[opensuse-factory] New Tumbleweed snapshot 20160514 released!
Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20160514 Packages changed: cmis-client gawk gnome-calculator (3.20.0 -> 3.20.1) gnome-disk-utility (3.20.1 -> 3.20.2) gtkspell3 (3.0.6 -> 3.0.8) installation-images-openSUSE (14.240 -> 14.243) lftp (4.6.5 -> 4.7.1) libproxy libproxy-plugins libvirt (1.3.3 -> 1.3.4) mariadb mc (4.8.16 -> 4.8.17) ncurses ostree pam (1.2.1 -> 1.3.0) pam-modules pam_ldap perl-Bootloader (0.912 -> 0.913) perl-List-MoreUtils (0.413 -> 0.415) perl-XML-XPath (1.35 -> 1.36) phonon4qt5 (4.8.3 -> 4.9.0) phonon4qt5-backend-gstreamer (4.8.2 -> 4.9.0) rubygem-cfa_grub2 (0.4.0 -> 0.4.1) tomcat webkit2gtk3 wireless-regdb (2016.02.08 -> 2016.05.02) xalan-c xdm xorg-x11-server yast2-bootloader (3.1.179 -> 3.1.183) yast2-firstboot (3.1.12 -> 3.1.13) === Details === ==== cmis-client ==== - Simplify autoreconf call and add patch to mark Makefile as foreign: * declare-automake-foreign.patch ==== gawk ==== - new gawk_ppc64le_ignore_transient_test_time_failure.patch ==== gnome-calculator ==== Version update (3.20.0 -> 3.20.1) Subpackages: gnome-shell-search-provider-gnome-calculator - Update to version 3.20.1: + Fix: precedence of root operator. + Updated translations. ==== gnome-disk-utility ==== Version update (3.20.1 -> 3.20.2) - Update to version 3.20.2: + Fix window menu placement under Wayland. + Updated translations. ==== gtkspell3 ==== Version update (3.0.6 -> 3.0.8) - Update to version 3.0.8: + Fix cases where check_word is called on an empty range. + Add gtk_spell_checker_check_word. + Add gtk_spell_checker_get_suggestions. + Updated translations. ==== installation-images-openSUSE ==== Version update (14.240 -> 14.243) - Mount efivarfs automatically (bsc#978593) - 14.243 - add modules needed for httpboot installation (fate#320134) - 14.242 - include and load efivarfs module (bsc#978593) - 14.241 ==== lftp ==== Version update (4.6.5 -> 4.7.1) - lftp 4.7.0: * ftp: add MODE Z support. * ftp: new settings ftp:use-mode-z, ftp:compressed-re, ftp:mode-z-level. * ftp: add MFF support for chmod. * ftp: prefer EPSV by default. * ftp: prefer CWD-relative paths. * ftp: enable MLSD by default (when supported). * ftp: assume AUTH is supported based on other newer features. * http: add support for digest authentication. * http: fixed webdav directory listing. * http: fixed a coredump when using a proxy for https. * sftp: fixed mirror to sftp with xfer:use-temp-file set. * ssl: optimized ssl for speed and lower syscall count. * ssl: log server's certificate fingerprint. * ssl: allow disabling certificate verification by its fingerprint. * get: rename backup file back if new file cannot be retrieved. * get: new settings xfer:backup-suffix and xfer:keep-backup. * get/put/mget/mput/pget/get1: add -q (quiet) option. * edit: allow creating a new file. * new debug option -T (truncate output file). * new mirror options: --{in,ex}clude-{rx,glob}-from. * new mirror options: --Remove-source-dirs, --Move. - lftp 4.7.1: * http: fixed authentication for proxy, transient errors, max-retries=1. * http: fixed put with authentication not to use HEAD request. * translations updated (cs, ru). ==== libproxy ==== Subpackages: libproxy-devel libproxy1 - Require libqt5-qttools by libproxy1-config-kde: the plugin spawns qtpaths to find the right config files (boo#979232). - Trigger libproxy1-config-kde for installation when plasma5-session and libproxy1 are installed. - Fix condition to not build KDE plugin for SLE. ==== libproxy-plugins ==== Subpackages: libproxy1-config-gnome3 libproxy1-config-kde libproxy1-networkmanager libproxy1-pacrunner-webkit - Require libqt5-qttools by libproxy1-config-kde: the plugin spawns qtpaths to find the right config files (boo#979232). - Trigger libproxy1-config-kde for installation when plasma5-session and libproxy1 are installed. - Fix condition to not build KDE plugin for SLE. ==== libvirt ==== Version update (1.3.3 -> 1.3.4) Subpackages: libvirt-client libvirt-daemon libvirt-daemon-config-network libvirt-daemon-config-nwfilter libvirt-daemon-driver-interface libvirt-daemon-driver-libxl libvirt-daemon-driver-lxc libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-uml libvirt-daemon-driver-vbox libvirt-daemon-lxc libvirt-daemon-qemu libvirt-daemon-xen - Remove unknown locales to fix build in old dists - Update to libvirt 1.3.4 - Add support for migration data compression in QEMU