Bug 1581495 - lightdm + pam-kwallet causes polkit issues
Summary: lightdm + pam-kwallet causes polkit issues
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: lightdm
Version: 27
Hardware: All
OS: Linux
low
high
Target Milestone: ---
Assignee: Alternative GTK desktop environments
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1580984 1581688 1591002 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-22 23:05 UTC by Rick Stevens
Modified: 2018-11-30 23:43 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-30 23:43:55 UTC


Attachments (Terms of Use)

Description Rick Stevens 2018-05-22 23:05:27 UTC
Description of problem:

Installation of pam-kwallet 5.12.5-3.fc27 causes lightdm to fail starting polkit system, resulting in the inability to perform any action with elevated privileges.

Version-Release number of selected component (if applicable):

lightdm 1.25.2-1.fc27
pam-kwallet 5.12.5-3.fc27

How reproducible:

Consistent

Steps to Reproduce:

1. Install or upgrade to lightdm 1.25.2-1.fc27
2. Install pam-kwallet 5.12.5-3.fc27
3. Log out of session, then log back in
4. You should have no ability to enable/disable wireless network, no access to audio hardware, inability to log out of session completely or reboot the system without dropping to text terminal, logging in as root and issuing a reboot command from there.

Actual results:

As described in item 4, above

Expected results:

Polkit permitting one to elevate permissions to perform normal operations

Additional info:

Commenting out references to pam_kwallet.so and pam_kwallet5.so in the /etc/pam.d/lightdm file, then logging out and back in restores expected functionality.

Comment 1 Ed Greshko 2018-05-22 23:41:57 UTC
Part of the problem may be selinux related.  I just installed lightdm on a fully updated F28/KDE system.  When I enabled lightdm I get the following AVC.

type=AVC msg=audit(1527032185.328:197): avc:  denied  { listen } for  pid=996 comm="lightdm" path="/tmp/kwallet5_egreshko.socket" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0

Comment 2 Ed Greshko 2018-05-23 00:36:52 UTC
I did start the system with the kernel parameter selinux=0 and that did not solve anything.  The problems noted in the original report are present.

Comment 3 Rick Stevens 2018-05-23 00:41:04 UTC
There may be selinux issues also involved, but the machine exhibiting the behavior (the very laptop that I'm composing this on) has SELinux disabled:

[root@golem4 ~]# cat /etc/selinux/config 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#	targeted - Only targeted network daemons are protected.
#	strict - Full SELinux protection.
SELINUXTYPE=targeted

[root@golem4 ~]# getenforce
Disabled

It is disabled due to some other work I was doing, and the issue didn't pop up until pam-kwallet got updated on Friday the 18th. Prior to that I had no issues
with any permutation of SELinux (enabled/targeted, in permissive mode or
disabled completely).

Note that the update Friday updated a lot of things (pam-kwallet being just
one of them), however lightdm was NOT one of the updates and removing
references to pam-kwallet in the pam config rectified the problem. Makes it
rather clear it's pam-kwallet that's the culprit.

Comment 4 leigh scott 2018-05-23 06:47:43 UTC
This is at the bottom of my to do list, it is likely f27 will Go EOL first.

Comment 5 Ed Greshko 2018-05-23 07:11:44 UTC
(In reply to leigh scott from comment #4)
> This is at the bottom of my to do list, it is likely f27 will Go EOL first.

See comment #1.  It fails on F28 as well.

Comment 6 leigh scott 2018-05-23 07:52:24 UTC
(In reply to Ed Greshko from comment #5)
> (In reply to leigh scott from comment #4)
> > This is at the bottom of my to do list, it is likely f27 will Go EOL first.
> 
> See comment #1.  It fails on F28 as well.

F28+ lightdm hasn't been touched for months so is unlikely to be the cause of the issue.
The issue is more likely caused by recent pam-kwallet changes/fixes

https://src.fedoraproject.org/cgit/rpms/pam-kwallet.git/log/?h=f27

Comment 7 Rex Dieter 2018-05-23 12:22:41 UTC
*** Bug 1581688 has been marked as a duplicate of this bug. ***

Comment 8 Rex Dieter 2018-05-23 12:40:07 UTC
I'm having trouble reproducing this.

Comment 9 Ed Greshko 2018-05-23 13:15:07 UTC
(In reply to Rex Dieter from comment #8)
> I'm having trouble reproducing this.

Well, all I had to do to reproduce it was to add lightdm to a fully updated F28/KDE system and then enable lightdm.

After that logins took much longer, a popup in the systray shows an authentication error and it is impossible to enter a password for Wifi.

