Running without pam-kwallet installed issues a warning in auth.log

Bug #1309535 reported by Simon Déziel
This bug affects 72 people
Affects | Status | Importance | Assigned to | Milestone
lightdm (Ubuntu) | Won't Fix | Low | Unassigned |
pam (Ubuntu) | Won't Fix | Low | Unassigned |

Bug Description

After upgrading to lightdm 1.10.0-0ubuntu2 I started to see this error in auth.log:

Apr 10 14:34:54 simon-laptop lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Apr 10 14:34:54 simon-laptop lightdm: PAM adding faulty module: pam_kwallet.so

This seems like a regression because with lightdm 1.10.0-0ubuntu1 or before I didn't have this error showing. FYI, I don't have the pam-kwallet package installed.

$ lsb_release -rd
Description: Ubuntu 14.04 LTS
Release: 14.04

$ apt-cache policy lightdm pam-kwallet
lightdm:
  Installed: 1.10.0-0ubuntu3
  Candidate: 1.10.0-0ubuntu3
  Version table:
 *** 1.10.0-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: lightdm 1.10.0-0ubuntu3
ProcVersionSignature: Ubuntu 3.13.0-24.46-generic 3.13.9
Uname: Linux 3.13.0-24-generic x86_64
ApportVersion: 2.14.1-0ubuntu3
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Apr 18 09:12:37 2014
InstallationDate: Installed on 2014-01-26 (81 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140124)
SourcePackage: lightdm
UpgradeStatus: No upgrade log present (probably fresh install)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lightdm (Ubuntu):
status: New → Confirmed
no longer affects: lightdm
ivo schindler (k-launchpad-b) wrote :

I've seen this error also, but because I was not able to login with lightdm anymore. I have an encrypted home and changed my password in the shell, so it seems like having different passwords for the system and the encrypted fs does not work. After changing back my system password I was able to log in again....

Max Kamashev (max-kamashev) wrote :

This error occurs when you try to switch to the second account. While logged in as a different user does not work :-(

sanchezz@live.ru (adorne) wrote :

It appears when trying to login with domain credentials.

Ed Harcourt (edharcourt) wrote :

I'm seeing this now too in 14.04. Same message in the auth.log file.

I'm doing AD authentication, was working fine, ran a dist-upgrade, and now AD authentication broken. Any suggested fix? I don't have pam_kwallet package installed and it is looking for the .so?

Thanks,

Ed

SeanBoran (sean-boran) wrote :

Installed a fresh 14.04 desktop, and joined to a Samba domain (server running 12.04 samba). Having set up samba as a member server with winbind, I can now enumerate Domain users and login via SSH. When logging in via the GUI desktop, the above happens:
- authentication success, the desktop starts coming up
- but then bombs out and comes back to the GUI login.

I commented out the wallet lines in /etc/pam.d/lightdm /etc/pam.d/lightdm-greeter, rebooted, but that didn't help.

/var/log/auth.log doesn't help much
May 23 15:57:33 ubuntu1 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "bob"
May 23 15:57:33 ubuntu1 lightdm: pam_winbind(lightdm:auth): getting password (0x00000000)
May 23 15:57:36 ubuntu1 lightdm: pam_winbind(lightdm:auth): user 'bob' granted access
May 23 15:57:36 ubuntu1 lightdm: pam_winbind(lightdm:account): user 'bob' granted access
May 23 15:57:36 ubuntu1 lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
May 23 15:57:36 ubuntu1 lightdm: pam_unix(lightdm:session): session opened for user bobby (uid=0)
May 23 15:57:38 ubuntu1 lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)

See attached for the lightdm logs, which are more verbose.

GwaiTsi (gwaitsi) wrote :

I have this issue too. I am connecting to an OMV NAS box via NFS from a 14.04 desktop.

Vishal Mahajan (vishal423) wrote :

I am also facing a similar issue on the 64-bit version. Using terminal, I am able to login with domain credentials, however, with GUI I see similar logs in /var/logs/auth.log.

Do we have any workaround?

SeanBoran (sean-boran) wrote :

An update to #8: I no longer have this issue, but am not sure why.
Installed another 14.04 laptop and it worked fine, no need to change /etc/pam.d/lightdm /etc/pam.d/lightdm-greeter either.

Tips:
After joining the domain (e.g. net rpc getsid; net rpc join), try some of the following to verify your membership:

wbinfo -u
wbinfo -g
getent passwd MYUSER
getent passwd "MYDOMAIN\MYUSER"
wbinfo --authenticate=MOPACK\\MYUSER
ssh MYUSER@localhost

Make sure /home/MYDOMAIN exists and home directories belong to their users.