driver - Drop libvirtd.socket - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Dropped patches: 216650f1-libxl-build-fix.patch, 6d8b6d28-mark-implicit-video-primary.patch, 03e8d5fb-qemu-perf-memory-corruption.patch, libvirtd-systemd-socket.patch ==== mariadb ==== Subpackages: libmysqlclient-devel libmysqlclient18 libmysqlclient18-32bit libmysqlclient_r18 libmysqld18 mariadb-client mariadb-errormessages - fix constraints conditions for 32bit architectures ==== mc ==== Version update (4.8.16 -> 4.8.17) Subpackages: mc-lang - Update to 4.8.17: === Core === * Minimal version of Gettext is 0.18.1 (#1885) * Optimization of copy/move operations (use adaptive buffer as in coreutils) (#2193) * Recognize csh as tcsh (#2742) * ?entered scrolling of file panel (#3130) * Internals: * Switch to new high-level mouse API (#3571) === VFS === * FISH helpers: remove executable bit (#3610) === Editor === * Improvements of syntax highlighting: * F90 (#3618) * Java (MidnightCommander/mc#95) === Misc === * Code cleanup (#3598, #3607) * Install mc.keymap as a symlink to mc.default.keymap (#3609) * File highlight: add more common file formats === Fixes === * Segfault due to incorrect value of SHELL environment variable (#3606) * Segfault when copying files under FreeBSD 9.3 (#3617) * Segfault when entering into some cpio archives (#3621) * Subshell output lost on window resize under tmux, GNU screen (#3639) * Subshell cursor position lost after window resizing (#3640) * Listbox no longer scrolls when dragging outside widget (#3559) * VFS: extfs: incorrect date parsing in unzip (#3622) * VFS: extfs: buffer overflow (#3605) * VFS: patchfs: syntax error (#3620) * VFS: fish: mistakes in ls Perl helper (#3611) - remove upstreamed Patch99: mc-patchfs_lzip-syntax-error.patch ==== ncurses ==== Subpackages: libncurses5 libncurses6 libncurses6-32bit ncurses-devel ncurses-utils tack terminfo terminfo-base - Add ncurses patch 20160423 + modify test/ncurses.c 'd' edit-color menu to optionally read xterm color palette directly from terminal, as well as handling KEY_RESIZE and screen-repainting with control/L and control/R. + add 'oc' capability to xterm+256color, allowing palette reset for xterm -TD - Add ncurses patch 20160416 + add workaround in configure script for inept transition to PIE vs PIC builds documented in https://fedoraproject.org/wiki/Changes/Harden_All_Packages + add "reset" to list of programs whose names might change in manpages due to program-transformation configure options. + drop long-obsolete "-n" option from tset. - Add ncurses patch 20160409 + modify test/blue.c to use Unicode values for card-glyphs when available, as well as improving the check for CP437 and CP850. - Add ncurses patch 20160402 + regenerate HTML manpages. + improve manual pages for utilities with respect to POSIX versus X/Open Curses. - Add ncurses patch 20160326 + regenerate HTML manpages. + improve test/demo_menus.c, allowing mouse-click on the menu-headers to switch the active menu. This requires a new extension option O_MOUSE_MENU to tell the menu driver to put mouse events which do not apply to the active menu back into the queue so that the application can handle the event. - Add ncurses patch 20160319 + improve description of tgoto parameters (report by Steffen Nurpmeso). + amend workaround for Solaris line-drawing to restore a special case that maps Unicode line-drawing characters into the acsc string for non-Unicode locales (Debian #816888). - Add ncurses patch 20160312 + modified test/filter.c to illustrate an alternative to getnstr, that polls for input while updating a clock on the right margin as well as responding to window size-changes. - Add ncurses patch 20160305 + omit a redefinition of "inline" when traces are enabled, since this does not work with gcc 5.3.x MinGW cross-compiling (cf: 20150912). ==== ostree ==== - Add ostree-grub2-location.patch: Fix path to find grub-mkconfig_lib. openSUSE installs those files to /usr/share/grub2, upstream would do /usr/share/grub (boo#974714). ==== pam ==== Version update (1.2.1 -> 1.3.0) Subpackages: pam-32bit pam-devel - Remove obsolete README.pam_tally [bsc#977973] - Update Linux-PAM to version 1.3.0 - Rediff encryption_method_nis.diff - Link pam_unix against libtirpc and external libnsl to enable IPv6 support. - Add /sbin/unix2_chkpwd (moved from pam-modules) - Remove (since accepted upstream): - 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch - 0002-Remove-enable-static-modules-option-and-support-from.patch - 0003-fix-nis-checks.patch - 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch - 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch - Add 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch - Replace IPv4 only functions - Fix typo in common-account.pamd [bnc#959439] - Add 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch - readd PAM_EXTERN for external PAM modules - Add 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch - Add 0002-Remove-enable-static-modules-option-and-support-from.patch - Add 0003-fix-nis-checks.patch ==== pam-modules ==== Subpackages: pam-modules-32bit - remove unix2_chkpwd (moved to pam), to be able to drop this obsolete package in the near future. - Link against external (non-glibc) libnsl. ==== pam_ldap ==== Subpackages: pam_ldap-32bit - Add reproducible.patch to drop build date to make build-compare work ==== perl-Bootloader ==== Version update (0.912 -> 0.913) - Don't install grub2-efi during installation (bsc#979145) - 0.913 ==== perl-List-MoreUtils ==== Version update (0.413 -> 0.415) - updated to 0.415 see /usr/share/doc/packages/perl-List-MoreUtils/Changes 0.415 2016-05-01 - Release 0.414_001 as 0.415 without further changes 0.414_001 2016-04-13 - fix RT#75727 - after's XS implementation call XSRETURN(-1) when it doesn't find an element (2nd patch provided by Reini Urban, regression test provided by Tony Cook) - fix RT#113117 - XS's minmax() sometimes return undef (perl >= 5.20), thanks PERLANCAR and SREZIC - explicit test for thesis in RT#110998 - XS implementation of pairwise fails with memory allocation error when there are more return values than in original lists -- thesis is proven wrong - efficiency improvements by bulk88 - improve some tests to get clearer reports - distinguish between "Makefile.PL find's a .git directory" and "Makefile.PL runs in maintainer mode" ==== perl-XML-XPath ==== Version update (1.35 -> 1.36) - updated to 1.36 see /usr/share/doc/packages/perl-XML-XPath/Changes 1.36 2016-04-14 MANWAR - Fixed issue RT #68932 (/usr/bin/xpath outputs unwanted text when quiet mode ist set). ==== phonon4qt5 ==== Version update (4.8.3 -> 4.9.0) Subpackages: libphonon4qt5 phonon4qt5-devel - Update to 4.9.0 * Changes * Builsystem helpers are now installed to CMAKE_INSTALL_DATAROOTDIR * CMake 2.8.9 is required to use GNUInstallDirs and for the Qt5 code branches * automoc4 support was removed. Building always use the cmake built-in solution now. * Qt5 and Qt4 builds use different CMake configurations now Qt4 is as it always has been * Qt5 moved away from crudely ported Qt4 configurations to using extra-cmake-modules' KDE compiler and cmake flags. * Installation paths and so forth are still jointly configured as to retain backwards compatibility (i.e. Qt5 build does not follow ECM's KDEInstallationPaths) * Bug Fixes * VolumeSlider has seen async behavior improvements making the slider not hop around when changing the volume rapidly and the backend is lagging a bit behind. * The volume change now occurs upon slider release rather than instantly. * Fixed a duble encoding issue with local paths that contain percent encoded characters being double-encoded [kde#356218] * New API * New AudioOutputInterface49 for backends to implement. This interface implements long-existing frontend interfaces for muting, giving the backend easier access and control. * setMuted(bool) mutes an AudioOuput (without the 4.9 interface this is done via setVolume(0.0) on the backend) * mutedChanged(bool) signal emitted by the backend to asyncronuously notify of the mute application * The interface is only used if PulseSupport is not intercepting calls * New methods to differntiate states of PulseSupport * request(bool) is used by backends to request PulseAudio usage but no interception, this essentially enables device listing but lets everything else fall through to the backend (the existing isActive() method will not return true after request(true), which makes it different from enable(true)) * isRequested() is a getter for request()'s state * isUsable() is part of the previouys isActive() behavior, it is true iff pulseaudio can be used (daemon running, connected etc) * isUsed() is a combination of isRequested() and isUsable() (i.e. active but not intercepting) * The existing isActive() communicates the same state as before (active and intercepting) but now