Comment 10 Rex Dieter 2018-05-23 13:35:08 UTC
Things I tried after installing and enabling lightdm on update-to-date (updates-testing enabled) f28 box with selinux defaults (enabled):

1 login to plasma (existing user)
2 login to xfce (new user)
3 login to plasma (new user)


That said, first try to login to plasma (1) after installing lightdm failed (session failed to start).  Rebooting fixed it.

Comment 11 Ed Greshko 2018-05-23 14:37:06 UTC
(In reply to Rex Dieter from comment #10)

Did you install the complete xfce desktop environment?  I just installed lightdm and the 3(?) dependencies.

I'll be enabling "updates-testing" and updating with that in my morning to see if it changes anything.

Comment 12 Rex Dieter 2018-05-23 14:41:16 UTC
I initially installed only lightdm, then re-tried after doing:
dnf install @xfce-desktop
with xfce session

Comment 13 Ed Greshko 2018-05-23 15:01:08 UTC
I stayed up a bit longer.  Enabled updates-testing and updated.  It didn't fix anything.  The journal shows

[root@f28k-b1 ~]# journalctl -b 0 | grep -i authenti
May 23 22:54:46 f28k-b1.greshko.com lightdm[984]: pam_kwallet5(lightdm:auth): (null): pam_sm_authenticate
May 23 22:54:46 f28k-b1.greshko.com audit[984]: USER_AUTH pid=984 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_localuser,pam_unix,pam_gnome_keyring,pam_kwallet5 acct="egreshko" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'
May 23 22:55:17 f28k-b1.greshko.com ksmserver[1140]: ksmserver: Starting autostart service  "/etc/xdg/autostart/polkit-kde-authentication-agent-1.desktop" ("/usr/libexec/kf5/polkit-kde-authentication-agent-1")
May 23 22:55:17 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1288]: kf5.kcoreaddons.kaboutdata: Could not initialize the equivalent properties of Q*Application: no instance (yet) existing.
May 23 22:55:17 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1288]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-egreshko'
May 23 22:55:18 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1288]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-egreshko'
May 23 22:55:20 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1288]: "Cannot create unix session: No session for pid 1288"
May 23 22:55:20 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1288]: "Cannot register authentication agent!"
May 23 22:55:20 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1288]: Couldn't register listener!
May 23 22:55:52 f28k-b1.greshko.com plasmashell[1280]: PK error: "Failed to obtain authentication." type: "not-authorized"
May 23 22:57:14 f28k-b1.greshko.com audit[1810]: USER_AUTH pid=1810 uid=1029 auid=1029 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=f28k-b1.greshko.com addr=? terminal=pts/1 res=success'

Comment 14 Rex Dieter 2018-05-23 15:11:13 UTC
May 23 22:54:46 f28k-b1.greshko.com audit[984]: USER_AUTH pid=984 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
msg='op=PAM:authentication grantors=pam_succeed_if,pam_localuser,pam_unix,pam_gnome_keyring,pam_kwallet5
acct="egreshko" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0
res=success'

This one seems to imply pam_kwallet5 was successful

any other kwallet-related logging ?

Mine (when things are working as expected:

$ journalctl -b 0 | grep -i kwallet

May 23 08:28:09 localhost.localdomain lightdm[5736]: pam_kwallet5(lightdm:session): pam_kwallet5: pam_sm_close_session
May 23 08:28:09 localhost.localdomain audit[5736]: USER_END pid=5736 uid=0 auid=1001 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_gnome_keyring,pam_kwallet5,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog,pam_umask,pam_lastlog acct="foo" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'
May 23 08:28:09 localhost.localdomain audit[5736]: CRED_DISP pid=5736 uid=0 auid=1001 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix,pam_gnome_keyring,pam_kwallet5 acct="foo" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'
May 23 08:28:09 localhost.localdomain lightdm[5736]: pam_kwallet5(lightdm:setcred): pam_kwallet5: pam_sm_setcred
May 23 08:28:23 localhost.localdomain lightdm[7504]: pam_kwallet5(lightdm:auth): (null): pam_sm_authenticate
May 23 08:28:23 localhost.localdomain audit[7504]: USER_AUTH pid=7504 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_localuser,pam_unix,pam_gnome_keyring,pam_kwallet5 acct="rdieter" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'
May 23 08:28:23 localhost.localdomain lightdm[7504]: pam_kwallet5(lightdm:setcred): pam_kwallet5: pam_sm_setcred
May 23 08:28:23 localhost.localdomain audit[7504]: CRED_ACQ pid=7504 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix,pam_gnome_keyring,pam_kwallet5 acct="rdieter" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'
May 23 08:28:23 localhost.localdomain lightdm[7504]: pam_kwallet5(lightdm:session): pam_kwallet5: pam_sm_open_session
May 23 08:28:23 localhost.localdomain lightdm[7517]: pam_kwallet5(lightdm:session): pam_kwallet5: final socket path: /tmp/kwallet5_rdieter.socket
May 23 08:28:23 localhost.localdomain audit[7504]: USER_START pid=7504 uid=0 auid=1000 ses=8 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_gnome_keyring,pam_kwallet5,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog,pam_umask,pam_lastlog acct="rdieter" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'
May 23 08:28:24 localhost.localdomain ksmserver[7760]: ksmserver: Starting autostart service  "/etc/xdg/autostart/pam_kwallet_init.desktop" ("/usr/libexec/pam_kwallet_init")

