Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 435042 - gnome-base/gdm-3.4.1-r1[systemd]: cannot login
Summary: gnome-base/gdm-3.4.1-r1[systemd]: cannot login
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] GNOME (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Linux Gnome Desktop Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-14 16:03 UTC by Alexander E. Patrakov
Modified: 2013-01-26 16:24 UTC (History)
9 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Greeter log (:0-greeter.log,15.11 KB, text/plain)
2012-09-15 13:03 UTC, Alexander E. Patrakov
Details
Slave log (:0-slave.log,275 bytes, text/plain)
2012-09-15 13:04 UTC, Alexander E. Patrakov
Details
tar.gz of all my pam files, just in case (pam.d.tar.gz,2.83 KB, application/x-gzip)
2012-09-15 13:06 UTC, Alexander E. Patrakov
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander E. Patrakov 2012-09-14 16:03:35 UTC
There is a regression introduced in gnome-base/gdm-3.4.1-r1 and not present in gnome-base/gdm-3.4.1, leading to inability to login via gdm, at all, with the correct username and password. Removing the pam_systemd line from /etc/pam.d/gdm-password fixes it for me, but I don't know why. I do use systemd.

Also I wonder why pam_loginuid is not used.

Reproducible: Always

Steps to Reproduce:
1. Click your username in gdm
2. Enter the correct password

Actual Results:  
gdm returns to the user selection screen, without any delay

Expected Results:  
gdm should have started a gnome session or whatever the user selected

aep-desktop ~ # emerge -pv gdm pambase

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] sys-auth/pambase-20120417-r1  USE="cracklib gnome-keyring sha512 systemd -consolekit -debug -minimal -mktemp -pam_krb5 -pam_ssh -passwdqc (-selinux)" 0 kB
[ebuild   R    ] gnome-base/gdm-3.4.1-r1  USE="fallback gnome-keyring gnome-shell introspection ipv6 ldap systemd tcpd xinerama xklavier -accessibility -audit -consolekit -debug -fprint -plymouth (-selinux) -smartcard -test" 0 kB

Total: 2 packages (2 reinstalls), Size of downloads: 0 kB

aep-desktop ~ # emerge --info
Portage 2.1.11.16 (default/linux/x86/10.0/desktop/gnome, gcc-4.6.3, glibc-2.15-r2, 3.5.0-gentoo i686)
=================================================================
System uname: Linux-3.5.0-gentoo-i686-Intel-R-_Core-TM-_i3_CPU_M_370_@_2.40GHz-with-gentoo-2.2
Timestamp of tree: Thu, 13 Sep 2012 03:15:01 +0000
app-shells/bash:          4.2_p37
dev-java/java-config:     2.1.12
dev-lang/python:          2.7.3-r2, 3.2.3-r1
dev-util/cmake:           2.8.9
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.10.5
sys-apps/sandbox:         2.6
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.9.6-r3, 1.11.6, 1.12.3
sys-devel/binutils:       2.22.90
sys-devel/gcc:            4.5.4, 4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.5 (virtual/os-headers)
sys-libs/glibc:           2.15-r2
Repositories: gentoo x-portage renpy-games
ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=core2 -pipe -fno-strict-aliasing -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=core2 -pipe -fno-strict-aliasing -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -march=i686 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch xattr"
FFLAGS="-O2 -march=i686 -pipe"
GENTOO_MIRRORS="http://mirror.yandex.ru/gentoo-distfiles http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LANG="ru_RU.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/local/gentoo-renpy-games"
SYNC="rsync://mirror.yandex.ru/gentoo-portage"
USE="X a52 aac acl acpi alsa amr avahi bash-completion berkdb bluetooth bluray branding bzip2 cairo cdda cddb cdr cjk cli colord cracklib crypt cups cxx dbus djvu dri dts dvd dvdr eds emboss encode evo exif ffmpeg firefox flac fontconfig fortran gdbm gif gnome gnome-keyring gnome-online-accounts gphoto2 gstreamer gtk gtk3 iconv icu idn introspection ipv6 jack jpeg lcms ldap libnotify mad matroska mmx mmxext mng modules mp3 mp4 mpeg mudflap musepack nautilus ncurses networkmanager nls nptl ogg opengl openmp pam pango pcre pdf png policykit ppds pppd pulseaudio qt3support readline scanner sdl session socialweb spell sse sse2 sse3 ssl ssse3 startup-notification svg systemd tcpd theora tiff truetype udev udisks unicode upnp upower usb v4l v4l2 vaapi vim-syntax vorbis wavpack webkit wxwidgets x264 x86 xattr xcb xface xinerama xml xv xvid zeitgeist zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" DRACUT_MODULES="crypt lvm systemd" DVB_CARDS="tda10046lifeview" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" QEMU_SOFTMMU_TARGETS="x86_64 arm cris i386 m68k microblaze mips mips64 mips64el mipsel ppc ppc64 ppcemb sh4 sh4eb sparc sparc64" QEMU_USER_TARGETS="alpha arm armeb cris i386 m68k microblaze mips mipsel ppc ppc64 ppc64abi32 sh4 sh4eb sparc sparc32plus sparc64 x86_64" RUBY_TARGETS="ruby18 ruby19" SANE_BACKENDS="gt68xx" USERLAND="GNU" VIDEO_CARDS="intel nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7 2.7-pypy-1.9 3.2"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-09-14 18:00:48 UTC
And for other systemd users, without the pam_systemd line, gnome-shell crashes immediately after login :(
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-09-14 18:09:45 UTC
Please attach the /var/log/gdm/:0-greeter.log and /var/log/gdm/:0-slave.log that are generated after a failed login with gdm-3.4.1-r1.
Comment 3 Alexander E. Patrakov 2012-09-15 13:03:52 UTC
Created attachment 323880 [details]
Greeter log
Comment 4 Alexander E. Patrakov 2012-09-15 13:04:11 UTC
Created attachment 323882 [details]
Slave log
Comment 5 Alexander E. Patrakov 2012-09-15 13:06:04 UTC
Created attachment 323884 [details]
tar.gz of all my pam files, just in case
Comment 6 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-09-15 18:36:18 UTC
There doesn't seem to be anything suspicious in the log.