also takes requested into consideration * Enabling always implies requsting automatically, so request(false) and enable(true) will ultimately still restul in isRequested==true - Drop upstreamed 0001-tear-cmake-logic-for-qt4-and-qt5-apart.patch ==== phonon4qt5-backend-gstreamer ==== Version update (4.8.2 -> 4.9.0) - Update to 4.9.0 * No changelog provided - Drop upstreamed Fix-finding-recent-versions-of-GStreamer.patch ==== rubygem-cfa_grub2 ==== Version update (0.4.0 -> 0.4.1) - fix value for GRUB_ENCRYPTED_DISK attribute (bnc#976315) - 0.4.1 ==== tomcat ==== Subpackages: tomcat-admin-webapps tomcat-el-3_0-api tomcat-jsp-2_3-api tomcat-lib tomcat-servlet-3_1-api tomcat-webapps - fix maven fragments paths to build in multiple distribution versions ==== webkit2gtk3 ==== Subpackages: libjavascriptcoregtk-4_0-18 libwebkit2gtk-4_0-37 typelib-1_0-JavaScriptCore-4_0 typelib-1_0-WebKit2-4_0 webkit2gtk-4_0-injected-bundles - handle s390 like s390x ==== wireless-regdb ==== Version update (2016.02.08 -> 2016.05.02) - Update to 2016.05.02 ==== xalan-c ==== - Cleanup a bit with spec-cleaner - Disable ICU as no other distro does build with it - Add patches to build with paralel make and respect ldflags - Remove test/sample binaries instalation, not needed on resulting systems - Add condition for aarch64 build - Added patches: * fix-ftbfs-ld-as-needed.diff * fix-testxslt-segfault.diff * xalan-c-parallel-build.patch - Removed patches, no longer needed: * xalan-c-1.11-fix_build.patch * xalan-c-1.11-fixes.patch * xalan-c-1.11-gcc4.patch * xalan-c-1.11-lib64.patch ==== xdm ==== Subpackages: xdm-xsession - Make SUSEconfig handler for DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN robust against changes to the default setting of -listen/-nolisten tcp (boo#978262). - Prevent xdm.service from being built. We've got display-manager.service instead (bsc#978458). ==== xorg-x11-server ==== Subpackages: xorg-x11-server-extra xorg-x11-server-sdk - modesetting.ids: Add file for PCI IDs of ASICs which the modesetting rather than the native driver should be used for. This includes all Intel Gen9+ hardware (boo#978954). ==== yast2-bootloader ==== Version update (3.1.179 -> 3.1.183) - fix grub2 settings for lvm encrypted boot partition (bsc #976315) - 3.1.183 - do not crash when stage1 is set to extended partition (thanks to mvidner for catch, also fix bnc#978284) - 3.1.182 - do not crash with uninitialized variable 'extended' (bnc#978284) - 3.1.181 - Disable secure boot on AArch64 (bsc#978157) - Generate grub2 as removable on non-nvram efi systems (bsc#978593) - 3.1.180 ==== yast2-firstboot ==== Version update (3.1.12 -> 3.1.13) - Remove kbd service restart because it does not exist anymore (bsc#974489) - Fixed firstboot.xml to call the correct client for registration (bsc#970572) (lslezak@suse.cz) - 3.1.13 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
hi, Am 2016-05-16 um 13:43 schrieb Ludwig Nussel:
pam (1.2.1 -> 1.3.0) pam-modules pam_ldap
after upgrading pam to 1.3.0 from tumbleweed repo and plasma workspace 5 from KDE frameworks5 repo from 5.6.3 to 5.6.4 i can't use kscreenlocker/kcheckpass any more. i have an upgraded openSUSE x86_64 system since 12.3 and therefor i have to preserve my pam config files common-session-pc common-password-pc common-auth-pc common-account-pc which use pam_unix2.so instead of pam_unix.so whenever i update pam packages. i learned this from tumbleweed update 2015-09-24. there was a thread about this in this list named "tumbleweed update 2015-09-24 unlock screensaver failed". after updating pam today i could not even login any more. i solved this by restoring my old pam config files. but kscreenlocker/kcheckpass do not work any more even after this restore. they always report "unlock failed". when starting journalctl i see: Authentication failure for rainer (invoked by uid 1000) could it be, that kscreenlocker/kcheckpass internally rely on pam_unix.so which does not work on my machine? i downgraded all required plasma5 packages to 5.6.3 and now it works again. so it must have something to do with 5.6.4 versions of plasma5.... -- Best Regards | Freundliche Grüße | Cordialement | Cordiali Saluti | *DI Rainer Klier* Research & Development, Technical Sales Consultant -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Am Dienstag, 17. Mai 2016, 13:49:05 schrieb Rainer Klier:
i downgraded all required plasma5 packages to 5.6.3 and now it works again.