Comment 15 Dr. David Alan Gilbert 2018-05-23 16:01:47 UTC
Hmm, looking in yesterdays logs, I can't quite tell whether these messaages were from the bad version or from the rpm upgrade/downgrades themselves, but they do look fishy:

May 23 12:57:27 major lightdm[1791]: pam_kwallet5(lightdm:session): pam_kwallet5: pam_sm_open_session
May 23 12:57:27 major lightdm[1806]: pam_kwallet5(lightdm:session): pam_kwallet5: final socket path: /tmp/kwallet5_dg.socket
May 23 12:57:27 major audit[1806]: AVC avc:  denied  { listen } for  pid=1806 comm="lightdm" path="/tmp/kwallet5_dg.socket" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
May 23 12:57:27 major lightdm[1806]: pam_kwallet5(lightdm:session): pam_kwallet5-kwalletd: Couldn't listen in socket
May 23 12:57:27 major lightdm[1806]: pam_kwallet5(lightdm:session): pam_kwallet5: Impossible to write walletKey to walletPipe
May 23 12:57:31 major setroubleshoot[1808]: failed to retrieve rpm info for /tmp/kwallet5_dg.socket
May 23 12:57:31 major setroubleshoot[1808]: SELinux is preventing lightdm from listen access on the unix_dgram_socket /tmp/kwallet5_dg.socket. For complete SELinux messages run: sealert -l 2cc25aa8-fde2-4948-812c-2e8a69d90fc1
May 23 12:57:31 major python3[1808]: SELinux is preventing lightdm from listen access on the unix_dgram_socket /tmp/kwallet5_dg.socket.
                                     If you believe that lightdm should be allowed listen access on the kwallet5_dg.socket unix_dgram_socket by default.
May 23 12:59:54 major lightdm[1806]: pam_kwallet5(lightdm:session): pam_kwallet5: pam_sm_close_session
May 23 12:59:54 major lightdm[1806]: pam_kwallet5(lightdm:setcred): pam_kwallet5: pam_sm_setcred
May 23 12:59:58 major lightdm[2621]: pam_kwallet5(lightdm:auth): (null): pam_sm_authenticate
May 23 12:59:58 major audit[2621]: USER_AUTH pid=2621 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix,pam_gnome_keyring,pam_kwallet5 acct="dg" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'
May 23 12:59:58 major lightdm[2621]: pam_kwallet5(lightdm:setcred): pam_kwallet5: pam_sm_setcred
May 23 12:59:58 major audit[2621]: CRED_ACQ pid=2621 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix,pam_gnome_keyring,pam_kwallet5 acct="dg" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'
May 23 12:59:58 major lightdm[2621]: pam_kwallet5(lightdm:session): pam_kwallet5: pam_sm_open_session
May 23 12:59:58 major lightdm[2621]: pam_kwallet5(lightdm:session): pam_kwallet5: final socket path: /tmp/kwallet5_dg.socket
May 23 12:59:58 major audit[2621]: USER_START pid=2621 uid=0 auid=1000 ses=9 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_gnome_keyring,pam_kwallet5,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog,pam_lastlog acct="dg" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'

Comment 16 Rick Stevens 2018-05-23 17:19:22 UTC
If it helps any, in the failing configuration if you run

    /usr/libexec/xfce-polkit -v

you will get the error popup and this will be displayed on the console you ran it
from:

    ** (xfce-polkit:<process-id>): CRITICAL **: polkit_agent_listener_register_with_options: assertion 'POLKIT_IS_SUBJECT (subject)' failed

If you dismiss the popup, you will get:

    (xfce-polkit:<process-id>): GLib-GObject-CRITICAL **: g_object_unref: assertion 'G_IS_OBJECT (object)' failed

on the console you ran it from. It is definitely a lightdm/pam-kwallet
interaction of some sort. As mentioned above, I never had issues regardless of
SELinux status until the pam-kwallet upgrade to 5.12.5-3.fc27 and removing
references to pam_kwallet and pam_kwallet5 in the pam configuration resolves the
problem. Regardless of the EOL status of F27, I've heard this is an issue with
F28 as well. I have F28 in a VM, but have not tried this particular scenario on
it.

