Bug 395947

Summary:	Using pam_kwallet5.so breaks pam_mkhomedir.so
Product:	[Frameworks and Libraries] kwallet-pam	Reporter:	Bernard Gray <bernard.gray>
Component:	general	Assignee:	Plasma Bugs List <plasma-bugs>
Status:	RESOLVED FIXED
Severity:	normal	CC:	aacid, fabian, kde, kde
Priority:	NOR
Version:	5.12.4
Target Milestone:	---
Platform:	Ubuntu
OS:	Linux
Latest Commit:		Version Fixed In:
Sentry Crash Report:
Attachments:	/etc/pam.d/sddm on k/ubuntu 18.04

Description Bernard Gray 2018-06-28 05:58:58 UTC

Created attachment 113617 [details]
/etc/pam.d/sddm on k/ubuntu 18.04

Hi folks, 
I'm running k/ubuntu 18.04, and using pam to do ldap authenticated logins. As part of this process, for each user I need to create my default environment from /etc/skel/

What Happened:
When I login, the home dir is created without the contents of /etc/skel

What I expect to Happen:
When I login, the home dir is created *with* the contents of /etc/skel

How to recreate the problem:
1. Enable the pam_mkhomedir.so according to your platform requirements 
 - on ubuntu, I use a config in /usr/share/pam-configs/ and run sudo pam-auth-update to apply it to the various /etc/pam.d/common-* files
2. Login to an account that doesn't have any home dir created yet
3. Verify that files from /etc/skel/ have not been copied (.bashrc is a really obvious one)

Extra Investigation Notes:

* This came about because sddm pulls in an /etc/pam.d/sddm config (attached), which has a couple of pam_kwallet*.so entries.

* This bug report against sddm suggested a workaround which involved removing all the pam_kwallet*.so entries and adding the pam_mkhomedir entry manually (I verified this works):
  https://github.com/sddm/sddm/issues/769

* in order to verify separation from sddm, I load the pam_kwallet5.so in common-[auth,session] instead of the sddm config. I use a different display manager (gdm3) and pam_mkhomedir.so fails to run. If I disable the kwallet entries and login using gdm3, pam_mkhomedir.so runs (in gdm3 it gives you a status message).

Comment 1 Kai Uwe Broulik 2018-06-28 06:43:49 UTC


*** This bug has been marked as a duplicate of bug 392913 ***

Comment 2 Bernard Gray 2018-06-28 06:46:31 UTC

(In reply to Kai Uwe Broulik from comment #1)
> 
> *** This bug has been marked as a duplicate of bug 392913 ***


This has nothing to do with the duplicate you've marked

Comment 3 Fabian Vogt 2018-06-28 07:02:10 UTC

This should be fixed in pam_kwallet 5.13.0 - not sure why it wasn't added to Plasma/5.12.

Can you build pam_kwallet with https://cgit.kde.org/kwallet-pam.git/commit/?id=06760eed821f5383d03dc83a9a077a377ba39541 to confirm that it's fixed or try pam_kwallet 5.13.x? Should be relatively easy, pam_kwallet has no dependencies on other parts of Plasma.

Comment 4 Bernard Gray 2018-07-01 23:29:29 UTC

(In reply to Fabian Vogt from comment #3)
> This should be fixed in pam_kwallet 5.13.0 - not sure why it wasn't added to
> Plasma/5.12.
> 
> Can you build pam_kwallet with
> https://cgit.kde.org/kwallet-pam.git/commit/
> ?id=06760eed821f5383d03dc83a9a077a377ba39541 to confirm that it's fixed or
> try pam_kwallet 5.13.x? Should be relatively easy, pam_kwallet has no
> dependencies on other parts of Plasma.

Hi Fabian, 
Thanks for this tidbit - I did give it a test last week with this patch, and it has resolved the issue. My apologies for the slow reply!

Comment 5 Fabian Vogt 2018-07-02 05:46:56 UTC

It's not fixed - that commit is not in 5.12.x.

@aacid: Any reason in particular it was only submitted for 5.13?

Comment 6 Albert Astals Cid 2018-07-02 21:41:34 UTC

(In reply to Fabian Vogt from comment #5)
> It's not fixed - that commit is not in 5.12.x.
> 
> @aacid: Any reason in particular it was only submitted for 5.13?

I guess i found it to be corner case-y and not warranted a backport since there's always the risk/benefit calculation you have to do when backporting something to a LTS branch.

I've no idea how common this scenario and how "live-tested" we can say my new code is to say "yes it doesn't seem to cause regressions let's bring it to 5.12 since it's an important fix"

I guess that'd would be more a question for the Plasma maintainers than for me, I really don't follow the Plasma development much and don't know what are the guidelines for backporting patches.

Comment 7 Bernard Gray 2018-07-02 23:12:35 UTC

(In reply to Albert Astals Cid from comment #6)
> (In reply to Fabian Vogt from comment #5)
> > It's not fixed - that commit is not in 5.12.x.
> > 
> > @aacid: Any reason in particular it was only submitted for 5.13?
> 
> I guess i found it to be corner case-y and not warranted a backport since
> there's always the risk/benefit calculation you have to do when backporting
> something to a LTS branch.
> 
> I've no idea how common this scenario and how "live-tested" we can say my
> new code is to say "yes it doesn't seem to cause regressions let's bring it
> to 5.12 since it's an important fix"

* sddm is shipping with a default config which uses pam_kwallet*.so
* I expect most enterprise deployments will use the libpam_mkhomedir.so module 

ie Most enterprise deployments shipping vanilla-ish KDE which, from my perspective of course, isn't really a corner case :P

Comment 8 Albert Astals Cid 2018-07-10 21:48:38 UTC

I understand your use case seems common to you, because it's your use case to you it happens 100% of the time, but no one reported this before.

That's why I am asking someone from the Plasma side to answer whether we want to backport this fixes or not. Pretty please?

Comment 9 Bernard Gray 2018-07-10 23:38:53 UTC

(In reply to Albert Astals Cid from comment #8)
> I understand your use case seems common to you, because it's your use case
> to you it happens 100% of the time, but no one reported this before.
 
I fully understand, I was being funny (at least, attempting to be) :P

> That's why I am asking someone from the Plasma side to answer whether we
> want to backport this fixes or not. Pretty please?

Just to confirm, are you asking me to ask the question to the plasma maintainers?
Or have you asked the question to the maintainers already?
Or are you asking if someone else knows how to ask the plasma maintainers?

Comment 10 David Edmundson 2018-07-11 08:29:16 UTC

> That's why I am asking someone from the Plasma side to answer whether we want to backport this fixes or not. Pretty please?

yes please.

Comment 11 Albert Astals Cid 2018-07-11 21:41:54 UTC

(In reply to David Edmundson from comment #10)
> > That's why I am asking someone from the Plasma side to answer whether we want to backport this fixes or not. Pretty please?
> 
> yes please.

Thanks for confirmation :)

I'm away from a computer until next week and then i have to take care of KDE Applications 18.08 branching, but it is my understanding that next Plasma 5.12 release is not until september so i should be on time for that :)

Comment 12 Albert Astals Cid 2018-07-26 22:28:53 UTC

Pushed to Plasma 5.12 branch

https://cgit.kde.org/kwallet-pam.git/commit/?h=Plasma/5.12&id=3dc73747c16f7d732e1d47a634c9e1875c3f4bfe

Comment 13 Bernard Gray 2018-08-02 23:15:28 UTC

Thanks all :)