Comment # 3 on bug 1209741 from
(In reply to Fabian Vogt from comment #1)
> I see that /usr/lib/pam.d/login has pam_keyinit.so before common-session,
> while /etc/pam.d/sddm has it the other way around. Maybe that makes a
> difference?
> 
> Does it work with xdm?

I just tried it with xdm and it is the same issue as with sddm.

(In reply to Thorsten Kukuk from comment #2)
> 
> It looks like the common usage on various distros is:
> 
> session required pam_loginuid.so
> session optional pam_keyinit.so ...
> session include common-session

I just tried modifying /etc/pam.d/sddm, /etc/pam.d/sddm-greeter, and
/etc/pam.d/sddm-autologin to switch them to that order and it still has the
issue.

I reboot after any change and when it does not resolve the issues, I put things
back to the way they were before the test.

So far the ONLY 2 ways that resolve the issue are 

1) Use keyctl session after logging into GUI

2) Modify /etc/pam.d/common-session-pc to add pam_keyinit.so revoke force as
   the last line.

Obviously both of those methods are working around the issue by creating a new
session keyring later in the process flow but neither of those is a permanent
solution to the problem.

Not sure if you looked at the URL from 2012 that seems very similar but one of
the comments said:

  Recompiling 3.4.8 kernel with the patch applied (plus another one
  mentioned in that patch description) solved the problem - in Xfce
  session opened from GDM the session keyring exists and "cifscreds add
  server" works. (And mounting CIFS shares with multiuser option as well.)

Since logging in via Ctrl+Alt+F1 does not have the issue and since logging in
via the GUI does seem to create a session keyring, could it be that the owning
process or location of that keyring is different which is why the Ctrl+Alt+F1
login can use the session keyring and the GUI login cannot?

I'm not up to the task of recompiling the kernel, but it seems like someone
that is capable of that could review that OLD patch to see if it was somehow
removed from more current kernels which is why the problem is occurring again.

It seems pretty clear that the issue is some sort of sequencing issue with the
GUI login that is the source of the problem.

Possibly someone could debug cifscreds add to see why it is not finding the
session keyring that pam_keyinit.so is creating when using the GUI login method
but does when using the Ctrl+Alt+F1 login method?

I suspect that would point to exactly what the problem is.

Holler if there are other tests you'd like me to try.
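
Added example, not part of the original comment or of any project's code: a small parser that reports where pam_keyinit.so sits in a PAM service file's session stack relative to the common-session include, and whether the force and revoke arguments are set. The two sample files are constructed for illustration. The check only inspects the top-level file and does not follow the include, so a pam_keyinit.so line inside common-session-pc is not seen.

```python
import re

# Constructed sample mirroring the order quoted in the comment (not a real file).
SAMPLE_SDDM = """\
#%PAM-1.0
auth     include  common-auth
session  required pam_loginuid.so
session  optional pam_keyinit.so force revoke
session  include  common-session
"""

# Constructed sample with the opposite order (keyinit after common-session).
SAMPLE_REVERSED = """\
session  include  common-session
-session optional pam_keyinit.so revoke
"""

# type, control (plain word or [bracketed]), module path or file, arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def session_stack(text):
    """Return [(control, module_or_file, [args])] for session lines, in order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = LINE.match(line)
        if m and m.group(1).lower() == "session":
            stack.append((m.group(2), m.group(3), m.group(4).split()))
    return stack

def keyinit_report(text, included="common-session"):
    """Describe where pam_keyinit.so sits relative to the included stack."""
    stack = session_stack(text)
    key_idx = next((i for i, (_, n, _) in enumerate(stack)
                    if n.endswith("pam_keyinit.so")), None)
    inc_idx = next((i for i, (c, n, _) in enumerate(stack)
                    if c in ("include", "substack") and n == included), None)
    args = stack[key_idx][2] if key_idx is not None else []
    return {
        "has_keyinit": key_idx is not None,
        "keyinit_before_include": (key_idx is not None and inc_idx is not None
                                   and key_idx < inc_idx),
        "force": "force" in args,
        "revoke": "revoke" in args,
    }

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SDDM), ("reversed", SAMPLE_REVERSED)):
        print(label, keyinit_report(text))
```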

