The `/etc/pam.d/lightdm` file that gets installed by portage unnecessarily duplicates a lot of the controls present in other configs. This causes problems when you need to change the core configs.

For example I installed and configured sys-auth/sssd. Doing so I put the `pam_sss.so` modules in `/etc/pam.d/system-auth`, and changed `pam_unix.so` to not be required. However the `/etc/pam.d/lightdm` config has `auth required pam_unix.so` in it instead of using the common configs. Meaning I had to change it as well.

This is what the config originally looked like:

    #%PAM-1.0
    # Block login if they are globally disabled
    auth required pam_nologin.so
    # Load environment from /etc/environment and ~/.pam_environment
    auth required pam_env.so
    # Use /etc/passwd and /etc/shadow for passwords
    auth required pam_unix.so
    # Check account is active, change password if required
    account required pam_unix.so
    # Allow password to be changed
    password required pam_unix.so
    # Setup session
    session required pam_unix.so
    session optional pam_systemd.so
    # File autogenerated by pamd_mimic in pam eclass
    auth include system-local-login
    account include system-local-login
    session include system-local-login

This is what it should look like:

    #%PAM-1.0
    auth include system-local-login
    account include system-local-login
    password include system-local-login
    session include system-local-login

Reproducible: Always

Steps to Reproduce:
1. install lightdm
2. install & configure sssd
3. try and log in to lightdm with an sssd-provided account

Actual Results:
Login failure

Expected Results:
Login success
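As an added illustration (not part of the bug report or the ebuild), a small Python lint for the condition the report describes: module lines hard-coded in a service file beside, or instead of, the shared `system-local-login` include. The two sample files are transcribed from the report with most comment lines dropped; the function and constant names are this example's own.

```python
SHARED = "system-local-login"
TYPES = ("auth", "account", "password", "session")
BLOCKING = {"required", "requisite"}  # a failure here fails the stack for that type

# Constructed from the report: the file as installed, and the proposed replacement.
ORIGINAL = """\
#%PAM-1.0
auth required pam_nologin.so
auth required pam_env.so
auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
session optional pam_systemd.so
# File autogenerated by pamd_mimic in pam eclass
auth include system-local-login
account include system-local-login
session include system-local-login
"""
PROPOSED = "#%PAM-1.0\n" + "".join(f"{t} include {SHARED}\n" for t in TYPES)


def parse_rules(text):
    """Return (type, control, target) tuples, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())  # drop comment, collapse whitespace
        mtype, _, rest = line.partition(" ")
        if rest.startswith("["):  # bracketed control such as [success=1 default=ignore]
            control, _, rest = rest.partition("]")
            control += "]"
        else:
            control, _, rest = rest.partition(" ")
        if not rest.split():
            continue  # blank, comment-only or incomplete line
        # A leading '-' on the type only silences missing-module logging.
        rules.append((mtype.lstrip("-"), control, rest.split()[0]))
    return rules


def audit(text, shared=SHARED):
    """Report direct module lines and the module types that never include `shared`."""
    rules = parse_rules(text)
    direct = [r for r in rules if r[1] not in ("include", "substack")]
    blocking = [r for r in direct if r[1] in BLOCKING]
    included = {t for t, c, tgt in rules if c in ("include", "substack") and tgt == shared}
    missing = [t for t in TYPES if t not in included]
    return {"direct": direct, "blocking": blocking, "missing_include": missing}
```

Run against the installed file, `audit` lists `auth required pam_unix.so` among the blocking entries and shows that `password` never reaches the shared stack; the proposed file produces no findings.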
Oh, version number might be helpful... x11-misc/lightdm-1.8.5
So what do you expect to happen here? The lightdm pam file comes from upstream. If you don't like it then please ask upstream to change it. We only install /etc/pam.d/lightdm-autologin ourselves. The rest of the pam files are part of the package itself.
I'm not sure why this was marked as resolved. I just tried installing the latest unstable version (1.12.2) and this issue is still present.

I somehow missed the earlier comment on 2014-11-15, but in response:
The pam files cannot be provided by upstream. Gentoo highly modifies the contents of /etc/pam. Files like `system-local-login` are not present on all distributions, thus upstream cannot make their pam files rely upon them. It is up to the distribution to modify distribution-specific settings.

Also Debian does something like what I'm proposing. Take a look at http://bazaar.launchpad.net/~lightdm-team/lightdm/trunk/view/head:/debian/lightdm.pam
Notice how they have a completely custom pam file? Notice how they've ripped out any direct references to pam_unix.so and are using their own common-* files?
(In reply to Patrick from comment #3)
> I'm not sure why this was marked as resolved. I just tried installing the
> latest unstable version (1.12.2) and this issue is still present.
>
> I somehow missed the earlier comment on 2014-11-15, but in response:
> The pam files cannot be provided by upstream. Gentoo highly modifies the
> contents of /etc/pam. Files like `system-local-login` are not present on all
> distributions, thus upstream cannot make their pam files rely upon them. It
> is up to the distribution to modify distribution-specific settings.
>
> Also Debian does something like what I'm proposing. Take a look at
> http://bazaar.launchpad.net/~lightdm-team/lightdm/trunk/view/head:/debian/lightdm.pam
> Notice how they have a completely custom pam file? Notice how they've ripped
> out any direct references to pam_unix.so and are using their own common-*
> files?

I understand your problem but /etc/pam.d/lightdm is really an upstream file. Different systems may use different authentication methods so just because

    auth include system-local-login
    account include system-local-login
    password include system-local-login
    session include system-local-login

matches your setup, it does not mean it matches what is good as the default one.

I am not very comfortable changing the default config.
(In reply to Markos Chandras from comment #4) > (In reply to Patrick from comment #3) > > I'm not sure why this was marked as resolved. I just tried installing the > > latest unstable version (1.12.2) and this issue is still present. > > > > I somehow missed the earlier comment on 2014-11-15, but in response: > > The pam files cannot be provided by upstream. Gentoo highly modifies the > > contents of /etc/pam. Files like `system-local-login` are not present on all > > distributions, thus upstream cannot make their pam files rely upon them. It > > is up to the distribution to modify distrubtion-specific settings. > > > > Also debian does something like what I'm proposing. Take a look at > > http://bazaar.launchpad.net/~lightdm-team/lightdm/trunk/view/head:/debian/ > > lightdm.pam > > Notice how they have a completely custom pam file? Notice how they've ripped > > out any direct references to pam_unix.so and are using their own common-* > > files? > > I understand your problem but /etc/pam.d/lightdm is really an upstream file. > Different systems may use different authentication methods so just because > > auth include system-local-login > account include system-local-login > password include system-local-login > session include system-local-login > > matches your setup, it does not mean it matches what it's good as the > default one. > > I am not very comfortable changing the default config Having thought about that, i assume your patch may not affect existing installations so I will be testing the following patch for a couple of days Index: lightdm-1.13.0.ebuild =================================================================== RCS file: /var/cvsroot/gentoo-x86/x11-misc/lightdm/lightdm-1.13.0.ebuild,v retrieving revision 1.1 diff -u -B -u -r1.1 lightdm-1.13.0.ebuild --- lightdm-1.13.0.ebuild 18 Nov 2014 18:46:36 -0000 1.1 +++ lightdm-1.13.0.ebuild 21 Dec 2014 19:54:34 -0000 
@@ -110,7 +110,9 @@ prune_libtool_files --all rm -rf "${ED}"/etc/init - pamd_mimic system-local-login ${PN} auth account session #372229 + # Remove existing pam file. We will build a new one. Bug #524792 + rm -rf "${ED}/etc/pam.d/${PN}" + pamd_mimic system-local-login ${PN} auth account password session #372229 dopamd "${FILESDIR}"/${PN}-autologin #390863, #423163 readme.gentoo_create_doc
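Review bot: the added `rm -rf "${ED}/etc/pam.d/${PN}"` line discards every entry of the upstream file, not only the duplicated `pam_unix.so` ones, so `pam_nologin.so`, `pam_env.so` and the optional `pam_systemd.so` session line now apply to lightdm only if `system-local-login` pulls them in; confirm that before committing and say so in the comment above the `rm`. Plain `rm -f` is enough for a single file. The replacement also covers only `${PN}`, so any other PAM file the upstream install places under /etc/pam.d keeps its hard-coded modules.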
Thanks. Will happily test the ebuild when it enters the portage tree. Just to add a supporting comment (maybe help with the uneasiness), your solution seems to be typical. The x11-misc/wdm package does exactly what your patch does. I also took a look at x11-misc/slim and x11-apps/xdm, and their pam files have nothing but the 'include system-local-login' lines as well. So this seems like the standard solution.
(In reply to Patrick from comment #6)
> Thanks. Will happily test the ebuild when it enters the portage tree.
>
> Just to add a supporting comment (maybe help with the uneasiness), your
> solution seems to be typical. The x11-misc/wdm package does exactly what
> your patch does.
> I also took a look at x11-misc/slim and x11-apps/xdm, and their pam files
> have nothing but the 'include system-local-login' lines as well. So this
> seems like the standard solution.

Thanks. Committed that to the 1.13.0 ebuild and will carry it forward to the next 1.12 and 1.13 versions.
(In reply to Patrick from comment #6)
> Thanks. Will happily test the ebuild when it enters the portage tree.
>
> Just to add a supporting comment (maybe help with the uneasiness), your
> solution seems to be typical. The x11-misc/wdm package does exactly what
> your patch does.
> I also took a look at x11-misc/slim and x11-apps/xdm, and their pam files
> have nothing but the 'include system-local-login' lines as well. So this
> seems like the standard solution.

I guess that lxdm should do the same? Seems like it just inherits what upstream has.
(In reply to Joakim Tjernlund from comment #8)
> (In reply to Patrick from comment #6)
> > Thanks. Will happily test the ebuild when it enters the portage tree.
> >
> > Just to add a supporting comment (maybe help with the uneasiness), your
> > solution seems to be typical. The x11-misc/wdm package does exactly what
> > your patch does.
> > I also took a look at x11-misc/slim and x11-apps/xdm, and their pam files
> > have nothing but the 'include system-local-login' lines as well. So this
> > seems like the standard solution.
>
> I guess that lxdm should do the same? Seems like it just inherits
> what upstream has.

Probably, but please open a separate bug. This is about lightdm.
(In reply to Markos Chandras from comment #9)
> (In reply to Joakim Tjernlund from comment #8)
> > (In reply to Patrick from comment #6)
> > > Thanks. Will happily test the ebuild when it enters the portage tree.
> > >
> > > Just to add a supporting comment (maybe help with the uneasiness), your
> > > solution seems to be typical. The x11-misc/wdm package does exactly what
> > > your patch does.
> > > I also took a look at x11-misc/slim and x11-apps/xdm, and their pam files
> > > have nothing but the 'include system-local-login' lines as well. So this
> > > seems like the standard solution.
> >
> > I guess that lxdm should do the same? Seems like it just inherits
> > what upstream has.
>
> Probably, but please open a separate bug. This is about lightdm.

Right, see https://bugs.gentoo.org/show_bug.cgi?id=533338
(In reply to Patrick from comment #3)
> I'm not sure why this was marked as resolved. I just tried installing the
> latest unstable version (1.12.2) and this issue is still present.
>
> I somehow missed the earlier comment on 2014-11-15, but in response:
> The pam files cannot be provided by upstream. Gentoo highly modifies the
> contents of /etc/pam. Files like `system-local-login` are not present on all
> distributions, thus upstream cannot make their pam files rely upon them. It
> is up to the distribution to modify distribution-specific settings.
>
> Also Debian does something like what I'm proposing. Take a look at
> http://bazaar.launchpad.net/~lightdm-team/lightdm/trunk/view/head:/debian/lightdm.pam
> Notice how they have a completely custom pam file? Notice how they've ripped
> out any direct references to pam_unix.so and are using their own common-*
> files?

There is a lightdm-greeter PAM file too. Should not that file be Gentoo adapted as well?
(In reply to Markos Chandras from comment #7)
> (In reply to Patrick from comment #6)
> > Thanks. Will happily test the ebuild when it enters the portage tree.
> >
> > Just to add a supporting comment (maybe help with the uneasiness), your
> > solution seems to be typical. The x11-misc/wdm package does exactly what
> > your patch does.
> > I also took a look at x11-misc/slim and x11-apps/xdm, and their pam files
> > have nothing but the 'include system-local-login' lines as well. So this
> > seems like the standard solution.
>
> Thanks. Committed that to the 1.13.0 ebuild and will carry it forward to
> the next 1.12 and 1.13 versions.

Using 1.13.0 at home now with MATE, works as expected.
(In reply to Joakim Tjernlund from comment #11)
> (In reply to Patrick from comment #3)
> > I'm not sure why this was marked as resolved. I just tried installing the
> > latest unstable version (1.12.2) and this issue is still present.
> >
> > I somehow missed the earlier comment on 2014-11-15, but in response:
> > The pam files cannot be provided by upstream. Gentoo highly modifies the
> > contents of /etc/pam. Files like `system-local-login` are not present on all
> > distributions, thus upstream cannot make their pam files rely upon them. It
> > is up to the distribution to modify distribution-specific settings.
> >
> > Also Debian does something like what I'm proposing. Take a look at
> > http://bazaar.launchpad.net/~lightdm-team/lightdm/trunk/view/head:/debian/lightdm.pam
> > Notice how they have a completely custom pam file? Notice how they've ripped
> > out any direct references to pam_unix.so and are using their own common-*
> > files?
>
> There is a lightdm-greeter PAM file too. Should not that file
> be Gentoo adapted as well?

Yes. I just fixed it. Thanks.
(In reply to Markos Chandras from comment #13)
> (In reply to Joakim Tjernlund from comment #11)
> > (In reply to Patrick from comment #3)
> > > I'm not sure why this was marked as resolved. I just tried installing the
> > > latest unstable version (1.12.2) and this issue is still present.
> > >
> > > I somehow missed the earlier comment on 2014-11-15, but in response:
> > > The pam files cannot be provided by upstream. Gentoo highly modifies the
> > > contents of /etc/pam. Files like `system-local-login` are not present on all
> > > distributions, thus upstream cannot make their pam files rely upon them. It
> > > is up to the distribution to modify distribution-specific settings.
> > >
> > > Also Debian does something like what I'm proposing. Take a look at
> > > http://bazaar.launchpad.net/~lightdm-team/lightdm/trunk/view/head:/debian/lightdm.pam
> > > Notice how they have a completely custom pam file? Notice how they've ripped
> > > out any direct references to pam_unix.so and are using their own common-*
> > > files?
> >
> > There is a lightdm-greeter PAM file too. Should not that file
> > be Gentoo adapted as well?
>
> Yes. I just fixed it. Thanks.

Thanks, I wonder if the mask could be removed at this point?
(In reply to Joakim Tjernlund from comment #14)
> (In reply to Markos Chandras from comment #13)
> > (In reply to Joakim Tjernlund from comment #11)
> > > (In reply to Patrick from comment #3)
> > > > I'm not sure why this was marked as resolved. I just tried installing the
> > > > latest unstable version (1.12.2) and this issue is still present.
> > > >
> > > > I somehow missed the earlier comment on 2014-11-15, but in response:
> > > > The pam files cannot be provided by upstream. Gentoo highly modifies the
> > > > contents of /etc/pam. Files like `system-local-login` are not present on all
> > > > distributions, thus upstream cannot make their pam files rely upon them. It
> > > > is up to the distribution to modify distribution-specific settings.
> > > >
> > > > Also Debian does something like what I'm proposing. Take a look at
> > > > http://bazaar.launchpad.net/~lightdm-team/lightdm/trunk/view/head:/debian/lightdm.pam
> > > > Notice how they have a completely custom pam file? Notice how they've ripped
> > > > out any direct references to pam_unix.so and are using their own common-*
> > > > files?
> > >
> > > There is a lightdm-greeter PAM file too. Should not that file
> > > be Gentoo adapted as well?
> >
> > Yes. I just fixed it. Thanks.
>
> Thanks, I wonder if the mask could be removed at this point?

No, I always keep the latest major version masked.
(In reply to Markos Chandras from comment #15)
> (In reply to Joakim Tjernlund from comment #14)
> > (In reply to Markos Chandras from comment #13)
> > Thanks, I wonder if the mask could be removed at this point?
>
> No, I always keep the latest major version masked.

Why? Is this not what the unstable keyword is for? Other packages don't use this practice.
(In reply to Patrick from comment #16)
> (In reply to Markos Chandras from comment #15)
> > (In reply to Joakim Tjernlund from comment #14)
> > > (In reply to Markos Chandras from comment #13)
> > > Thanks, I wonder if the mask could be removed at this point?
> >
> > No, I always keep the latest major version masked.
>
> Why? Is this not what the unstable keyword is for? Other packages don't use
> this practice.

Because lightdm has a tendency to break things. This is my personal decision and this bug is not the place to discuss it. I will unmask it as soon as 1.14 is out.