GUI-Login with SSSD managed users fails

Ask Fedora
1

Hi,

I have just installed Fedora 32 Workstation on a KVM/Qemu virtual maschine.
I need to use a setup with central user-managerment via LDAP accessd by SSSD which works fine for all my other Linux-Systems (mostly Gentoo).

On Fedora 32 Workstation I am facing the issue, that I can login perfectls with the SSSH/LDAP accounts via SSH or vie the console login prompt, but GDM/GNOME login fails (it works for my local fallback user, it fails only for the SSSD/LDAP accounts).

From my perspective the main difference between local and SSSD/LDAP-accounts is the numerical user-id which starts at 1000001.

For the system setup i did the following steps:

  1. set root-pasword
    sudo su -
    passwd

  2. sshd
    systemctl enable sshd.service
    systemctl start sshd.service

  3. ssh PubkeyAuthentication for root
    mkdir .ssh
    chmod 700 .ssh
    chmod 600 .ssh/authorized_keys

  4. Hostname
    hostnamectl set-hostname fedora-32-workstation.my.domain
    reboot

  5. Update
    dnf update
    reboot

  6. SSSD
    copy my /etc/sssd/sssd.config to the system
    dnf install sssd-dbus
    authselect select sssd
    authselect enable-feature with-mkhomedir
    authselect enable-feature with-pamaccess
    reboot

[sssd]
config_file_version = 2
services = nss, pam, ifp
#services = nss, pam

domains = my.domain

use_fully_qualified_names = true
default_domain_suffix = my.domain

[nss]
filter_users = root,bin,daemon,wheel,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,nobody,apache,admin
override_shell = /usr/bin/bash

[pam]

[ifp]

[domain/my.domain]
access_provider = ldap
auth_provider = ldap
cache_credentials = true
enumerate = true
id_provider = ldap
LDAP-Access

The problem seems to somewhere here:
Apr 29 15:20:23 fedora-32-workstation.my.domain /usr/libexec/gdm-wayland-session[2702]: dbus-daemon[2702]: [session uid=1000003 pid=2702] Activated service ‘org.freedesktop.systemd1’ failed: Process org.freedesktop.systemd1 exited with status 1

I have no Idea whats going on here since login via SSH an Console works.