@systemd, any suggestions for what might be going wrong and how gdm should use pam_systemd?
Comment 7 Ulenrich 2012-09-17 13:50:46 UTC
@Patrakov your pam.d/gdm doesnt use provided pam.d/system-xxx

For me kdm starting a kde session without consolekit works as follows:
/etc/pam.d/kde
---
#%PAM-1.0
auth       include      system-local-login
account    include      system-local-login
password   include      system-local-login
session    include      system-local-login
---

/etc/pam.d/system-local-login just redirects for now
---
auth		include		system-login
account		include		system-login
password	include		system-login
session		include		system-login
---
/etc/pam.d/system-login
---
auth		required	pam_shells.so 
auth		required	pam_nologin.so 
auth		include		system-auth
 				
account		required	pam_access.so 
account		required	pam_nologin.so 
account		include		system-auth
 
password	include		system-auth
 
session         optional        pam_loginuid.so
session		required	pam_env.so 
session		include		system-auth
-session	optional	pam_systemd.so
---
The last one of mine is less than yours, I dont have gnome-keyring
Comment 8 Ulenrich 2012-09-17 14:00:06 UTC
@Patrakov, I just see you have additional cracklib 
enabled in /etc/pam.d/system-auth, mine is more simple:
---
auth		required	pam_env.so 
auth		required	pam_unix.so try_first_pass likeauth nullok 
auth		optional	pam_permit.so
 
account		required	pam_unix.so 
account		optional	pam_permit.so
 
password	required	pam_unix.so try_first_pass  nullok sha512 shadow 
password	optional	pam_permit.so
 
session		required	pam_limits.so 
session		required	pam_env.so 
session		optional	pam_mktemp.so
session		required	pam_unix.so 
session		optional	pam_permit.so
---
I have additional pam_mktemp, which might be obsolete with systemd....
Comment 9 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-09-18 09:10:49 UTC
I've installed systemd on one of my machines and found a way to reproduce the problem. I believe the solution is to add pam_systemd to gdm-welcome.

Please check whether the following fixes the gdm login problem (assuming you have pambase[systemd] and gdm[systemd]):

/etc/pam.d/gdm-welcome :
#%PAM-1.0
auth       required    pam_env.so
-auth      sufficient  pam_ldap.so try_first_pass ignore_authinfo_unavail
auth       required    pam_permit.so
account    required    pam_nologin.so
account    include     system-services
password   include     system-services
session    optional    pam_loginuid.so
session    optional    pam_keyinit.so force revoke
session    include     system-services
-session   optional    pam_systemd.so

/etc/pam.d/gdm-password :
#%PAM-1.0
auth       include     system-local-login
account    include     system-local-login
password   include     system-local-login
session    include     system-local-login
Comment 10 David Hicks 2012-09-18 14:06:58 UTC
For gnome-overlay ~amd64 I can confirm that adding pam_systemd as optional to /etc/pam.d/gdm-launch-environment resolves the login issue.

