Bug 813909

I have analyzed the problem further and found out, that the Policykit profile is correctly configured and dbus is also correct here. The problem was, that the PAM module pam_systemd.so was not used. I don't know why but my common-* PAM files are not symlinks to common-*-pc (e.g. common-session to common-session-pc), therefor the PAM updates had no effect to the used PAM configuration. I moved the files away and symlinked them to the corresponding *-pc files and systemd created a correct active login session (you can see this with an entry in /run/user/<UID>). It would be really nice if you could integrate a warning while installing newer PAM-RPMs that the common-* files are not symlinks and therefor PAM configuration is in a manual mode.
As i read /var/log/zypp/history after upgrades, especially for warnings and errors, this would help a lot and maybe help others trying to upgrade there openSUSE system.

If this symlinking is done than everything Policykit related works again (like using USB thumb drives, reading CDs etc.) because the user session is acknowledged as an active user session.

Kind regards.

I changed that here also so I have now:

# ll /etc/pam.d/common-*
lrwxrwxrwx 1 root root  28 17. Apr 11:50 /etc/pam.d/common-account -> /etc/pam.d/common-account-pc
-rw-r--r-- 1 root root 378 16. Jul 2012  /etc/pam.d/common-account.pam-config-backup
-rw-r--r-- 1 root root 392  7. Feb 10:53 /etc/pam.d/common-account.pam-config-backup-2
-rw-r--r-- 1 root root 460 18. Apr 08:27 /etc/pam.d/common-account-pc
lrwxrwxrwx 1 root root  25 17. Apr 11:50 /etc/pam.d/common-auth -> /etc/pam.d/common-auth-pc
-rw-r--r-- 1 root root 448 16. Jul 2012  /etc/pam.d/common-auth.pam-config-backup
-rw-r--r-- 1 root root 462  7. Feb 10:53 /etc/pam.d/common-auth.pam-config-backup-2
-rw-r--r-- 1 root root 536 18. Apr 08:27 /etc/pam.d/common-auth-pc
lrwxrwxrwx 1 root root  29 17. Apr 11:50 /etc/pam.d/common-password -> /etc/pam.d/common-password-pc
-rw-r--r-- 1 root root 855 16. Jul 2012  /etc/pam.d/common-password.pam-config-backup
-rw-r--r-- 1 root root 509  7. Feb 10:53 /etc/pam.d/common-password.pam-config-backup-2
-rw-r--r-- 1 root root 422 18. Apr 08:27 /etc/pam.d/common-password-pc
lrwxrwxrwx 1 root root  28 17. Apr 11:51 /etc/pam.d/common-session -> /etc/pam.d/common-session-pc
-rw-r--r-- 1 root root 435 16. Jul 2012  /etc/pam.d/common-session.pam-config-backup
-rw-r--r-- 1 root root 450  7. Feb 10:53 /etc/pam.d/common-session.pam-config-backup-2
-rw-r--r-- 1 root root 515 18. Apr 08:27 /etc/pam.d/common-session-pc

But I can't use my usb stick here for example, get the same error as you mentioned in your bug report.

So I also tried to force install the pam* packages again which ends in the following output (don't know if this is helpful). 

# zypper install --force  pam pam-config pam-modules
Daten des Repositories laden ...
Installierte Pakete lesen ...
Installation von 'pam-1.1.6-3.3.1.x86_64' aus Repository 'openSUSE-12.3' wird erzwungen.
Installation von 'pam-config-0.86-1.1.1.x86_64' aus Repository 'openSUSE-12.3' wird erzwungen.
Installation von 'pam-modules-12.1-16.1.1.x86_64' aus Repository 'openSUSE-12.3' wird erzwungen.
Paketabhängigkeiten auflösen ...

