Comment # 5 on bug 1209741 from
Thank you for the detailed bug report.

I am not an expert with keyring and even less with the cifscreds tool.
Nevertheless I did some research and this is what I found:

Looking at the code of cifscreds [1], it cannot work properly if the user
session key is the same as the specific session key.
  `if (ses_key == uses_key)`
And that is the case when you login from GUI:

```
keyctl show @s   # login from console
  115341363 --alswrv   1000  1000  keyring: _ses   <<< independent session key
  [...]
keyctl show @s   # login from GUI
  115341363 --alswrv   1000  1000  keyring: _uid_ses.1000   <<< session key = user key
  [...]
```

Key sessions are managed by the module pam_keyinit.so already mentioned. But
when you log in from a GUI, dbus-daemon will change the session user keyring.
Each Display Manager (gdm for GNOME, sddm for KDE, etc.) will use
systemd-user in the PAM stack. This is why the login session keyring is
different between the console login and the GUI login.
It was previously discussed here [2], by our previous pam maintainer.

To fix that, you can add the module pam_keyinit.so to revoke the key settings
managed by D-Bus in pam.d/systemd-user
(/usr/lib/pam.d/systemd-user).

```
session  required pam_selinux.so close
session  required pam_selinux.so nottys open
session  required pam_loginuid.so
session  optional pam_keyinit.so revoke force debug   <<< NEW
session  include  common-session
```

I made a test and it appears to work in a session from GUI login. Can you confirm
whether it works for you also?

What do you think, Thorsten, about this kind of change? I don't know what it
would involve to change the pam configuration of systemd in our distribution.
I will inform our systemd maintainer if he has more information.

BTW, a previous bug was reported here [3] and closed as WONTFIX.

[1] https://github.com/Distrotech/cifs-utils/blob/distrotech-cifs-utils/cifscreds.c#L491
[2] https://lists.freedesktop.org/archives/systemd-devel/2019-June/042872.html
[3] https://bugzilla.opensuse.org/show_bug.cgi?id=1128835
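
As an added example (not part of the original comment and not cifs-utils code), this shell helper classifies `keyctl show @s` output into the two cases the comment compares, so the effect of the PAM change can be checked after a GUI login. The function names are hypothetical and the sample outputs are constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example: decide whether the session keyring is a separate "_ses"
# keyring or the user-session keyring "_uid_ses.<uid>" (the case in which
# the comment says cifscreds cannot work properly).

# Reads `keyctl show @s` output on stdin and prints one of:
#   independent  - session keyring is its own _ses keyring
#   shared       - session keyring is the user-session keyring
#   unknown      - no keyring line found, or an unexpected description
classify_session_keyring() {
    awk '
        # The first "keyring:" line describes the session keyring itself;
        # nested keyrings listed below it are ignored.
        /keyring: / {
            name = $NF
            if (name ~ /^_uid_ses\.[0-9]+$/) print "shared"
            else if (name == "_ses")          print "independent"
            else                               print "unknown"
            found = 1
            exit
        }
        END { if (!found) print "unknown" }
    '
}

# Live check for the current login session (requires the keyctl tool).
check_current_session() {
    keyctl show @s | classify_session_keyring
}

# Constructed sample outputs, modelled on the two listings in the comment.
CONSOLE_SAMPLE='Session Keyring
 115341363 --alswrv   1000  1000  keyring: _ses
 529474961 --alswrv   1000 65534   \_ keyring: _uid.1000'

GUI_SAMPLE='Session Keyring
 115341363 --alswrv   1000  1000  keyring: _uid_ses.1000
 529474961 --alswrv   1000 65534   \_ keyring: _uid.1000'

# Classify a constructed sample passed as the first argument.
classify_sample() {
    printf '%s\n' "$1" | classify_session_keyring
}
```

Running `check_current_session` in a terminal opened from the GUI session before and after editing `pam.d/systemd-user` shows whether the keyring changed from `shared` to `independent`.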