KDE lockscreen does not accept root/user password

neumann · 10 July 2023 17:57

After a the latest update (which I did with “sudo pacman -Syu”) my password is not accepted on the lockscreen, but it is accepted on the login screen after reboot or on tty3. This is not a “oops my capslock was on” problem. What could cause this? I did not do anything with any settings, except I turned off the screen lock. Beside this problem everything is working fine. It would be nice if this would work, I love seeing my lockscreen
Thank you for any help and patience.

I use nvidia driver 535.54.03, KDE, Xorg. Kernel: 6.1.38-1

papajoke · 10 July 2023 21:11

not sure,
look if you got with this update a pacnew pam sddm.
If yes and not yet managed, you can do it

neumann · 10 July 2023 22:14

I wish if I knew what to do but sadly i don’t.
I have found these in /var/log/pacman.log

[2023-07-02T23:10:33+0200] [ALPM] upgraded pam (1.5.2-2 -> 1.5.3-1)
[2023-07-02T23:10:35+0200] [ALPM] upgraded lib32-pam (1.5.2-1 -> 1.5.3-1)

And these in /etc/pam.d

cat sddm && cat sddm-autologin && cat sddm-greeter && cat sddm.pacnew 
#%PAM-1.0

auth            include         system-login
auth            optional        pam_kwallet5.so
account         include         system-login
password        include         system-login
session         include         system-login
session         optional        pam_kwallet5.so auto_start
#%PAM-1.0
auth        required    pam_env.so
auth        required    pam_faillock.so preauth
auth        required    pam_shells.so
auth        required    pam_nologin.so
auth        required    pam_permit.so
-auth       optional    pam_gnome_keyring.so
-auth       optional    pam_kwallet5.so
account     include     system-local-login
password    include     system-local-login
session     include     system-local-login
-session    optional    pam_gnome_keyring.so auto_start
-session    optional    pam_kwallet5.so auto_start
#%PAM-1.0

# Load environment from /etc/environment and ~/.pam_environment
auth            required pam_env.so

# Always let the greeter start without authentication
auth            required pam_permit.so

# No action required for account management
account         required pam_permit.so

# Can't change password
password        required pam_deny.so

# Setup session
session         required pam_unix.so
session         optional pam_systemd.so
#%PAM-1.0

auth        include     system-login
-auth       optional    pam_gnome_keyring.so
-auth       optional    pam_kwallet5.so

account     include     system-login

password    include     system-login
-password   optional    pam_gnome_keyring.so    use_authtok

session     optional    pam_keyinit.so          force revoke
session     include     system-login
-session    optional    pam_gnome_keyring.so    auto_start
-session    optional    pam_kwallet5.so         auto_start
 neumann@borg  /etc/pam.d  cat system-auth                                                      
#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=2 default=ignore]  pam_systemd_home.so
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow sha512
password   optional                    pam_permit.so

-session   optional                    pam_systemd_home.so
session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so

Takakage · 10 July 2023 22:31

papajoke is looking for something like the output of the following to see if any .pacnew files were created.

pacdiff -o

neumann · 10 July 2023 23:06

pacdiff -o   
/etc/pacman.conf.pacnew
/etc/pam.d/sddm.pacnew

Should I compare these?

Takakage · 10 July 2023 23:54

Always an important part of general system maintenance, but I am not under the impression that either is directly connected to kscreenlocker.

A common troubleshooting technique is to try creating a new user and seeing if the problem is reproduced.

papajoke · 11 July 2023 01:00

yes, this file

ydar · 11 July 2023 03:15

You compare the etc/pam.d/sddm to etc/pam.d/sddm.pacnew

I’m on the unstable branch and when I got this update, I made a backup of the old file and then replaced etc/pam.d/sddm with the contents of the new one. You should notice the new version is quite a bit different.

To compare I use kompare some people prefer to use meld, and others like kdiff3 but that one is not as simple as the other two I mentioned.

neumann · 11 July 2023 09:12

Added new user–> same issue
Changed passwd myuser → same issue

neumann · 11 July 2023 09:41

I used sudo DIFFPROG=diff pacdiff|result= with no result of this command.
Then using kompare /etc/pam.d/sddm /etc/pam.d/sddm.pacnew there are some differences. Should I use apply differences or apply all?
Backup the original sddm file should i use cp /etc/pad.d/sddm /etc/pam.d/sddm.bak ?