Die folgenden Pakete werden erneut installiert:
  pam pam-config pam-modules 

3 zu installierende Pakete.
Gesamtgröße des Downloads: 628,5 KiB. Kein zusätzlicher Speicherplatz wird nach dieser Operation belegt oder freigegeben.
Fortfahren? [j/n/?] (j): 
Paket pam-1.1.6-3.3.1.x86_64 wird abgerufen                                                                                                                                            (1/3), 430,5 KiB (  1,5 MiB entpackt)
Abruf: pam-1.1.6-3.3.1.x86_64.rpm ......................................................................................................................................................................[fertig (1,1 MiB/s)]
Paket pam-modules-12.1-16.1.1.x86_64 wird abgerufen                                                                                                                                    (2/3),  99,9 KiB (429,0 KiB entpackt)
Abruf: pam-modules-12.1-16.1.1.x86_64.rpm ..........................................................................................................................................................................[fertig]
Paket pam-config-0.86-1.1.1.x86_64 wird abgerufen                                                                                                                                      (3/3),  98,2 KiB (502,3 KiB entpackt)
Abruf: pam-config-0.86-1.1.1.x86_64.rpm ............................................................................................................................................................................[fertig]
(1/3) Installation von: pam-1.1.6-3.3.1 ............................................................................................................................................................................[fertig]
(2/3) Installation von: pam-modules-12.1-16.1.1 ....................................................................................................................................................................[fertig]
(3/3) Installation von: pam-config-0.86-1.1.1 ......................................................................................................................................................................[fertig]
Zusätzliche rpm-Ausgabe:
*** load_config (/etc/pam.d/common-account-pc, account, ...)
**** [account, required, pam_unix.so, try_first_pass ]
**** def_parse_config [pam_unix.so] (account): 'try_first_pass '
*** load_config (/etc/pam.d/common-auth-pc, auth, ...)
**** [auth, required, pam_env.so, ]
**** def_parse_config [pam_env.so] (auth): ''
**** [auth, required, pam_unix.so, try_first_pass ]
**** def_parse_config [pam_unix.so] (auth): 'try_first_pass '
*** load_config (/etc/pam.d/common-password-pc, password, ...)
**** [password, requisite, pam_cracklib.so, ]
**** def_parse_config [pam_cracklib.so] (password): ''
**** [password, required, pam_unix.so, use_authtok nullok try_first_pass ]
**** def_parse_config [pam_unix.so] (password): 'use_authtok nullok try_first_pass '
*** load_config (/etc/pam.d/common-session-pc, session, ...)
**** [session, required, pam_limits.so, ]
**** def_parse_config [pam_limits.so] (session): ''
**** [session, required, pam_unix.so, try_first_pass ]
**** def_parse_config [pam_unix.so] (session): 'try_first_pass '
**** [session, optional, pam_umask.so, ]
**** def_parse_config [pam_umask.so] (session): ''
**** [session, optional, pam_env.so, ]
**** def_parse_config [pam_env.so] (session): ''
*** write_config (account, /etc/pam.d/common-account-pc, ...)
**** write config for pam_unix2.so (account, disabled)
**** write config for pam_unix.so (account, enabled)
**** write config for pam_krb5.so (account, disabled)
**** write config for pam_localuser.so (account, disabled)
**** write config for pam_sss.so (account, disabled)
**** write config for pam_ldap.so (account, disabled)
**** write config for pam_nam.so (account, disabled)
**** write config for pam_winbind.so (account, disabled)
**** write config for pam_time.so (account, disabled)
*** write_config (auth, /etc/pam.d/common-auth-pc, ...)
**** write config for pam_env.so (auth, enabled)
**** write config for pam_group.so (auth, disabled)
**** write config for pam_pkcs11.so (auth, disabled)
**** write config for pam_fp.so (auth, disabled)
**** write config for pam_fprint.so (auth, disabled)
**** write config for pam_fprintd.so (auth, disabled)
**** write config for pam_thinkfinger.so (auth, disabled)
**** write config for pam_gnome_keyring.so (auth, disabled)
**** write config for pam_ssh.so (auth, disabled)
**** write config for pam_unix2.so (auth, disabled)
**** write config for pam_unix.so (auth, enabled)
**** write config for pam_ecryptfs.so (auth, disabled)
**** write config for pam_krb5.so (auth, disabled)
**** write config for pam_sss.so (auth, disabled)
**** write config for pam_ldap.so (auth, disabled)
**** write config for pam_nam.so (auth, disabled)
**** write config for pam_winbind.so (auth, disabled)
*** write_config (password, /etc/pam.d/common-password-pc, ...)
**** write config for pam_winbind.so (password, disabled)
**** write config for pam_pwcheck.so (password, disabled)
**** write config for pam_passwdqc.so (password, disabled)
**** write config for pam_cracklib.so (password, enabled)
**** write config for pam_pwhistory.so (password, disabled)
**** write config for pam_gnome_keyring.so (password, disabled)
**** write config for pam_unix2.so (password, disabled)
**** write config for pam_unix.so (password, enabled)
**** write config for pam_make.so (password, disabled)
**** write config for pam_exec.so (password, disabled)
**** write config for pam_krb5.so (password, disabled)
**** write config for pam_sss.so (password, disabled)
**** write config for pam_ldap.so (password, disabled)
**** write config for pam_nam.so (password, disabled)
*** write_config (session, /etc/pam.d/common-session-pc, ...)
**** write config for pam_selinux.so (session, disabled)
**** write config for pam_mkhomedir.so (session, disabled)
**** write config for pam_limits.so (session, enabled)
**** write config for pam_unix2.so (session, disabled)
**** write config for pam_unix.so (session, enabled)
**** write config for pam_apparmor.so (session, disabled)
**** write config for pam_krb5.so (session, disabled)
**** write config for pam_sss.so (session, disabled)
**** write config for pam_ldap.so (session, disabled)
**** write config for pam_winbind.so (session, disabled)
**** write config for pam_nam.so (session, disabled)
**** write config for pam_umask.so (session, enabled)
**** write config for pam_ssh.so (session, disabled)
**** write config for pam_systemd.so (session, disabled)
**** write config for pam_selinux.so (session, disabled)
**** write config for pam_gnome_keyring.so (session, disabled)
**** write config for pam_exec.so (session, disabled)
**** write config for pam_ecryptfs.so (session, disabled)
**** write config for pam_env.so (session, enabled)


