Problem
Some systems are experiencing GDM crashes, resulting in the desktop failing to load and the system becoming unusable (no console access, blank display) with the relevant error logged in journalctl:
gdm-launch-environment][1722]: PAM unable to dlopen(/usr/lib64/security/pam_lastlog.so):
Stack trace of thread 1701:
...snip...
username systemd[1]: systemd[1]: systemd-coredump: Deactivated successfully.
Cause
The GDM crash is caused by the system using an old configuration (non-authselect, PAM-1.0). This prevents the system from automatically migrating to the newer pam_lastlog2.so after the upgrade, leading to a fatal PAM configuration mismatch.
Prerequisites of GDM Crash
- The system was originally installed with a release older than Fedora 36.
- The configuration was not previously migrated to authselect, and the system is currently using an old, non-authselect setup. It was supposed to be automatically switched to authselect by the RPM postscript in Fedora 36. The migration likely failed at that time, or the system upgrade to Fedora 36 was skipped by the user.
- The migration to lastlog2, a feature introduced in Fedora 43, then failed.
Related Issues
Bugzilla report: #2406225
Bugzilla report: #2396016
Fedora 43 change: https://fedoraproject.org/wiki/Changes/Migrate_to_lastlog2
Workarounds
To work around this problem, boot the system without graphical mode. Then you can run the authselect command.
Boot to text mode
You can edit the kernel arguments at boot time from the Fedora boot menu. If the Fedora boot menu does not appear on your screen, try pressing Esc or F8 repeatedly while the system is booting. On the Fedora boot menu, press e to edit the default boot entry, go down to the line that starts with linux, and press End (or use the arrow keys) to go to the very end of the line. It will likely end with rhgb quiet. Add a space and the number 3.
Then hit Ctrl-x to proceed with boot.
Configure authselect
You can create the default authselect configuration for Fedora 43 Workstation with this command:
sudo authselect select local with-silent-lastlog with-fingerprint with-mdns4 --force
This action automatically creates a backup of your existing configuration and switches your system to a supported authselect profile.
However, depending on your needs and your system, you might want to use a different profile with different options. This older article can explain some basics. If you need some changes, feel free to modify the command above.
Verify system
After applying the workaround, you can then customize your configuration using the authselect tool to meet your specific requirements. To confirm the fix, your system’s authentication should now be managed by an authselect profile:
$ sudo authselect current
Profile ID: local
Enabled features:
- with-silent-lastlog
- with-fingerprint
- with-mdns4
The updated and auto-generated file located at /etc/authselect/postlogin should look like this:
$ cat /etc/authselect/postlogin
# Generated by authselect
# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
# See authselect(8) for more details.
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog2.so silent
session optional pam_lastlog2.so silent
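To see which PAM files still reference a module that is no longer installed (the pam_lastlog.so failure in the log above), the following shell functions can be run from the text-mode console. This is an added example, not part of the original page; the function names, the --system switch, the check.sh file name and the symlink test for authselect management are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original page): find PAM modules that the
# configuration references but that are not installed.

# missing_pam_modules PAM_DIR MODULE_DIR
# Prints "file: module" for each referenced module that does not exist.
missing_pam_modules() {
    pam_dir=$1
    mod_dir=$2
    for f in "$pam_dir"/*; do
        [ -f "$f" ] || continue
        # Skip comment lines; a module is any field ending in ".so".
        awk '$1 !~ /^#/ { for (i = 1; i <= NF; i++) if ($i ~ /\.so$/) print $i }' "$f" |
        sort -u |
        while read -r mod; do
            case $mod in
                /*) path=$mod ;;            # absolute module path
                *)  path=$mod_dir/$mod ;;   # bare name, resolved in MODULE_DIR
            esac
            [ -e "$path" ] || printf '%s: %s\n' "${f##*/}" "$mod"
        done
    done
}

# is_authselect_managed PAM_DIR
# Assumption: authselect manages PAM by making PAM_DIR/system-auth a symlink
# into its own directory (/etc/authselect on Fedora).
is_authselect_managed() {
    target=$(readlink "$1/system-auth" 2>/dev/null) || return 1
    case $target in
        */authselect/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run against the live system only when asked: sh check.sh --system
# (check.sh is a hypothetical file name for this script.)
if [ "${1:-}" = "--system" ]; then
    is_authselect_managed /etc/pam.d || echo "PAM is not managed by authselect"
    missing_pam_modules /etc/pam.d /usr/lib64/security
fi
```

No output from the --system run means every referenced module exists and system-auth points into the authselect directory.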
Now reboot. GDM should hopefully start without problems, and you can log in to a graphical session.