Comment 17 pgaltieri 2018-05-23 17:27:51 UTC
This also affects the mate desktop.  I have 2 systems running F27 with lightdm.  On one system when I try to logout it simply restarts my session and I cannot mount any external USB drives due to authentication errors.  On the other everything works fine.  The difference between the 2 is the failing system has pam-kwallet installed the other doesn't.

Comment 18 Rex Dieter 2018-05-23 17:32:08 UTC
This highlights the issue I think from comment #15 : 

May 23 12:57:27 major audit[1806]: AVC avc:  denied  { listen } for  pid=1806
comm="lightdm" path="/tmp/kwallet5_dg.socket"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
permissive=0
May 23 12:57:27 major lightdm[1806]: pam_kwallet5(lightdm:session):
pam_kwallet5-kwalletd: Couldn't listen in socket


selinux prevented reading of the kwallet5 socket  (I've only tested on f28 so far, unsuccessful in reproducing the problem)

Comment 19 Dr. David Alan Gilbert 2018-05-23 17:37:16 UTC
(In reply to Rex Dieter from comment #18)
> This highlights the issue I think from comment #15 : 
> 
> May 23 12:57:27 major audit[1806]: AVC avc:  denied  { listen } for  pid=1806
> comm="lightdm" path="/tmp/kwallet5_dg.socket"
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
> permissive=0
> May 23 12:57:27 major lightdm[1806]: pam_kwallet5(lightdm:session):
> pam_kwallet5-kwalletd: Couldn't listen in socket
> 
> 
> selinux prevented reading of the kwallet5 socket  (I've only tested on f28
> so far, unsuccessful in reproducing the problem)

Curious thing is my c15 is from f28

Comment 20 Rick Stevens 2018-05-23 17:48:02 UTC
As I mentioned before, the polkit problem occurs even with SELinux disabled. That
being said, enabling SELinux may also prevent reading of the kwallet5 socket, but
I see that as a separate (although related) issue.

If I get a chance today, I'll take a whack at the various scenarios on my F28 VM.
Can't guarantee anything. As Dire Straits once lyricized "he's got a daytime job,
he's doing all right." The "doing all right" bit is questionable, however...

Comment 21 Kevin Fenzi 2018-05-23 19:05:43 UTC
*** Bug 1580984 has been marked as a duplicate of this bug. ***

Comment 22 Rex Dieter 2018-05-23 21:55:27 UTC
Re: comment #20

> the polkit problem occurs even with SELinux disabled

there may be multiple problems, and the selinux denial is all we have to go on so far.

Comment 23 Ed Greshko 2018-05-24 01:42:30 UTC
(In reply to Rex Dieter from comment #14)
 
> $ journalctl -b 0 | grep -i kwallet

This is mine, after a login.

