19:28 < gusi> halfline: the exact error I get is: 19:28 < gusi> gdm-launch-env

1. 19:28 < gusi> halfline: the exact error I get is:
2. 19:28 < gusi> gdm-launch-environment][2550]: in openpam_check_error_code(): pam_sm_acct_mgmt(): unexpected return value 12
3. 19:29 < halfline> gusi: okay so what's going on is..
4. 19:29 < halfline> the login screen is a session like any other
5. 19:30 < halfline> but instead of belonging to a particular real user
6. 19:30 < halfline> it belongs to the "gdm" user
7. 19:30 < halfline> which is a system account
8. 19:30 < halfline> gdm-launch-environment is the pam service used for setting up this session
9. 19:30 < halfline> in the same way the gdm-password pam service is used for setting up a user session
10. 19:30 < halfline> the gdm user doesn't have a password
11. 19:30 < halfline> the pam stack is supposed to be as minimal as possible, basically just enough to do logind registration
12. 19:31 < halfline> the error code you're getting suggests that the pam stack set up for the gdm-launch-environment service thinks that the gdm user has a
13. password
14. 19:31 < halfline> and that that password is expired
15. 19:31 < halfline> and needs to be updated to a new password
16. 19:31 < halfline> of course the gdm user has no way of picking a password
17. 19:32 < halfline> it just expects the pam conversation to silently succeed
18. 19:32 < halfline> because it's not silently succeeding, that suggests the file /etc/pam.d/gdm-launch-environment is misconfigured
19. 19:33 < halfline> or perhaps the gdm user is misdeclared in the /etc/shadow file
20. 19:34 < halfline> gusi: what is the output of sudo grep gdm: /etc/shadow ?
21. 19:35 < halfline> it should be something like gdm:!!:12345::::::
22. 19:35 < halfline> if it's something like gdm::0:0:99999:7::: that's wrong
23. 19:36 < gusi> halfline: let me interrupt you
24. 19:36 < halfline> i'm actually done :-)
25. 19:36 < gusi> :)
26. 19:36 < gusi> mind that it used to work a month ago
27. 19:36 < gusi> and that
28. 19:37 < gusi> we're running FreeBSD
29. 19:37 < halfline> okay so it might be /etc/pam.conf on freebsd? not sure
30. 19:37 < halfline> the point's are still valid though
31. 19:37 < gusi> I've been told that the problem comes from gdm-launch-environment not setting PAM_TTY nor PAM_RHOST
32. 19:37 < gusi> halfline: we have that pam.conf and the gdm-*.pam files in place
33. 19:38 < gusi> but it would appear that a recent commit in our openpam stack broke gdm
34. 19:39 < gusi> the commit fixed a problem were PAM_TTY and PAM_RHOST were not set in pam_login_access
35. 19:39 < gusi> apparently this break gdm-launch-environment
36. 19:40 < halfline> do you have a file /usr/include/security/_pam_types.h ?
37. 19:40 < gusi> /usr/include/security/pam_types.h is in place
38. 19:40 < halfline> can you pastebin it for me?
39. 19:42 < gusi> sure
40. 19:42 < gusi> http://pastebin.com/uAgzB0Ew
41. 19:43 < halfline> ah it's actually pam_constants.h in openpam i guess
42. 19:43 < halfline> https://github.com/aosm/OpenPAM/blob/master/openpam/include/security/pam_constants.h
43. 19:43 < halfline> so 12 is IPAM_AUTHINFO_UNAVAIL
44. 19:43 < gusi> yes
45. 19:44 < halfline> on linux 12 is PAM_NEW_AUTHTOK_REQD
46. 19:44 < halfline> which is why i went down the line of discussion i did before
47. 19:44 < halfline> okay let me look at the code, one moment
48. 19:44 < halfline> i'm pretty sure we do set PAM_TTY
49. 19:44 < halfline> setting PAM_RHOST would be really weird though
50. 19:44 < halfline> it's not a remote connection
51. 19:44 < gusi> I greped and it was at session-worker
52. 19:45 < halfline> right, the code is all in gdm-session-worker.c
53. 19:45 < halfline> so the issue, I guess, is we set PAM_TTY too late
54. 19:46 < halfline> we set it before pam_open_session
55. 19:46 < halfline> but freebsd needs it set before the account stack runs
56. 19:46 < halfline> which is pam_acct_mgmt
57. 19:47 < halfline> that change happened here: https://git.gnome.org/browse/gdm/commit/?id=4cc94727be662fa819f19a4c6d70610380243caf
58. 19:48 < halfline> i assume the person you talked to was saying PAM_RHOST OR PAM_TTY should be set
59. 19:48 < halfline> not both
60. 19:49 < halfline> RHOST if it's a remote connection, and TTY if it's local
61. 19:50 < halfline> so is pam_login_access like pam_loginuid ?
