Re: [systemd-devel] Upgrade 232 -> 233: user@XXX.service: Failed at step PAM spawning...
I'd like to summarize all the thoughts about this issue. The systemd behavior regarding PAM stack has been changed:

1. systemd-232: if PAM stack fails service unit is still started, so PAM errors are ignored.
2. systemd-233: if PAM stack fails service unit fails as well.

The second is IMO the right logic, please correct me if it's not the case. However the first one is just wrong, isn't it?

Regards,
Vlad.

On 29/04/17 18:19, Lennart Poettering wrote:
> On Sat, 29.04.17 16:59, Vlad (vo...@vovan.nl) wrote:
>
>> Thanks for the answer. I'd then rephrase my original question: I'd like
>> to know what has been changed in the systemd (pam_systemd?) version 233,
>> that now it fails to start user@xxx.service? If I downgrade to the
>> version 232, then systemd gives the same error, but still starts
>> user@xxx.service successfully (pam configuration is exactly the same for
>> both systemd versions).
> Here's an educated guess: maybe it's not pam_systemd that fails but
> pam_keyring, due to the recent keyring changes? (every service now
> gets its own fresh keyring set up, maybe the way you invoke
> pam_keyring clashes with that?)
>
> Anyway, please figure out which PAM module precisely fails, using PAM
> debugging. For that stuff please consult the PAM community or
> documentation.
>
> Thanks,
>
> Lennart
>

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Upgrade 232 -> 233: user@XXX.service: Failed at step PAM spawning...
I suppose you meant pam_keyinit, not pam_keyring, right? Although I saw that the new version of default "systemd-user" pam configuration file added pam_keyinit, I tested migration of systemd from 232 to 233 with exactly the same pam.d configuration (as I mentioned below). The _only_ thing that has been changed in the system is the version of installed systemd and this leads to failed user@xxx.service.

Vlad.

On 29/04/17 18:19, Lennart Poettering wrote:
> On Sat, 29.04.17 16:59, Vlad (vo...@vovan.nl) wrote:
>
>> Thanks for the answer. I'd then rephrase my original question: I'd like
>> to know what has been changed in the systemd (pam_systemd?) version 233,
>> that now it fails to start user@xxx.service? If I downgrade to the
>> version 232, then systemd gives the same error, but still starts
>> user@xxx.service successfully (pam configuration is exactly the same for
>> both systemd versions).
> Here's an educated guess: maybe it's not pam_systemd that fails but
> pam_keyring, due to the recent keyring changes? (every service now
> gets its own fresh keyring set up, maybe the way you invoke
> pam_keyring clashes with that?)
>
> Anyway, please figure out which PAM module precisely fails, using PAM
> debugging. For that stuff please consult the PAM community or
> documentation.
>
> Thanks,
>
> Lennart
>
Re: [systemd-devel] Upgrade 232 -> 233: user@XXX.service: Failed at step PAM spawning...
On Sat, 29.04.17 16:59, Vlad (vo...@vovan.nl) wrote:

> Thanks for the answer. I'd then rephrase my original question: I'd like
> to know what has been changed in the systemd (pam_systemd?) version 233,
> that now it fails to start user@xxx.service? If I downgrade to the
> version 232, then systemd gives the same error, but still starts
> user@xxx.service successfully (pam configuration is exactly the same for
> both systemd versions).

Here's an educated guess: maybe it's not pam_systemd that fails but pam_keyring, due to the recent keyring changes? (every service now gets its own fresh keyring set up, maybe the way you invoke pam_keyring clashes with that?)

Anyway, please figure out which PAM module precisely fails, using PAM debugging. For that stuff please consult the PAM community or documentation.

Thanks,

Lennart

--
Lennart Poettering, Red Hat
Re: [systemd-devel] Upgrade 232 -> 233: user@XXX.service: Failed at step PAM spawning...
Thanks for the answer. I'd then rephrase my original question: I'd like to know what has been changed in the systemd (pam_systemd?) version 233, that now it fails to start user@xxx.service? If I downgrade to the version 232, then systemd gives the same error, but still starts user@xxx.service successfully (pam configuration is exactly the same for both systemd versions).

Regards,
Vlad.

On 29/04/17 13:29, Lennart Poettering wrote:
> On Sat, 29.04.17 13:25, Vlad (vo...@vovan.nl) wrote:
>
>> Lennart,
>>
>> I've just tried your suggestion as well, but it doesn't change behavior.
>> I'm just wondering how it would be possible to investigate the error.
>> The message "user@xxx.service: Failed at step PAM spawning
>> /usr/lib/systemd/systemd: Operation not permitted" isn't very
>> descriptive. I enabled debug for pam_systemd, but it doesn't give useful
>> information in my case.
> Well, I figure you should look for PAM level debugging, not
> systemd level debugging for this. Contact the PAM community for help
> on that.
>
> But do note again that distros vary greatly on PAM, and while "-" is
> typically used on Fedora-based distros, IIRC other distros don't know
> or use that concept. Please ask your distro for help.
>
> Lennart
>
Re: [systemd-devel] Upgrade 232 -> 233: user@XXX.service: Failed at step PAM spawning...
On Sat, 29.04.17 13:25, Vlad (vo...@vovan.nl) wrote:

> Lennart,
>
> I've just tried your suggestion as well, but it doesn't change behavior.
> I'm just wondering how it would be possible to investigate the error.
> The message "user@xxx.service: Failed at step PAM spawning
> /usr/lib/systemd/systemd: Operation not permitted" isn't very
> descriptive. I enabled debug for pam_systemd, but it doesn't give useful
> information in my case.

Well, I figure you should look for PAM level debugging, not systemd level debugging for this. Contact the PAM community for help on that.

But do note again that distros vary greatly on PAM, and while "-" is typically used on Fedora-based distros, IIRC other distros don't know or use that concept. Please ask your distro for help.

Lennart

--
Lennart Poettering, Red Hat
Re: [systemd-devel] Upgrade 232 -> 233: user@XXX.service: Failed at step PAM spawning...
Lennart,

I've just tried your suggestion as well, but it doesn't change behavior. I'm just wondering how it would be possible to investigate the error. The message "user@xxx.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted" isn't very descriptive. I enabled debug for pam_systemd, but it doesn't give useful information in my case.

Regards,
Vlad.

On 29/04/17 12:21, Lennart Poettering wrote:
> On Sat, 29.04.17 11:13, Vlad (vo...@vovan.nl) wrote:
>
>> Hello,
>>
>> I've recently updated systemd and now user session is failing to start:
>> Apr 29 11:04:02 xxx systemd[550]: user@xxx.service: Failed at step PAM
>> spawning /usr/lib/systemd/systemd: Operation not permitted
>> Apr 29 11:04:02 xxx systemd[1]: Failed to start User Manager for UID xxx.
>> Apr 29 11:04:02 xxx lightdm[535]: pam_systemd(lightdm:session): Failed
>> to create session: Start job for unit user@xxx.service failed with 'failed'
>>
>> Apparently the previous version gives similar error as well, but doesn't
>> fail to start user session:
>> Apr 29 11:09:37 xxx systemd[565]: user@xxx.service: Failed at step PAM
>> spawning /usr/lib/systemd/systemd: Operation not permitted
>> Apr 29 11:09:37 xxx systemd[1]: Started User Manager for UID xxx.
>>
>> I'd appreciate any thoughts about this issue.
> Maybe your PAM snippet for your app changed the pam_systemd invocation
> from "ignore all errors" to "do not ignore errors"?
>
> PAM varies between distros, on Fedora-based distros lines that ignore
> failures in PAM configuration are usually prefixed with a single dash
> character. Maybe this was altered for you?
>
> Lennart
>
Re: [systemd-devel] Upgrade 232 -> 233: user@XXX.service: Failed at step PAM spawning...
Lennart,

As I can see pam_systemd is "optional" everywhere in pam.d configuration. Is that what you meant?

grep pam_systemd *
system-auth:session optional pam_systemd.so debug
systemd-user:session optional pam_systemd.so

Regards,
Vlad.

On 29/04/17 12:21, Lennart Poettering wrote:
> On Sat, 29.04.17 11:13, Vlad (vo...@vovan.nl) wrote:
>
>> Hello,
>>
>> I've recently updated systemd and now user session is failing to start:
>> Apr 29 11:04:02 xxx systemd[550]: user@xxx.service: Failed at step PAM
>> spawning /usr/lib/systemd/systemd: Operation not permitted
>> Apr 29 11:04:02 xxx systemd[1]: Failed to start User Manager for UID xxx.
>> Apr 29 11:04:02 xxx lightdm[535]: pam_systemd(lightdm:session): Failed
>> to create session: Start job for unit user@xxx.service failed with 'failed'
>>
>> Apparently the previous version gives similar error as well, but doesn't
>> fail to start user session:
>> Apr 29 11:09:37 xxx systemd[565]: user@xxx.service: Failed at step PAM
>> spawning /usr/lib/systemd/systemd: Operation not permitted
>> Apr 29 11:09:37 xxx systemd[1]: Started User Manager for UID xxx.
>>
>> I'd appreciate any thoughts about this issue.
> Maybe your PAM snippet for your app changed the pam_systemd invocation
> from "ignore all errors" to "do not ignore errors"?
>
> PAM varies between distros, on Fedora-based distros lines that ignore
> failures in PAM configuration are usually prefixed with a single dash
> character. Maybe this was altered for you?
>
> Lennart
>
Re: [systemd-devel] Upgrade 232 -> 233: user@XXX.service: Failed at step PAM spawning...
On Sat, 29.04.17 11:13, Vlad (vo...@vovan.nl) wrote:

> Hello,
>
> I've recently updated systemd and now user session is failing to start:
> Apr 29 11:04:02 xxx systemd[550]: user@xxx.service: Failed at step PAM
> spawning /usr/lib/systemd/systemd: Operation not permitted
> Apr 29 11:04:02 xxx systemd[1]: Failed to start User Manager for UID xxx.
> Apr 29 11:04:02 xxx lightdm[535]: pam_systemd(lightdm:session): Failed
> to create session: Start job for unit user@xxx.service failed with 'failed'
>
> Apparently the previous version gives similar error as well, but doesn't
> fail to start user session:
> Apr 29 11:09:37 xxx systemd[565]: user@xxx.service: Failed at step PAM
> spawning /usr/lib/systemd/systemd: Operation not permitted
> Apr 29 11:09:37 xxx systemd[1]: Started User Manager for UID xxx.
>
> I'd appreciate any thoughts about this issue.

Maybe your PAM snippet for your app changed the pam_systemd invocation from "ignore all errors" to "do not ignore errors"?

PAM varies between distros, on Fedora-based distros lines that ignore failures in PAM configuration are usually prefixed with a single dash character. Maybe this was altered for you?

Lennart

--
Lennart Poettering, Red Hat
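
Added example, not part of the thread and not systemd or Linux-PAM code: a small parser for pam.d session lines that narrows down which modules can make a session stack fail, as a first step before PAM-level debugging. The sample file contents and the function names (parse_pam, fatal_modules) are constructed for illustration.

```python
import re

# Constructed sample of a PAM service file (not taken from the thread).
SAMPLE = """\
# /etc/pam.d/systemd-user (constructed)
account  include   system-auth
session  required  pam_loginuid.so
-session optional  pam_keyinit.so force revoke
session  [success=ok default=bad] pam_limits.so
-session optional  pam_systemd.so debug
"""

LINE = re.compile(r"(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def failure_is_fatal(control):
    """True/False if a module failure fails the stack, None if this line alone cannot tell."""
    if control in ("required", "requisite"):
        return True
    if control in ("optional", "sufficient"):
        return False  # 'optional' only counts when it is the sole module of its type
    if control.startswith("["):
        # Simplification: judge bracket syntax by its default= action only.
        default = dict(kv.split("=", 1) for kv in control[1:-1].split()).get("default")
        return default in ("bad", "die") if default else None
    return None  # include / substack: result comes from the referenced file

def parse_pam(text, want_type="session"):
    """Return one record per configuration line of the requested type."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(2) != want_type:
            continue
        dash, _, control, module, args = m.groups()
        records.append({
            "module": module,
            "control": control,
            "args": args.split(),
            "silent_if_missing": dash == "-",  # leading '-': no log entry if the module is absent
            "fatal_on_failure": failure_is_fatal(control),
        })
    return records

def fatal_modules(text, want_type="session"):
    """Modules whose failure makes the whole stack of this type fail."""
    return [r["module"] for r in parse_pam(text, want_type) if r["fatal_on_failure"]]

if __name__ == "__main__":
    print("check these first:", fatal_modules(SAMPLE))
```

Lines reported with fatal_on_failure set to None (include, substack) have to be resolved by running the same parse over the referenced file.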