You are not logged in.
Hi,
Today after upgrading pam I've started to see log messages like this one:
pam_systemd_home(systemd-user:account): Failed to query user record: Unit dbus-org.freedesktop.home1.service not found.
Worth noting that my home is indeed encrypted but until now I've never seen these messages. sudo operations work perfectly fine.
Nothing to worry then?
➜ $ ~ pacman -Qs pam
local/pam 1.4.0-3
PAM (Pluggable Authentication Modules) library
local/pambase 20200721.1-2
Base PAM configuration for services
Last edited by Jason P. (2020-08-19 10:38:17)
Offline
pambase 20200721.1-2 added systemd-home support. If the service is not active you will see such a message.
It is not an issue if you if you do not wish to use the service.
Offline
Thanks for the info loqs.
Aside of that, maybe is a bit noisy throwing errors in such scenarios, when something not enabled by the user will not make any difference in the actual result of the authentication process. It's a misleading message that can potentially make a user think that there's something wrong. But probably this is not the place for a discussion like this hehe.
Offline
How to disable systemd-homed and dbus-org.freedesktop.home1.service?
It's annoying everything I run sudo.
Last edited by enihcam (2020-08-20 23:39:52)
Offline
enihcam is it enabled on your system or are you just seeing the messages in the journal related to it?
Offline
I have it disabled, nevertheless I see the error messages.
➜ $ ~ systemctl status systemd-homed.service
● systemd-homed.service - Home Area Manager
Loaded: loaded (/usr/lib/systemd/system/systemd-homed.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:systemd-homed.service(8)
Offline
A fast forward question to @loqs: Is it safe to remove the "pam_systemd_home.so" record entries from the pam configuration files for the one doesnt use the "systemd-homed.service" ?
Offline
Al.Piotrowicz what do you mean by safe?
You could delete /usr/lib/security/pam_systemd_home.so without adjusting the pam stack all the pam_systemd_home.so entries are prefixed with - meaning it is not an error for the module to be missing.
/etc/pam.d/system-auth without pam_systemd_home.so
#%PAM-1.0
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth [success=1 default=ignore] pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password required pam_unix.so try_first_pass nullok shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
Edit:
pam_unix always checked byefore pam_systemd_home:
#%PAM-1.0
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth [success=2 default=ignore] pam_unix.so try_first_pass nullok
-auth [success=1 default=ignore] pam_systemd_home.so
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
account [success=1 default=ignore] pam_unix.so
-account required pam_systemd_home.so
account optional pam_permit.so
account required pam_time.so
password [success=1 default=ignore] pam_unix.so try_first_pass nullok shadow
-password required pam_systemd_home.so
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
Last edited by loqs (2020-08-21 13:54:10)
Offline
Thanks for quick reply, I meant some undesired behaviour by systemd. Im not linux expert and have had plenty of systemd glitches recently so preffered to ask at first. Now it seems clear for me.
Offline
No the messages you see are because the service is off. Removing support is returning to the old pambase which did not support pam-systemd-home by default. So you have already tested the pam stack without pam-systemd-home.
Offline
HI
editing /etc/pam.d/homed-substack like so in conjunction with above edit pam_unix always checked byefore pam_systemd_home: stops the journal errors
#%PAM-1.0
auth sufficient pam_unix.so try_first_pass nullok
-auth sufficient pam_systemd_home.so suspend=true
auth [success=bad] pam_permit.so
account sufficient pam_unix.so
-account sufficient pam_systemd_home.so suspend=true
account required pam_deny.so
Last edited by cirrus (2020-08-22 14:52:10)
Ancestoral Clan https://cirrus.freevar.com/mclean.html
Offline
Yes, that stopped the incessant spamming of the logs with the message "Failed to query user record: Unit dbus-org.freedesktop.home1.service not found."
It is still triggered whenever there's a authentication problem, like when you type the password wrong when using sudo or in the Mate lock-screen.
That's is not a problem though, as it's not happening that often. However, as I am never going to enable systemd-homed.service the message is completely unneeded, but there you go....
"ONLY THOSE WHO ATTEMPT THE IMPOSSIBLE WILL ACHIEVE THE ABSURD"
- Oceania Association of Autonomous Astronauts
Offline
The proposed fix from https://github.com/systemd/systemd/issues/16813 might stop the message being produced. I have not tried it.