so it must have something to do with 5.6.4 versions of plasma5....
For the record, there has been no change in Plasma5 regarding that AFAIK... Maybe the pam update caused this? But just to be clear: from the KDE side, we do rely on pam_unix, and replace pam_unix2 on purpose, see: https://bugzilla.opensuse.org/show_bug.cgi?id=931296 Nothing new with the latest update though... Kind Regards, Wolfgang -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Am 2016-05-17 um 16:32 schrieb Wolfgang Bauer:
so it must have something to do with 5.6.4 versions of plasma5....
For the record, there has been no change in Plasma5 regarding that AFAIK...
Maybe the pam update caused this?
yes. it has to be like that. but not alone. as said, i updated pam and plasma5 at the same time. after this, logon did not work any more. i fixed this by reverting my old pam config files. but screenlock did not work even after reverting my old pam config files. then i downgraded all needed packages to use plasma5 screenlocker from plasma 5.6.3. the screenlock worked again. then, just to try out, i again upgraded everything to plasma 5.6.4, and then, to my surprise, it worked again... :-D so it must have something to do with installation order, or, with the pam config situation at the time the plasma packages are installed. so, the next time, pam is updated at the same time plasma is updated (if i ever will update this again...) i will fix my pam config files after pam update, and then update plasma... never again at the same time..... -- Best Regards | Freundliche Grüße | Cordialement | Cordiali Saluti | *DI Rainer Klier* Research & Development, Technical Sales Consultant -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Am Mittwoch, 18. Mai 2016, 10:47:53 CEST schrieb Rainer Klier:
but screenlock did not work even after reverting my old pam config files. then i downgraded all needed packages to use plasma5 screenlocker from plasma 5.6.3. the screenlock worked again. then, just to try out, i again upgraded everything to plasma 5.6.4, and then, to my surprise, it worked again... :-D
The kscreenlocker package will switch your PAM config to use pam_unix on every installation (also updates). As mentioned it does require pam_unix so that unlocking works correctly. With pam_unix2, kscreenlocker_greet just doesn't have the necessary permissions, making unlocking the session fail. A workaround is to make /usr/lib64/libexec/kcheckpass suid root, that should prevent such problems in the future. Updates will change the file permissions again of course, so you should rather add an entry to /etc/permissions.local and run chkstat to apply it. We cannot ship kcheckpass suid root, because the security team declined it (see https://bugzilla.opensuse.org/show_bug.cgi?id=926267), that's why we had to resort to this PAM config change. If you want to prevent your PAM config from being changed, convert the symlinks common-session and so on to proper files, pam-config should not touch them any more then. But if you don't have a very specific need to use pam_unix2, it's probably easier to just stick to pam_unix. Just because your system is updated since 13.2 is not a good reason though, mine is updated since 8.1 and still I am happily using pam_unix now... ;-) Kind Regards, Wolfgang -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Am 2016-05-18 um 18:56 schrieb Wolfgang Bauer:
Am Mittwoch, 18. Mai 2016, 10:47:53 CEST schrieb Rainer Klier:
but screenlock did not work even after reverting my old pam config files. then i downgraded all needed packages to use plasma5 screenlocker from plasma 5.6.3. the screenlock worked again. then, just to try out, i again upgraded everything to plasma 5.6.4, and then, to my surprise, it worked again... :-D
The kscreenlocker package will switch your PAM config to use pam_unix on every installation (also updates).
ah, then this was responsible for the trouble.
