Bug 1961746

Summary: systemd --user fails to start if user's password expired
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: systemd
Assignee: Jan Macku <jamacku>
Status: CLOSED ERRATA
QA Contact: Frantisek Sumsal <fsumsal>
Severity: medium
Priority: medium
Version: 8.3
CC: abroy, chaithco, christopher.a.neylan, dtardon, nsuryawa, systemd-maint-list, zbyszek
Target Milestone: rc
Keywords: Bugfix, Patch, Reproducer, Triaged
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Fixed In Version: systemd-239-59.el8
Last Closed: 2022-11-08 10:49:17 UTC
Type: Bug

Description Renaud Métrich 2021-05-18 15:45:51 UTC
Description of problem:

When a user enabled "lingering" and the user's password expired, the "systemd --user" instance for the user fails to start and enters failed state.
To recover, it's necessary for some admin to reset the state, which is problematic.


Version-Release number of selected component (if applicable):

systemd-239 (tested on latest from 8.3.0)

How reproducible:

Always


Steps to Reproduce:
1. Create a user, set a password and set lingering

  # useradd user
  # echo "redhat" | passwd --stdin user
  # loginctl enable-linger user

2. Expire the password

  # passwd -e user

3. Reboot the system and check user@<id> state

  # systemctl status user@$(id -u user).service

Actual results:

May 18 16:23:28 vm-rhel8 systemd[1]: Starting User Manager for UID 1009...
May 18 16:23:28 vm-rhel8 systemd[1247]: pam_unix(systemd-user:account): expired password for user user (root enforced)
May 18 16:23:28 vm-rhel8 systemd[1247]: PAM failed: Authentication token is no longer valid; new one required
May 18 16:23:28 vm-rhel8 systemd[1247]: user: Failed to set up PAM session: Operation not permitted
May 18 16:23:28 vm-rhel8 systemd[1247]: user: Failed at step PAM spawning /usr/lib/systemd/systemd: Oper>
May 18 16:23:28 vm-rhel8 systemd[1]: user: Failed with result 'protocol'.
May 18 16:23:28 vm-rhel8 systemd[1]: Failed to start User Manager for UID 1009.

Expected results:

Instance starts anyway? Or maybe not, but no failed state then.


Additional info:

Comment 1 Zbigniew Jędrzejewski-Szmek 2021-06-01 14:24:49 UTC
https://github.com/systemd/systemd/pull/19773

Comment 2 Plumber Bot 2021-11-19 15:10:45 UTC
fix merged to github master branch -> https://github.com/redhat-plumbers/systemd-rhel8/pull/225

Comment 21 errata-xmlrpc 2022-11-08 10:49:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (systemd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7727

Comment 24 Christopher Neylan 2022-11-15 19:30:08 UTC
Why does the actual package (systemd-239-68.el8) deploy an /etc/pam.d/systemd-user that contains the lines "account include system-auth" and "session include system-auth", when the template containing this fix (https://github.com/redhat-plumbers/systemd-rhel8/blob/master/src/login/systemd-user.m4) does not?

Comment 25 David Tardon 2022-12-01 12:57:04 UTC
(In reply to Christopher Neylan from comment #24)
> Why does the actual package (systemd-239-68.el8) deploy an
> /etc/pam.d/systemd-user that contains the lines "account include
> system-auth" and "session include system-auth", when the template containing
> this fix
> (https://github.com/redhat-plumbers/systemd-rhel8/blob/master/src/login/systemd-user.m4)
> does not?

Because the upstream file is generic, while the one we ship is tailored for the PAM setup used by Fedora/RHEL.
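
A pre-reboot check for the condition in the reproducer from the description, as an added example that is not part of the bug report or of systemd: it lists users with lingering enabled whose shadow(5) aging fields mark the password as expired. The function names, sample entries and day number are constructed; /var/lib/systemd/linger as the linger marker directory is systemd behaviour not stated on this page, and the aging test is a simplification of the shadow(5) rules, not pam_unix's exact logic.

```shell
#!/bin/sh
# Added example: find lingering users whose password aging state would make
# the PAM account check demand a new password when user@<uid>.service starts.

# expired_linger_users SHADOW LINGER_DIR TODAY
#   SHADOW      shadow(5)-format file (normally /etc/shadow, readable by root)
#   LINGER_DIR  directory holding one file per lingering user
#               (assumed: /var/lib/systemd/linger on a real system)
#   TODAY       current date in days since 1970-01-01
expired_linger_users() {
    shadow=$1 linger_dir=$2 today=$3
    for marker in "$linger_dir"/*; do
        [ -e "$marker" ] || continue        # empty directory: glob did not match
        name=${marker##*/}
        awk -F: -v u="$name" -v today="$today" '
            $1 != u { next }
            # Field 3 is the last-change day; 0 means "must change at next
            # login", which is the state `passwd -e` leaves behind.
            $3 == "0" { print u; exit }
            # Field 5 is the maximum password age in days; empty disables aging.
            $3 != "" && $5 != "" && today - $3 > $5 { print u; exit }
        ' "$shadow"
    done
}

# Constructed sample data; the hash field is a placeholder, not a real hash.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/linger"
    printf '%s\n' \
        'alice:!!:0:0:99999:7:::' \
        'bob:!!:18000:0:90:7:::' \
        'carol:!!:18700:0:90:7:::' \
        'dave:!!:0:0:99999:7:::' > "$tmp/shadow"
    # dave is expired but has no linger marker, so he is not reported.
    touch "$tmp/linger/alice" "$tmp/linger/bob" "$tmp/linger/carol"
    expired_linger_users "$tmp/shadow" "$tmp/linger" 18765   # 2021-05-18
    rm -rf "$tmp"
}

demo
# On a real host, as root:
#   expired_linger_users /etc/shadow /var/lib/systemd/linger "$(( $(date +%s) / 86400 ))"
```

Any user it prints is a candidate for the `Failed with result 'protocol'` state shown in the description on affected systemd builds.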