Author |
Message |
Joseph K. Guru
Joined: 07 Jun 2006 Posts: 436 Location: Sydney, Australia
|
Posted: Sun Apr 18, 2021 2:31 am Post subject: [SOLVED] KDE Plasma lock screen won't unlock but I can login |
|
|
Yeah, so as the subject says, after I have logged in, if I lock the screen, I can't unlock it. But if I choose "login as a different user" and login again -- it's just the same as unlocking.
But, you know, it's annoying.
I also have this reasonably well known error in my X log:
Code: | Information [ 44034.245] (EE) Failed to open authorization file "/var/run/sddm/{46393379-c12c-4a00-8720-0c6be7dcb433}": No such file or directory
|
I use openrc and elogind, and I'll mention that I have an encrypted home directory although I'm not sure it is relevant.
I tried re-emerging all the pam-related security packages as someone advised somewhere, but to no avail.
I just realized that I haven't re-emerged sddm for a long time, so I better try that once my current update world finishes.
Any thoughts or advice on what the cause could be? It kinda just started happening out of nowhere. :\
Cheers.
Last edited by Joseph K. on Tue May 04, 2021 11:38 am; edited 1 time in total |
|
|
|
tomtom69 Apprentice
Joined: 09 Nov 2010 Posts: 245 Location: Bavaria
|
Posted: Mon Apr 19, 2021 5:41 pm Post subject: |
|
|
Had the same on one computer. Re-emerging pam did the trick there.
The affected system was cloned from a different computer, and I found the cause for the issue here:
https://forum.kde.org/viewtopic.php?f=289&t=152045
I still do not understand what "fancy security capabilities" can not be copied by tar, but they seem not to be used generally because cloning with tar worked all the time except this issue. |
|
|
|
Joseph K. Guru
Joined: 07 Jun 2006 Posts: 436 Location: Sydney, Australia
|
Posted: Sun Apr 25, 2021 11:22 am Post subject: |
|
|
tomtom69 wrote: | Had the same on one computer. Re-emerging pam did the trick there.
The affected system was cloned from a different computer, and I found the cause for the issue here:
https://forum.kde.org/viewtopic.php?f=289&t=152045
I still do not understand what "fancy security capabilities" can not be copied by tar, but they seem not to be used generally because cloning with tar worked all the time except this issue. |
Thanks, that was an interesting read.
I assume the fancy security capabilities are, well, actually called "capabilities": https://linux.die.net/man/7/capabilities
I already tried re-emerging pam, so not sure it will help me. Might be something in my pam config, though, I guess.
Cheers. |
|
|
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
|
Posted: Sun Apr 25, 2021 4:20 pm Post subject: |
|
|
To confirm that you have picked up the fix that person needed, what is the output of getcap /sbin/unix_chkpwd ; ls -l /sbin/unix_chkpwd? |
|
|
|
Joseph K. Guru
Joined: 07 Jun 2006 Posts: 436 Location: Sydney, Australia
|
Posted: Wed Apr 28, 2021 11:09 am Post subject: |
|
|
Hu wrote: | To confirm that you have picked up the fix that person needed, what is the output of getcap /sbin/unix_chkpwd ; ls -l /sbin/unix_chkpwd? |
Thanks for asking. Let's see...
Code: | /sbin/unix_chkpwd cap_dac_override=ep
|
Now, something I notice is that mine is =ep versus +ep in that article.
Code: | -rwx--x--x 1 root root 38696 Apr 8 17:48 /sbin/unix_chkpwd
|
The filename is black text on a red background. Is that good or bad? :\
It's not flashing red text, so I assume it is OK.
Cheers. |
|
|
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
|
Posted: Wed Apr 28, 2021 3:45 pm Post subject: |
|
|
Your results match mine, and my system works as intended here. I think you applied that fix correctly, which is unfortunate, since that would have been an easy explanation.
When the unlock fails, are there any messages logged to system logs, such as /var/log/secure, /var/log/auth.log, etc.? |
|
|
|
Joseph K. Guru
Joined: 07 Jun 2006 Posts: 436 Location: Sydney, Australia
|
Posted: Sun May 02, 2021 5:31 am Post subject: |
|
|
Hu wrote: | Your results match mine, and my system works as intended here. I think you applied that fix correctly, which is unfortunate, since that would have been an easy explanation.
When the unlock fails, are there any messages logged to system logs, such as /var/log/secure, /var/log/auth.log, etc.? |
Hmm, interestingly, I don't have either of those log files! Are they from systemd? I run openrc + elogind.
So I performed a failed unlock followed a few seconds later by a successful login. Here are the relevant logs I could find.
Firstly, from sddm:
Code: | [13:58:43.501] (II) DAEMON: Adding new display on vt 8 ...
[13:58:43.501] (II) DAEMON: Loading theme configuration from ""
[13:58:43.501] (II) DAEMON: Display server starting...
[13:58:43.501] (II) DAEMON: Running: /usr/bin/X -nolisten tcp -auth /var/run/sddm/{56869115-7b51-47b4-b402-f5140025d474} -background none -noreset -displayfd 18 -seat seat0 vt8
[13:58:44.359] (II) DAEMON: Setting default cursor
[13:58:44.413] (II) DAEMON: Running display setup script "/usr/share/sddm/scripts/Xsetup"
[13:58:44.415] (II) DAEMON: Display server started.
[13:58:44.415] (II) DAEMON: Socket server starting...
[13:58:44.415] (II) DAEMON: Socket server started.
[13:58:44.415] (II) DAEMON: Loading theme configuration from "/usr/share/sddm/themes/breeze/theme.conf"
[13:58:44.415] (II) DAEMON: Greeter starting...
[13:58:44.415] (II) DAEMON: Adding cookie to "/var/run/sddm/{56869115-7b51-47b4-b402-f5140025d474}"
[13:58:44.420] (II) HELPER: [PAM] Starting...
[13:58:44.420] (II) HELPER: [PAM] Authenticating...
[13:58:44.420] (II) HELPER: [PAM] returning.
[13:58:44.425] (II) DAEMON: Greeter session started successfully
[13:58:44.448] (II) DAEMON: Message received from greeter: Connect
[13:58:47.660] (II) DAEMON: Message received from greeter: Login
[13:58:47.660] (II) DAEMON: Reading from "/usr/share/xsessions/plasma.desktop"
[13:58:47.662] (II) DAEMON: Reading from "/usr/share/xsessions/plasma.desktop"
[13:58:47.662] (II) DAEMON: Session "/usr/share/xsessions/plasma.desktop" selected, command: "/usr/bin/startplasma-x11"
[13:58:47.669] (II) HELPER: [PAM] Starting...
[13:58:47.669] (II) HELPER: [PAM] Authenticating...
[13:58:47.670] (II) HELPER: [PAM] Preparing to converse...
[13:58:47.670] (II) HELPER: [PAM] Conversation with 1 messages
[13:58:47.675] (II) HELPER: [PAM] returning.
[13:58:47.676] (II) DAEMON: Authenticated successfully
[13:58:47.677] (II) HELPER: [PAM] Ended.
[13:58:47.678] (II) DAEMON: Auth: sddm-helper exited successfully
[13:58:47.678] (II) DAEMON: Greeter stopping...
[13:58:47.678] (II) DAEMON: Socket server stopping...
[13:58:47.678] (II) DAEMON: Socket server stopped.
[13:58:47.678] (II) DAEMON: Display server stopping...
[13:58:47.984] (II) DAEMON: Display server stopped.
[13:58:47.984] (II) DAEMON: Running display stop script "/usr/share/sddm/scripts/Xstop"
[13:58:47.985] (II) DAEMON: Removing display ":1" ...
[13:58:47.985] (II) DAEMON: Jumping to VT 7
[13:58:47.985] (II) DAEMON: VT mode didn't need to be fixed
[13:58:47.985] (II) DAEMON: Greeter stopping...
[13:58:47.985] (WW) DAEMON: QProcess: Destroyed while process ("/usr/libexec/sddm-helper") is still running.
|
What I notice is that it is starting a new display on vt 8 -- is that right? Should it be simply showing the lockscreen on vt 7, where I originally logged in?
It looks like PAM is trying to authenticate the unlock but it fails?
Next is messages, and I probably should have looked in here first:
Code: | May 2 13:58:40 EliteChook2 kcheckpass[24488]: PAM _pam_load_conf_file: unable to open config for system-login
May 2 13:58:40 EliteChook2 kcheckpass[24488]: PAM _pam_load_conf_file: unable to open config for system-login
May 2 13:58:40 EliteChook2 kcheckpass[24488]: PAM _pam_load_conf_file: unable to open config for system-login
May 2 13:58:40 EliteChook2 kcheckpass[24488]: PAM _pam_load_conf_file: unable to open config for system-login
May 2 13:58:44 EliteChook2 sddm-helper[24504]: pam_unix(sddm-greeter:session): session opened for user sddm(uid=105) by (uid=0)
May 2 13:58:44 EliteChook2 kernel: elogind-daemon[3353]: New session c6 of user sddm.
May 2 13:58:47 EliteChook2 sddm-helper[24533]: gkr-pam: unable to locate daemon control file
May 2 13:58:47 EliteChook2 sddm-helper[24533]: gkr-pam: stashed password to try later in open session
May 2 13:58:47 EliteChook2 sddm-helper[24533]: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate
May 2 13:58:47 EliteChook2 dbus-daemon[3321]: [system] Activating service name='org.kde.powerdevil.backlighthelper' requested by ':1.45' (uid=1000 pid=29059 comm="/usr/lib64/libexec/org_kde_powerdevil " label="kernel") (using servicehelper)
May 2 13:58:47 EliteChook2 dbus-daemon[3321]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
May 2 13:58:47 EliteChook2 kernel: elogind-daemon[3353]: Removed session c6.
|
Looks like PAM is misconfigured? My configuration is non-standard, as I have an encrypted home directory that requires adding pam_mount.so in a few places but I'll admit that I'm no expert and so I have probably not added to the right spot for unlocking.
I'll come back later after I play with the config a bit.
Cheers. |
|
|
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
|
Posted: Sun May 02, 2021 3:48 pm Post subject: |
|
|
Joseph K. wrote: | Hu wrote: | When the unlock fails, are there any messages logged to system logs, such as /var/log/secure, /var/log/auth.log, etc.? |
Hmm, interestingly, I don't have either of those log files! Are they from systemd? I run openrc + elogind. |
They are not, but their names are configurable via your system logger. Perhaps your logger is configured differently than mine.
Joseph K. wrote: | What I notice is that it is starting a new display on vt 8 -- is that right? Should it be simply showing the lockscreen on vt 7, where I originally logged in? |
I don't know how your environment should work in this regard. I use text login -> startx -> xscreensaver. In my flow, xscreensaver is just a window that monopolizes the X server's display, so no extra X servers are created. Your flow might need this extra work since you have the option of logging in again as another user. I don't.
Joseph K. wrote: | It looks like PAM is trying to authenticate the unlock but it fails? |
I don't get such a conclusion from the sddm log, but the content in messages seems to agree with that conclusion.
Joseph K. wrote: | Next is messages, and I probably should have looked in here first:
Code: | May 2 13:58:40 EliteChook2 kcheckpass[24488]: PAM _pam_load_conf_file: unable to open config for system-login
| |
This alone is a sign of a problem, in my opinion. Please post the output of grep -Hn -e include -e substack /etc/pam.d/*; for f in /etc/pam.d/{*pass*,*screen*,*sddm*,*system*}; do ls -l "$f"; cat -n "$f"; done. We need to see whether kcheckpass has a configuration file, and if so, what it is told to do. One interpretation of your error message would be that you have no file system-login, and that its absence breaks kcheckpass. I have such a file, and it appears to be standard. Perhaps you lost that file in your customizations, or perhaps you accidentally broke it, such that it exists but cannot be parsed. |
|
|
|
Joseph K. Guru
Joined: 07 Jun 2006 Posts: 436 Location: Sydney, Australia
|
Posted: Tue May 04, 2021 11:38 am Post subject: |
|
|
Code: | -rw-r--r-- 1 root root 661 Apr 8 17:52 system-auth
-rw-r--r-- 1 root root 121 Apr 8 17:52 system-local-login
-rw------- 1 root root 595 May 2 15:34 system-login
-rw-r--r-- 1 root root 121 Apr 8 17:52 system-remote-login
-rw-r--r-- 1 root root 232 Apr 8 17:52 system-services
-rw-r--r-- 1 root root 108 Dec 29 17:24 vlock
|
Suffice to say, I fixed it!
Thanks for your help, Hu, sending you a virtual high five!
Cheers.
Jeremy |
|
|
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
|
Posted: Tue May 04, 2021 3:22 pm Post subject: |
|
|
Well done. What was the problem? A misspelled directive in a configuration file, a permissions problem on the file itself, a missing USE flag / package? |
|
|
|
Joseph K. Guru
Joined: 07 Jun 2006 Posts: 436 Location: Sydney, Australia
|
Posted: Wed May 05, 2021 10:24 am Post subject: |
|
|
Hu wrote: | Well done. What was the problem? A misspelled directive in a configuration file, a permissions problem on the file itself, a missing USE flag / package? |
Ah, sorry, I left it implied in the directory listing: system-login was lacking read permission for group and world. |
|
|
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
|
Posted: Wed May 05, 2021 7:09 pm Post subject: |
|
|
I saw that, but I thought that output was from after you fixed it, and that the affected programs would have the ability to read restricted files anyway, in which case the mode 600 should not have hurt anything. |
|
|
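The fault found in this thread (kcheckpass logging "unable to open config for system-login" until that file was readable by group and world) can be checked for across a whole include/substack chain. The script below is an added example, not code from any poster. The service name `locker` and the sample tree are constructed, and on a real system it is assumed to run as root against /etc/pam.d so that restrictive files can still be parsed.

```shell
#!/bin/sh
# Added example. Walks a PAM service's include/substack chain and reports
# files that a caller without root privileges would be unable to open.

# pam_chain_check DIR SERVICE
# Prints "ok NAME", "missing NAME" or "unreadable NAME PERMS" per file.
# Returns 0 only if every file in the chain exists and is world-readable.
pam_chain_check() {
    dir=$1; queue=$2; seen=" "; rc=0
    while [ -n "$queue" ]; do
        set -- $queue; [ $# -gt 0 ] || break
        name=$1; shift; queue="$*"
        case "$seen" in *" $name "*) continue ;; esac   # already visited
        seen="$seen$name "
        file="$dir/$name"
        if [ ! -e "$file" ]; then
            echo "missing $name"; rc=1; continue
        fi
        # Same permission string that `ls -l` printed in the thread.
        perms=$(ls -ld "$file" | cut -c1-10)
        case "$perms" in
            ???????r??) echo "ok $name" ;;
            *) echo "unreadable $name $perms"; rc=1 ;;
        esac
        # Follow "type include NAME" and "type substack NAME" lines.
        more=$(awk '$1 !~ /^#/ && ($2 == "include" || $2 == "substack") { print $3 }' "$file" 2>/dev/null)
        queue="$queue $more"
    done
    return $rc
}

# Constructed sample tree; "locker" is a hypothetical service name.
make_sample() {
    d=$(mktemp -d)
    printf 'auth include system-login\naccount include system-login\n' > "$d/locker"
    printf '# constructed\nauth include system-auth\n' > "$d/system-login"
    printf 'auth required pam_unix.so\n' > "$d/system-auth"
    chmod 644 "$d/locker" "$d/system-auth"
    chmod 600 "$d/system-login"     # the mode shown in the thread's listing
    echo "$d"
}

sample=$(make_sample)
pam_chain_check "$sample" locker || echo "chain has problems"
rm -rf "$sample"
```

On a live system the call would be `pam_chain_check /etc/pam.d SERVICE`, with SERVICE being whichever pam.d file the screen locker uses.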
|
|
|
|
|