As mentioned it does require pam_unix so that unlocking works correctly. With pam_unix2, kscreenlocker_greet just doesn't have the necessary permissions, making unlocking the session fail.
the strange thing is, that it works now, after i restored my pam config files (to versions which use pam_unix2), and reinstalled kscreenlocker. so, why does this work now? i just checked the files and they use pam_unix.so again but it still works, and now i am completely confused.... :-( the chronology was: 1. updated pam and kscreenlocker with yast. 2. rebooted 3. could not login any more. 4. rebooted in maintenance mode and restored old pam config files. (using pam_unix2) 5. rebooted and logged in. 6. kscreenlocker didn't work any more. 7. tried different pam config files. without success. 8. restored old pam config files. 9. downgraded kscreenlocker to 5.6.3 10. rebooted and logged in. 11. old kscreenlocker works. 12. updated kscreenlocker with yast again to 5.6.4. (expecting to live without kscreenlocker) 13. tried kscreenlocker, but to my surprise, it worked. 14. i was assuming that pam config files are still the old ones, because everything is working. 15. checked pam config files, and noticed, that they are using pam_unix.so.
A workaround is to make /usr/lib64/libexec/kcheckpass suid root, that should prevent such problems in the future. Updates will change the file permissions again of course, so you should rather add an entry to /etc/permissions.local and run chkstat to apply it.
i know this since 2015-09-24. i discussed this in these days in this list under the subject "tumbleweed update 2015-09-24 unlock screensaver failed". it was you who helped me in this thread.
If you want to prevent your PAM config from being changed, convert the symlinks common-session and so on to proper files, pam-config should not touch them any more then.
ah, because of thread "tumbleweed update 2015-09-24 unlock screensaver failed" i have it this way since 2015-09-24: common-account -> common-account-pc common-auth -> common-auth-pc common-password -> common-password-pc common-session -> common-session-pc so, you suggest to remove the links and make normal files? so, copy the *-pc files over the appropriate links? so that afterwards i simply have: common-account common-auth common-password common-session
But if you don't have a very specific need to use pam_unix2, it's probably easier to just stick to pam_unix.
i thought, i can't do this. i assumed this by interpreting your answers in the "tumbleweed update 2015-09-24 unlock screensaver failed" thread. so maybe i misinterpreted your answers. because to my surprise it works now.
Just because your system is updated since 13.2 is not a good reason though, mine is updated since 8.1 and still I am happily using pam_unix now... ;-)
ok, it seems, that my system also works now with pam_unix. but now i completely don't know WHY i could not login after updating pam and kscreenlocker.... and WHY it all works now after reinstalling kscreenlocker. -- Best Regards | Freundliche Grüße | Cordialement | Cordiali Saluti | *DI Rainer Klier* Research & Development, Technical Sales Consultant -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Am Donnerstag, 19. Mai 2016, 10:48:55 schrieb Rainer Klier:
the chronology was: 1. updated pam and kscreenlocker with yast.
Why with YaST? And what packages exactly? Maybe there was some mixture of packages then. pam_unix2 is part of pam- modules, not pam itself (unlike pam_unix). Might have been caused by the order in which you installed the packages too, though.
2. rebooted 3. could not login any more. 4. rebooted in maintenance mode and restored old pam config files.
What do you mean with "maintenance mode"? Booting to recovery mode should not have any influence on the PAM config. I.e. if the PAM config was broken (causing you not to be able to login), booting to recovery mode won't fix it. Or do you mean you logged in in text mode?
(using pam_unix2) 5. rebooted and logged in. 6. kscreenlocker didn't work any more.
That's to be expected as explained, and the reason why we added this "workaround" to enforce pam_unix in the first place. As mentioned, if using pam_unix2, you need to make kcheckpass suid root for unlocking to work.
A workaround is to make /usr/lib64/libexec/kcheckpass suid root, that should prevent such problems in the future. Updates will change the file permissions again of course, so you should rather add an entry to /etc/permissions.local and run chkstat to apply it. i know this since 2015-09-24. i discussed this in these days in this list under the subject "tumbleweed update 2015-09-24 unlock screensaver failed".
it was you who helped me in this thread.
I vaguely remember that thread, but not the details. But that was before we added the forced PAM change to pam_unix to the Plasma packages (which was done on 2015-10-23, a month later). At that point, pam_unix2 was not changed to pam_unix automatically, causing the screenlocker to fail on upgraded systems (pam_unix is the default since 12.3 IIRC, but that only affects new installations).
