Bugzilla – Bug 1176338
lightdm: "authentificataion failure" after moving xdm{,-np} PAM files from /etc/pam.d to /usr/etc/pam.d
Last modified: 2021-03-02 20:17:16 UTC
I received "authentificataion failure" in lightdm after moving xdm{,-np} PAM files from /etc/pam.d to /usr/etc/pam.d. It was my understanding that the move would be possible now with the latest pam package in Tumbleweed.
rpm --changelog -q pam
[...]
* Mo Aug 19 2019 kukuk@suse.de
- usr-etc-support.patch: Add support for /usr/etc/pam.d
Could it also be an issue in lightdm?
https://en.opensuse.org/openSUSE:Packaging_UsrEtc#pam.2Fpam-config
We have many files in /usr/etc/pam.d already, including login. They all work fine. Must be something special with the xdm configuration.
It works fine with xdm itself. I've tested xdm, sddm and lightdm as display managers so far. The issue only happened with lightdm. Reassigning to the maintainer of lightdm. @Thorsten In case you have any hints as to what the issue could be, please let us know. Thanks! Reproduction is rather easy. Just use Tumbleweed, which includes the pam package with /usr/etc/pam.d support. Then move the /etc/pam.d/xdm* files to /usr/etc/pam.d and restart lightdm. When trying to log in, lightdm shows you "authentificataion failure"
The issue is pretty simple, even before moving the files it can be identified:
> ls -lad /etc/pam.d/lightdm*
lrwxrwxrwx 1 root root 3 Aug 25 22:35 /etc/pam.d/lightdm -> xdm
lrwxrwxrwx 1 root root 6 Aug 25 22:35 /etc/pam.d/lightdm-autologin -> xdm-np
-rw-r--r-- 1 root root 267 May 2 2013 /etc/pam.d/lightdm-greeter
once gdm moves the files to /usr/etc, there are dangling symlinks in place for lightdm's pam stack
(of course, once XDM moves the files - gdm is not involved)
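The check described in the comment above, written as a reusable script. This is an added example, not part of the original bug report or of any openSUSE package; the function name pam_dangling_links and the status labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list PAM service entries that are dangling symlinks.
# Usage: sh pam-links.sh PAM_DIR [VENDOR_DIR]
#   e.g. sh pam-links.sh /etc/pam.d /usr/etc/pam.d
# One line per dangling link: "<service> -> <link target>: <status>"
#   moved-to-vendor-dir  a file with the target's name exists in VENDOR_DIR,
#                        so the target was relocated and the link left behind
#   target-missing       no such file in VENDOR_DIR either
# Returns 1 if any dangling link was found, 0 otherwise.
pam_dangling_links() {
    pam_dir=${1:-/etc/pam.d}
    vendor_dir=${2:-/usr/etc/pam.d}
    found=0
    for entry in "$pam_dir"/*; do
        # Only symlinks matter here; regular files are skipped.
        [ -L "$entry" ] || continue
        # -e follows the link, so it is false when the target is gone.
        [ -e "$entry" ] && continue
        target=$(readlink "$entry")
        name=${target##*/}
        if [ -f "$vendor_dir/$name" ]; then
            status=moved-to-vendor-dir
        else
            status=target-missing
        fi
        printf '%s -> %s: %s\n' "${entry##*/}" "$target" "$status"
        found=1
    done
    return "$found"
}

# Run the check only when directories are given on the command line.
[ "$#" -eq 0 ] || pam_dangling_links "$@"
```

A non-zero exit status makes the check usable as a packaging or CI gate before PAM files are moved between /etc/pam.d and /usr/etc/pam.d.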
Thanks for the hint. With that change diff -u 50-suse-defaults.conf.orig 50-suse-defaults.conf --- 50-suse-defaults.conf.orig 2020-09-14 18:17:53.338642637 +0200 +++ 50-suse-defaults.conf 2020-09-14 18:18:15.942642637 +0200 @@ -1,6 +1,6 @@ [Seat:*] -pam-service = lightdm -pam-autologin-service = lightdm-autologin +pam-service = xdm +pam-autologin-service = xdm-np pam-greeter-service = lightdm-greeter xserver-command=/usr/bin/X session-wrapper=/etc/X11/xdm/Xsession in package sources and no longer using any symlinks it no longer matters where the xdm PAM files are located - in /etc/pam.d or /usr/etc/pam.d. I'm not sure why such symlinks are being used ... therefore it would be better to let the maintainer do such a change ... Oh. There is something in changelog for this ... ------------------------------------------------------------------- Mon Nov 3 21:48:38 UTC 2014 - gber@opensuse.org - use symlinks to the xdm PAM service files again, using a different PAM service name breaks automatic unlocking of gnome-keyring via PAM (bnc#903744)
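Review bot: In the [Seat:*] hunk, pam-service and pam-autologin-service now name xdm and xdm-np, but nothing in the change removes the /etc/pam.d/lightdm and /etc/pam.d/lightdm-autologin symlinks, so they would remain as dangling links once the xdm files move to /usr/etc/pam.d; drop them from the package in the same change. pam-greeter-service = lightdm-greeter is left untouched, so say whether that file stays in /etc/pam.d. The 2014 changelog entry quoted in this comment (bnc#903744) shows that an earlier change to these PAM service names broke gnome-keyring unlocking, so the changelog for this change should state that unlocking was retested with the service name xdm.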
Attempted to submit a fix: 835190 State:new By:dimstar When:2020-09-17T12:25:44 submit: home:dimstar:Factory/lightdm@3 -> X11:Utilities Descr: - Follow XDM's change of moving the default pam config file to /usr/etc (boo#1176338). - Add pre/posttrans scripts to ensure user modified /etc/pam.d/lightdm* survives our move to /usr/etc (and user modification in /etc/pam.d wins over /usr/etc/pam.d). will fail to build in devel prj, as it needs to be step-lock updated together with xdm, but that's ok
Thanks. Already accepted for the devel project and submitted for factory https://build.opensuse.org/request/show/835216
Will be fixed once it has been checked in. Closing.
This is an autogenerated message for OBS integration: This bug (1176338) was mentioned in https://build.opensuse.org/request/show/854312 Backports:SLE-15-SP3 / lightdm
This is an autogenerated message for OBS integration: This bug (1176338) was mentioned in https://build.opensuse.org/request/show/874803 Backports:SLE-15-SP2 / lightdm
openSUSE-RU-2021:0368-1: An update that has four recommended fixes can now be installed. Category: recommended (moderate) Bug References: 1176338,1177197,1179613,1181778 CVE References: JIRA References: Sources used: openSUSE Backports SLE-15-SP2 (src): lightdm-1.30.0-bp152.4.3.1