Please find below the whole log:
Apr 29 15:20:18 fedora-32-workstation.my.domain audit[2672]: USER_AUTH pid=2672 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg=‘op=PAM:authentication grantors=pam_usertype,pam_usertype,pam_sss,pam_gnome_keyring acct=“ldapuser@my.domain” exe=“/usr/libexec/gdm-session-worker” hostname=fedora-32-workstation.my.domain addr=? terminal=/dev/tty1 res=success’
Apr 29 15:20:18 fedora-32-workstation.my.domain gdm-password][2672]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=ldapuser@my.domain
Apr 29 15:20:18 fedora-32-workstation.my.domain gdm-password][2672]: gkr-pam: unable to locate daemon control file
Apr 29 15:20:18 fedora-32-workstation.my.domain gdm-password][2672]: gkr-pam: stashed password to try later in open session
Apr 29 15:20:18 fedora-32-workstation.my.domain audit[2672]: USER_ACCT pid=2672 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg=‘op=PAM:accounting grantors=pam_access,pam_unix,pam_sss,pam_permit acct=“ldapuser@my.domain” exe=“/usr/libexec/gdm-session-worker” hostname=fedora-32-workstation.my.domain addr=? terminal=/dev/tty1 res=success’
Apr 29 15:20:19 fedora-32-workstation.my.domain audit[2672]: CRED_ACQ pid=2672 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg=‘op=PAM:setcred grantors=pam_localuser,pam_sss,pam_gnome_keyring acct=“ldapuser@my.domain” exe=“/usr/libexec/gdm-session-worker” hostname=fedora-32-workstation.my.domain addr=? terminal=/dev/tty1 res=success’
Apr 29 15:20:19 fedora-32-workstation.my.domain audit[2672]: USER_ROLE_CHANGE pid=2672 uid=0 auid=1000003 ses=8 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg=‘pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe=“/usr/libexec/gdm-session-worker” hostname=fedora-32-workstation.my.domain addr=? terminal=/dev/tty2 res=success’
Apr 29 15:20:19 fedora-32-workstation.my.domain gdm-password][2672]: pam_systemd(gdm-password:session): Failed to get user record: Das Argument ist ungĂŒltig
Apr 29 15:20:19 fedora-32-workstation.my.domain gdm-password][2672]: pam_unix(gdm-password:session): session opened for user ldapuser@my.domain by (uid=0)
Apr 29 15:20:19 fedora-32-workstation.my.domain gdm-password][2672]: gkr-pam: unable to locate daemon control file
Apr 29 15:20:19 fedora-32-workstation.my.domain gdm-password][2672]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
Apr 29 15:20:19 fedora-32-workstation.my.domain audit[2672]: USER_START pid=2672 uid=0 auid=1000003 ses=8 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg=‘op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_unix,pam_sss,pam_gnome_keyring,pam_umask acct=“ldapuser@my.domain” exe=“/usr/libexec/gdm-session-worker” hostname=fedora-32-workstation.my.domain addr=? terminal=/dev/tty2 res=success’
Apr 29 15:20:19 fedora-32-workstation.my.domain audit[2672]: USER_LOGIN pid=2672 uid=0 auid=1000003 ses=8 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg=‘uid=1000003 exe=“/usr/libexec/gdm-session-worker” hostname=? addr=? terminal=? res=success’
Apr 29 15:20:22 fedora-32-workstation.my.domain systemd[1]: systemd-localed.service: Succeeded.
Apr 29 15:20:22 fedora-32-workstation.my.domain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=‘unit=systemd-localed comm=“systemd” exe=“/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
Apr 29 15:20:22 fedora-32-workstation.my.domain systemd[1]: systemd-hostnamed.service: Succeeded.
Apr 29 15:20:22 fedora-32-workstation.my.domain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=‘unit=systemd-hostnamed comm=“systemd” exe=“/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
Apr 29 15:20:22 fedora-32-workstation.my.domain audit: BPF prog-id=50 op=UNLOAD
Apr 29 15:20:22 fedora-32-workstation.my.domain audit: BPF prog-id=49 op=UNLOAD
Apr 29 15:20:22 fedora-32-workstation.my.domain audit: BPF prog-id=48 op=UNLOAD
Apr 29 15:20:22 fedora-32-workstation.my.domain audit: BPF prog-id=47 op=UNLOAD
Apr 29 15:20:22 fedora-32-workstation.my.domain audit: BPF prog-id=46 op=UNLOAD
Apr 29 15:20:22 fedora-32-workstation.my.domain systemd[1]: fprintd.service: Succeeded.
Apr 29 15:20:22 fedora-32-workstation.my.domain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=‘unit=fprintd comm=“systemd” exe=“/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagentd[1282]: Error getting active session: No data available
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagentd[1282]: Error getting active session: No data available
Apr 29 15:20:23 fedora-32-workstation.my.domain kernel: rfkill: input handler enabled
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagentd[1282]: closed vdagent virtio channel
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagentd[1282]: Error getting active session: No data available
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagentd[1282]: Error getting active session: No data available
Apr 29 15:20:23 fedora-32-workstation.my.domain /usr/libexec/gdm-wayland-session[2702]: dbus-daemon[2702]: [session uid=1000003 pid=2702] Activating service name=‘org.freedesktop.systemd1’ requested by ‘:1.0’ (uid=1000003 pid=2698 comm=“/usr/libexec/gdm-wayland-session /usr/bin/gnome-se” label=“unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023”)
Apr 29 15:20:23 fedora-32-workstation.my.domain kernel: rfkill: input handler disabled
Apr 29 15:20:23 fedora-32-workstation.my.domain kernel: input: spice vdagent tablet as /devices/virtual/input/input11
