No user session created with xrdp and pam_systemd_home account module

[usul0184]

Thanks for a great program! Newbie here, apologies for any inaccuracies. A recent change to the PAM configuration files in Arch repositories seems to be causing problems with xrdp. The current version of /etc/pam.d/system-auth contains the following account section:

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

The first line, -account [success=1 default=ignore] pam_systemd_home.so, results in no user session being created in xrdp. The output of loginctl session-status is Could not get properties: Unknown object '/org/freedesktop/login1/session/auto'. This causes problems like being unable to start a polkit authentication agent.

For debug purposes, I’ve changed the malfunctioning pam_systemd_home.so line to account [default=ignore] pam_systemd_home.so debug. journalctl shows the following in what I think relevant part when connecting to xrdp:

Sep 08 18:13:45 bigone xrdp-sesman[642]: pam_systemd_home(xrdp-sesman:account): pam-systemd-homed account management
Sep 08 18:13:45 bigone dbus-daemon[618]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.1543' (uid=0 pid=642 comm="/usr/bin/xrdp-sesman --nodaemon ")
Sep 08 18:13:45 bigone dbus-daemon[618]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.home1.service': Unit dbus-org.freedesktop.home1.service not found.
Sep 08 18:13:45 bigone xrdp-sesman[642]: pam_systemd_home(xrdp-sesman:account): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Sep 08 18:13:45 bigone xrdp-sesman[642]: (642)(140313509857088)[INFO ] ++ created session (access granted): username esyu, ip 192.168.84.210:64145 - socket: 12
Sep 08 18:13:45 bigone xrdp-sesman[642]: (642)(140313509857088)[INFO ] starting Xvnc session...
Sep 08 18:13:45 bigone xrdp-sesman[642]: (642)(140313509857088)[DEBUG] Closed socket 38 (AF_INET 0.0.0.0:5910)
Sep 08 18:13:45 bigone xrdp-sesman[23600]: (23600)(140313509857088)[INFO ] calling auth_start_session from pid 23600
Sep 08 18:13:45 bigone xrdp[645]: (645)(140514163267136)[INFO ] xrdp_wm_log_msg: login successful for display 10
Sep 08 18:13:45 bigone xrdp-sesman[23600]: pam_systemd(xrdp-sesman:session): Failed to create session: No child processes
Sep 08 18:13:47 bigone xrdp-sesman[23731]: Failed to connect to session manager: Failed to connect to the session manager: Could not open network socket
Sep 08 18:13:52 bigone xrdp-sesman[23731]: xfsettingsd: No window manager registered on screen 0.
Sep 08 18:13:52 bigone xfsettingsd[23731]: Failed to get the _NET_NUMBER_OF_DESKTOPS property.

If the pam_systemd_home.so line is removed, everything works fine. Note that I do not have systemd-homed running. Xorg vs Xvnc makes no difference, nor does having a startwm.sh with just exec xterm in it.

Not sure if this is an xrdp problem or something else; for what it’s worth, local login and ssh work fine.

Additional info:

• OS and version: Manjaro 18.0 XFCE Edition
• xrdp version: 0.9.14
• xorgxrdp version: 0.2.14
• Client OS / Client software: Windows 10 Remote Desktop Connection
• Desktop: Xfce (but likely irrelevant; even xterm fails)
• Backend: Both Xorg and Xvnc

[matt335672]

Well, from what little research I've done on this, it seems that pam_systemd_home.so and systemd-homed go together:-

• Arch Linux systemd-homed description
• pam_systemd_home manpage

The error messages are consistent with this.

You've mentioned local logins and ssh are working OK. Are they using pam_systemd_home or the system-auth include?

Thanks.

[usul0184]

Local logins and ssh both include system_auth through a few other includes. For what it's worth, /etc/pam.d/sshd is the same as /etc/pam.d/xrdp-sesman. loginctl session-status works under an ssh connection with the pam_systemd_home.so line in system-auth, unlike xrdp.

The weird thing is that the pam_systemd_home.so line is essentially making it optional. The problem occurs even with [default=ignore], which should render the module completely redundant but still produces an effect for some reason.

