
#1 2014-06-29 05:30:43

akkie
Member
Registered: 2014-06-29
Posts: 5

How to unlock login keyring with pam and ldap

Hi,

I've configured pam and ldap on my system and all works well. The only problem that I have is that the login keyring does not get unlocked after GDM login. Is there a solution for this problem?

Thanks,
Christian


#2 2014-06-29 12:47:50

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: How to unlock login keyring with pam and ldap

Welcome to the forums, akkie.  As for your problem, you may need to be a little more specific.

How is ldap configured?

Do you have any errors or logs you can provide?


All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.


#3 2014-06-29 17:18:52

akkie
Member
Registered: 2014-06-29
Posts: 5

Re: How to unlock login keyring with pam and ldap

Hi,

Thanks for your answer. I was not sure which of my PAM-specific files I should post, so I thought I'd ask first if someone had a similar problem.

LDAP is configured based on the arch wiki.

I've found these auth-specific log entries in the journal:

Jun 29 18:58:26 shlomo gnome-keyring-daemon[721]: couldn't allocate secure memory to keep passwords and or keys from being written to the disk
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: ### SMB: auth_callback - reusing keyring credentials: user = 'NULL', domain = 'NULL'
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: ### SMB: auth_callback - reusing keyring credentials: user = 'NULL', domain = 'NULL'
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: ### SMB: auth_callback - out: last_user = 'akkie', last_domain = 'MOHIVA'
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: ### SMB: auth_callback - out: last_user = 'akkie', last_domain = 'MOHIVA'
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: ### SMB: auth_callback - reusing keyring credentials: user = 'NULL', domain = 'NULL'
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: ### SMB: auth_callback - out: last_user = 'akkie', last_domain = 'MOHIVA'
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: ### SMB: auth_callback - reusing keyring credentials: user = 'NULL', domain = 'NULL'
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: ### SMB: auth_callback - out: last_user = 'akkie', last_domain = 'MOHIVA'
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: tdb(__NULL__): tdb_open_ex: called with name == NULL
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: tdb(__NULL__): tdb_open_ex: called with name == NULL
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: tdb(__NULL__): tdb_open_ex: called with name == NULL
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: tdb(__NULL__): tdb_open_ex: called with name == NULL
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: tdb(__NULL__): tdb_open_ex: called with name == NULL
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: tdb(__NULL__): tdb_open_ex: called with name == NULL
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: tdb(__NULL__): tdb_open_ex: called with name == NULL
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: tdb(__NULL__): tdb_open_ex: called with name == NULL
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: ### SMB: auth_callback - reusing keyring credentials: user = 'NULL', domain = 'NULL'
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: ### SMB: auth_callback - out: last_user = 'akkie', last_domain = 'MOHIVA'
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: tdb(__NULL__): tdb_open_ex: called with name == NULL
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: tdb(__NULL__): tdb_open_ex: called with name == NULL
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: tdb(__NULL__): tdb_open_ex: called with name == NULL
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: tdb(__NULL__): tdb_open_ex: called with name == NULL
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: tdb(__NULL__): tdb_open_ex: called with name == NULL
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: tdb(__NULL__): tdb_open_ex: called with name == NULL
Jun 29 18:58:26 shlomo org.gtk.vfs.Daemon[746]: tdb(__NULL__): tdb_open_ex: called with name == NULL


#4 2014-06-29 20:02:31

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: How to unlock login keyring with pam and ldap

Start with the pam files you have edited.

I've no idea of your specific setup.  I use ldap auth (with sssd) and lightdm and don't have any issues like this.  However, I haven't made any changes directly to the keyring configs, have you?



#5 2014-06-30 18:15:26

akkie
Member
Registered: 2014-06-29
Posts: 5

Re: How to unlock login keyring with pam and ldap

I've only changed the files as stated in the wiki entry.

$ cat /etc/pam.d/system-auth
#%PAM-1.0

auth      sufficient pam_ldap.so
auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_permit.so
auth      required  pam_env.so

account   sufficient pam_ldap.so
account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  sufficient pam_ldap.so
password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_ldap.so
session   optional  pam_permit.so
$ cat /etc/pam.d/su
#%PAM-1.0
auth      	sufficient    	pam_ldap.so
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required	pam_wheel.so use_uid
auth		required	pam_unix.so use_first_pass
account   	sufficient    	pam_ldap.so
account		required	pam_unix.so
session         required        pam_mkhomedir.so skel=/etc/skel umask=0022
session   	sufficient    	pam_ldap.so
session		required	pam_unix.so
$ cat /etc/pam.d/su-l
#%PAM-1.0
auth      	sufficient    	pam_ldap.so
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required	pam_wheel.so use_uid
auth		required	pam_unix.so use_first_pass
account   	sufficient    	pam_ldap.so
account		required	pam_unix.so
session         required        pam_mkhomedir.so skel=/etc/skel umask=0022
session   	sufficient    	pam_ldap.so
session		required	pam_unix.so
$ cat /etc/pam.d/system-login
#%PAM-1.0

auth       required   pam_tally.so         onerr=succeed file=/var/log/faillog
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth

account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   include    system-auth

session    optional   pam_loginuid.so
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so
session    required   pam_mkhomedir.so 	skel=/etc/skel umask=0022

I had the same issue under Funtoo with an equal setup. Maybe it's GDM related. I think I should test the setup with lightdm to see if this works.
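
An added example, not part of the original posts: a small Python model of how Linux-PAM walks the auth stack posted above, as one thing to check for this symptom. The `system-auth` and `system-login` auth lines are copied from the post; the `gdm-password` file is an assumed layout, since the thread does not show it. It shows that when `pam_ldap.so` succeeds as `sufficient`, the stack ends there and a later `pam_gnome_keyring.so` line is never called with the password.

```python
# system-auth and system-login auth lines are copied from the post above.
# "gdm-password" is an ASSUMED layout; the thread never shows that file.
PAM_FILES = {
    "system-auth": """
auth      sufficient pam_ldap.so
auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_permit.so
auth      required  pam_env.so
""",
    "system-login": """
auth       required   pam_tally.so         onerr=succeed file=/var/log/faillog
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth
""",
    "gdm-password": """
auth       include    system-login
auth       optional   pam_gnome_keyring.so
""",
}

def flatten(service, kind="auth"):
    """Expand `include` lines into one ordered list of (control, module)."""
    stack = []
    for line in PAM_FILES[service].splitlines():
        fields = line.lstrip("-").split()
        if len(fields) < 3 or fields[0] != kind:
            continue  # blank line, comment, or another management group
        if fields[1] == "include":
            stack.extend(flatten(fields[2], kind))
        else:
            stack.append((fields[1], fields[2]))
    return stack

def modules_run(service, results):
    """Modules Linux-PAM calls; `results` maps module -> success (default True)."""
    ran, failed = [], False
    for control, module in flatten(service):
        ran.append(module)
        ok = results.get(module, True)
        if not ok and control in ("required", "requisite"):
            failed = True
            if control == "requisite":
                break  # requisite failure returns immediately
        if ok and control == "sufficient" and not failed:
            break  # success ends the whole stack, even from an included file
    return ran

ldap_user = modules_run("gdm-password", {"pam_ldap.so": True})
local_user = modules_run("gdm-password", {"pam_ldap.so": False})
print("keyring module reached:", {"ldap": "pam_gnome_keyring.so" in ldap_user,
                                  "local": "pam_gnome_keyring.so" in local_user})
```

The model covers only the plain control keywords that appear in the posted files (`required`, `requisite`, `sufficient`, `optional`, `include`); bracketed `[value=action]` controls are not handled.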