Apr 29 15:20:23 fedora-32-workstation.my.domain audit[2672]: USER_END pid=2672 uid=0 auid=1000003 ses=8 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg=‘op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_unix,pam_sss,pam_gnome_keyring,pam_umask acct=“ldapuser@my.domain” exe=“/usr/libexec/gdm-session-worker” hostname=fedora-32-workstation.my.domain addr=? terminal=/dev/tty2 res=success’
Apr 29 15:20:23 fedora-32-workstation.my.domain audit[2672]: USER_LOGOUT pid=2672 uid=0 auid=1000003 ses=8 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg=‘uid=1000003 exe=“/usr/libexec/gdm-session-worker” hostname=? addr=? terminal=? res=success’
Apr 29 15:20:23 fedora-32-workstation.my.domain audit[2672]: CRED_DISP pid=2672 uid=0 auid=1000003 ses=8 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg=‘op=PAM:setcred grantors=pam_localuser,pam_sss,pam_gnome_keyring acct=“ldapuser@my.domain” exe=“/usr/libexec/gdm-session-worker” hostname=fedora-32-workstation.my.domain addr=? terminal=/dev/tty2 res=success’
Apr 29 15:20:23 fedora-32-workstation.my.domain gnome-shell[2732]: The XKEYBOARD keymap compiler (xkbcomp) reports:
Apr 29 15:20:23 fedora-32-workstation.my.domain gnome-shell[2732]: > Warning: Unsupported maximum keycode 569, clipping.
Apr 29 15:20:23 fedora-32-workstation.my.domain gnome-shell[2732]: > X11 cannot support keycodes above 255.
Apr 29 15:20:23 fedora-32-workstation.my.domain gnome-shell[2732]: > Internal error: Could not resolve keysym Invalid
Apr 29 15:20:23 fedora-32-workstation.my.domain gnome-shell[2732]: Errors from xkbcomp are not fatal to the X server
Apr 29 15:20:23 fedora-32-workstation.my.domain gsd-color[2484]: unable to get EDID for xrandr-Virtual-1: unable to get EDID for output
Apr 29 15:20:23 fedora-32-workstation.my.domain /usr/libexec/gdm-wayland-session[2702]: dbus-daemon[2702]: [session uid=1000003 pid=2702] Activated service ‘org.freedesktop.systemd1’ failed: Process org.freedesktop.systemd1 exited with status 1
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagentd[1282]: Error getting active session: No data available
Apr 29 15:20:23 fedora-32-workstation.my.domain gnome-shell[2413]: Could not release device (13,70): GDBus.Error:org.freedesktop.login1.DeviceNotTaken: Device not taken
Apr 29 15:20:23 fedora-32-workstation.my.domain /usr/libexec/gdm-wayland-session[2698]: Unable to register display with display manager
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagentd[1282]: Error getting active session: No data available
Apr 29 15:20:23 fedora-32-workstation.my.domain gsd-color[2484]: unable to get EDID for xrandr-Virtual-1: unable to get EDID for output
Apr 29 15:20:23 fedora-32-workstation.my.domain gdm-password][2672]: pam_unix(gdm-password:session): session closed for user ldapuser@my.domain
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagentd[1282]: opening vdagent virtio channel
Apr 29 15:20:23 fedora-32-workstation.my.domain gdm[1009]: GdmDisplay: Session never registered, failing
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagentd[1282]: Set max clipboard: 104857600
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: Received Graphics Device Info:
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: Device /dev/dri/card0 is at /sys/devices/pci0000:00/0000:00:01.0/drm/card0
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: Found card ‘/sys/devices/pci0000:00/0000:00:01.0/drm/card0’ with Vendor ID 0x100, Device ID 0x1b36
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagentd[1282]: Set max clipboard: 104857600
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: Couldn’t find an XRandr output for the specified device
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: channel_id: 0 monitor_id: 0 device_address: pci/0000/01.0, device_display_id: 0 xrandr output ID NOT FOUND
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: No guest output map, using output index as display id
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: Received Graphics Device Info:
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: Device /dev/dri/card0 is at /sys/devices/pci0000:00/0000:00:01.0/drm/card0
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: Found card ‘/sys/devices/pci0000:00/0000:00:01.0/drm/card0’ with Vendor ID 0x100, Device ID 0x1b36
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: Couldn’t find an XRandr output for the specified device
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: channel_id: 0 monitor_id: 0 device_address: pci/0000/01.0, device_display_id: 0 xrandr output ID NOT FOUND
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: No guest output map, using output index as display id
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: vdagent_audio_record_sync mute=no nchannels=2
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: vdagent-audio: (capture-left) 65535 (%99.00)
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: vdagent-audio: (capture-right) 65535 (%99.00)
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: vdagent_audio_playback_sync mute=no nchannels=2
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: vdagent-audio: (playback-left) 65535 (%99.00)
Apr 29 15:20:23 fedora-32-workstation.my.domain spice-vdagent[2496]: vdagent-audio: (playback-right) 65535 (%99.00)
Apr 29 15:20:42 fedora-32-workstation.my.domain systemd[1]: libvirtd.service: Succeeded.
Apr 29 15:20:42 fedora-32-workstation.my.domain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=‘unit=libvirtd comm=“systemd” exe=“/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
Apr 29 15:20:52 fedora-32-workstation.my.domain geoclue[2465]: Service not used for 60 seconds. Shutting down