May 24 09:33:47 f28k-b1.greshko.com lightdm[985]: pam_kwallet5(lightdm:auth): (null): pam_sm_authenticate
May 24 09:33:47 f28k-b1.greshko.com audit[985]: USER_AUTH pid=985 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_localuser,pam_unix,pam_gnome_keyring,pam_kwallet5 acct="egreshko" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'
May 24 09:33:48 f28k-b1.greshko.com lightdm[985]: pam_kwallet5(lightdm:setcred): pam_kwallet5: pam_sm_setcred
May 24 09:33:48 f28k-b1.greshko.com audit[985]: CRED_ACQ pid=985 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix,pam_gnome_keyring,pam_kwallet5 acct="egreshko" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'
May 24 09:33:48 f28k-b1.greshko.com lightdm[985]: pam_kwallet5(lightdm:session): pam_kwallet5: pam_sm_open_session
May 24 09:33:48 f28k-b1.greshko.com lightdm[1002]: pam_kwallet5(lightdm:session): pam_kwallet5: final socket path: /tmp/kwallet5_egreshko.socket
May 24 09:33:48 f28k-b1.greshko.com audit[1002]: AVC avc:  denied  { listen } for  pid=1002 comm="lightdm" path="/tmp/kwallet5_egreshko.socket" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
May 24 09:33:48 f28k-b1.greshko.com lightdm[1002]: pam_kwallet5(lightdm:session): pam_kwallet5-kwalletd: Couldn't listen in socket
May 24 09:33:48 f28k-b1.greshko.com lightdm[1002]: pam_kwallet5(lightdm:session): pam_kwallet5: Impossible to write walletKey to walletPipe
May 24 09:33:53 f28k-b1.greshko.com setroubleshoot[1004]: failed to retrieve rpm info for /tmp/kwallet5_egreshko.socket
May 24 09:33:53 f28k-b1.greshko.com setroubleshoot[1004]: SELinux is preventing lightdm from listen access on the unix_dgram_socket /tmp/kwallet5_egreshko.socket. For complete SELinux messages run: sealert -l 30e74a3d-3d22-40a1-aa83-cd2827430e46
May 24 09:33:53 f28k-b1.greshko.com python3[1004]: SELinux is preventing lightdm from listen access on the unix_dgram_socket /tmp/kwallet5_egreshko.socket.
                                                   If you believe that lightdm should be allowed listen access on the kwallet5_egreshko.socket unix_dgram_socket by default.
May 24 09:34:19 f28k-b1.greshko.com ksmserver[1169]: ksmserver: Starting autostart service  "/etc/xdg/autostart/pam_kwallet_init.desktop" ("/usr/libexec/pam_kwallet_init")

I also then tried to connect to a Wifi.  The password seems to have been taken but the connection is made and the journal shows.

May 24 09:36:34 f28k-b1.greshko.com NetworkManager[627]: <info>  [1527125794.7325] wifi-wext: (wlan0): using WEXT for WiFi device control
May 24 09:36:34 f28k-b1.greshko.com NetworkManager[627]: <info>  [1527125794.7467] manager: (wlan0): new 802.11 WiFi device (/org/freedesktop/NetworkManager/Devices/3)
May 24 09:36:34 f28k-b1.greshko.com dbus-daemon[544]: [system] Activating via systemd: service name='fi.w1.wpa_supplicant1' unit='wpa_supplicant.service' requested by ':1.11' (uid=0 pid=627 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0")
May 24 09:36:34 f28k-b1.greshko.com org_kde_powerdevil[1367]: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "AllDevices"
May 24 09:36:34 f28k-b1.greshko.com org_kde_powerdevil[1367]: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "Devices"
May 24 09:36:34 f28k-b1.greshko.com plasmashell[1281]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "LldpNeighbors"
May 24 09:36:34 f28k-b1.greshko.com plasmashell[1281]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "Real"
May 24 09:36:34 f28k-b1.greshko.com kdeinit5[1113]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "LldpNeighbors"
May 24 09:36:34 f28k-b1.greshko.com kdeinit5[1113]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "Real"
May 24 09:36:34 f28k-b1.greshko.com plasmashell[1281]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "LldpNeighbors"
May 24 09:36:34 f28k-b1.greshko.com plasmashell[1281]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "Real"
May 24 09:36:34 f28k-b1.greshko.com kdeinit5[1113]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "LldpNeighbors"
May 24 09:36:34 f28k-b1.greshko.com kdeinit5[1113]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "Real"
May 24 09:36:34 f28k-b1.greshko.com plasmashell[1281]: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "AllDevices"
May 24 09:36:34 f28k-b1.greshko.com plasmashell[1281]: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "Devices"
May 24 09:36:34 f28k-b1.greshko.com kdeinit5[1113]: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "AllDevices"
May 24 09:36:34 f28k-b1.greshko.com kdeinit5[1113]: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "Devices"
May 24 09:36:34 f28k-b1.greshko.com NetworkManager[627]: <info>  [1527125794.8570] supplicant: wpa_supplicant running
May 24 09:36:34 f28k-b1.greshko.com NetworkManager[627]: <info>  [1527125794.9789] device (wlp0s11u1): state change: unmanaged -> unavailable (reason 'managed', sys-iface-state: 'external')
May 24 09:36:46 f28k-b1.greshko.com NetworkManager[627]: <warn>  [1527125806.1468] device (wlp0s11u1): set-hw-addr: new MAC address DA:E8:7D:44:04:B1 not successfully set (scanning)
May 24 09:36:46 f28k-b1.greshko.com NetworkManager[627]: <info>  [1527125806.1816] sup-iface[0x55a044100380,wlp0s11u1]: supports 1 scan SSIDs
May 24 09:36:46 f28k-b1.greshko.com NetworkManager[627]: <info>  [1527125806.1841] device (wlp0s11u1): supplicant interface state: starting -> ready
May 24 09:36:46 f28k-b1.greshko.com NetworkManager[627]: <info>  [1527125806.1844] device (wlp0s11u1): state change: unavailable -> disconnected (reason 'supplicant-available', sys-iface-state: 'managed')
May 24 09:36:47 f28k-b1.greshko.com plasmashell[1281]: org.kde.plasmaquick: Applet "Networks" loaded after 0 msec
May 24 09:36:47 f28k-b1.greshko.com plasmashell[1281]: org.kde.plasmaquick: Increasing score for "Networks" to 39
May 24 09:36:48 f28k-b1.greshko.com NetworkManager[627]: <info>  [1527125808.3623] device (wlp0s11u1): supplicant interface state: ready -> inactive
May 24 09:37:08 f28k-b1.greshko.com NetworkManager[627]: <info>  [1527125828.1834] audit: op="connection-add-activate" pid=1281 uid=1029 result="fail" reason="Not authorized to control networking."

