Comment # 5
on bug 1209741
from Valentin Lefebvre
Thank you for the detailed bug report.
I am not an expert with keyring and even less with cisfcred tool.
Nevertheless I did some research and this is what I found:
Looking on the code of cifscreds [1], it cannot work properly if the user
session key is the same as the specific session key.
`if (ses_key == uses_key)`
And that is the case when you login from GUI:
keyctl show @s # login from consol
115341363 --alswrv 1000 1000 keyring: _ses <<< independant session
key
[...]
keyctl show @s #login from gui
115341363 --alswrv 1000 1000 keyring: _uid_ses.1000 <<< session key =
user key
[...]
key sessions are managed by the module pam_keyinit.so already mentioned. But
when you log from a GUI, dbus-daemon will change the session user keyring.
Each Display Manager (gdm for gnome, sddm for KDE, etc...) will used
systemd-user in the PAM stack. This is why, the login session keyring is
different from the condole login to the gui login.
It was previously discussed here [2], by our previous pam maintainer.
To fix that, you can add the module pam_keyinit.so to revoke the key settings
manage by d-bus in pam.d/systemd-user.
(/usr/lib/pam.d/systemd-user)
```
session required pam_selinux.so close
session required pam_selinux.so nottys open
session required pam_loginuid.so
session optional pam_keyinit.so revoke force debug <<< NEW
session include common-session
```
I made a test and it looks to work in session from GUI login. Can you confirm
if it works for you also ?
What do you think Thorsten about this kind of change ? I don't know what it
would involve to change the pam configuration of systemd in our distribution.
I will inform our systemd maintainer if he has more information.
BTW a previous bug was reported here [3] and closed as WONTFIX
[1]
https://github.com/Distrotech/cifs-utils/blob/distrotech-cifs-utils/cifscreds.c#L491
[2] https://lists.freedesktop.org/archives/systemd-devel/2019-June/042872.html
[3] https://bugzilla.opensuse.org/show_bug.cgi?id=1128835