Apr 29 15:20:52 fedora-32-workstation.my.domain systemd[1]: geoclue.service: Succeeded.
Apr 29 15:20:52 fedora-32-workstation.my.domain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=‘unit=geoclue comm=“systemd” exe=“/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
Apr 29 15:20:53 fedora-32-workstation.my.domain realmd[2594]: quitting realmd service after timeout
Apr 29 15:20:53 fedora-32-workstation.my.domain realmd[2594]: stopping service
Apr 29 15:20:53 fedora-32-workstation.my.domain systemd[1]: realmd.service: Succeeded.
Apr 29 15:20:53 fedora-32-workstation.my.domain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=‘unit=realmd comm=“systemd” exe=“/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’

1 Like
2

I have a similar issue with a vanilla fresh install of Fedora 32.

It is an active directory domain, can join the machine to the domain and user through the gnome settings GUI which does work, however when you try to log the user in via GDM they cannot. I have also tried manually joining the user to the domain with realm join -v mydomain -U dave (tried both upper and lower case for the domain, makes no difference) the machine joins successfully. In a terminal you can su - to the user and enter the password and authenticate. Still no login via GDM, the login attempts and shows the last login from the terminal below the login window, then flashes back to the login screen. I have also tried disabling SELINUX to test.

please note I have had to replace my domain in-tend.com with the txt mydomain as for some reason this site wouldn’t let me post it, said users could only post 2 links.

