Bug 453880
| Summary: | pam_gnome_keyring.so doesn't initialize properly on != gnome | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Carl Roth <roth> |
| Component: | gnome-keyring | Assignee: | Tomáš Bžatek <tbzatek> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 12 | CC: | andreas.petzold, arkadi.shishlov, ehabkost, Enygma2002_ro, gilboad, hull, ipilcher, kevin, ltinkl, maurizio.antillon, mckieolov, mclasen, mefoster, mhlavink, mike.cloaked, orion, rdieter, redhat2, samflanker, than, tsmetana, twhite, walters, xjakub |
| Target Milestone: | --- | Keywords: | Regression, Reopened, Triaged |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | 2.28.2-2.fc12 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-01-12 23:40:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Carl Roth
2008-07-03 00:14:43 UTC
Other possible workarounds: rpm -e gnome-keyring-pam or remove the lines containing pam_gnome_keyring.so from /etc/pam.d/kdm. See also: https://bugzilla.redhat.com/show_bug.cgi?id=447245#c10 I'd be tempted to just unpush that update, but unpushing an update from stable is probably a bad idea, if Bodhi even still allows it. I guess we have to push another update reverting the broken change. I would prefer of course to have SSO in some form or another (gnome-keyring-daemon or otherwise) "just work" for KDE. Me too, but as far as I can tell, what we have right now does NOT work. (Grrr, why can't gnome-keyring simply accept passwordless keyrings like KWallet does?) For me, it worked only after resetting/removing the existing gnome-keyring password. (And afaik, this is what gdm/gnome users experience too when moving from not using gnome-keyring to using it). I tried that too, and it didn't work. I started fresh, with an empty gnome-keyring (deleteing everything in .gnome2/keyrings). GKD did set me up with a new login keyring. This system isn't using NetworkManager, so I can verify that the SSO worked as advertised... The first time I tried to use SSH (with an encrypted private key) it still tried to launch gnome-keyring-ask (unsuccessfully) to fill in GKD's keyring. Shrug, dunno, never used ssh with gnome-keyring, I only use it with nm-applet, and it does work there for me. See also: http://fedoraunity.org/Members/thomasj/Gnome-keyring for some tips. The setup there tries first pam_keyring.so (the old (deprecated) pam_keyring) and only if that's not available pam_gnome_keyring.so (the new gnome-keyring-pam). The setup now in kde-settings only tries the new pam_gnome_keyring.so. Maybe that's the difference? I'm still of a mind that there's a subtle user-configuration issue here, related only to gnome-keyring, reassigning there in the hopes that the kind/insightful folks there can comment. I'm having a variation on this problem. I'm using the WindowMaker window manager. When I log in and attempt to use a program which wants to use gnome-keyring-daemon (such as evolution) it fails, and I get the following output in /var/log/messages:
Dec 5 17:28:01 dale gnome-keyring-ask: Gtk: cannot open display:
Dec 5 17:28:01 dale gnome-keyring-daemon[10212]: couldn't write data to ask tool: Broken pipe
Dec 5 17:28:01 dale gnome-keyring-ask: Gtk: cannot open display:
Dec 5 17:28:01 dale gnome-keyring-daemon[10212]: couldn't write data to ask tool: Broken pipe
Running "ps augxeww | egrep gnome-keyring-daemon" reveals that the DISPLAY environment variable is indeed not set.
In trying to figure out where gnome-keyring-daemon was getting started from, I put the following line into /etc/X11/xinit/Xsession:
echo "gnome-keyring-daemon:" $(ps -ef | egrep gnome-keyring-daemon)
and found that multiple gnome-keyring-daemon instances were being started as I logged in, but only the first one (with a PPID of 1, which I'm guessing is the one started by PAM) ended up running once I was able to get a shell window open.
As a workaround for the problem, I put the following in my .xsession file to kill off the existing gnome-keyring-daemon and start a new one:
if pkill -u $UID -f gnome-keyring-daemon; then
echo "restarting gnome-keyring-daemon"
eval $(gnome-keyring-daemon | perl -p -e '$_ = "declare -x ".$_;')
fi
I wonder if, when logging in using gnome, gnome doesn't kill off any existing gnome-keyring-daemon process itself and restart it. I speculate this because of the existence of the file /usr/share/gnome/autostart/gnome-keyring-daemon-wrapper.desktop. However, I am not at all familiar with gnome, so I could be wrong.
