): session opened for user user(uid=1000) by (uid=0)
|
alamahant wrote: | What is the output of /etc/pam.d/<sddm-something>?
|
Code: | # grep -Hriv "^$" /etc/pam.d/sddm*
/etc/pam.d/sddm:#%PAM-1.0
/etc/pam.d/sddm:auth substack system-login
/etc/pam.d/sddm:-auth optional pam_gnome_keyring.so
/etc/pam.d/sddm:-auth optional pam_kwallet5.so
/etc/pam.d/sddm:account substack system-login
/etc/pam.d/sddm:password substack system-login
/etc/pam.d/sddm:-password optional pam_gnome_keyring.so use_authtok
/etc/pam.d/sddm:session optional pam_keyinit.so force revoke
/etc/pam.d/sddm:session substack system-login
/etc/pam.d/sddm:-session optional pam_gnome_keyring.so auto_start
/etc/pam.d/sddm:-session optional pam_kwallet5.so auto_start
/etc/pam.d/sddm-autologin:#%PAM-1.0
/etc/pam.d/sddm-autologin:auth required pam_env.so
/etc/pam.d/sddm-autologin:auth required pam_shells.so
/etc/pam.d/sddm-autologin:auth required pam_nologin.so
/etc/pam.d/sddm-autologin:auth required pam_permit.so
/etc/pam.d/sddm-autologin:-auth optional pam_gnome_keyring.so
/etc/pam.d/sddm-autologin:-auth optional pam_kwallet5.so
/etc/pam.d/sddm-autologin:account include system-local-login
/etc/pam.d/sddm-autologin:password include system-local-login
/etc/pam.d/sddm-autologin:session include system-local-login
/etc/pam.d/sddm-autologin:-session optional pam_gnome_keyring.so auto_start
/etc/pam.d/sddm-autologin:-session optional pam_kwallet5.so auto_start
/etc/pam.d/sddm-greeter:#%PAM-1.0
/etc/pam.d/sddm-greeter:# Load environment from /etc/environment and ~/.pam_environment
/etc/pam.d/sddm-greeter:auth required pam_env.so
/etc/pam.d/sddm-greeter:# Always let the greeter start without authentication
/etc/pam.d/sddm-greeter:auth required pam_permit.so
/etc/pam.d/sddm-greeter:# No action required for account management
/etc/pam.d/sddm-greeter:account required pam_permit.so
/etc/pam.d/sddm-greeter:# Can't change password
/etc/pam.d/sddm-greeter:password required pam_deny.so
/etc/pam.d/sddm-greeter:# Setup session
/etc/pam.d/sddm-greeter:session required pam_unix.so
/etc/pam.d/sddm-greeter:session optional pam_elogind.so
|
alamahant wrote: | What is the output of grep POSIX_ACL /usr/src/linux/.config?
|
Code: | # grep POSIX_ACL /usr/src/linux/.config
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_9P_FS_POSIX_ACL=y
|
Not sure that's relevant, root fs is ZFS. 2.0.5 on both kernel versions. |
|
Back to top |
|
|
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
|
Posted: Sun Jun 27, 2021 12:20 pm Post subject: |
|
|
Would you try also with lightdm instead?
Quote: |
Not sure that's relevant, root fs is ZFS. 2.0.5 on both kernel versions.
|
Your install is root-on-zfs?
I think it is very relevant...
zfs is notorious of breaking symlinks....
This i have experienced myself.
But i cant see if its the issue here. _________________
|
|
Back to top |
|
|
GDH-gentoo Veteran
Joined: 20 Jul 2019 Posts: 1530 Location: South America
|
Posted: Sun Jun 27, 2021 7:27 pm Post subject: |
|
|
Thulle wrote: | On 5.12 this is what I get:
Code: |
Jun 27 13:44:27 soma sddm-helper[9765]: pam_unix(sddm:auth): username [user] obtained
Jun 27 13:44:27 soma sddm-helper[9765]: pam_unix(sddm:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=user |
|
Thulle wrote: | A successful login looks like this:
Code: | Jun 27 13:48:05 soma sddm-helper[11436]: pam_unix(sddm:auth): username [user] obtained
...
Jun 27 13:48:05 soma sddm-helper[11436]: pam_access(sddm:account): login_access: user=user from=sddm, file=/etc/security/access.conf |
|
OK, so module pam_unix its failing to authenticate you on 5.12, but not on 5.10. Or, at least, when loaded by sddm-helper. Is that a filtered output? Are there any more messages between the "username obtained" one and the "authentication failure" one? |
|
Back to top |
|
|
wwdev16 n00b
Joined: 29 Aug 2018 Posts: 52
|
Posted: Mon Jun 28, 2021 8:11 am Post subject: |
|
|
When you say the login fails, do you mean 'sddm accepts the password, and then it returns
to the login screen'? I have seen this with slim+xfce on kernel/xorg upgrades. Did you also
upgrade any X related packages too?