Apr 30 09:12:44 ds-xps-in-tend-com gdm-password][8879]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=dave@mydomain
Apr 30 09:12:44 ds-xps-in-tend-com audit[8879]: USER_AUTH pid=8879 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_usertype,pam_usertype,pam_sss,pam_gnome_keyring acct=“dave@mydomain”>
Apr 30 09:12:44 ds-xps-in-tend-com gdm-password][8879]: gkr-pam: unable to locate daemon control file
Apr 30 09:12:44 ds-xps-in-tend-com gdm-password][8879]: gkr-pam: stashed password to try later in open session
Apr 30 09:12:45 ds-xps-in-tend-com audit[8879]: USER_ACCT pid=8879 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct=“dave@mydomain” exe=“/usr/libexec/gdm-sessi>
Apr 30 09:12:45 ds-xps-in-tend-com audit[8879]: CRED_ACQ pid=8879 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_localuser,pam_sss,pam_gnome_keyring acct=“dave@mydomain” exe=”/usr/libexec/g>
Apr 30 09:12:45 ds-xps-in-tend-com gdm-password][8879]: pam_systemd(gdm-password:session): Failed to get user record: Invalid argument
Apr 30 09:12:45 ds-xps-in-tend-com gdm-password][8879]: pam_unix(gdm-password:session): session opened for user dave@mydomain by (uid=0)
Apr 30 09:12:45 ds-xps-in-tend-com gdm-password][8879]: gkr-pam: unable to locate daemon control file
Apr 30 09:12:45 ds-xps-in-tend-com gdm-password][8879]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
Apr 30 09:12:45 ds-xps-in-tend-com audit[8879]: USER_START pid=8879 uid=0 auid=1471801105 ses=6 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits>
Apr 30 09:12:45 ds-xps-in-tend-com audit[8879]: USER_LOGIN pid=8879 uid=0 auid=1471801105 ses=6 msg=‘uid=1471801105 exe=“/usr/libexec/gdm-session-worker” hostname=? addr=? terminal=? res=success’
Apr 30 09:12:46 ds-xps-in-tend-com systemd[1]: systemd-timedated.service: Succeeded.
Apr 30 09:12:46 ds-xps-in-tend-com audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg=‘unit=systemd-timedated comm=“systemd” exe=“/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
Apr 30 09:12:46 ds-xps-in-tend-com audit: BPF prog-id=215 op=UNLOAD
Apr 30 09:12:46 ds-xps-in-tend-com audit: BPF prog-id=214 op=UNLOAD
Apr 30 09:12:46 ds-xps-in-tend-com audit: BPF prog-id=213 op=UNLOAD
Apr 30 09:12:47 ds-xps-in-tend-com kernel: rfkill: input handler enabled
Apr 30 09:12:48 ds-xps-in-tend-com /usr/libexec/gdm-wayland-session[9226]: dbus-daemon[9226]: [session uid=1471801105 pid=9226] Activating service name=‘org.freedesktop.systemd1’ requested by ‘:1.0’ (uid=1471801105 >
Apr 30 09:12:48 ds-xps-in-tend-com audit[8879]: USER_END pid=8879 uid=0 auid=1471801105 ses=6 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,>
Apr 30 09:12:48 ds-xps-in-tend-com audit[8879]: USER_LOGOUT pid=8879 uid=0 auid=1471801105 ses=6 msg=‘uid=1471801105 exe=“/usr/libexec/gdm-session-worker” hostname=? addr=? terminal=? res=success’
Apr 30 09:12:48 ds-xps-in-tend-com /usr/libexec/gdm-wayland-session[9226]: dbus-daemon[9226]: [session uid=1471801105 pid=9226] Activated service ‘org.freedesktop.systemd1’ failed: Process org.freedesktop.systemd1 e>
Apr 30 09:12:48 ds-xps-in-tend-com audit[8879]: CRED_DISP pid=8879 uid=0 auid=1471801105 ses=6 msg='op=PAM:setcred grantors=pam_localuser,pam_sss,pam_gnome_keyring acct=“dave@mydomain” exe="/usr/libexec/gdm-sessi>
Apr 30 09:12:48 ds-xps-in-tend-com gdm-password][8879]: pam_unix(gdm-password:session): session closed for user dave@mydomain
Apr 30 09:12:48 ds-xps-in-tend-com /usr/libexec/gdm-wayland-session[9223]: Unable to register display with display manager
Apr 30 09:12:48 ds-xps-in-tend-com kernel: rfkill: input handler disabled
Apr 30 09:12:48 ds-xps-in-tend-com gdm[1634]: GdmDisplay: Session never registered, failing
Apr 30 09:12:48 ds-xps-in-tend-com gnome-shell[9323]: The XKEYBOARD keymap compiler (xkbcomp) reports:
Apr 30 09:12:48 ds-xps-in-tend-com gnome-shell[9323]: > Warning: Unsupported maximum keycode 569, clipping.
Apr 30 09:12:48 ds-xps-in-tend-com gnome-shell[9323]: > X11 cannot support keycodes above 255.
Apr 30 09:12:48 ds-xps-in-tend-com gnome-shell[9323]: > Internal error: Could not resolve keysym Invalid
Apr 30 09:12:48 ds-xps-in-tend-com gnome-shell[9323]: Errors from xkbcomp are not fatal to the X server
Apr 30 09:12:51 ds-xps-in-tend-com tracker-extract[7928]: XML parsing failure
Apr 30 09:12:51 ds-xps-in-tend-com tracker-extract[7928]: XML parsing failure
Apr 30 09:12:52 ds-xps-in-tend-com tracker-extract[7928]: XML parsing failure
Apr 30 09:12:53 ds-xps-in-tend-com gdm-password][9377]: gkr-pam: unlocked login keyring

