Mageia forum

[alopez]

I have two machines at home and since I upgraded to M5, I'm facing the same problem on both: after logging-in I need to enter the password a second time to unlock the keyring.

Things that I tried and didn't work:

- reset the password for both the keyring and the account.
- delete the keyring and re-create it.
- check the logs for associated error messages (identified none)

Some information:

- I found this bug [1], but the error message is not in my logs, so it doesn't seem to be cause of the problem. No surprise since it is from 2012.
- It was working fine right before the upgrade from M4. It broke during the upgrade. I upgraded launching this command: "mgaapplet-upgrade-helper --new_distro_version=5"
- I don't have auto-login enabled (actually I have several users on each machine, although some of them might have never used the keyring)
- I was expecting to find the files on ~/.local/share/keyrings/ but instead they are at ~/.gnome2/keyrings/.
- The default keyring is not called "login" but "Depósito de claves predeterminadas" (in spanish, the language of my system). I tried creating a keyring named login to no avail.

Any idea about what could be happening?

Thanks.

[1] https://bugs.launchpad.net/ubuntu/+source/seahorse/+bug/1048484

[doktor5000]

Can you kill seahorse, then run it from a terminal and try to change the password for the current keyring to the same as your current user password?
Simply change it to something else, and then change it to your current user password.

Also, how exactly did you change the password for the keyring?

[alopez]

Can you kill seahorse, then run it from a terminal and try to change the password for the current keyring to the same as your current user password?
Simply change it to something else, and then change it to your current user password.

seahorse was not running (no surprise since it isn't a daemon - did you mean to kill gnome-keyring-daemon?), so I just launched it from the terminal. I changed the password to something temporal and then I changed it back to my login password. No messages was displayed through stdout. Then I closed the session and logged back in. The problem persists: as soon as the keyring was needed (in this case when I launched Chrome), I was asked to enter the password.

Also, how exactly did you change the password for the keyring?

I launch seahorse, I unlock the keyring if not already done, I right click on the keyring and select "Change password." I also tried changing the user password from gnome-control-center with the keyring unlocked.

[doktor5000]

Hmmm, OK so it's not the same problem I presumed. Can you please create a new user account, and login as that one and try to use the keyring/seahorse as usual? Does the issue also occur there?

[alopez]

Hmmm, OK so it's not the same problem I presumed. Can you please create a new user account, and login as that one and try to use the keyring/seahorse as usual? Does the issue also occur there?

The problem persists with a new user.

After the first log-in, the keyring wasn't even created. Launched Chrome and asked it to save the password for a website and there I was asked to provide the password and its confirmation for a new keyring. Again, it was named "Depósito de claves predeterminadas" instead of login.

[doktor5000]

Only relevant post I can remember was in this bugreport: https://bugs.mageia.org/show_bug.cgi?id=11075#c1
Maybe you can try that. Other then that, I've no clue as I don't use GNOME.
Related information: https://wiki.archlinux.org/index.php/GNOME_Keyring (although a lot might need adaption for Mageia)

FWIW, what desktop do you use? GNOME or something else? Also please show the output of

Code: Select all

ps auxwww | grep keyring
rpm -qa | grep keyring

[alopez]

Only relevant post I can remember was in this bugreport: https://bugs.mageia.org/show_bug.cgi?id=11075#c1
Maybe you can try that. Other then that, I've no clue as I don't use GNOME.
Related information: https://wiki.archlinux.org/index.php/GNOME_Keyring (although a lot might need adaption for Mageia)

OK. Thank you doktor5000. I'll continue trying on my own. I'll keep the thread updated if I find a solution.

FWIW, what desktop do you use? GNOME or something else? Also please show the output of

Code: Select all

ps auxwww | grep keyring
rpm -qa | grep keyring

Code: Select all

$ ps auxwww | grep keyring
alejand+ 28385  0.2  0.1 670848  8388 ?        SLl  19:37   0:00 /usr/bin/gnomekeyring-daemon --daemonize --login
alejand+ 29507  0.0  0.0  26976  2216 pts/0    S+   19:41   0:00 grep --color keyring
$ rpm -qa | grep keyring
lib64gnome-keyring0-3.12.0-4.mga5
gnome-keyring-3.14.0-2.mga5
libgnome-keyring-i18n-3.12.0-4.mga5
lib64gnome-keyring-gir1.0-3.12.0-4.mga5
gnome-python-gnomekeyring-2.32.0-22.mga5


[doktor5000]

Found some further documentation: https://help.gnome.org/users/seahorse-plugins/stable/
Will also try to reproduce if I find some time.