Comment 24 Ed Greshko 2018-05-24 01:45:20 UTC
Also, these polkit entries seem wrong.

May 24 09:34:19 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1287]: kf5.kcoreaddons.kaboutdata: Could not initialize the equivalent properties of Q*Application: no instance (yet) existing.
May 24 09:34:19 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1287]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-egreshko'
May 24 09:34:19 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1287]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-egreshko'
May 24 09:34:22 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1287]: "Cannot create unix session: No session for pid 1287"
May 24 09:34:22 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1287]: "Cannot register authentication agent!"
May 24 09:34:22 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1287]: Couldn't register listener!

Comment 25 Ed Greshko 2018-05-24 02:00:19 UTC
(In reply to Ed Greshko from comment #23)

> I also then tried to connect to a Wifi.  The password seems to have been
> taken but the connection is made and the journal shows.

Should have read....

but the connection is *NOT* made ....

Comment 26 Rex Dieter 2018-05-24 16:47:57 UTC
Assigning to selinux-policy due to known denial:

May 23 12:57:27 major lightdm[1806]: pam_kwallet5(lightdm:session): pam_kwallet5: final socket path: /tmp/kwallet5_dg.socket
May 23 12:57:27 major audit[1806]: AVC avc:  denied  { listen } for  pid=1806 comm="lightdm" path="/tmp/kwallet5_dg.socket" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
May 23 12:57:27 major lightdm[1806]: pam_kwallet5(lightdm:session): pam_kwallet5-kwalletd: Couldn't listen in socket
May 23 12:57:27 major lightdm[1806]: pam_kwallet5(lightdm:session): pam_kwallet5: Impossible to write walletKey to walletPipe

Comment 27 Rex Dieter 2018-05-24 21:06:27 UTC
anyone experiencing this (at least those who have selinux enabled), I recommend you consider relabelling and rebooting your systems (as root):

touch /.autorelabel
rm -f /tmp/kwallet*.socket
reboot

Comment 28 Ed Greshko 2018-05-24 23:18:53 UTC
(In reply to Rex Dieter from comment #27)

Done, with no change as the result.  :-(

Comment 29 jamie 2018-05-25 02:36:23 UTC
I started having this issue after a recent update.(dnf update). Not sure what changed. I do have 'pam_kwallet.so' in '/etc/pam.d/lightdm'.

Comment 30 jamie 2018-05-25 02:37:08 UTC
I can also confirm that this can happen with SELinux off.

Comment 31 jamie 2018-05-25 14:23:50 UTC
Oh and in case, it means something, with lightdm OFF, when I use 'startx' to start X and then use 'chrome'(not chromium), I get a dialogue asking me to enter the password to my keychain(which is my login password). This seems expected though, as a bet lightdm is supposed to pass the info too KWallet.

Comment 32 Francis.Montagnac 2018-05-27 06:01:25 UTC
> I can also confirm that this can happen with SELinux off.

The same for me.