But it stays the same, I don't have anything in /run/user/

# ll /run/user/
insgesamt 0

(zypper dup from 12.2 to 12.3)

(In reply to comment #2)
Hello Hermann,

have you looked into the file /etc/pam.d/common-session-pc?
There needs to be the option:
session optional        pam_systemd.so

most likely as the last line in this file. This leads to correct session handling with systemd. In your installation output I see the following line which makes me curious:
*** write_config (session, /etc/pam.d/common-session-pc, ...)
...
**** write config for pam_systemd.so (session, disabled)

So it is very likely that the PAM module is missing in your configuration.
You should try:
pam-config -a --systemd

and look into the common-session-pc file if the module is now present.
After this you should reboot and test with "ll /run/user/" if there is a directory with your UID.

Now USB handling and all PolicyKit related things should work as expected. I don't know why this bug seems to happen to you, especially if you are coming from openSUSE 12.2 where systemd was already default if not mandatory.

Hope this helps you.

Bye.

Thanks Ronny, that did it!!! I have now my UID in /run/user/ and everything works again.

(The only way I can think of causes this missing pam_systemd.so line in comm-session-pc is I recover the wrong backup from that file and took the 12.1 version and not the 12.2 backup I did)

Bad permissions aren't a kernel issue -> Base system

re-assign to Thorsten who is the maintainer of pam-config.

@Thorsten: does pam-config --update has code for changing a non-systemd config into a systemd config ? Maybe interesting for SLES too.

(In reply to comment #6)
> re-assign to Thorsten who is the maintainer of pam-config.
> 
> @Thorsten: does pam-config --update has code for changing a non-systemd config
> into a systemd config ? Maybe interesting for SLES too.

No, it has not. This is handled by the systemd RPM itself.

This Bug is related to Bug #813907

Kind regards.

*** Bug 813907 has been marked as a duplicate of this bug. ***

duplicate

*** This bug has been marked as a duplicate of bug 812462 ***