I'm seeing the problem described in comment #9 on F10, using KDM and KDE. Oddly, my husband (using basically the same configuration) is *not* seeing the issue -- his NetworkManager passwords are being remembered properly. The only real difference between his laptop and mine is that he installed with the installer and I installed from the LiveCD, but I can't imagine that would make a difference. My suggestion to reset keyrings: yum install gnome-keyring-manager run it menu: view -> keyrings select 'login' keyring menu: keyring -> delete logout/login oh, and: yum install gnome-keyring-pam (to ensure it is installed) ping, any comment/feedback/hints-to-debug from a gnome-keyring maintainer (or other) would be appreciated. I have ssh working fine but I notice that every time I restart X I get the following in the log files:
--------------------- Connections (secure-log) Begin ------------------------
Failed adding users:
rpcuser: 1 Time(s)
haldaemon: 1 Time(s)
**Unmatched Entries**
kdm: :0: gnome-keyring-daemon: couldn't lookup keyring component setting: Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://www.gnome.org/projects/gconf/ for information. (Details - 1: Not running within active session)gnome-keyring-daemon: couldn't lookup ssh component setting: Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://www.gnome.org/projects/gconf/ for information. (Details - 1: Not running within active session)gnome-keyring-daemon: couldn't lookup pkcs11 component setting: Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://www.gnome.org/projects/gconf/ for information. (Details - 1: Not running within active session): 2 Time(s)
---------------------- Connections (secure-log) End -------------------------
I am running Gnome with KDM login manager.
The system is F10 fully up to date, and the hardware is:
http://www.smolts.org/client/show/pub_f0a3719e-b5d0-4662-897a-fbd0f5485b5d
Is this related?
I see same problem with gnome-keyring: 1. Installed Fedora 10 with KDE 2. Connected to WPA protected wireless network 3. NetworkManager applet asked to initialize the keyring 4. Installed GNOME 5. KDM is a login manager 6. Now NetworkManager asks for WEP/WPA passwords every time Removing /lib/security/pam_gnome_keyring.so restored NetworkManager functionality Feb 7 16:10:15 smarty gnome-keyring-ask: Gtk: cannot open display: Feb 7 16:10:15 smarty gnome-keyring-daemon[3107]: missing dialog response from ask tool Feb 7 16:10:15 smarty gnome-keyring-daemon[3107]: the gnome-keyring-daemon process may not have been initialized properly, as its environment is missing the 'DISPLAY' variable. Feb 7 16:10:16 smarty gnome-keyring-ask: Gtk: cannot open display: Feb 7 16:10:16 smarty gnome-keyring-daemon[3107]: couldn't write data to ask tool: Broken pipe Feb 7 16:10:16 smarty gnome-keyring-ask: Gtk: cannot open display: Feb 7 16:10:16 smarty gnome-keyring-daemon[3107]: couldn't write data to ask tool: Broken pipe Feb 7 16:10:16 smarty gnome-keyring-ask: Gtk: cannot open display: Feb 7 16:10:16 smarty gnome-keyring-daemon[3107]: couldn't write data to ask tool: Broken pipe resetting needinfo to pkg maintainer for feedback to comment #13 (In reply to comment #11) > My suggestion to reset keyrings: > yum install gnome-keyring-manager > run it > menu: view -> keyrings > select 'login' keyring > menu: keyring -> delete > logout/login I tried this today on one of the /all:)/ affected machines, but unfortunately it didn't help anyway :( *some* of my users ended up in this state. Others did not. *ping* gnome-keyring maintainers, comment please. It's been quite awhile, with no input. I am having the exact same problem as mentioned in Comment #15. Apr 10 07:41:19 lap0001 gnome-keyring-ask: Gtk: cannot open display: Apr 10 07:41:19 lap0001 gnome-keyring-daemon[6224]: missing dialog response from ask tool Apr 10 07:41:19 lap0001 gnome-keyring-daemon[6224]: the gnome-keyring-daemon process may not have been initialized properly, as its environment is missing the 'DISPLAY' variable. I 'solved' the problem using Comment #11 I think the problem was related to the fact that my keyring was protected by a password. (In reply to comment #11) > My suggestion to reset keyrings: > yum install gnome-keyring-manager > run it > menu: view -> keyrings > select 'login' keyring > menu: keyring -> delete > logout/login This helped me. Though I am using kubuntu jaunty. There was no help from and ubuntu documentation regarding to this issue. The key was in deleting the existing default keyring. Under the presence of default keyring pam was not able to create login keyring. Also I borrowed pam kdm settings from http://svn.fedorahosted.org/svn/kde-settings/trunk/etc/pam.d/kdm removing system-auth and pam_console did the trock for me in ubuntu. This message is a reminder that Fedora 9 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 9. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '9'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 9's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 9 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Fedora 9 changed to end-of-life (EOL) status on 2009-07-10. Fedora 9 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed. I can't reopen the bug, but it surely applies to Fedora 10 as well. Reopening and retargeting to F10 based on comment #24. Resetting needinfo, Rex Dieter's ping from almost 6 months ago (comment #13): > ping, any comment/feedback/hints-to-debug from a gnome-keyring maintainer (or > other) would be appreciated. has still not been answered. Is this still an issue in F11? I don't remember seeing the same messages I had in comment #14 once I installed F11 but I will check. Before I forward this bug upstream, can you please check the issue is reproducible on F11 with gnome-keyring-2.26.3-1.fc11? Both F11 and F10 with the latest available gnome-keyring and gnome-keyring-pam packages installed have this issue. The workaround is to uninstall gnome-keyring-pam package and comment out pam_gnome_keyring entries in pam.d/kdm. I also tried pam_keyring and it spawns the keyring daemon which is not used by NetworkManager applet, but also does not harm or influence anything. NetworkManager applet starts its own keyring daemon. this bag have in F12 (rawhide) *** Bug 526023 has been marked as a duplicate of this bug. *** This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Rebasing to F-12, based on comment #30 This comment from gkr-daemon.c explains some of what is going on here:
/*
* The gnome-keyring startup is not as simple as I wish it could be.
*
* It's often started in the primidoral stages of a session, where
* there's no DBus, no GConf, and no proper X display. This is the
* strange world of PAM.
*
* When started with the --login option, we do as little initialization
* as possible. We expect a login password on the stdin, and unlock
* or create the login keyring.
*
* Then later we expect gnome-keyring-dameon to be run again with the
* --start option. This second gnome-keyring-daemon will hook the
* original daemon up with environment variables necessary to initialize
* itself and bring it into the session. This second daemon usually exits.
Matthias seems to have broken the code. I created ~/.kde/Autostart/gnome-keyring-daemon.sh: #!/bin/bash exec /usr/bin/gnome-keyring-daemon --start Rebooted and I was prompted for my keyring password when nm-applet tried to connect to my wireless network. I selected the option to remember/not prompt for my password, rebooted again, and was automatically connected to the wire- less network when I logged in. > Matthias seems to have broken the code.
Thats nice for a change. Usually, I fix the code :)
If gnome-keyring-daemon is expected to be (re)started for the session, why does /etc/xdg/autostart/gnome-keyring-daemon.desktop contain, OnlyShowIn=GNOME; ? Or am I missing something? So, let's take the non-denial of comment #37 as a tacet approval. Anyone still experiencing this, mind removing OnlyShowIn=GNOME; from /etc/xdg/autostart/gnome-keyring-daemon.desktop to see if that helps any? I just hit this bug, on a fully updated F12 64bit. (installed from a F11 KDE livecd, then updated to F12 with preupgrade) I added GNOME (yum groupinstall "GNOME Desktop Environment" ), and after that NetworkManager in KDE no longer used gnome keyring to remember my wireless passwords. So i removed OnlyShowIn=GNOME as suggested in comment #38, now it works again! Thank you! gnome-keyring-2.26.3-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/gnome-keyring-2.26.3-2.fc11 gnome-keyring-2.28.2-2.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/gnome-keyring-2.28.2-2.fc12 Fwiw, sounds fine to me. Thanks for looking into this, Rex. gnome-keyring-2.26.3-2.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update gnome-keyring'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0191 gnome-keyring-2.28.2-2.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update gnome-keyring'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0195 gnome-keyring-2.26.3-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. gnome-keyring-2.28.2-2.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. *** Bug 531345 has been marked as a duplicate of this bug. *** |