I have USE="systemd -consolekit" set globally and use the latest ebuilds from gnome overlay.
Comment 11 Jean-Marc Hengen 2012-09-19 07:07:02 UTC
I had the same problem as described in this bug. I can confirm that adding pam_systemd.so to gdm-welcome AND removing it from gdm-password solved the problem for me.

Somehow related to that, most of the pam_systemd.so lines in /etc/pam.d/gdm* configurations started with a '-' (minus) character e.g.:
  -session   optional    pam_systemd.so
As I could not figure out, what's their role or if it's a bug, I removed them during debugging. It works for me without those '-' (minus) characters. Concerned files:
  /etc/pam.d/gdm
  /etc/pam.d/gdm-autologin
  /etc/pam.d/gdm-fingerprint
  /etc/pam.d/gdm-password
  /etc/pam.d/gdm-smartcard
If I should open an extra bug for this issue, let me know, I'm happy to do so.

If additional information is required, I'm happy to provide it.
Comment 12 Jean-Marc Hengen 2012-09-19 07:16:30 UTC
(In reply to comment #11)
> Somehow related to that, most of the pam_systemd.so lines in /etc/pam.d/gdm*
> configurations started with a '-' (minus) character e.g.:
>   -session   optional    pam_systemd.so
Reading again the pam-d man page I found the role of the '-' (minus) character. It's about logging. Sorry for the noise :-(
Comment 13 Alexander E. Patrakov 2012-09-19 13:02:38 UTC
Adding "session optional pam_systemd.so" to gdm-welcome after pam_loginuid.so does not help here.
Comment 14 David Hicks 2012-09-19 13:53:49 UTC
Alex, do you have kernel option CONFIG_AUDIT_LOGINUID_IMMUTABLE enabled?

pam_loginuid.so is required by default and gdm will fail if the above kernel option is enabled. systemd is (I think) supposed to set the loginuid process attribute from a root user account thus avoiding issues with CONFIG_AUDIT_LOGINUID_IMMUTABLE being set. If CONFIG_AUDIT_LOGINUID_IMMUTABLE is enabled, make pam_loginuid.so optional in /etc/pam.d/* to get gdm working again.
Comment 15 Alexander E. Patrakov 2012-09-19 14:50:17 UTC
Yes, I have that kernel option, and yes, adding "session optional pam_loginuid.so" as a first line of the "session" section in all gdm-related pam files helps. No need to comment out pam_systemd.so.
Comment 16 Alexander E. Patrakov 2012-09-20 17:04:03 UTC
The fix is incomplete. While it allows me to login, it does not work the second time. I.e.:

1. Log in using the correct username and password => success
2. Log out => success
3. Click your username again => see that gdm doesn't even list session types anymore
4. Type your password => it does not let you in, returns to the screen where you can select a user name.
Comment 17 Bernd Feige 2012-09-20 17:15:32 UTC
Same here.
I found the reason is that some processes (most notably /usr/bin/pulseaudio) remain after logout and apparently keep the session alive, so that gdm doesn't start a new session. Killing these processes allows logging in again.
Best regards,
Bernd
Comment 18 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-09-20 17:56:54 UTC
(In reply to comment #17)
> Same here.
> I found the reason is that some processes (most notably /usr/bin/pulseaudio)
> remain after logout and apparently keep the session alive, so that gdm
> doesn't start a new session. Killing these processes allows logging in again.

What versions of systemd do you have, and with what USE flags? Please check that pulseaudio and pambase were built with USE=systemd, and that you have CONFIG_CGROUPS=y in your kernel config.
Comment 19 Bernd Feige 2012-09-20 19:17:13 UTC
(In reply to comment #18)
> (In reply to comment #17)
> > Same here.
> > I found the reason is that some processes (most notably /usr/bin/pulseaudio)
> > remain after logout and apparently keep the session alive, so that gdm
> > doesn't start a new session. Killing these processes allows logging in again.
> 
> What versions of systemd do you have, and with what USE flags? Please check
> that pulseaudio and pambase were built with USE=systemd, 

emerge -pv systemd pulseaudio pambase

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] sys-apps/systemd-189-r3  USE="acl lzma pam tcpd -audit -cryptsetup -gcrypt -qrcode (-selinux)" 0 kB
[ebuild   R    ] media-sound/pulseaudio-2.1-r1  USE="X alsa asyncns caps dbus gdbm glib gnome gtk ipv6 jack libsamplerate orc ssl systemd tcpd udev webrtc-aec -avahi -bluetooth -doc -equalizer -lirc (-oss) -realtime (-system-wide) {-test} -xen" 0 kB
[ebuild   R    ] sys-auth/pambase-20120417-r1  USE="consolekit cracklib gnome-keyring sha512 systemd -debug -minimal -mktemp -pam_krb5 -pam_ssh -passwdqc (-selinux)" 0 kB

> and that you have
> CONFIG_CGROUPS=y in your kernel config.

