commit: a507d2e4bf7049b0fb569fb031cdc9c64cc4a70f
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 13 11:28:16 2025 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Oct 13 11:28:24 2025 +0000
URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=a507d2e4
system-local-login: move pam_gnome_keyring before system-login
Otherwise, pam_openrc seems to break pam_gnome_keyring's session handling.
Before, we get something like:
```
- Last output repeated 2 times -
Oct 13 15:54:19 [elogind-daemon] New session 2 of user larry.
Oct 13 15:54:19 [pam_openrc] starting session
Oct 13 15:54:19 [pam_openrc] 1 sessions
Oct 13 15:54:19 [supervise-daemon] Supervisor command line: supervise-daemon
user.larry --start --respawn-max 3 --respawn-period 5 --notify fd:3
/usr/libexec/rc/bin/openrc-user -- larry
Oct 13 15:54:19 [supervise-daemon] Child command line:
/usr/libexec/rc/bin/openrc-user larry
Oct 13 15:54:19 [elogind-daemon] Existing logind session ID 2 used by new audit
session, ignoring.
Oct 13 15:54:19 [gnome-keyring-daemon] module_instances: assertion 'funcs !=
NULL && "instances"' failed
- Last output repeated twice -
Oct 13 15:54:19 [gnome-keyring-daemon] lookup_login_keyring: assertion
'GCK_IS_SESSION (session)' failed
Oct 13 15:54:19 [gnome-keyring-daemon] create_credential: assertion
'GCK_IS_SESSION (session)' failed
Oct 13 15:54:19 [gnome-keyring-daemon] egg_error_message: assertion 'error'
failed
Oct 13 15:54:19 [gnome-keyring-daemon] couldn't create login credential:
(unknown)
Oct 13 15:54:19 [pam_openrc] gkr-pam: the password for the login keyring was
invalid.
Oct 13 15:54:19 [pam_openrc] gkr-pam: couldn't unlock the login keyring.
```
After, we get:
```
Oct 13 16:17:06 [gnome-session-binary]
CODE_FILE=../gnome-session-48.0/gnome-session/gsm-manager.c:CODE_LINE=1408:start_phase:Entering
running state
Oct 13 16:17:07 [gnome-keyring-daemon] couldn't access control socket:
/run/user/32/keyring/control: No such file or directory
Oct 13 16:17:07 [gnome-keyring-daemon] discover_other_daemon: 0
[...]
- Last output repeated 2 times -
Oct 13 16:17:11 [elogind-daemon] New session 2 of user larry.
Oct 13 16:17:11 [pam_openrc] starting session
Oct 13 16:17:11 [pam_openrc] 1 sessions
Oct 13 16:17:11 [supervise-daemon] Supervisor command line: supervise-daemon
user.larry --start --respawn-max 3 --respawn-period 5 --notify fd:3
/usr/libexec/rc/bin/openrc-user -- larry
Oct 13 16:17:11 [supervise-daemon] Child command line:
/usr/libexec/rc/bin/openrc-user larry
Oct 13 16:17:11 [elogind-daemon] Existing logind session ID 2 used by new audit
session, ignoring.
Oct 13 16:17:11 [pam_openrc] gkr-pam: couldn't unlock the login keyring.
```
I'm not completely happy with this still, but I'm happy enough to go with
it. There's definitely a missing session in the 1st case. I'm wondering
if pam_openrc is doing something wrong but I haven't spotted *what*
yet.
Thanks to zyxhere for interactively debugging with me on IRC.
Closes: https://bugs.gentoo.org/964268
Closes: https://github.com/gentoo/pambase/pull/27
Signed-off-by: Sam James <sam <AT> gentoo.org>
templates/system-local-login.tpl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/system-local-login.tpl b/templates/system-local-login.tpl
index f133719..5e01090 100644
--- a/templates/system-local-login.tpl
+++ b/templates/system-local-login.tpl
@@ -7,7 +7,7 @@ password include system-login
{% if gnome_keyring %}
password optional pam_gnome_keyring.so use_authtok
{% endif %}
-session include system-login
{% if gnome_keyring %}
session optional pam_gnome_keyring.so auto_start
{% endif %}
+session include system-login