3

I have tracked down the reason for the failure. The troublemaker is the pam_systemd PAM plugin in /etc/pam.d/pasword-auth (line -session optional pam_systemd.so). The plugin is unable to retrieve user records from sssd. The related error message is

Mai 01 17:39:51 fedora-32-workstation.my.domain gdm-password][8287]: pam_systemd(gdm-password:session): Failed to get user record: Invalid argument

This results in the inability to start a dbus-session for the sssd maintained user and the whole session setup is f****d up.

Now i am totally out of ideas.

5

Same issue here. Fedora workstation joined to AD, after upgrading to 32 I cannot login anymore using the AD user. The process is broken after CRED_ACQ.

May 15 13:59:16 tgswksit1 gdm-password][6131]: gkr-pam: invalid option: debug
May 15 13:59:16 tgswksit1 gdm-password][6131]: gkr-pam: unable to locate daemon control file
May 15 13:59:16 tgswksit1 gdm-password][6131]: gkr-pam: stashed password to try later in open session
May 15 13:59:16 tgswksit1 audit[6131]: USER_ACCT pid=6131 uid=0 auid=4294967295 ses=4294967295 msg=‘op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct=“user@domain.local” exe=“/usr/libexec/gdm-session-worker” hostname=tgswksit1 addr=? terminal=/dev/tty1 res=success’
May 15 13:59:16 tgswksit1 audit[6131]: CRED_ACQ pid=6131 uid=0 auid=4294967295 ses=4294967295 msg=‘op=PAM:setcred grantors=pam_localuser,pam_sss,pam_gnome_keyring acct=user@domain.locall" exe=“/usr/libexec/gdm-session-worker” hostname=tgswksit1 addr=? terminal=/dev/tty1 res=success’
May 15 13:59:16 tgswksit1 gdm-password][6131]: pam_systemd(gdm-password:session): Failed to get user record: Invalid argument
May 15 13:59:16 tgswksit1 gdm-password][6131]: pam_unix(gdm-password:session): session opened for user user@domain.local by (uid=0)
May 15 13:59:16 tgswksit1 gdm-password][6131]: gkr-pam: unable to locate daemon control file
May 15 13:59:16 tgswksit1 gdm-password][6131]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
May 15 13:59:16 tgswksit1 audit[6131]: USER_START pid=6131 uid=0 auid=810203472 ses=7 msg='op=PAM:session_open

Another machine running Fedora 31:

