Using pam_mount and pam_kwallet

(Resending, as the first mail does not seem to be on the list)

I installed a machine with KDE, configured pam_kwallet (to open KDE's password 
safe automatically when logging in) and it worked.

Then I moved /home onto an encrypted partition and configured pam_mount to 
automatically decrypt/mount /home when logging in and it worked mostly. The 
remaining part is that /home should be unmounted when logging off, which does 
not work currently (but that's not the reason for this mail).

Unfortunately, if the now encrypted /home partition is not mounted when 
logging in, the wallet does not get opened. When logging off and logging in 
again (remember: /home is still mounted after logging off), the wallet gets 
opened.

So both PAM modules work separately; only if they both have to work, 
pam_kwallet fails.

I read the Linux-PAM System Administrators' Guide, but I am lacking an idea 
how to debug this problem. Has anyone an idea what I should do to find the 
root of the problem?

My wild guess would be that either pam_kwallet needs access to its home 
directory, which it gets too late if pam_mount has to mount the file system, 
or that pam_mount has to succeed (or fail?) so that pam_kwallet works.

I already activated debugging in pam_mount (setting "<debug enable="1" />" in 
/etc/security/pam_mount.conf.xml (why XML?)), but I do not know how to enable 
debugging in pam_kwallet.

The log of the first (unsuccessful for kwallet) login:
> 23:24:57: (pam_mount.c:365): pam_mount 2.14: entering auth stage
> 23:24:57: (pam_mount.c:365): pam_mount 2.14: entering auth stage
> 23:24:57: pam_kwallet(lightdm:auth): pam_sm_authenticate
> 23:25:00: pam_unix(lightdm-greeter:session): session closed for user lightdm
> 23:25:00: pam_kwallet(lightdm:setcred): pam_sm_setsecred
> 23:25:00: pam_unix(lightdm:session): session opened for user pat by (uid=0)
> 23:25:00: (pam_mount.c:568): pam_mount 2.14: entering session stage
> 23:25:00: (pam_mount.c:568): pam_mount 2.14: entering session stage
> 23:25:00: (pam_mount.c:441): pmvarrun says login count is 2
> 23:25:00: (pam_mount.c:660): done opening session (ret=0)
> 23:25:00: pam_kwallet(lightdm:session): pam_sm_open_session
> 23:25:00: pam_kwallet(lightdm:session): pam-kwallet: final socket path:
> 23:25:00: /tmp//pat.socket (pam_mount.c:441): pmvarrun says login count is 2
> 23:25:00: (pam_mount.c:660): done opening session (ret=0)

The log of the first (successful for kwallet) login:
> 23:27:59: (pam_mount.c:365): pam_mount 2.14: entering auth stage
> 23:27:59: (pam_mount.c:365): pam_mount 2.14: entering auth stage
> 23:27:59: pam_kwallet(lightdm:auth): pam_sm_authenticate
> 23:28:02: pam_unix(lightdm-greeter:session): session closed for user lightdm
> 23:28:02: pam_kwallet(lightdm:setcred): pam_sm_setsecred
> 23:28:02: pam_unix(lightdm:session): session opened for user pat by (uid=0)
> 23:28:02: (pam_mount.c:568): pam_mount 2.14: entering session stage
> 23:28:02: (pam_mount.c:568): pam_mount 2.14: entering session stage
> 23:28:07: (pam_mount.c:522): mount of /dev/sda5 failed
> 23:28:07: (pam_mount.c:441): pmvarrun says login count is 2
> 23:28:07: (pam_mount.c:660): done opening session (ret=0)
> 23:28:07: pam_kwallet(lightdm:session): pam_sm_open_session
> 23:28:07: pam_kwallet(lightdm:session): pam-kwallet: final socket path:
> 23:28:07: /tmp//pat.socket (pam_mount.c:522): mount of /dev/sda5 failed
> 23:28:07: (pam_mount.c:441): pmvarrun says login count is 2
> 23:28:07: (pam_mount.c:660): done opening session (ret=0)

I diffed them and there are only two differences. First, the successful login 
contains the lines "mount [...] failed" two times. Second, the time stamps 
contain a 5 second delay in the successful login (probably due to the failed 
mount - the mounting has to fail, as it is already mounted).

That's where I did not have further ideas. So if anyone has input, that would 
be highly welcome.

Kind regards
Patrick

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
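
Added example, not part of the original mail: a small Python helper that repeats the comparison described above by stripping timestamps before diffing and measuring the delay between pam_mount entering the session stage and pam_kwallet's `pam_sm_open_session`. The two inputs are session-stage excerpts of the logs in the mail with one copy of each duplicated line kept; the function names are hypothetical.

```python
import difflib
import re
from datetime import datetime

# Excerpts of the two logs quoted in the mail (session stage only, duplicates dropped).
FAILED_KWALLET = """\
23:25:00: (pam_mount.c:568): pam_mount 2.14: entering session stage
23:25:00: (pam_mount.c:441): pmvarrun says login count is 2
23:25:00: (pam_mount.c:660): done opening session (ret=0)
23:25:00: pam_kwallet(lightdm:session): pam_sm_open_session
"""
WORKING_KWALLET = """\
23:28:02: (pam_mount.c:568): pam_mount 2.14: entering session stage
23:28:07: (pam_mount.c:522): mount of /dev/sda5 failed
23:28:07: (pam_mount.c:441): pmvarrun says login count is 2
23:28:07: (pam_mount.c:660): done opening session (ret=0)
23:28:07: pam_kwallet(lightdm:session): pam_sm_open_session
"""

LINE = re.compile(r"^(?:>\s*)?(\d\d:\d\d:\d\d): (.*)$")

def parse(log):
    """Return [(timestamp, message)] per well-formed line; tolerates '> ' quoting."""
    out = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            out.append((datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2)))
    return out

def message_diff(a, b):
    """Diff the messages with timestamps stripped, so only content changes remain."""
    ma = [msg for _, msg in parse(a)]
    mb = [msg for _, msg in parse(b)]
    return [d for d in difflib.ndiff(ma, mb) if d[:2] in ("+ ", "- ")]

def stage_gap(log, start_marker, end_marker):
    """Seconds from the first start_marker line to the next end_marker line (same day)."""
    entries = parse(log)
    start = next(t for t, m in entries if start_marker in m)
    end = next(t for t, m in entries if end_marker in m and t >= start)
    return int((end - start).total_seconds())

if __name__ == "__main__":
    print(message_diff(FAILED_KWALLET, WORKING_KWALLET))
    for name, log in (("failed", FAILED_KWALLET), ("working", WORKING_KWALLET)):
        print(name, stage_gap(log, "entering session stage", "pam_sm_open_session"), "s")
```
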