Here is the 2 file:

cat sddm.pacnew             
#%PAM-1.0

auth        include     system-login
-auth       optional    pam_gnome_keyring.so
-auth       optional    pam_kwallet5.so

account     include     system-login

password    include     system-login
-password   optional    pam_gnome_keyring.so    use_authtok

session     optional    pam_keyinit.so          force revoke
session     include     system-login
-session    optional    pam_gnome_keyring.so    auto_start
-session    optional    pam_kwallet5.so         auto_start

cat sddm       
#%PAM-1.0

auth            include         system-login
auth            optional        pam_kwallet5.so
account         include         system-login
password        include         system-login
session         include         system-login
session         optional        pam_kwallet5.so auto_start

Sorry if I’m such a noob.

murrayo · 12 July 2023 08:54

I am a fellow noob and had the same issue. I solved it in the following way. I did a backup of /ect/pam.d/sddm and replaced it with the content of sddm.pacnew. That is:

mv /etc/pam.d/sddm /etc/pam.d/sddm.bak
mv /etc/pam.d/sddm.pacnew /etc/pam.d/sddm

It then worked after a reboot.
(I then restored my system to before the update with timeshift, but that’s unrelated)

There is a discussion on the stable update anouncement thread about the use of pacdiff -s. I haven’t parsed it yet but it might be of use.

neumann · 12 July 2023 15:41

Thank you for your reply.
I have tried but it does not work for me.
On the other hand I can unlock my screen if I press Alt+Ctrl+F3, there I login with my username, then sudo loginctl unlock-session 2, where 2 is the session ID.
To get the session ID use loginctl list-sessions.

It would be nice to know what cause this problem.

neumann · 12 July 2023 16:59

I found this in journalctl -b

júl 12 18:42:02 borg dbus-daemon[527]: [system] Failed to activate service 'org.bluez': timed out (service_start_timeout=25000ms)
júl 12 18:42:08 borg ktraderclient5[2883]: kf.service.services: KMimeTypeTrader: MIME type "x-scheme-handler/microsoft-edge" not found
júl 12 18:42:13 borg plasmashell[2565]: Fontconfig error: Cannot load default config file: No such file: (null)
júl 12 18:42:13 borg plasmashell[2565]: [2559:2559:0712/184213.690331:ERROR:CONSOLE(1)] "Refused to frame 'https://login.microsoftonline.com/' because it violates the following Content Security Policy directive: "frame-src 'none'".
júl 12 18:42:13 borg plasmashell[2565]: ", source: https://www.bing.com/rp/V_fBQ_iVmAgE_Ta_T-6BNXc0ZY4.br.js (1)
júl 12 18:43:00 borg rtkit-daemon[705]: Supervising 10 threads of 5 processes of 1 users.
júl 12 18:43:00 borg rtkit-daemon[705]: Supervising 10 threads of 5 processes of 1 users.
júl 12 18:43:24 borg rtkit-daemon[705]: Supervising 10 threads of 5 processes of 1 users.
júl 12 18:43:24 borg rtkit-daemon[705]: Supervising 10 threads of 5 processes of 1 users.
júl 12 18:44:00 borg rtkit-daemon[705]: Supervising 10 threads of 5 processes of 1 users.
júl 12 18:44:00 borg rtkit-daemon[705]: Supervising 10 threads of 5 processes of 1 users.
júl 12 18:44:27 borg kscreenlocker_greet[3155]: Qt: Session management error: networkIdsList argument is NULL
júl 12 18:44:28 borg kscreenlocker_greet[3155]: kf.kirigami: Failed to find a Kirigami platform plugin
júl 12 18:44:28 borg kscreenlocker_greet[3155]: file:///usr/share/plasma/look-and-feel/org.kde.breeze.desktop/contents/lockscreen/MediaControls.qml:82:9: QML Image: Blocked request.
júl 12 18:44:30 borg dbus-daemon[527]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.123' (uid=1000 pid=3155 comm="/usr/lib/kscreenlocker_greet --immediateLock --gra")
júl 12 18:44:30 borg dbus-daemon[527]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.home1.service': Unit dbus-org.freedesktop.home1.service not found.
júl 12 18:44:30 borg kscreenlocker_greet[3155]: pam_systemd_home(kde:auth): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
júl 12 18:44:30 borg systemd[1]: Starting Cleanup of Temporary Directories...
júl 12 18:44:30 borg systemd[1]: systemd-tmpfiles-clean.service: Deactivated successfully.
júl 12 18:44:30 borg systemd[1]: Finished Cleanup of Temporary Directories.
júl 12 18:44:30 borg systemd[1]: run-credentials-systemd\x2dtmpfiles\x2dclean.service.mount: Deactivated successfully.
júl 12 18:44:33 borg kscreenlocker_greet[3155]: pam_unix(kde:auth): authentication failure; logname=neumann uid=1000 euid=1000 tty= ruser= rhost=  user=neumann
júl 12 18:44:35 borg systemd[1]: Started Getty on tty3.

Takakage · 12 July 2023 19:05

I doubt that this will help you much, but just for your information, I tried entering a deliberately wrong password in my lockscreen, but got a slightly different response in my journal. Right before the kscreenlocker_greet[nnnn]: pam_unix(kde:auth): authentication failure... line, I have an entry that says unix_chkpwd[mmmm]: password check failed for user (uuuu). So it would seem that whatever is causing your process to fail is some mysteriously different mechanism.