If you get desperate, a brute force approach that seems to fix things: Code: | emerge --ask --verbose --oneshot $(qlist -IC x11- dev-libs media-libs sddm <de-pkgs>) |
|
|
Back to top |
|
|
wwdev16 n00b
Joined: 29 Aug 2018 Posts: 52
|
Posted: Tue Jun 29, 2021 8:42 am Post subject: |
|
|
Do you use systemd? Maybe the systemd logind is sensitive to kernel configs or
interfaces, so rebuilding it from the console w/o a GUI might help. |
|
Back to top |
|
|
Thulle n00b
Joined: 11 Nov 2002 Posts: 70
|
Posted: Sun Jul 11, 2021 3:36 pm Post subject: |
|
|
GDH-gentoo wrote: |
OK, so module pam_unix its failing to authenticate you on 5.12, but not on 5.10. Or, at least, when loaded by sddm-helper. Is that a filtered output? Are there any more messages between the "username obtained" one and the "authentication failure" one? |
There is a filter so I don't log the temperature-polling of my PSU:
destination messages { file("/var/log/messages"); };
filter hid-generic {
not message("hid-generic 0003:1B1C") ;
} ;
log { source(src); filter(hid-generic); destination(messages); };
But nothing that should affect this, and there's nothing more in log than what i posted.
wwdev16 wrote: | When you say the login fails, do you mean 'sddm accepts the password, and then it returns
to the login screen'? I have seen this with slim+xfce on kernel/xorg upgrades. Did you also
upgrade any X related packages too?
If you get desperate, a brute force approach that seems to fix things: Code: | emerge --ask --verbose --oneshot $(qlist -IC x11- dev-libs media-libs sddm <de-pkgs>) |
Do you use systemd? Maybe the systemd logind is sensitive to kernel configs or
interfaces, so rebuilding it from the console w/o a GUI might help.
|
I don't use systemd. pambase built with +elogind.
SDDM says "Login failed", so it doesn't try to start anything at all. |
|
Back to top |
|
|
Thulle n00b
Joined: 11 Nov 2002 Posts: 70
|
Posted: Sun Jul 11, 2021 3:38 pm Post subject: |
|
|
I tried with gentoo-sources-5.13.1 too, same thing.
edit: /etc/pam.d/sddm seems to redirect everything to system-login:
Quote: |
auth substack system-login
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet5.so
account substack system-login
password substack system-login
-password optional pam_gnome_keyring.so use_authtok
session optional pam_keyinit.so force revoke
session substack system-login
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start
|
and system-login looks like this:
Code: |
auth required pam_env.so debug
auth requisite pam_faillock.so preauth
auth [success=1 default=ignore] pam_unix.so nullok debug try_first_pass
auth [default=die] pam_faillock.so authfail
auth optional pam_cap.so
account required pam_unix.so debug
account required pam_faillock.so
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow debug
session required pam_limits.so debug
session required pam_env.so debug
session required pam_unix.so debug |
There we got the pam_unix-auth. It's got the debug parameter already, so not sure how to get more info. |
|
Back to top |
|
|
wwdev16 n00b
Joined: 29 Aug 2018 Posts: 52
|
Posted: Mon Jul 12, 2021 7:34 am Post subject: |
|
|
A wild guess, but sys-fs/eudev, sys-apps/sysvint and sys-apps/openrc
depend on virtual/os-headers. Might be worth reinstalling them since the problem
appears to be kernel version dependent. Make sure the /usr/src/linux symlink
points to the kernel version you want to boot into before doing any resintalls.
To see what log files change use ls -lrt /var/log before and after trying to login.
If there isn't any more information, I would rebuild all the packages that sddm
depends on (lddtree, equery u), and everything with an elogind or pam use flag
(euse -I) and then reboot.
As I have mentioned before, I solved this issue by reinstalling packages. I don't know
what the minium set of packages to reinstall is.
You could also try using strace on the sddm daemon. You might get a specific path
or syscall name where the permissions check fails.
You rebooted to test the new kernel so we know sddm+elogind restarted, right? |
|
Back to top |
|
|
Thulle n00b
Joined: 11 Nov 2002 Posts: 70
|
Posted: Mon Jul 12, 2021 9:46 am Post subject: |
|
|
wwdev16 wrote: | A wild guess, but sys-fs/eudev, sys-apps/sysvint and sys-apps/openrc
depend on virtual/os-headers. Might be worth reinstalling them since the problem
appears to be kernel version dependent. Make sure the /usr/src/linux symlink
points to the kernel version you want to boot into before doing any resintalls.
To see what log files change use ls -lrt /var/log before and after trying to login.
If there isn't any more information, I would rebuild all the packages that sddm
depends on (lddtree, equery u), and everything with an elogind or pam use flag
(euse -I) and then reboot.
As I have mentioned before, I solved this issue by reinstalling packages. I don't know
what the minium set of packages to reinstall is.
You could also try using strace on the sddm daemon. You might get a specific path
or syscall name where the permissions check fails.
You rebooted to test the new kernel so we know sddm+elogind restarted, right? |
I rebuilt everything with
Quote: | emerge --ask --verbose --oneshot $(qlist -IC x11- dev-libs media-libs sddm <de-pkgs>) |
+ rebuilt everything with pam and elogind use-flags, every dependency of sddm, and sddm itself. All in all 450+ packages.
Rebooting after this and compensating for US keyboard layout when typing my password I finally was able to login. I have to figure out how to add swedish layout to sddm, but other than that I'm good. No clue what fixed it. No config files needed to be updated. I ruled out that keyboard layout was an issue earlier, as I tried with the same compensation, also changed it to one without special characters, and also made a new account with an easy to type password just to rule out some other account issue. |
|
Back to top |
|
|
|