Curious if this is reproducible on other distributions?

[matt335672]

I'll get a manjaro VM set up so I can investigate this. I'll let you know what I discover.

[matt335672]

Hi @usul0184

I've got a Manjaro VM up.

There seem to be two issues here:-

1. pam_systemd_home won't work without systemd-homed. This isn't related to xrdp. I get plentry of errors in the logs related to sudo, like this:-

Sep 11 12:20:55 manjaro sudo[103222]: pam_systemd_home(sudo:account): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.

2. pam_systemd in /etc/pam.d/system-login which is supposed to be creating the session is what is failing with XRDP. This happens to me whether or not pam_systemd_home is commented out.

So I think the pam_systemd_home messages above, which are after all related to the pam account type rather than the session type can be ignored.

debug can also be added to pam_systemd.so in /etc/pam.d/system-login. This produces the following:-

Sep 11 12:17:29 manjaro xrdp-sesman[102896]: pam_unix(xrdp-sesman:session): session opened for user mjb(uid=1000) by (uid=0)
Sep 11 12:17:29 manjaro xrdp-sesman[102896]: pam_systemd(xrdp-sesman:session): pam-systemd initializing
Sep 11 12:17:29 manjaro xrdp-sesman[102896]: pam_systemd(xrdp-sesman:session): Asking logind to create session: uid=1000 pid=102896 service=xrdp-sesman type=x11 class=user desktop= seat= vtnr=0 tty= display=:10 remote=no remote_user= remote_host=
Sep 11 12:17:29 manjaro xrdp-sesman[102896]: pam_systemd(xrdp-sesman:session): Session limits: memory_max=n/a tasks_max=n/a cpu_weight=n/a io_weight=n/a runtime_max_sec=n/a
Sep 11 12:17:29 manjaro xrdp-sesman[102896]: pam_systemd(xrdp-sesman:session): Failed to create session: No child processes

which brings us back to your comments on #778.

My findings seem to be at odds with yours. Are you saying that when you comment out pam_systemd_home you get sessions created? That doesn't seem to be what I'm seeing.

There also seem to be other session-related issues with Manjaro. If I log in on the console and log out again, loginctl doesn't appear to be cleaning up my old session. Are you seeing that?

[usul0184]

Thanks so much for looking into this! My thoughts below.

Yes, if I comment out -account [success=1 default=ignore] pam_systemd_home.so, a session is created.

I’ve added debug to pam_systemd.so in /etc/pam.d/system-login. If I keep pam_systemd_home.so (and no session is created), journalctl shows:

Sep 12 00:55:22 bigone xrdp-sesman[657]: pam_systemd_home(xrdp-sesman:account): pam-systemd-homed account management
Sep 12 00:55:22 bigone dbus-daemon[632]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.308' (uid=0 pid=657 comm="/usr/bin/xrdp-sesman --nodaemon ")
Sep 12 00:55:22 bigone dbus-daemon[632]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.home1.service': Unit dbus-org.freedesktop.home1.service not found.
Sep 12 00:55:22 bigone xrdp-sesman[657]: pam_systemd_home(xrdp-sesman:account): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Sep 12 00:55:22 bigone xrdp[660]: (660)(140366010705472)[INFO ] xrdp_wm_log_msg: login successful for display 10
Sep 12 00:55:22 bigone xrdp-sesman[4221]: (4221)(140238321407808)[INFO ] calling auth_start_session from pid 4221
Sep 12 00:55:22 bigone xrdp-sesman[4221]: pam_unix(xrdp-sesman:session): session opened for user esyu(uid=1000) by (uid=0)
Sep 12 00:55:22 bigone xrdp-sesman[4221]: pam_systemd(xrdp-sesman:session): pam-systemd initializing
Sep 12 00:55:22 bigone xrdp-sesman[4221]: pam_systemd(xrdp-sesman:session): Asking logind to create session: uid=1000 pid=4221 service=xrdp-sesman type=x11 class=user desktop= seat= vtnr=0 tty= display=:10 remote=no remote_user= remote_host=
Sep 12 00:55:22 bigone xrdp-sesman[4221]: pam_systemd(xrdp-sesman:session): Session limits: memory_max=n/a tasks_max=n/a cpu_weight=n/a io_weight=n/a runtime_max_sec=n/a
Sep 12 00:55:22 bigone xrdp-sesman[4221]: pam_systemd(xrdp-sesman:session): Failed to create session: No child processes

