https://bugs.kde.org/show_bug.cgi?id=490924
--- Comment #18 from Fabian Vogt <fab...@ritter-vogt.de> ---
(In reply to Sophie Dexter from comment #16)
> (In reply to Fabian Vogt from comment #12)
> > I don't see any new info in either of those logs unfortunately. What's the
> > full content of both kde and password-auth PAM configs?
>
> Files in attachments with 2 versions of 'password-auth' file, one for the
> 'sssd' profile, the other for the 'local' profile.
>
> I read Fedora Magazine's article on Fedora 40 migrating to the new 'local'
> profile and noticed the default local profile does not include fingerprint
> readers which piqued my interest since the logs mention both fingerprint and
> smartcard readers, but I don't have either.
>
> Long story short, I switched to authselect's local profile and the problem
> almost goes away... With the local profile I see the lock screen shake when
> I press the sleep button and my system then sleeps without any further
> action on my part. My password is accepted at the first attempt when I wake
> my system as it should be.

Perfect! That means the cause is most likely pam_sss.

> I do however still see broken PAM conversation errors in journalctl
> indicating this is not a true fix.

That's expected, the code sends PAM_CONV_ERR when suspending. That's what the diff in comment #1 commented out.

> If you are using authselect's local
> profile it may explain why you haven't noticed your password being rejected.
>
> I'd still like to track down the cause and help fix whatever the issue is :-)

Me too. Can you please try this (with the working local config as base): "auth sufficient pam_sss.so forward_pass" after pam_unix (this should bring the issue back) and then "auth sufficient pam_sss.so use_first_pass" instead? I wonder whether that avoids the issue as well. Please keep a local root shell open when editing PAM config.

If this works, the PAM_CONV_ERR return does not fully quit the PAM stack and it just gets stuck at pam_sss.
The fix would be to return PAM_CONV_ERR until pam_authenticate returns failure.
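
The two test variants requested in the comment above, generated from a base stack without writing anything under /etc/pam.d (an added example, not part of the original thread or of any project's code). The base stack is a constructed stand-in for the auth section of a working 'local' profile password-auth file, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed stand-in for the auth section of a working "local" profile
# password-auth file; the real file on a given system may differ.
base_stack() {
cat <<'EOF'
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok
auth        required      pam_deny.so
EOF
}

# with_pam_sss OPTION: copy the stack read on stdin to stdout, adding
# "auth sufficient pam_sss.so OPTION" directly after the pam_unix auth line.
# Exits non-zero unless exactly one pam_unix auth line was found, so a
# stack with an unexpected layout is not edited silently.
with_pam_sss() {
    awk -v opt="$1" '
        { print }
        $1 == "auth" && $3 == "pam_unix.so" {
            printf "auth        sufficient    pam_sss.so %s\n", opt
            hits++
        }
        END { exit (hits == 1 ? 0 : 1) }
    '
}

# Variant 1: the one the comment expects to bring the issue back.
variant_forward_pass()   { base_stack | with_pam_sss forward_pass; }
# Variant 2: the comparison case from the comment.
variant_use_first_pass() { base_stack | with_pam_sss use_first_pass; }

# "sh thisfile.sh show" prints both variants for review before any manual edit.
if [ "${1:-}" = "show" ]; then
    for v in forward_pass use_first_pass; do
        echo "## pam_sss.so $v"
        base_stack | with_pam_sss "$v"
    done
fi
```

The two outputs differ only in the pam_sss option on the line after pam_unix, which keeps the comparison between the two test runs clean.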