If you want to prevent your PAM config from being changed, convert the symlinks common-session and so on to proper files, pam-config should not touch them any more then.
ah, because of thread "tumbleweed update 2015-09-24 unlock screensaver failed" i have it this way since 2015-09-24: common-account -> common-account-pc common-auth -> common-auth-pc common-password -> common-password-pc common-session -> common-session-pc
so, you suggest to remove the links and make normal files? so, copy the *-pc files over the appropriate links? so that afterwards i simply have: common-account common-auth common-password common-session
Basically yes. pam-config only modifies the common-xxx-pc files, but the actual config is read from common-xxx. If the latter are not symlinks to common-xxx-pc, the actual config will not be changed automatically (and pam-config will even bail out if it notices this). But again, this is only necessary if you have some custom PAM configuration that you don't want to be changed automatically.
But if you don't have a very specific need to use pam_unix2, it's probably easier to just stick to pam_unix.
i thought, i can't do this.
i assumed this by interpreting your answers in the "tumbleweed update 2015-09-24 unlock screensaver failed" thread. so maybe i misinterpreted your answers. because to my surprise it works now.
As I wrote, back then the PAM config was not changed to pam_unix automatically. So you had to either change it manually or make kcheckpass suid root (which should still work even with pam_unix, but should not be necessary in that case).
ok, it seems, that my system also works now with pam_unix.
but now i completely don't know WHY i could not login after updating pam and kscreenlocker.... and WHY it all works now after reinstalling kscreenlocker.
Well, I can only suppose something got messed up in the (automatically generated) PAM config somehow then (reinstalling kscreenlocker will regenerate the config). But I cannot tell you what and why. Kind Regards, Wolfgang -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Am 2016-05-19 um 15:58 schrieb Wolfgang Bauer:
Am Donnerstag, 19. Mai 2016, 10:48:55 schrieb Rainer Klier:
the chronology was: 1. updated pam and kscreenlocker with yast.
Why with YaST? And what packages exactly?
i always use yast2 for updating. i am used to it. i updated all packages which the post "New Tumbleweed snapshot 20160514 released!" listed as updated. and additionally the updated packages from repo "KDE:Frameworks5 / openSUSE_Factory".
Might have been caused by the order in which you installed the packages too, though.
yes. i don't remember in which order yast2 installed pam and kscreenlocker....
4. rebooted in maintenance mode and restored old pam config files.
What do you mean with "maintenance mode"?
single user mode, by adding "1" to the kernel options line in grub.
Or do you mean you logged in in text mode?
as single user mode is only text-based, yes. but i could login as root not because it was text based, but because it was single user mode.
But that was before we added the forced PAM change to pam_unix to the Plasma packages (which was done on 2015-10-23, a month later).
aha, ok.
At that point, pam_unix2 was not changed to pam_unix automatically, causing the screenlocker to fail on upgraded systems (pam_unix is the default since
ok, this was my issue back in 2015-10-23.
so, you suggest to remove the links and make normal files? so, copy the *-pc files over the appropriate links? so that afterwards i simply have: common-account common-auth common-password common-session
Basically yes. pam-config only modifies the common-xxx-pc files, but the actual config is read from common-xxx. If the latter are not symlinks to common-xxx-pc, the actual config will not be changed automatically (and pam-config will even bail out if it notices this).
aha, thanks for this info.
But again, this is only necessary if you have some custom PAM configuration that you don't want to be changed automatically.
i think i don't have this.
Well, I can only suppose something got messed up in the (automatically generated) PAM config somehow then (reinstalling kscreenlocker will regenerate the config).
yes, this sounds possible. and reinstalling kscreenlocker fixed it by generate new and working pam config files. thanks for the explanations and infos. i hope, next time pam and/or kscreenlocker become updated, i will not have a problem any more..... -- Best Regards | Freundliche Grüße | Cordialement | Cordiali Saluti | *DI Rainer Klier* Research & Development, Technical Sales Consultant -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Rainer Klier [20.05.2016 11:00]:
i don't remember in which order yast2 installed pam and kscreenlocker....
You'll find that in /var/log/zypp/history :)
Or do you mean you logged in in text mode?
as single user mode is only text-based, yes. but i could login as root not because it was text based, but because it was single user mode.
Pardon? How can you tell the difference? Did you try to log in via console while the graphical target was active, like using "Strg-Alt-F3" at the login window and logging in as root at the console? Werner --
Am 2016-05-20 um 11:15 schrieb Werner Flamme:
Rainer Klier [20.05.2016 11:00]:
i don't remember in which order yast2 installed pam and kscreenlocker....
