Description of problem:
This is similar to #1165578 and #1174278, only that, in this case SELinux is disabled.
~]# selinuxenabled || echo disabled
Basically, login from GDM results in ~/Private not mounted, while login from console (after ctrl-alt-F2) result in ~/Private mounted.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Upgrade from F20 to F21 having the ecryptfs setup working properly, i.e. automounting ~/Private on login (this required authconfig configuration).
SELinux must be disabled.
Login from GDM
Login succeed, but ~/Private is not mounted.
~/Private should be mounted, after login.
This bug is filed as requested, since in the other mentioned one SELinux is either enabled or in permissive mode, while here is fully disabled.
New GDM in Fedora 21 changed content of PAM configuration which broke things, please add it back.
A long time ago, pam added postlogin pam config, which was designed to be the place where other services can add their hooks if they need to do something during auhtentication or session creation. Before it, it was ugly mess, as services had to add their hooks to too many places and it often broke a thing or two. With postlogin, everyone can decide where exactly it can call postlogin, where it is safe a won't affect the logic. This (postlogin) is used for example for ecryptfs-utils for automatic home or Private folder decryption. It makes sure that it gets automatically decrypted when user authenticates and new session is created. GDM in Fedora 21 removed postlogin and home directory does not decrypt for user when he logs in.
I guess that there is already enough information on this. Just to be sure, I add my experience as well:
Login via GDM (I am using Gnome) fails for me. Instead of logging in, I get back to the GDM login screen. It seems that GDM does not decrypt my home directory. Login via the console works. Logging in first via the console, staying logged in there and then logging in via GDM works too.
Logfiles: see (original) bug #1165578
I reverted this commit
by adding the relevant lines back to the files /etc/pam.d/gdm-* and now ecryptfs-mount-private is run automatically on login. Can this commit be reverted?
I don't think postlogin is the best place for putting pam_ecryptfs, since if I revert the patch mentioned in comment 3, then postlogin will run for smartcard and fingerprint logins too (where there's no password available). imo, it would be better if authconfig used roughly the same logic it uses for pam_mkhomedir for pam_ecryptfs.
I could add postlogin back, but then we need to revisit the last login messages situation.
IMHO, if the problem is only the 'ugly "Last Login" messages', then I would say your suggestion is fine. Revert the change quickly, and let's think in the light of day to a proper solution.
I rather prefer an "ugly message" to a system not properly working...
Thanks a lot,
Postlogin was added there because of ecryptfs, but it should be general place for other modules that need some place where they can add themself safely. It does not matter that in some cases (fingerprint) there will be no password available. It's been that way always and it can handle it well.
(In reply to Piergiorgio Sartor from comment #5)
> Hi Ray,
> IMHO, if the problem is only the 'ugly "Last Login" messages', then I would
> say your suggestion is fine. Revert the change quickly, and let's think in
> the light of day to a proper solution.
> I rather prefer an "ugly message" to a system not properly working...
Its not about the message being ugly but that the delay the login process to show a pointless message 99.99% of the user do not even care about.
gdm-3.14.1-2.fc21 has been submitted as an update for Fedora 21.
tmraz any chance you could disable the message for f21?
I can modify authconfig to change the parameters but it will not affect the existing installs (or installs from DVDs/livecds) unless you rerun authconfig.
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gdm-3.14.1-2.fc21'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
gdm-3.14.1-2.fc21 works for me!
gdm-3.14.1-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.