62. 19:50 < halfline> if so it probably shouldn't be run for gdm sessions
63. 19:51 < halfline> since they aren't associated with a human
64. 19:51 < halfline> oh i guess not
65. 19:51 < halfline> http://www.freebsd.org/cgi/man.cgi?query=pam_login_access&sektion=8
66. 19:52 < gusi> yes
67. 19:52 < halfline> can you pastebin your /etc/login.access file?
68. 19:54 < gusi> halfline: it is plain useless in a stock installation, everything is commented out
69. 19:54 < gusi> http://pastebin.com/1Y0yubLT
70. 19:55 < gusi> halfline: I do understand to PAM_TTY or PAM_RHOST should be set (or like a xor)
71. 19:56 < halfline> though, i think it's a bug in the pam module that it requires them to be set for users that aren't confined by the login.access file
72. 19:57 < halfline> if the login.access file says "USER IS ALLOWED TO LOGIN NO MATTER THE TTY OR RHOST" then checking for a TTY or RHOST from the pam module is
73. pretty anti-social
74. 19:58 < halfline> now the question is, i can i fix GDM to work within the wanted constraints given
75. https://git.gnome.org/browse/gdm/commit/?id=4cc94727be662fa819f19a4c6d70610380243caf
76. 19:58 < halfline> s/i can i/can i/
77. 19:58 < gusi> halfline: makes sense, but perhaps we may be missing something
78. 19:58 < gusi> I'm trying to poke our pam maintainer, but he seems unresponsible
79. 20:03 < halfline> it's sort of tricky to fix in GDM
80. 20:03 < halfline> since in some cases we don't know what VT the session is going to be running on until pam_open_session time
81. 20:04 < halfline> so we wouldn't know what PAM_TTY value to use
82. 20:04 < halfline> we could lie
83. 20:04 < halfline> i guess for gdm-launch-environment we know ahead of time
84. 20:05 < halfline> but that won't fix user logins
85. 20:05 < halfline> that'll just get you to a login screen
86. 20:07 < gusi> hmmmm
87. 20:08 < gusi> wouldn't normal users use the system pam stack to login?
88. 20:08 < gusi> hmmmm
89. 20:08 < gusi> do they need the PAM_TTY set?
90. 20:16 < halfline> gusi: normal users do use the system pam stack to login
91. 20:17 < halfline> but the problem is...what tty is their session going to run on?
92. 20:17 < halfline> we don't (necessarily) know until pam_open_session completes
93. 20:17 < halfline> which happens after pam_acct_mgmt is called
94. 20:17 < halfline> if the session runs on the same VT as the login screen then we know
95. 20:17 < halfline> but that's not guaranteed
96. 20:18 < halfline> but the pam module is also a little bit silly
97. 20:18 < halfline> why you would only let tino log in on vt2 and rebecca log in on vt 3 and vt 5 ?
98. 20:21 < halfline> i guess we could call PAM_TTY early on freebsd only and presume that the login screen and user session will run on the same VT in freebsd
99. always
100. 20:21 < halfline> though before committing that i'd be interested in what the pam maintainers take is
101. 20:26 < gusi> halfline: I'm poking him to pass him this conversation
102. 20:27 < gusi> halfline: thanks a lot your help