[alopez]

Some some information for the records.

I successfully rebuilt the keyrings. I created an empty keyring named login and unlocked it. I still had the default keyring, so after manually unlocking the login keyring, when I tried to unlock the default keyring, seahorse proposed to store that password. I accepted and the password is now stored in the login keyring.

So now, if I manually unlock the login keyring, than I don't need to provide the password for the default keyring (since it will read it from the login keyring). This is working fine.

But the login keyring is still not getting unlocked at log-in. I still need to manually unlock it. This seems to be the only remaining problem.

[alopez]

Can someone tell me which files from /etc/pam.d/ contain pam_gnome_keyring.so and provide me with the contents of those files?

Thanks.

[doktor5000]

This is what I have:

Code: Select all

[doktor5000@Mageia5]─[17:19:37]─[~] sudo grep -Ri keyring /etc/pam.d
/etc/pam.d/passwd:password   optional   pam_gnome_keyring.so use_authtok
/etc/pam.d/cinnamon-screensaver:auth       optional     pam_gnome_keyring.so
/etc/pam.d/cinnamon-screensaver:#auth       optional     pam_gnome_keyring.so
/etc/pam.d/lxdm:auth       optional     pam_gnome_keyring.so
/etc/pam.d/lxdm:session    optional     pam_gnome_keyring.so auto_start
/etc/pam.d/mate-screensaver:auth       optional     pam_gnome_keyring.so
/etc/pam.d/mate-screensaver:#auth       optional     pam_gnome_keyring.so
/etc/pam.d/lightdm:auth       optional    pam_gnome_keyring.so
/etc/pam.d/lightdm:session    optional    pam_gnome_keyring.so auto_start

Maybe you can show yours, because if there are login managers or other stuff you don't use, doesn't make much sense If I attach all the complete files here.
FWIW, I'm currently using kdm. Also pam_gnome_keyring was removed for many login managers as it blocked during logout, and systems would never shut down / log out.
See e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1150283

[alopez]

Look much alike mines, with the difference that I use Gnome. These are my files:

/etc/pam.d/gdm

Code: Select all

#%PAM-1.0
auth       required    pam_env.so
auth       sufficient  pam_succeed_if.so user ingroup nopasswdlogin
auth       include     system-auth
auth       optional    pam_gnome_keyring.so
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so
session    optional    pam_gnome_keyring.so auto_start

/etc/pam.d/gdm-password is a link to /etc/pam.d/gdm

/etc/pam.d/gdm-pin

Code: Select all

auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        requisite     pam_pin.so
auth        substack      password-auth
auth        optional      pam_gnome_keyring.so

account     required      pam_nologin.so
account     include       password-auth

password    include       password-auth
password    optional      pam_pin.so

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     optional      pam_console.so
-session    optional    pam_ck_connector.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     include       password-auth
session     optional      pam_gnome_keyring.so auto_start

/etc/pam.d/gnome-screensaver

Code: Select all

#%PAM-1.0

# Fedora Core
auth       include   system-auth
auth       optional     pam_gnome_keyring.so
account    include   system-auth
password   include   system-auth
session    include   system-auth

# SuSE/Novell
#auth       include      common-auth
#auth       optional     pam_gnome_keyring.so
#account    include      common-account
#password   include      common-password
#session    include      common-session

/etc/pam.d/passwd

Code: Select all

#%PAM-1.0
auth       include   system-auth
account    include   system-auth
password   substack   system-auth
password   optional   pam_gnome_keyring.so use_authtok
password   substack   postlogin

About the bug in Fedora, I could be suffering that bug since I noticed some problems to log-out when more than one user is logged in. Anyway, this doesn't explain why my keyring is not being unlocked on log-in...

