Thread: PolicyKit fails with systemsettings5,NetworkManager,ssh (and more?)

  1. #1

    PolicyKit fails with systemsettings5,NetworkManager,ssh (and more?)

    Hi,
    It looks like authentication through PolicyKit, which is used by many apps to authenticate, is thoroughly broken. It manifests as rejection of valid root passwords when changes need to be made. Examples:

    1. NetworkManager. Changing connections is impossible as the root password is rejected.
    2. systemsettings5. Changing the SDDM login screen is impossible as the root password is rejected.
    3. SSH. When you ssh into the Tumbleweed box and then try to do "su -", the root password is rejected.

    All relevant packages are updated as of 20190616:
    polkit version: 0.115-5.3
    gnome-keyring: 3.31.91-1.3
    gnome-keyring-pam: 3.31.91-1.3
    pam-ssh: 2.3-1.4
    pam: 1.3.1-3.4


    Does anybody know if this is a royal screw-up somewhere upstream, a packager's problem, or does it look more like updates messed up some config files? Any known fixes for that?

    Essentially, as it is now, my Tumbleweed box can be managed only by grabbing the keyboard connected to the box and logging in as root.

    I am also running a separate Leap 15.1 box and it is doing fine so far after a smooth upgrade from Leap 15.0.



    The culprit seems to be this message "gkr-pam: unable to locate daemon control file"

    Here are systemd journal snippets for NetworkManager:
    Jun 16 12:37:30 somehost polkitd[1719]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.freedesktop.NetworkManager.settings.modify.system for unix-process:11562:4768409 [/usr/bin/kcmshell5 kcm_networkmanagement.desktop] (own>
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Finish obtain authorization: false
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Finishing obtaining privileges
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Finish obtain authorization: false
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: polkit_qt_listener_initiate_authentication_finish callback for 0x559c593ca4a0
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Listener adapter polkit_qt_listener_initiate_authentication_finish
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Finishing obtaining privileges
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Completed: false
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: COMPLETED
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Dialog cancelled
    Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: "Password: "
    Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: Request: "Password: "
    Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: REQUEST
    Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: Trying again
    Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: Finishing obtaining privileges
    Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: Completed: false
    Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: COMPLETED
    Jun 16 12:37:21 somehost polkit-agent-helper-1[11570]: pam_unix(polkit-1:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser=root rhost= user=root
    Jun 16 12:37:21 somehost unix_chkpwd[11575]: password check failed for user (root)
    Jun 16 12:37:21 somehost unix_chkpwd[11575]: check pass; user unknown
    Jun 16 12:37:21 somehost polkit-agent-helper-1[11570]: pam_kwallet5(polkit-1:auth): (null): pam_sm_authenticate
    Jun 16 12:37:21 somehost polkit-agent-helper-1[11570]: gkr-pam: unable to locate daemon control file
    Jun 16 12:37:21 somehost polkit-kde-authentication-agent-1[4302]: Dialog accepted
    Jun 16 12:37:07 somehost polkit-kde-authentication-agent-1[4302]: "Password: "
    Jun 16 12:37:07 somehost polkit-kde-authentication-agent-1[4302]: Request: "Password: "
    Jun 16 12:37:07 somehost polkit-kde-authentication-agent-1[4302]: REQUEST
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Trying again
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: WinId of the shown dialog is 39845921 39845921
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: WinId of the dialog is 39845921 39845921
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Action description has been found
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Message of action: "System policy prevents modification of network settings for all users"
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Initiating authentication
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: polkit_qt_listener_initiate_authentication callback for 0x559c593ca4a0
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: GSimpleAsyncResult: 0x559c59afd4b0
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Listener adapter polkit_qt_listener_initiate_authentication


    Here are systemd journal snippets for systemsettings5:
    Jun 16 12:37:30 somehost polkitd[1719]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.freedesktop.NetworkManager.settings.modify.system for unix-process:11562:4768409 [/usr/bin/kcmshell5 kcm_networkmanagement.desktop] (own>
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Finish obtain authorization: false
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Finishing obtaining privileges
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Finish obtain authorization: false
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: polkit_qt_listener_initiate_authentication_finish callback for 0x559c593ca4a0
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Listener adapter polkit_qt_listener_initiate_authentication_finish
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Finishing obtaining privileges
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Completed: false
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: COMPLETED
    Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Dialog cancelled
    Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: "Password: "
    Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: Request: "Password: "
    Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: REQUEST
    Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: Trying again
    Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: Finishing obtaining privileges
    Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: Completed: false
    Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: COMPLETED
    Jun 16 12:37:21 somehost polkit-agent-helper-1[11570]: pam_unix(polkit-1:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser=root rhost= user=root
    Jun 16 12:37:21 somehost unix_chkpwd[11575]: password check failed for user (root)
    Jun 16 12:37:21 somehost unix_chkpwd[11575]: check pass; user unknown
    Jun 16 12:37:21 somehost polkit-agent-helper-1[11570]: pam_kwallet5(polkit-1:auth): (null): pam_sm_authenticate
    Jun 16 12:37:21 somehost polkit-agent-helper-1[11570]: gkr-pam: unable to locate daemon control file
    Jun 16 12:37:21 somehost polkit-kde-authentication-agent-1[4302]: Dialog accepted
    Jun 16 12:37:07 somehost polkit-kde-authentication-agent-1[4302]: "Password: "
    Jun 16 12:37:07 somehost polkit-kde-authentication-agent-1[4302]: Request: "Password: "
    Jun 16 12:37:07 somehost polkit-kde-authentication-agent-1[4302]: REQUEST
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Trying again
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: WinId of the shown dialog is 39845921 39845921
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: WinId of the dialog is 39845921 39845921
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Action description has been found
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Message of action: "System policy prevents modification of network settings for all users"
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Initiating authentication
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: polkit_qt_listener_initiate_authentication callback for 0x559c593ca4a0
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: GSimpleAsyncResult: 0x559c59afd4b0
    Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Listener adapter polkit_qt_listener_initiate_authentication


    Here are systemd journal snippets for ssh session:
    Jun 16 12:50:45 somehost systemd-logind[1605]: Removed session 4.
    Jun 16 12:50:45 somehost systemd-logind[1605]: Session 4 logged out. Waiting for processes to exit.
    Jun 16 12:50:45 somehost systemd[1]: session-4.scope: Succeeded.
    Jun 16 12:50:45 somehost sshd[11875]: pam_kwallet5(sshd:setcred): pam_kwallet5: pam_sm_setcred
    Jun 16 12:50:45 somehost sshd[11875]: pam_kwallet5(sshd:session): pam_kwallet5: pam_sm_close_session
    Jun 16 12:50:45 somehost sshd[11875]: pam_unix(sshd:session): session closed for user someuser
    Jun 16 12:50:45 somehost sshd[11877]: Disconnected from user someuser 192.168.1.2 port 39492
    Jun 16 12:50:45 somehost sshd[11877]: Received disconnect from 192.168.1.2 port 39492:11: disconnected by user
    Jun 16 12:50:39 somehost su[11924]: FAILED SU (to root) someuser on pts/8
    Jun 16 12:50:37 somehost su[11924]: pam_unix(su-l:auth): authentication failure; logname=someuser uid=1000 euid=1000 tty=pts/8 ruser=someuser rhost= user=root
    Jun 16 12:50:37 somehost unix_chkpwd[11927]: password check failed for user (root)
    Jun 16 12:50:37 somehost unix_chkpwd[11927]: check pass; user unknown
    Jun 16 12:50:37 somehost su[11924]: pam_kwallet5(su-l:auth): (null): pam_sm_authenticate
    Jun 16 12:50:24 somehost su[11919]: FAILED SU (to root) someuser on pts/8
    Jun 16 12:50:23 somehost su[11919]: pam_unix(su-l:auth): authentication failure; logname=someuser uid=1000 euid=1000 tty=pts/8 ruser=someuser rhost= user=root
    Jun 16 12:50:23 somehost unix_chkpwd[11922]: password check failed for user (root)
    Jun 16 12:50:23 somehost unix_chkpwd[11922]: check pass; user unknown
    Jun 16 12:50:22 somehost su[11919]: pam_kwallet5(su-l:auth): (null): pam_sm_authenticate
    Jun 16 12:50:10 somehost sshd[11877]: pam_kwallet5(sshd:setcred): pam_kwallet5: pam_sm_setcred
    Jun 16 12:50:10 somehost sshd[11875]: pam_kwallet5(sshd:session): pam_kwallet5: not a graphical session, skipping. Use force_run parameter to ignore this.
    Jun 16 12:50:10 somehost sshd[11875]: pam_kwallet5(sshd:session): (null): pam_sm_open_session
    Jun 16 12:50:10 somehost sshd[11875]: pam_unix(sshd:session): session opened for user someuser by (uid=0)
    Jun 16 12:50:10 somehost systemd[1]: Started Session 4 of user someuser.
    Jun 16 12:50:10 somehost systemd-logind[1605]: New session 4 of user someuser.
    Jun 16 12:50:10 somehost sshd[11875]: pam_kwallet5(sshd:setcred): (null): pam_sm_setcred
    Jun 16 12:50:10 somehost sshd[11875]: Accepted publickey for someuser from 192.168.1.2 port 39492 ssh2: ED25519 SHA256:T2FG2zLytE26AIK8ozRcWUjIBasOGwd6v74LwtlDVMU

  2. #2

    Re: PolicyKit fails with systemsettings5,NetworkManager,ssh (and more?)

    I don't know the answer. However, there are other bugs showing up, such that uninstalling pam_kwallet fixes them. It might be a bug in libgcrypt.

    I suggest uninstalling pam_kwallet to see if that helps. And, by the way, if prompted to open "kwallet", then your login password should work (that's what pam_kwallet uses).
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  3. #3

    SOLVED: Re: PolicyKit fails with systemsettings5,NetworkManager,ssh (and more?)

    Hi,

    I uninstalled pam_kwallet and in all cases I mentioned in my post authentication now goes through. Case solved. Thanks a LOT!
    Last edited by bryga; 16-Jun-2019 at 11:50. Reason: problem was resolved
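
A triage sketch for journal excerpts like the ones in this thread, added here as an example and not posted by any participant: for every pam_unix authentication failure it lists which other PAM modules the same process logged, so a module shared by all failing services (polkit-1, su-l) stands out. The function name `triage` and the output field names are assumptions of this example; the sample lines are copied from the first post.

```python
import re
from collections import defaultdict

# Lines copied from the journal excerpts in the first post (newest first, as posted).
SAMPLE = """\
Jun 16 12:37:21 somehost polkit-agent-helper-1[11570]: pam_unix(polkit-1:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser=root rhost= user=root
Jun 16 12:37:21 somehost unix_chkpwd[11575]: password check failed for user (root)
Jun 16 12:37:21 somehost polkit-agent-helper-1[11570]: pam_kwallet5(polkit-1:auth): (null): pam_sm_authenticate
Jun 16 12:37:21 somehost polkit-agent-helper-1[11570]: gkr-pam: unable to locate daemon control file
Jun 16 12:50:37 somehost su[11924]: pam_unix(su-l:auth): authentication failure; logname=someuser uid=1000 euid=1000 tty=pts/8 ruser=someuser rhost= user=root
Jun 16 12:50:37 somehost su[11924]: pam_kwallet5(su-l:auth): (null): pam_sm_authenticate
Jun 16 12:50:10 somehost sshd[11875]: pam_kwallet5(sshd:session): pam_kwallet5: not a graphical session, skipping. Use force_run parameter to ignore this.
"""

# "Mon DD HH:MM:SS host process[pid]: message"
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "pam_module(service:phase)" prefix written by most PAM modules
PAM = re.compile(r"^(?P<mod>pam_\w+)\((?P<svc>[^:)]+):(?P<phase>\w+)\)")
# \b keeps "ruser=" from matching; the target account is the final "user=" field
FAIL = re.compile(r"authentication failure;.*\buser=(?P<user>\S+)")

def triage(journal_text):
    """For each pam_unix auth failure, list the other PAM modules the same process logged."""
    modules = defaultdict(set)  # pid -> modules that logged from that process
    failures = []
    for raw in journal_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        pam = PAM.match(msg)
        if pam and pam["phase"] == "auth":  # session/setcred lines are not part of the auth stack
            modules[pid].add(pam["mod"])
            fail = FAIL.search(msg)
            if pam["mod"] == "pam_unix" and fail:
                failures.append({"proc": m["proc"], "pid": pid,
                                 "service": pam["svc"], "user": fail["user"]})
        elif msg.startswith("gkr-pam:"):  # gnome-keyring's module logs without a pam_*() prefix
            modules[pid].add("gkr-pam")
    # Journal order may be newest-first, so resolve neighbours only after the full pass.
    for f in failures:
        f["also_in_stack"] = sorted(modules[f["pid"]] - {"pam_unix"})
    return failures

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

Co-occurrence in the log is a lead, not proof of cause; the `unix_chkpwd` lines run under their own PID and are therefore not attributed to either stack.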