You'll find that in /var/log/zypp/history :)
thanks.
but i could login as root not because it was text based, but because it was single user mode.
Pardon? How can you tell the difference? Did you try to log in via console while the graphical target was active, like using "Strg-Alt-F3" at the login window and logging in as root at the console?
first i rebooted normally. on the graphical kwin/sddm screen i tried to login with my account. this did not work. then i tried to logon as root in text-console after "Strg-Alt-F1" this did not work. then i rebooted into runlevel 3, and tried to logon as root. this did not work. then i rebooted into runlevel 1. this worked. -- Best Regards | Freundliche Grüße | Cordialement | Cordiali Saluti | *DI Rainer Klier* Research & Development, Technical Sales Consultant -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Fri, May 20, Rainer Klier wrote:
first i rebooted normally. on the graphical kwin/sddm screen i tried to login with my account. this did not work. then i tried to logon as root in text-console after "Strg-Alt-F1" this did not work. then i rebooted into runlevel 3, and tried to logon as root. this did not work. then i rebooted into runlevel 1. this worked.
Look in /var/log/messages at the date/time, where you tried this. There you should see some logs with "pam*", this could tell you what happend. Thorsten -- Thorsten Kukuk, Senior Architect SLES & Common Code Base SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Tuesday, May 17, 2016 1:49:05 PM CDT Rainer Klier wrote:
hi,
Am 2016-05-16 um 13:43 schrieb Ludwig Nussel:
pam (1.2.1 -> 1.3.0) pam-modules pam_ldap
after upgrading pam to 1.3.0 from tumbleweed repo and plasma workspace 5 from KDE frameworks5 repo from 5.6.3 to 5.6.4 i can't use kscreenlocker/kcheckpass any more.
i have an upgraded openSUSE x86_64 system since 12.3 and therefor i have to preserve my pam config files
common-session-pc common-password-pc common-auth-pc common-account-pc
which use pam_unix2.so instead of pam_unix.so whenever i update pam packages. i learned this from tumbleweed update 2015-09-24.
there was a thread about this in this list named "tumbleweed update 2015-09-24 unlock screensaver failed".
after updating pam today i could not even login any more.
i solved this by restoring my old pam config files.
but kscreenlocker/kcheckpass do not work any more even after this restore.
they always report "unlock failed". when starting journalctl i see: Authentication failure for rainer (invoked by uid 1000)
could it be, that kscreenlocker/kcheckpass internally rely on pam_unix.so which does not work on my machine?
i downgraded all required plasma5 packages to 5.6.3 and now it works again.
so it must have something to do with 5.6.4 versions of plasma5....
Whenever I see authentication problems on TW these days, I first check to see if my btrfs / partition has run out of space. See if that is the case with $sudo btrfs filesystem usage /
On Tue, May 17, Rainer Klier wrote:
could it be, that kscreenlocker/kcheckpass internally rely on pam_unix.so which does not work on my machine?
Why does pam_unix.so not work on your machine? There should be no reason anymore to prefer pam_unix2.so ove pam_unix.so, even if I don't like the pam_unix.so hack to workaround broken applications like kscreenlocker. That only hides the problem and is not helpful for people, which have to use something else for authentication. Development of pam_unix2.so stopped quite some time ago and will vanish in the future. Thorsten -- Thorsten Kukuk, Senior Architect SLES & Common Code Base SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Am 2016-05-20 um 11:17 schrieb Thorsten Kukuk:
On Tue, May 17, Rainer Klier wrote:
could it be, that kscreenlocker/kcheckpass internally rely on pam_unix.so which does not work on my machine?
Why does pam_unix.so not work on your machine?
in the meantime, i found out, that it works, i only thought it will not work, because of the answers ins thread "tumbleweed update 2015-09-24 unlock screensaver failed" from 2015-09-24. this seems to be a misinterpretation of answers from wolfgang from my side. so currently everything is working again, and pam uses pam_unix.so and not pam_unix2.so any more. i just don't know what caused the problem i had after updating pam and kscreenlocker, so that i could not login any more to my machine. -- Best Regards | Freundliche Grüße | Cordialement | Cordiali Saluti | *DI Rainer Klier* Research & Development, Technical Sales Consultant -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (6)
-
Chan Ju Ping -
Ludwig Nussel -
Rainer Klier -
Thorsten Kukuk -
Werner Flamme -
Wolfgang Bauer