Errors after stable 2020-08-28 Update | in gdm.service which seem related to PAM changes

After updating to the stable 2020-08-28 on my Gnome install I noticed the following errors when checking the gdm.service:

systemctl status gdm                                                       
gdm.service - GNOME Display Manager
Loaded: loaded (/usr/lib/systemd/system/gdm.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2020-09-04 23:13:19 EDT; 1min 18s ago
Main PID: 1159 (gdm)
 Tasks: 3 (limit: 18866)
 Memory: 9.0M
 CGroup: /system.slice/gdm.service
         └─1159 /usr/bin/gdm

Sep 04 23:13:19 hanna systemd[1]: Starting GNOME Display Manager...
Sep 04 23:13:19 hanna systemd[1]: Started GNOME Display Manager.
Sep 04 23:13:29 hanna gdm-fingerprint][3250]: PAM unable to dlopen(/usr/lib/security/pam_tally.so):>
Sep 04 23:13:29 hanna gdm-fingerprint][3250]: PAM adding faulty module: /usr/lib/security/pam_tally>
Sep 04 23:13:29 hanna gdm-fingerprint][3250]: gkr-pam: no password is available for user 
Sep 04 23:13:36 hanna gdm-password][3249]: gkr-pam: unable to locate daemon control file
Sep 04 23:13:36 hanna gdm-password][3249]: gkr-pam: stashed password to try later in open session
Sep 04 23:13:36 hanna gdm-password][3249]: pam_systemd_home(gdm-password:account): systemd-homed is>
Sep 04 23:13:37 hanna gdm-password][3249]: pam_unix(gdm-password:session): session opened for user >
Sep 04 23:13:37 hanna gdm-password][3249]: gkr-pam: gnome-keyring-daemon started properly and unloc>

I did read through the notes of the release where it was mentioned to correct the /etc/pam.d/system-login file. In my case there were no pacnew files created. I had a working fingerprint reader in Gnome. I’ve included both my config files if there are suggestions on what to change. Thank you.

/etc/pam.d/system-login

#%PAM-1.0

auth       required   pam_faillock.so
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth

account    required   pam_faillock.so
account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   include    system-auth

session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
session   optional   pam_systemd.so
session    required   pam_env.so           user_readenv=1

/etc/pam.d/gdm-fingerprint

auth     required  pam_tally.so onerr=succeed file=/var/log/faillog
auth     required  pam_shells.so
auth     requisite pam_nologin.so
auth     required  pam_env.so
auth     required  pam_fprintd.so
auth     optional  pam_permit.so
auth     optional  pam_gnome_keyring.so

account  include   system-local-login

password required  pam_fprintd.so
password optional  pam_permit.so

session  optional  pam_keyinit.so force revoke
session  include   system-local-login
session  optional  pam_gnome_keyring.so  auto_start

/etc/pam.d/gdm-password

auth     include   system-local-login
auth     optional  pam_gnome_keyring.so

account  include   system-local-login

password include   system-local-login
password optional  pam_gnome_keyring.so use_authtok

session  optional  pam_keyinit.so force revoke
session  include   system-local-login
session  optional  pam_gnome_keyring.so auto_start

System Configuration

System: Host: N\A Kernel: 4.19.141-2-MANJARO x86_64 bits: 64 compiler: gcc v: 10.2.0
Desktop: GNOME 3.36.5 tk: GTK 3.24.22 wm: gnome-shell dm: GDM 3.34.1
Distro: Manjaro Linux
Machine: Type: Laptop System: LENOVO product: v: ThinkPad T430s

I’m going to ping this post to see if anyone else has found a solution (plus let Phil know)

@philm

That is your issue. Needs fixing. Was also posted in the troubleshoots. pacdiff is your friend.

Else you can check for pacmarge.

Hi Phil,

The thing is after the update there were no pacnew files created in the /etc/pam.d directory. So this is why I posted on the Manjaro forum. I had seen your release notes of the upstream change to pam.d.

So with no pacnew files I did not have anything to merge. Just reviewed your example you gave to another end user.

pam_tally.so is deprecated. So the line can be replaced by pam_faillock.so preauth from pam_tally.so file=/var/log/faillog onerr=succeed

See also here for changes:

Which gdm package do you use anyway?
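
An added example (not from the thread or from Manjaro's packaging): a POSIX shell check that lists every module named in a PAM service directory whose file is missing from the module directory, which is the condition behind the `PAM unable to dlopen(/usr/lib/security/pam_tally.so)` log line above. The names `pam_missing_modules` and `demo`, the `zz-sample` file and the module tree are constructed for illustration; backslash line continuations are not handled.

```shell
# pam_missing_modules PAM_DIR MODULE_DIR
# Prints "SEVERITY FILE TYPE MODULE" for each referenced module file that is absent.
pam_missing_modules() {
    pam_dir=$1 mod_dir=$2
    for f in "$pam_dir"/*; do
        [ -f "$f" ] || continue
        # Emit "type module" per rule. Skips comments, @include lines and
        # include/substack rules (they name a service file, not a module).
        awk 'NF == 0 || $1 ~ /^[#@]/ { next }
             {
                 i = 2
                 if ($i ~ /^\[/) {            # bracketed control may span fields
                     while (i < NF && $i !~ /\]$/) i++
                 } else if ($i == "include" || $i == "substack") next
                 if ($(i + 1) != "") print $1, $(i + 1)
             }' "$f" |
        while read -r kind mod; do
            case $mod in /*) path=$mod ;; *) path=$mod_dir/$mod ;; esac
            [ -e "$path" ] && continue
            # A leading "-" on the type tells libpam not to log a missing module.
            case $kind in -*) sev=quiet ;; *) sev=ERROR ;; esac
            printf '%s %s %s %s\n' "$sev" "${f##*/}" "$kind" "$mod"
        done
    done
}

# Constructed sample tree: the gdm-fingerprint rules are a subset of the file
# posted in the thread; zz-sample and the module list are made up for the demo.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/pam.d" "$d/security"
    for m in pam_shells pam_nologin pam_fprintd pam_unix; do : > "$d/security/$m.so"; done
    cat > "$d/pam.d/gdm-fingerprint" <<'EOF'
auth     required  pam_tally.so onerr=succeed file=/var/log/faillog
auth     required  pam_shells.so
auth     requisite pam_nologin.so
auth     required  pam_fprintd.so
account  include   system-local-login
EOF
    cat > "$d/pam.d/zz-sample" <<'EOF'
#%PAM-1.0
-session optional  pam_systemd_home.so
auth [success=1 default=bad] pam_unix.so try_first_pass
EOF
    pam_missing_modules "$d/pam.d" "$d/security"
    rm -rf "$d"
}
demo
```

On a live system the equivalent call is `pam_missing_modules /etc/pam.d /usr/lib/security`, run after a PAM update and before logging out.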

Presently I am using “gdm-prime” version “3.36.2-1” which was configured to match the Nvidia Optimus laptops which in my case uses the older Nvidia 390 driver.

Based on your recommendation then my “gdm-fingerprint” file should really be as follows:

/etc/pam.d/gdm-fingerprint

auth     required  pam_shells.so
auth     requisite pam_nologin.so
auth     required  pam_faillock.so preauth

auth     required  pam_env.so
auth     required  pam_fprintd.so  
auth     optional  pam_permit.so
auth     optional  pam_gnome_keyring.so

account  include   system-local-login

password required  pam_fprintd.so
password optional  pam_permit.so

session  optional  pam_keyinit.so force revoke
session  include   system-local-login
session  optional  pam_gnome_keyring.so  auto_start

It seems the only remaining error I see is this:

journalctl -r | grep gkr-pam

Sep 07 19:36:38 hanna gdm-password][1900]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
Sep 07 19:36:38 hanna gdm-password][1900]: gkr-pam: stashed password to try later in open session
Sep 07 19:36:38 hanna gdm-password][1900]: gkr-pam: unable to locate daemon control file
Sep 07 19:36:32 hanna gdm-fingerprint][1901]: gkr-pam: no password is available for user

Please double-check and use the files from revision 6 as you still have some mixture, which is not working!

etc/pam.d/gdm-autologin
etc/pam.d/gdm-fingerprint
etc/pam.d/gdm-launch-environment
etc/pam.d/gdm-password
etc/pam.d/gdm-smartcard

sudo pacman -U http://mirror.easyname.at/manjaro/pool/sync/gdm-3.36.3-6-x86_64.pkg.tar.zst

As something is totally off on your end.

Hi Phil,

I figured out the problem. On a high level the “gdm-prime” package from the AUR is not compatible with the PAM changes which would have come in the “gdm” 3.36.3-6. The merged changes in one of the configuration files, “etc/pam.d/gdm-launch-environment”, prevented the gdm-prime front end from loading.

I would like to suggest we add this to the release notes as gdm-prime has not been updated with the parent gdm package changes.

To fix the issue:

  • I replaced the ‘gdm-prime’ aur package with the ‘gdm’ Arch package.
  • This change also fixed the issue of X11 crashing to command line when I choose to log out of my session (where Nvidia Graphics card is disabled in the Thinkpad T430s bios and the Intel 4000 Graphics was being used).

Perhaps when the ‘gdm-prime’ package is updated I can give the Optimus setup a try again.

Note:

I still see this error which I will live with and monitor on future releases:

systemctl status gdm
● gdm.service - GNOME Display Manager
Loaded: loaded (/usr/lib/systemd/system/gdm.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2020-09-07 21:22:57 EDT; 16min ago
Main PID: 618 (gdm)
Tasks: 3 (limit: 18866)
Memory: 8.7M
CGroup: /system.slice/gdm.service
└─618 /usr/bin/gdm

Sep 07 21:22:57 hanna systemd[1]: Starting GNOME Display Manager…
Sep 07 21:22:57 hanna systemd[1]: Started GNOME Display Manager.
Sep 07 21:23:49 hanna gdm-password][2020]: gkr-pam: unable to locate daemon control file
Sep 07 21:23:49 hanna gdm-password][2020]: gkr-pam: stashed password to try later in open session
Sep 07 21:23:49 hanna gdm-password][2020]: pam_systemd_home(gdm-password:account): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Sep 07 21:23:49 hanna gdm-password][2020]: pam_unix(gdm-password:session): session opened for user rsruser(uid=1001) by (uid=0)
Sep 07 21:23:49 hanna gdm-password][2020]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