May 15 14:56:51 tgswksit1a gdm-password][5012]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=user@domain.local
May 15 14:56:51 tgswksit1a audit[5012]: USER_AUTH pid=5012 uid=0 auid=4294967295 ses=4294967295 msg=‘op=PAM:authentication grantors=pam_succeed_if,pam_succeed_if,pam_sss,pam_gnome_keyring acct=“user@domain.local” exe=“/usr/libexec/gdm-session-worker” hostname=tgswksit1a addr=? terminal=/dev/tty1 res=success’
May 15 14:56:51 tgswksit1a gdm-password][5012]: gkr-pam: unable to locate daemon control file
May 15 14:56:51 tgswksit1a audit[5012]: USER_ACCT pid=5012 uid=0 auid=4294967295 ses=4294967295 msg=‘op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct=“user@domain.local” exe=“/usr/libexec/gdm-session-worker” hostname=tgswksit1a addr=? terminal=/dev/tty1 res=success’
May 15 14:56:51 tgswksit1a audit[5012]: CRED_ACQ pid=5012 uid=0 auid=4294967295 ses=4294967295 msg=‘op=PAM:setcred grantors=pam_localuser,pam_sss,pam_gnome_keyring acct=“user@domain.local” exe=“/usr/libexec/gdm-session-worker” hostname=tgswksit1a addr=? terminal=/dev/tty1 res=success’
May 15 14:56:51 tgswksit1a systemd[1]: Created slice User Slice of UID 810203472.
May 15 14:56:51 tgswksit1a systemd[1]: Starting User Runtime Directory /run/user/810203472

May 15 14:56:51 tgswksit1a systemd-logind[976]: New session 12 of user user@domain.local.
May 15 14:56:51 tgswksit1a audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg=‘unit=user-runtime-dir@810203472 comm=“systemd” exe=“/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
May 15 14:56:51 tgswksit1a systemd[1]: Started User Runtime Directory /run/user/810203472.
May 15 14:56:51 tgswksit1a systemd[1]: Starting User Manager for UID 810203472


It looks like is not creating the user slice part. Any idea?

6

Same problem here, but my username does not have any dot neither i use samba.
Bug 1814454 – Cannot login with usernames that contain a period has been pushed to stable, but still hapening to my (fully updated) system:

May 18 20:51:55 fos.madrid.medios.es audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg=‘unit=fprintd comm=“systemd” exe=“/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
May 18 20:51:58 fos.madrid.medios.es gdm-password][15258]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=sanmi@madrid.medios.es
May 18 20:51:58 fos.madrid.medios.es audit[15258]: USER_AUTH pid=15258 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_succeed_if,pam_succeed_if,pam_sss,pam_gnome_keyring acct=“sanmi@madrid.medios.es”>
May 18 20:51:58 fos.madrid.medios.es gdm-password][15258]: gkr-pam: unable to locate daemon control file
May 18 20:51:58 fos.madrid.medios.es gdm-password][15258]: gkr-pam: stashed password to try later in open session
May 18 20:51:58 fos.madrid.medios.es audit[15258]: USER_ACCT pid=15258 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct=“sanmi@madrid.medios.es” exe=“/usr/libexec/gdm-session-w>
May 18 20:51:58 fos.madrid.medios.es audit[15258]: CRED_ACQ pid=15258 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_localuser,pam_sss,pam_gnome_keyring acct=“sanmi@madrid.medios.es” exe=”/usr/libexec/gdm-s>
May 18 20:51:58 fos.madrid.medios.es gdm-password][15258]: pam_systemd(gdm-password:session): Failed to get user record: Invalid argument
May 18 20:51:58 fos.madrid.medios.es gdm-password][15258]: pam_unix(gdm-password:session): session opened for user sanmi@madrid.medios.es by (uid=0)
May 18 20:51:58 fos.madrid.medios.es gdm-password][15258]: gkr-pam: unable to locate daemon control file
May 18 20:51:58 fos.madrid.medios.es gdm-password][15258]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
May 18 20:51:58 fos.madrid.medios.es audit[15258]: USER_START pid=15258 uid=0 auid=610201124 ses=13 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_unix,>
May 18 20:51:58 fos.madrid.medios.es audit[15258]: USER_LOGIN pid=15258 uid=0 auid=610201124 ses=13 msg=‘uid=610201124 exe=“/usr/libexec/gdm-session-worker” hostname=? addr=? terminal=? res=success’

7

I was able to fix my issue updating systemd from rawhide. I have no issues whatsoever now. This is what I’m using now:

systemd-245.5-2.fc33.x86_64
systemd-libs-245.5-2.fc33.x86_64
systemd-container-245.5-2.fc33.x86_64
systemd-pam-245.5-2.fc33.x86_64
systemd-libs-245.5-2.fc33.i686
systemd-rpm-macros-245.5-2.fc33.noarch
systemd-udev-245.5-2.fc33.x86_64

Good luck!