With SELinux off and using a MATE session, I add those traces in the
journal:

### pam_kwallet fail to listen to its socket:

  lightdm[10869]: pam_kwallet5(lightdm:session): pam_kwallet5: final socket path: /tmp/kwallet5_fm.socket
  lightdm[10869]: pam_kwallet5(lightdm:session): pam_kwallet5-kwalletd: Couldn't listen in socket
  lightdm[10869]: pam_kwallet5(lightdm:session): pam_kwallet5: Impossible to write walletKey to walletPipe
  lightdm[10869]: pam_kwallet(lightdm:session): pam_kwallet: pam_sm_open_session
  lightdm[10870]: pam_kwallet(lightdm:session): pam_kwallet: final socket path: /tmp/kwallet_fm.socket
  lightdm[10870]: pam_kwallet(lightdm:session): pam_kwallet-kwalletd: Couldn't listen in socket
  lightdm[10870]: pam_kwallet(lightdm:session): pam_kwallet: Impossible to write walletKey to walletPipe

### Fail to create session:

  lightdm[10870]: pam_systemd(lightdm:session): Failed to create session: Access denied
  lightdm[10870]: pam_unix(lightdm:session): session opened for user fm by (uid=1005)

### Fail to register in lastlog and btmp 

  lightdm[10870]: pam_lastlog(lightdm:session): unable to open /var/log/lastlog: Permission denied
  lightdm[10870]: pam_lastlog(lightdm:session): unable to open /var/log/btmp: Permission denied

In /etc/pam.d/lightdm we have:

    auth       substack    system-auth
    -auth       optional    pam_gnome_keyring.so
    -auth       optional    pam_kwallet5.so
    -auth       optional    pam_kwallet.so
    ..
    -session    optional    pam_gnome_keyring.so auto_start
    -session    optional    pam_kwallet5.so
    -session    optional    pam_kwallet.so
    session    include     system-auth

I tried to put system-auth before the pam_kwallet* in the session
part: nmcli works, but logout no. In this case the socket is put under
/run/user/$UID that is created before, but still "Couldn't listen in socket"

I haven't tried to put the pam_kwallet* last in the session part.

sddm is perhaps subject to this bug since it includes also the
pam_kwallet* modules.  I haven't tested it.

I can make more tests if you need.

Comment 33 leigh scott 2018-05-27 10:17:41 UTC
@rdieter Maybe this upstream commit could mitigate the pam-kwallet issue.

https://github.com/CanonicalLtd/lightdm/pull/13

IMO lingering apps should be killed by logind/systemd on logout.

Comment 34 Fedora Update System 2018-05-27 10:20:06 UTC
lightdm-1.26.0-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3c2587fb84

Comment 35 Fedora Update System 2018-05-27 10:20:26 UTC
lightdm-1.26.0-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-bd8b0fc678

Comment 36 Rex Dieter 2018-05-27 12:12:02 UTC
Re: comment #33

Possible, to test set
KillUserProcesses=yes
in /etc/systemd/logind.conf to see if that helps any

Comment 37 Fedora Update System 2018-05-27 20:29:50 UTC
lightdm-1.26.0-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-bd8b0fc678

Comment 38 Fedora Update System 2018-05-27 22:13:55 UTC
lightdm-1.26.0-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3c2587fb84

Comment 39 Ed Greshko 2018-05-28 00:23:15 UTC
lightdm-1.26.0-1.fc28 does not fix this BZ

Comment 40 Martin B. 2018-05-28 22:04:19 UTC
(In reply to Ed Greshko from comment #39)
> lightdm-1.26.0-1.fc28 does not fix this BZ

I agree, tested (LightDM + Xmonad) with:

~~~
$ rpm -qa | grep lightdm                                                        
lightdm-gtk-2.0.5-1.fc28.x86_64                                                 
lightdm-gobject-1.26.0-1.fc28.x86_64                                            
lightdm-1.26.0-1.fc28.x86_64
~~~

Comment 41 Francis.Montagnac 2018-05-29 12:05:17 UTC
(In reply to Francis.Montagnac from comment #32)
> With SELinux off and using a MATE session, I add those traces in the
> journal:
 
> ### pam_kwallet fail to listen to its socket:
> 
>   lightdm[10869]: pam_kwallet5(lightdm:session): pam_kwallet5: final socket
> path: /tmp/kwallet5_fm.socket
>   lightdm[10869]: pam_kwallet5(lightdm:session): pam_kwallet5-kwalletd:
> Couldn't listen in socket

Looking at the source in pam_kwallet.c, execute_kwallet
drop_privileges first, and does a return and not an exit after having
emitted this "Couldn't listen in socket". Then the calling function,
start_kwallet does:

    //Child fork, will contain kwalletd
    case 0:
        execute_kwallet(pamh, userInfo, toWalletPipe, fullSocket);
        /* Should never be reached */
        break;

    //Parent
    default:
        waitpid(pid, &status, 0);

thus the child continues, but with dropped privileges while the parent
waits.