Edit:
Changes the message to
pam_systemd_home(systemd-user:account): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Edit2:
Updated system-auth only call pam_systemd_homed if the account is managed by it due to https://bugs.archlinux.org/task/65819#comment192113
#%PAM-1.0
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth [success=2 default=ignore] pam_unix.so try_first_pass nullok
-auth [success=1 default=ignore] pam_systemd_home.so
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
account [default=1 success=ignore] pam_succeed_if.so quiet uid >= 60001 uid <= 60513
-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password [default=1 success=ignore] pam_succeed_if.so quiet uid >= 60001 uid <= 60513
-password [success=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session [default=1 success=ignore] pam_succeed_if.so quiet uid >= 60001 uid <= 60513
-session required pam_systemd_home.so
session optional pam_permit.so
Last edited by loqs (2020-08-27 04:38:45)
Offline
"Edit2" seems to work. The message is still triggered when a password is typed wrong, but I guess that is unavoidable. PAM goes through the list of modules in such a scenario I guess....?
"ONLY THOSE WHO ATTEMPT THE IMPOSSIBLE WILL ACHIEVE THE ABSURD"
- Oceania Association of Autonomous Astronauts
Offline
As pointed out https://bugs.archlinux.org/task/65819#comment192124 the range of UIDs used by systemd-home is not guaranteed to be in that range.
My edit from post #8 where pam_systemd_home is removed should achieve the result you desire.
Last edited by loqs (2020-08-27 12:00:10)
Offline
Still seeing this as well, on several "standard" installations not using systemd-homed (and not intending to).
I've seen several proposed solutions/workarounds here and in FS#65819, which one is recommended now?
Offline
None of the solutions in https://bugs.archlinux.org/task/65819 will stop the extra messages.
Th easiest solution is perhaps to use NoExtract
NoExtract=usr/lib/security/pam_systemd_home.so
Then reinstall systemd.
This works because all the pam_systemd_home entries in /etc/pam.d/system-auth are prefixed with a - while prevents failure to load the module being an error.
If you want to edit the pam configs the first solution from post #8.
Last edited by loqs (2020-09-20 20:17:48)
Offline
Thanks.
So the default config will keep this "bug" ?
Offline
I expect so.
Offline
Still reading up on systemd-homed (and so far I think I'll stay far away from it), but is simply enabling and ignoring it a solution as well? Or will it eat my kittens if I do?
Offline
Still reading up on systemd-homed (and so far I think I'll stay far away from it), but is simply enabling and ignoring it a solution as well?
Yes as the messages are caused by the service not being active.
Offline
I just tried to enable and start systemd-homed.service, but it kept flooding my logs on each and every sudo invocation because my user had not been created with it. So I used
Th easiest solution is perhaps to use NoExtract
NoExtract=usr/lib/security/pam_systemd_home.so
Then reinstall systemd.
This works because all the pam_systemd_home entries in /etc/pam.d/system-auth are prefixed with a - while prevents failure to load the module being an error.
which worked perfectly and stopped all the log flood.
Thanks!
Offline
Given the large amounts of unnecessary noise this service creates, and the limited benefit for typical systems, it would perhaps be interesting to not enable pam_systemd_home.so by default (in pambase package).
Offline
I second not enabling pam_systemd_home.so by default in any of the pambase packages. I cannot envision every needing or wanting the enabled, and I suspect that is true for a large majority of Arch installs. Just because upstream dreams something up to fit some corner-case doesn't mean that Arch needs to enable the functionality. We just split postfix into multiple packages containing non-default backends, so why not split this functionality out into a separate package and those few that will ever want it can install that package and enable the service. Far better choice than cluttering the logs on a majority of the systems that will never use it.
David C. Rankin, J.D.,P.E.
Offline
After having tried the differing solutions, I concur that having pam_unix checked first as shown in the edit to post #8 above about as simple as it gets. Simply modify the two pairs of lines shown (e.g. just move the pam_unix check before the pam_systemd_home check for 'account' and `password' sections of the file -- done. No more heinous homed message needlessly filling the journal.
David C. Rankin, J.D.,P.E.
Offline