Description of problem: System entirely unusable after upgrade from Fedora 42 to Fedora 43. GDM crashes repeatedly. systemd attempts to restart it so attempting to use a console for recovery does not work. System entirely unusable. There are errors in dmesg about failures that appear to be regarding the new dynamic user assignments for gdm sessions. Root cause seems be this system predates authselect, and authselect provides configuration required for GDM 49 to function. No authselect config was applied at any upgrades over the last few years. gdm crashing renders the text-mode consoles unusable as it attempts to restart. Version-Release number of selected component (if applicable): gdm.x86_64 1:49.0.1-7.fc43 authselect.x86_64 1.6.2-1.fc43 Reproducible: Always Steps to Reproduce: 1. Upgrade using `dnf system-upgrade`, starting from Fedora 25 or 26 in 2017, through to Fedora 43. Before authselect was used. 2. Reboot system after finishing upgrade to F43 Actual Results: No graphics displayed, no consoles working Expected Results: GDM works, CTRL-ALT-F3 provides a working console if required Additional Information: This system was installed with Fedora 25 or 26 in 2017. It has been promptly upgraded to each new version (sometimes in beta). Actual steps to resolve: * authselect select local --force * touch /.autorelabel I had to perform these steps from a chroot on a livecd as the system was not usable after upgrade. I suspect if I did the authselect before upgrading, I would have no issues. There were selinux issues after the authselect (likely due to the chroot stuff), which was resolved by the auto-relabel Note that I have the updated version of authselect noted in #2397255, but authselect-apply-changes.service is disabled (preset: enabled, but it didn't actually get enabled in real life). I'm unsure if the `authselect apply-changes --upgrade` would be sufficient due needing to use `authselect local --force` to override pre-existing configuration first.
Created attachment 2110724 [details] Pre-authselect nsswitch.conf
Created attachment 2110725 [details] Pre-authselect pam.d/postlogin
Created attachment 2110726 [details] Pre-authselect pam.d/smartcard-auth
Created attachment 2110727 [details] Pre-authselect pam.d/fingerprint-auth
Created attachment 2110728 [details] Pre-authselect pam.d/password-auth
Created attachment 2110729 [details] Pre-authselect pam.d/system-auth
I've attached the files that were replaced by authselect, from the backup it made in /var/lib/authselect/backups/2025-10-24-08-35-33.Y3Pc5E
Created attachment 2110735 [details] All journalctl output of a reproduced example If you wish to reproduce the issue, you can use the following steps to place the pre-authselect configuration onto a current F43 system to replicate the post-upgrade experience for older systems: 1. Install Fedora 43 beta in a VM 2. Upgrade Fedora 43 beta to current 3. Copy my pre-authselect files from this ticket into /etc/authselect You could remove the symlinks and place the files in /etc/ and /etc/pam.d/ as appropriate instead. It wasn't necessary to demonstrate the error. 4. Reboot Once the system comes up, you have a blank screen with a _ cursor in the top left. You can not activate a console to work on the issue. I have attached the journalctl output for that entire boot.
Hi, the underlying cause is likely https://fedoraproject.org/wiki/Changes/Migrate_to_lastlog2 that replaces pam_lastlog with pam_lastlog2. (In reply to Chris Irwin from comment #7) > I've attached the files that were replaced by authselect, from the backup it > made in /var/lib/authselect/backups/2025-10-24-08-35-33.Y3Pc5E I am confused here. I assume that this update was created when upgrading to F43, not before, right? So you had non-authselect configuration on F42? Is there any chance, you can attach the configuration that was *NOT* working?
(In reply to Chris Irwin from comment #8) > Created attachment 2110735 [details] > All journalctl output of a reproduced example > > If you wish to reproduce the issue, you can use the following steps to place > the pre-authselect configuration onto a current F43 system to replicate the > post-upgrade experience for older systems: > > 1. Install Fedora 43 beta in a VM > 2. Upgrade Fedora 43 beta to current > 3. Copy my pre-authselect files from this ticket into /etc/authselect > > You could remove the symlinks and place the files in /etc/ and > /etc/pam.d/ as appropriate instead. It wasn't necessary to demonstrate the > error. > > 4. Reboot This actually means that you will boot up with the pre-authselect configuration that still has pam_lastlog. > > Once the system comes up, you have a blank screen with a _ cursor in the top > left. You can not activate a console to work on the issue. > > I have attached the journalctl output for that entire boot. I think the backup you have was created by calling `authselect select local --force` manually from the livecd, not by any automation from the scriptlet since I already removed forceful override of non-authselect configuration. When you updated to F36, your non-authselect configuration should have been updated to authselect configuration to prevent this kind of issues. Maybe this did not work, or maybe you reverted it later. I'm not sure why authselect-apply-changes.service is disabled, unless you manually changed it it should use the preset. I will update to F43 soon and will check. But this service is only important for Silverblue and rpm-ostree systems. It does not need to be enabled for Workstation.
> I am confused here. I assume that this update was created when upgrading to F43, not before, right? So you had non-authselect configuration on F42? Is there any chance, you can attach the configuration that was *NOT* working? When I manually ran authselect, it placed the old files (that it replaced) in a backup directory. The files I attached are the non-authselect files that were used by F42, I just retrieved them from that backup. I could retrieve them from a F42 btrfs snapshot, but they're the same files. > This actually means that you will boot up with the pre-authselect configuration that still has pam_lastlog. Correct. I was just trying to provide a steps to reproduce the state I was in, in case it helped for troubleshooting (I'm not a pam expert) > When you updated to F36, your non-authselect configuration should have been updated to authselect configuration to prevent this kind of issues. Maybe this did not work, or maybe you reverted it later. I think I removed fingerprint from sudo via pam at somepoint in the past. However, I've never messed with authselect previously, either enabling/disabling/bypassing. I'd never hard of authselect before this. > I'm not sure why authselect-apply-changes.service is disabled, unless you manually changed it it should use the preset. I will update to F43 soon and will check. But this service is only important for Silverblue and rpm-ostree systems. It does not need to be enabled for Workstation. I have not made any changes to the authselect services. Glad it isn't needed for Workstation, but not sure why it was disabled.
Just to clarify, are you on Workstation or Silverblue?
Workstation. I don't think Silverblue was available when I installed originally.
Documented as common issue: https://discussion.fedoraproject.org/t/171961
Closing as won't fix as this is really not an authselect problem and it was resolved by documenting it as an common issue: https://discussion.fedoraproject.org/t/171961 Using authselect will prevent this kind of issues in the future.