8

Unfortunately upgrading to rawhide did not resolve the problem for me:

$ rpm -qa | grep systemd
systemd-rpm-macros-245.6-1.fc33.noarch
systemd-libs-245.6-1.fc33.x86_64
systemd-245.6-1.fc33.x86_64
systemd-pam-245.6-1.fc33.x86_64
systemd-udev-245.6-1.fc33.x86_64
python3-systemd-234-13.fc33.x86_64
python-systemd-doc-234-13.fc33.x86_64
libreport-plugin-systemd-journal-2.13.1-2.fc33.x86_64
systemd-container-245.6-1.fc33.x86_64
rpm-plugin-systemd-inhibit-4.16.0-0.beta1.1.fc33.1.x86_64

journalctl -b:

Jun 02 12:28:53 hostname gdm-password][1629]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=ad_user
Jun 02 12:28:53 hostname audit[1629]: USER_AUTH pid=1629 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_usertype,pam_usertype,pam_sss,pam_gnome_keyring acct="ad_user" exe="/usr/libexec/gdm-session-worker" hostname=hostname addr=? terminal=/dev/tty1 res=success'
Jun 02 12:28:53 hostname gdm-password][1629]: gkr-pam: unable to locate daemon control file
Jun 02 12:28:53 hostname gdm-password][1629]: gkr-pam: stashed password to try later in open session
Jun 02 12:28:53 hostname gdm-password][1629]: pam_sss(gdm-password:account): Access denied for user ad_user: 4 (System error)
Jun 02 12:28:53 hostname audit[1629]: USER_ACCT pid=1629 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="ad_user" exe="/usr/libexec/gdm-session-worker" hostname=hostname addr=? terminal=/dev/tty1 res=failed'

Perhaps related to this bugzilla

9

ran into this too - the correct answer to this will be with use of the authselect tool but I was in a hurry and had enough info at hand to just change the pam.d files necessary.

Below - changes to system-auth work for password logins via command line - password-auth file is included / referenced by gdm-password and solves the problem of GDM login failure.

Run below to apply config changes - if you can’t wait to reboot, you can flip runlevels quickly to get in; systemctl isolate runlevel3; systemctl isolate runlevel5

cat << EOF > /etc/pam.d/system-auth 
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so
session     required      pam_unix.so
EOF
cat /etc/pam.d/system-auth > /etc/pam.d/password-auth

I do need to do a clean install now and get the authselect options figured out for this as GDM will inevitably not be the only issue - I’ll do my best to remember to update with the command once tested.

10

sigh - this was way simpler than expected 


authselect select -f sssd

2 Likes
11

This has been fixed for me with updates. I ran out some updates on a virtual machine that wasn’t working and the updates fixed it so it works out of the box. I have then since upgraded a Fedora 31 machine (my daily driver) to Fedora 32 and the upgrade didn’t mess up the auth and all works as expected.

12

For me, the issue is that IPA Short Names don’t work with F32/Rawhide. I have to use the fully qualified UPN: user@ad.domain.com instead of just user.

13 
$ rpm -q --changelog krb5-libs | grep -B 1 -e short
* Wed Jul 08 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-10
- Set qualify_shortname empty in default configuration

Could this be related to your problem?

14

I can log in to a console just fine using the short name, it’s just the Gnome session that crashes afterwards. I’ve tested this using clean installations of Fedora 31/32/Rawhide in a VM. 31 works, 32+ doesn’t. Details are here

1 Like