If I comment out pam_systemd_home.so (and a session is created), journalctl shows:

Sep 12 01:00:44 bigone xrdp-sesman[5216]: (5216)(140238321407808)[INFO ] calling auth_start_session from pid 5216
Sep 12 01:00:44 bigone xrdp[660]: (660)(140366010705472)[INFO ] xrdp_wm_log_msg: login successful for display 10
Sep 12 01:00:44 bigone xrdp-sesman[5216]: pam_unix(xrdp-sesman:session): session opened for user esyu(uid=1000) by (uid=0)
Sep 12 01:00:44 bigone xrdp-sesman[5216]: pam_systemd(xrdp-sesman:session): pam-systemd initializing
Sep 12 01:00:44 bigone xrdp-sesman[5216]: pam_systemd(xrdp-sesman:session): Asking logind to create session: uid=1000 pid=5216 service=xrdp-sesman type=x11 class=user desktop= seat= vtnr=0 tty= display=:10 remote=no remote_user= remote_host=
Sep 12 01:00:44 bigone xrdp-sesman[5216]: pam_systemd(xrdp-sesman:session): Session limits: memory_max=n/a tasks_max=n/a cpu_weight=n/a io_weight=n/a runtime_max_sec=n/a
Sep 12 01:00:44 bigone systemd-logind[634]: New session 11 of user esyu.
Sep 12 01:00:44 bigone systemd[1]: Started Session 11 of user esyu.
Sep 12 01:00:44 bigone xrdp-sesman[5216]: pam_systemd(xrdp-sesman:session): Reply from logind: id=11 object_path=/org/freedesktop/login1/session/_311 runtime_path=/run/user/1000 session_fd=12 seat= vtnr=0 original_uid=1000

It makes sense that pam_systemd_home won't work without systemd-homed. What I don’t understand is why it has an effect even when its control field is set to be entirely ignored.

I agree there are other session-related issues; it seems that certain processes aren’t terminated when logging out. Some quick Googling seems to indicate that is a problem with the individual programs. Setting KillUserProcesses=yes in /etc/systemd/logind.conf resolves this, but I don’t think that has any impact on the pam_systemd_home.so issue.

[matt335672]

I'm afraid I've hit a bit of a brick wall with this.

1. Removing pam_systemd_home.so has no affect on my (clean) installation. I get no difference in behaviour - just a "Failed to create session: No child processes". I'm running systemd 246.4-1. This is at odds with the behaviour reported above, but I can see no reason for it.
   2.I can't find a way in Manjaro to get hold of a debugging package in the same way that I can with RPM or DEB. Consequently I'm not able to step into the PAM module using a debugger to see what's going on. There doesn't even seem to be an easy way to just build a source package from the existing distro packages.

Regarding the second, this seems like such a basic thing to be missing from an open source distribution that I must be missing something. Can anyone enlighten me?

[usul0184]

Thanks for looking into this! I'm afraid I'm not knowledgeable enough to answer your questions either, unfortunately. But it does seem like other people are having the same problem: https://bbs.archlinux.org/viewtopic.php?id=258716, https://aur.archlinux.org/packages/xrdp/. Hopefully someone with more experience than I do can chime in?

[matt335672]

I've asked for some debugging pointers on the Manjaro forums. Hopefully I'm missing something straightforward.

[cpoulsen-dezide]

Any progress on this @matt335672 ? (I'm the poster of the issue on the arch board)

I can add that I have since tried creating a systemd-homed backed user, copied the previously working .xinitrc over and still has the same issue. (If that is any help at all).

[matt335672]

Still nothing to report here.

I've figured out how to build a debug systemd package now on Arch, so it's just finding the time to get into the nuts and bolts of this. It's definitely on the list, but please feel free to nag me again.

[matt335672]

Sorry - fat fingers.