CONFIG_CGROUPS=y
# CONFIG_CGROUP_DEBUG is not set
# CONFIG_CGROUP_FREEZER is not set
# CONFIG_CGROUP_DEVICE is not set
# CONFIG_CPUSETS is not set
# CONFIG_CGROUP_CPUACCT is not set
# CONFIG_RESOURCE_COUNTERS is not set
# CONFIG_CGROUP_PERF is not set
CONFIG_CGROUP_SCHED=y
CONFIG_FAIR_GROUP_SCHED=y
# CONFIG_CFS_BANDWIDTH is not set
CONFIG_RT_GROUP_SCHED=y
CONFIG_BLK_CGROUP=y

...

CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_AUDIT_LOGINUID_IMMUTABLE=y

Regards,
Bernd
Comment 20 David Hicks 2012-09-22 10:18:45 UTC
I forgot that you also need to modify /usr/bin/gdm to replace:

gdm-binary &

With just:

gdm-binary

systemd already starts the gdm service asynchronously via gdm.service.




If using pulseaudio you'll also need to edit /usr/bin/start-pulseaudio-x11 and comment out the following line:

/usr/bin/pactl load-module module-x11-publish "display=$DISPLAY" > /dev/null

When gdm first launches, pulseaudio is spawned and will write session IDs for the gdm user into the X root window properties. If you try to login with an actual user, pulseaudio will try to respawn under the real user account but will mistakenly try to use the session IDs obtained from the X root window -- the session IDs of the "gdm" user for which the real user does not have access to use.
Comment 21 David Hicks 2012-09-22 10:26:16 UTC
One more comment I forgot --

systemd's graphical.target will try to launch display-manager.service that doesn't exist in Gentoo.

The correct fix is probably to implement eselect-display-manager which switches symlinks between a GDM display-manager.service, KDE display-manager.service, etc as the user selects.

A quick hack is to edit /usr/lib/systemd/system/graphical.target and change display-manager.service to gdm.service.
Comment 22 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2012-09-22 15:41:57 UTC
(In reply to comment #21)
> One more comment I forgot --
> 
> systemd's graphical.target will try to launch display-manager.service that
> doesn't exist in Gentoo.
> 
> The correct fix is probably to implement eselect-display-manager which
> switches symlinks between a GDM display-manager.service, KDE
> display-manager.service, etc as the user selects.
> 
> A quick hack is to edit /usr/lib/systemd/system/graphical.target and change
> display-manager.service to gdm.service.

Please stop over-engineering things.

The correct way is to have:

  [Install]
  Alias=display-manager.service

and then 'systemctl enable gdm.service' will create an appropriate symlink. Not that they are just stupid and inventing the same thing as graphical.target did...
Comment 23 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-09-22 22:41:58 UTC
Pulseaudio maintainers, please take a look at comment 17 and comment 20.

What changes should gdm and pulseaudio add to fix the problem?
Comment 24 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-09-27 09:00:05 UTC
Please test whether gdm-3.4.1-r2 fixes the login issues
Comment 25 Jean-Marc Hengen 2012-09-28 13:30:41 UTC
(In reply to comment #24)
> Please test whether gdm-3.4.1-r2 fixes the login issues

Works for me.
Comment 26 Alexander E. Patrakov 2012-09-28 13:47:58 UTC
Works for me during the first login, doesn't work for the second.
Comment 27 Bernd Feige 2012-09-28 13:49:47 UTC
(In reply to comment #24)
> Please test whether gdm-3.4.1-r2 fixes the login issues

For me, with systemd-192/udev-192 now, pulseaudio-2.1-r1 still remains active after logout but now at least disappears after 20s, as advertised. So if I wait a while after logging out, I can log in again. Note that strangely this behavior is somewhat instable, since I sometimes managed to log in directly after logging out.

Another rather strange observation is this: When I used gnome-session-properties to disable autostart of gnome-keyring-secrets, a process "/usr/bin/gnome-keyring-daemon --start --foreground --components=secrets" remained running after logout and likewise impeded a new login. While pulseaudio, as described, disappeared after 20s together with its gconf-helper, this process remained running. So there's a difference between autostarted and started-on-demand processes which shouldn't be there. [pulseaudio.desktop is not disabled BTW]

Re. Comment #20 (David Hicks): /usr/bin/gdm is a symlink to /usr/sbin/gdm-binary here. Also whether or not module-x11-publish is loaded in /usr/bin/start-pulseaudio-x11 did not make a difference.

