(Tumbleweed) Login dialog is missing after pam_mount configuration

Hi all,
To use pam_mount I have modified 2 files in /etc/pam.d:
common-auth-pc

auth    required        pam_env.so
auth    optional        pam_mount.so
auth    sufficient      pam_unix.so     nis try_first_pass
auth    required        pam_ldap.so     use_first_pass

and common-session-pc

session required        pam_limits.so
session required        pam_unix.so     nis try_first_pass
session optional        pam_ldap.so
session optional        pam_umask.so
session optional        pam_systemd.so
session optional        pam_env.so
session [success=1 default=ignore]  pam_succeed_if.so  service = systemd-user quiet
session optional        pam_mount.so

I found this here

It is working with login at local console (Ctrl+Alt+F1) and ssh but not with KDE-Login. The login dialog is not visible.
As soon as I comment out the last 2 lines of common-session-pc after reboot the login dialog appears again.
Could someone please help?

It is not quite clear - are you logged in without any dialog? Or you get display manager screen but without any way to enter username / password? What display manage are you using? Posting screenshot may be helpful.

Tumbleweed starts up without any error, but I cannot see and login with the graphical login dialog. The mouse arrow is visible and movable. If I switch with Ctrl+Alt+F1 to CLI I see the login prompt and everything is like it should be. The login with CLI and ssh to this computer is working correctly.

A screenshot will show a blank black screen with a mouse arrow, so I think it will not be necessary.

Best wishes and many thanks

stob

I cannot reproduce it. I made the same modification as you and I get SDDM greeter and can login normally.

I do not use pam_ldap, may be it explains the difference.

OK, thanks to your hint I tried different pam_mount.conf.xml, because I guessed that you did not do changes to this file.

  1. Original conf file from package ā†’ gfx login dialog is shown
  2. One volume entry with fstype=CIFS ā†’ gfx login dialog is shown
  3. One volume entry with fstype=nfs ā†’ no more gfx login dialog
<volume
    fstype="nfs"
    server="servername"
    path="/groups"
    mountpoint="/groups"
    options="vers=3"
/>

I do not understand how the pam_mount.conf.xml is manipulating the behaviour of the gfx login dialog. Is it read before any communication at the login prompt is done? And what is wrong with this volume entry?
If there is a pam_mount expert out there who can help me with an answer ? This would be very helpful for me.
Thx a lot

No. You also did not describe them. You still do not describe the complete modifications, so no way to reproduce them.

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
        See pam_mount.conf(5) for a description.
-->

<pam_mount>

                <!-- debug should come before everything else,
                since this file is still processed in a single pass
                from top-to-bottom -->

<debug enable="0" />

                <!-- Volume definitions -->

<volume
    fstype="nfs"
    server="servername"
    path="/groups"
    mountpoint="/groups"
    options="vers=3"
/>


                <!-- pam_mount parameters: General tunables -->

<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<!-- requires ofl from hxtools to be present -->
<logout wait="2000" hup="no" term="yes" kill="yes" />


                <!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />


</pam_mount>

This is the fresh installed pam_mount.conf.xml only modified by the volume entry.

pam_mount session expects user password if at least one volume definition is present in case it is needed to mount filesystems. If no password is available in PAM stack it by default tries to query user interactively. sddm-helper PAM service does not use any password at all, so when it invokes pam_mount it attempts to ask user for password. But the current vt at this point is already in graphic mode (Xserver has already been started) so you neither see prompt nor can respond to it.

If you pay attention to the example in the article you referenced - it modified PAM configuration for one service only, not global files that are included by most other services.

Anyway, disabling interactive password query in session module seems to work around it.

session optional        pam_mount.so disable_interactive

And did you try to read comments on top of the files you edited? common-auth-pc and common-session-pc are autogenerated and manual changes will be lost next time these files are updated (which happens on updates of packages that are related to PAM).

This made the gfx login dialog (is the correct terminus sddm-helper for this?) appear, the NFS mount is working, but the CIFS mount is not working anymore.
Is there any idea why the CIFS volume alone is working and the NFS volume not?

<volume
        fstype="cifs"
        server="server.domain.com"
        path="path_to/%(USER)"
        mountpoint="/home/%(USER)"
        uid="10000-999999"
        options="user=%(USER),dom=DOMAIN,vers=3.0,cruid=%(USERID),dir_mode=0700,nounix"
/>

Is there somewhere a docu where I can solve this problem with tumbleweed? Sometimes there are additional subdirs in /etc or /usr/etc like inside /usr/etc/ssh where I can put those changes. In former times there were some additional files in /etc/pam.d like login, sshd, su, etc.
In Tumbleweed there is only an additional smtp /etc/pam.d.

OK, so the question in this topic is answered.

No. Did you try the obvious steps - manual mount, enabling debug? Anyway, on this forum we really prefer one topic - one question/problem. As you have different question, it is better to start new topic with corresponding title.

Which problem? If you are asking "how to modify common-auth-pc - it is answered directly in the comments in the beginning of this file. Remove the link common-auth and create a plain file instead. This file will not be changed by the system.

You should never edit anything below /usr. Period. This is reserved for your distribution packages and any change there could be silently overwritten.

Packages install their PAM configuration files mostly in /usr/lib/pam.d (this is upstream path) with rare exceptions of /usr/etc/pam.d. Files in /etc/pam.d will be used instead of the files with the same name under /usr. So, to change any default PAM configuration copy it from /usr/lib/pam.d or /usr/etc/pam.d into /etc/pam.d and edit there.

I am sorry to post again here. In the meantime I was testing to put the nfs shares to fstab but now I need to have it back into the pam_mount.conf.xml
Regarding to

OK, so the question in this topic is answered.

The gfx dialog was there but not the CIFSmount. So the solution is only a half solution, because the necessary CIFS mount is not working.
I am still not able to mount CIFS and NFS shares at the same time via pam_mount.

I venture to guess that CIFS needs your password to authenticate and this password is missing.

Iā€™m afraid that was caused by the disable_interactive option. This restored the login dialog, but prevented the CIFSmount.

I just tried it with Leap 15.5. Same behaviour. (Ubuntu 22.04 is working)

Update:
Tumbleweed with Gnome is working but not with KDE

1 Like

Is there any chance that someone could fix that problem with KDE ?
Gnome is not the preferred desktop of my users.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.