[alopez]

Finally I succeeded to get it to work. the problem was in the PAM rules.

As can be seen above, /etc/pam.d/gdm includes system-auth, which declares pam_tcb sufficient. This stops the execution of the PAM chain on success and returns, so the pam_gnome_keyring.so right after the include was never executed.

The solution was to replace the include keyword by substack, specially created for these cases.

Other PAM files where already correctly using substack.

What is strange is that I was the only one facing this problem, although I had it in three machines one of which was installed from scratch this morning.

[doktor5000]

Well, there don't seem any GNOME users being active here in forums, from what I can tell most people switched to other desktops.

[aselluza]

I have the same problem since Mageia 6. Everytime I log in it asks me for keyring pass to login in Skype. I don't understand much about PAM, so I couldn't understand what @alopez changed did to solve it. this is what I could see, but don't understand much...

Code: Select all

$sudo grep -Ri keyring /etc/pam.d
/etc/pam.d/gdm-pin:auth        optional      pam_gnome_keyring.so
/etc/pam.d/gdm-pin:session     optional      pam_gnome_keyring.so auto_start
/etc/pam.d/gdm-password:auth        optional      pam_gnome_keyring.so
/etc/pam.d/gdm-password:password   optional       pam_gnome_keyring.so use_authtok
/etc/pam.d/gdm-password:session     optional      pam_gnome_keyring.so auto_start
/etc/pam.d/passwd:password   optional   pam_gnome_keyring.so use_authtok
/etc/pam.d/gdm-autologin:-auth      optional    pam_gnome_keyring.so
/etc/pam.d/gdm-autologin:session    optional    pam_gnome_keyring.so auto_start

/etc/pam.d/sddm

Code: Select all

#%PAM-1.0
auth       required    pam_env.so
auth       sufficient  pam_succeed_if.so user ingroup nopasswdlogin
auth       include     system-auth
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so

any idea? thanx!

[alopez]

Well, after 1.5 years I don't remember much what I did. I'm far from being an expert on PAM, but I read a lot at that moment to (become a temporary expert and) understand what was happening.

So to make it simple, I modified the line:

Code: Select all

auth       include     system-auth

in /etc/pam.d/gdm by replacing the keyword "include" by "substack." Above you will find a copy of my original /etc/pam.d/gdm to compare it with yours.

Hope this helps.

[aselluza]

thanx!! I'll try that, cross my fingers

[aselluza]

It didn't do it

my /etc/pam.d/sddm

Code: Select all

#%PAM-1.0
auth       required    pam_env.so
auth       sufficient  pam_succeed_if.so user ingroup nopasswdlogin
auth       substack    system-auth
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so

and my /etc/pam.d/sddm-autologin (as I use autologin):

Code: Select all

#%PAM-1.0
auth       required    pam_env.so
auth       required    pam_permit.so
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    include     system-auth

both fails and still asks me for keyring password to Skype login. any clue?

[alopez]

Sorry. No clue.

[aselluza]

Ok, thank you anyway, I hope someone solved it...

[doktor5000]

Well, it's pretty obvious, as you are not using gdm, you would need to ensure that your display managers pam config actually references pam_gnome_keyring.so.
But see the hint above, this was in place previously and would prevent people from logging out - https://bugzilla.redhat.com/show_bug.cgi?id=1150283
Hence I removed that - http://svnweb.mageia.org/packages?view= ... ion=797925

This is the actual change, you can try to add that back: http://svnweb.mageia.org/packages/cauld ... rev=797925

[aselluza]

Ok, thanks it did it!! Is there any similar thing that can be done for autologin (I tried adding those two lines to sddm-autologin but didn't work)? I use autologin in my desktop and then it still asks me for the pass...

[doktor5000]

Sorry, no clue.
Try simply searching for "sddm-autologin gnome-keyring" and there seem to be quite a lot of relevant search results ...

[aselluza]

Ok, thank you anyway, you're always very helpful!!

[aselluza]

Ok, I found an only way: to edit keyring password with seahorse and leave it blank.. It seems to be the only way when using autologin, so I'll use it in my desktop but not in my laptop. At least now it's not asking me for pass to log in Skype...
thanx!!