Anyway, in a more-or-lessish way gdm-3.4.1-r2 works for me too.
Thanks and regards,
Bernd
Comment 28 Alexander E. Patrakov 2012-09-28 13:58:48 UTC
I must add that, for me, not only pulseaudio lingers after user logout, but also gconf-helper.
Comment 29 Alexander E. Patrakov 2012-09-28 14:09:47 UTC
Also I will consider this bug only hidden, not fixed, if pulseaudio is modified to stop lingering. It is a bug in GDM that it allows one misbehaving process in the previous session (today pulseaudio, tomorrow, let's say, flash-plugin) to subvert further logins.
Comment 30 Alexander E. Patrakov 2012-09-28 14:22:36 UTC
I have created bug 436506 to track the "pulseaudio lingers after logout" issue. Let's use bug 435042 (i.e. this bug) for the issue that a lingering process (not necessarily pulseaudio) can subvert further logins via gdm.
Comment 31 Martin Wegner 2012-09-28 15:03:00 UTC
As a sidenote, the pam.d files installed by gdm-3.4.1-r2 prevent sys-libs/pam-1.1.6 from being (r)emerged:

 * Your current setup is using one or more of the following modules,
 * that are not built or supported anymore:
 * pam_pwdb, pam_console
 * If you are in real need for these modules, please contact the maintainers
 * of PAM through http://bugs.gentoo.org/ providing information about its
 * use cases.
 * Please also make sure to read the PAM Upgrade guide at the following URL:
 *   http://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml

 * ERROR: sys-libs/pam-1.1.6 failed (preinst phase):
 *   deprecated PAM modules still used
 * 
 * Call stack:
 *     ebuild.sh, line  89:  Called pkg_preinst
 *   environment, line 3303:  Called die
 * The specific snippet of code:
 *       check_old_modules || die "deprecated PAM modules still used"


# grep pam_pwdb /etc/pam.d/*
# grep pam_console /etc/pam.d/*
/etc/pam.d/gdm:session    optional    pam_console.so
# equery belongs /etc/pam.d/gdm
 * Searching for /etc/pam.d/gdm ... 
gnome-base/gdm-3.4.1-r2 (/etc/pam.d/gdm)

So I think the pam_console line should be eradicated.
Comment 32 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-09-29 06:05:51 UTC
(In reply to comment #31)

You are right; fixed in 3.4.1-r3.

>*gdm-3.4.1-r3 (29 Sep 2012)
>
>  29 Sep 2012; Alexandre Rostovtsev <tetromino@gentoo.org>
>  -gdm-3.4.1-r2.ebuild, +gdm-3.4.1-r3.ebuild:
>  Do not install old /etc/pam.d/gdm file, it blocks sys-libs/pam from emerging
>  (bug #435042, thanks to Martin Wegner).
Comment 33 Gilles Dartiguelongue gentoo-dev 2012-11-28 23:41:42 UTC
Adjusting severty, systemd isn't really a recommended option for now and there 
is no point in having this more critical than critical stuff.
Comment 34 Alexander E. Patrakov 2012-12-12 16:33:51 UTC
I cannot call this a responsible maintainership of the involved packages.

By this time, I'd expect from the real maintainer:

1) Finding the guilty party among gdm, systemd, pam and possibly other packages.
2) Forwarding the report to the correct upstream (or, failing (1), to at least _some_ upstream).
3) Putting the upstream bug/discussion URL into the URL field.

However, since you are not going to do this due to more critical stuff, please at least mask the guilty USE flags so that other users don't step on this still-unfixed bug.

Additional information that can help: if I deliberately introduce a lingering process (e.g. tmux) into the session, then systemd-cgls (from root login via getty) shows that the cgroup still exists, and loginctl shows that the corresponding session is in the "closing" state.
Comment 35 Gilles Dartiguelongue gentoo-dev 2013-01-22 22:42:50 UTC
Please try with gdm-3.6.
Comment 36 Bernd Feige 2013-01-23 14:11:17 UTC
(In reply to comment #35)
> Please try with gdm-3.6.

Here, gnome-base/gdm-3.6.2 lets me login whether or not pulseaudio and its gconf helper are running. So it appears to work correctly now.
Comment 37 Gilles Dartiguelongue gentoo-dev 2013-01-23 23:12:58 UTC
ok, I'll close it as fixed then. Thanks for the update.
Comment 38 Alexander E. Patrakov 2013-01-26 16:24:00 UTC
Fixed indeed.