This explain the following errors:

> ### Fail to create session:
> 
>   lightdm[10870]: pam_systemd(lightdm:session): Failed to create session:
> Access denied

> ### Fail to register in lastlog and btmp 

>   lightdm[10870]: pam_lastlog(lightdm:session): unable to open
> /var/log/lastlog: Permission denied
>   lightdm[10870]: pam_lastlog(lightdm:session): unable to open
> /var/log/btmp: Permission denied

I think one should replace the break above by an exit. That will fix
the problem for the subsequent pam modules.

One should perhaps instrument execute_kwallet to understand why it
fails to listen.

Comment 42 Rex Dieter 2018-05-30 21:34:16 UTC
If you believe this to indeed be an issue with pam-kwallet, please engage upstream at:
https://bugs.kde.org/enter_bug.cgi?product=kwallet-pam
(best if this were done by someone who case reproduce the issue, which I cannot unfortunately)

Comment 43 Rex Dieter 2018-05-31 19:43:03 UTC
Let's triage this back to pam-kwallet then

Comment 44 Marcin Juszkiewicz 2018-06-13 21:45:53 UTC
*** Bug 1591002 has been marked as a duplicate of this bug. ***

Comment 45 Rex Dieter 2018-09-26 14:52:05 UTC
Thanks to enterprising sluething user, this may be a lightdm issue after all.

See also related problem with gnome-keyring not opening in bug #1631220 , can anyone verify if adjusting snippet in /etc/pam.d/lightdm from

-session    optional    pam_gnome_keyring.so auto_start
-session    optional    pam_kwallet5.so
-session    optional    pam_kwallet.so
session    include     system-auth

to
session    include     system-auth
-session    optional    pam_gnome_keyring.so auto_start
-session    optional    pam_kwallet5.so
-session    optional    pam_kwallet.so

ie, moving the 'session ... system-auth' line to before those of pam_gnome_keyring and pam_kwallet, helps?

Comment 46 Fedora Update System 2018-09-28 17:43:39 UTC
lightdm-1.28.0-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-9d3a142b3e

Comment 47 Fedora Update System 2018-09-28 17:44:17 UTC
lightdm-1.28.0-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e0507831aa

Comment 48 Fedora Update System 2018-09-28 17:44:48 UTC
lightdm-1.28.0-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-227b29d323

Comment 49 Fedora Update System 2018-09-30 00:24:44 UTC
lightdm-1.28.0-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-9d3a142b3e

Comment 50 Fedora Update System 2018-09-30 00:47:35 UTC
lightdm-1.28.0-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-227b29d323

Comment 51 Fedora Update System 2018-09-30 03:03:18 UTC
lightdm-1.28.0-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e0507831aa

Comment 52 Fedora Update System 2018-10-08 15:38:57 UTC
lightdm-1.28.0-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 53 Fedora Update System 2018-10-10 21:53:13 UTC
lightdm-1.28.0-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 54 Fedora Update System 2018-10-10 22:45:49 UTC
lightdm-1.28.0-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 55 Matt Fagnani 2018-11-11 01:16:31 UTC
When I've logged in to Plasma 5.14.3 from lightdm 1.28.0-2 in Fedora 29, I saw the following messages related to pam-kwallet 5.14.3-1 in the journal.

pam_kwallet5(lightdm:auth): (null): pam_sm_authenticate
pam_kwallet5(lightdm:setcred): pam_kwallet5: pam_sm_setcred
pam_kwallet5(lightdm:session): pam_kwallet5: pam_sm_open_session
pam_kwallet5: final socket path: /run/user/1000/kwallet5.socket
pam_kwallet5-kwalletd: Couldn't listen in socket
pam_kwallet5(lightdm:session): pam_kwallet5: Couldn't fork to execv kwalletd

The same messages occurred with Plasma/pam-kwallet 5.13.5 and earlier versions.
kwallet was not unlocked when logging in likely related to those errors "Couldn't listen in socket" and "Couldn't fork to execv kwalletd". When I started kwalletmanager and clicked open, a pop up window asked for the password.
The error "Couldn't listen in socket" was noted above. I couldn't find the error "Couldn't fork to execv kwalletd" above. I've reported this issue with more details at https://bugs.kde.org/show_bug.cgi?id=400929

Comment 56 Ben Cotton 2018-11-27 13:35:17 UTC
This message is a reminder that Fedora 27 is nearing its end of life.
On 2018-Nov-30  Fedora will stop maintaining and issuing updates for
Fedora 27. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora  'version' of '27'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 27 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 57 Ben Cotton 2018-11-30 23:43:55 UTC
Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.