Ro (robert-markula) wrote :

I am facing this error message as well. The pam_kwallet.so plugin seems to be added to PAM automatically:

root@ubuntu:~# grep kwallet /etc/pam.d/*
/etc/pam.d/lightdm:auth optional pam_kwallet.so
/etc/pam.d/lightdm:session optional pam_kwallet.so auto_start
/etc/pam.d/lightdm-greeter:auth optional pam_kwallet.so
/etc/pam.d/lightdm-greeter:session optional pam_kwallet.so auto_start

No KDE Desktop Environment installed per se, only KDE-reliant software such as digikam.

zika (trti-ivko) wrote :

PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
still strikes in 14.04...
:~$ sudo systemctl status lightdm.service
lightdm.service - LSB: Start lightdm
   Loaded: loaded (/etc/init.d/lightdm)
   Active: failed (Result: timeout) since Tue 2014-06-24 13:24:40 CEST; 34min ago
  Process: 446 ExecStart=/etc/init.d/lightdm start (code=killed, signal=TERM)
   CGroup: name=systemd:/system/lightdm.service
           ├─ 482 /usr/sbin/lightdm -d
           ├─1337 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
           └─1391 lightdm --session-child 12 21

Jun 24 13:24:40 zika systemd[1]: lightdm.service operation timed out. Terminating.
Jun 24 13:24:40 zika systemd[1]: Failed to start LSB: Start lightdm.
Jun 24 13:24:40 zika systemd[1]: Unit lightdm.service entered failed state.
Jun 24 13:26:28 zika lightdm[1341]: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Jun 24 13:26:28 zika lightdm[1341]: PAM adding faulty module: pam_kwallet.so
Jun 24 13:26:28 zika lightdm[1341]: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Jun 24 13:26:30 zika lightdm[1391]: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Jun 24 13:26:30 zika lightdm[1391]: PAM adding faulty module: pam_kwallet.so
Jun 24 13:26:30 zika lightdm[1391]: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "zika"
Jun 24 13:26:40 zika lightdm[1391]: pam_unix(lightdm:session): session opened for user zika by (uid=0)

zika (4zika4) wrote :

Error given above might be attributed to the following two additional facts:
That was with:
1. slim installed
2. 3.16 kernel under all that...
Now that I've booted with 3.14-liquorix and with slim purged there is no error...

Bram Geron (bgeron) wrote :

I get similar messages, and I don't do domain authentication (that I know of); samba is not installed. I'm on a fairly regular install: single-user laptop, though I have a test user as well. Updated 14.04 install on x64. I use Unity.

I also get similar messages from compiz:

Jul 4 21:18:44 tinker compiz: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Jul 4 21:18:44 tinker compiz: PAM adding faulty module: pam_kwallet.so
Jul 4 21:18:44 tinker compiz: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "bgeron"

I have seen such messages from compiz both before and after lightdm, so it seems not to be a version thing. Perhaps multiple causes?

I got the compiz message upon locking my screen. When I switch to the other user, I additionally get this:

Jul 5 00:08:04 tinker lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Jul 5 00:08:04 tinker lightdm: PAM adding faulty module: pam_kwallet.so
Jul 5 00:08:04 tinker lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" was met by user "myotheruser"
Jul 5 00:08:04 tinker lightdm: pam_unix(lightdm:session): session opened for user myotheruser by (uid=0)
Jul 5 00:08:04 tinker lightdm: pam_ck_connector(lightdm:session): cannot determine display-device

Maybe we should we tag compiz in this ticket as well?

bgeron@tinker ~> lsb_release -rd
Description: Ubuntu 14.04 LTS
Release: 14.04
bgeron@tinker ~> apt-cache policy lightdm compiz pam-kwallet
lightdm:
  Installed: 1.10.1-0ubuntu1
  Candidate: 1.10.1-0ubuntu1
  Version table:
 *** 1.10.1-0ubuntu1 0
        500 http://nl.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.10.0-0ubuntu3 0
        500 http://nl.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
compiz:
  Installed: 1:0.9.11+14.04.20140409-0ubuntu1
  Candidate: 1:0.9.11+14.04.20140423-0ubuntu1
  Version table:
     1:0.9.11+14.04.20140423-0ubuntu1 0
        500 http://nl.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
 *** 1:0.9.11+14.04.20140409-0ubuntu1 0
        500 http://nl.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status
pam-kwallet:
  Installed: (none)
  Candidate: 0.0~git20140410-0ubuntu2.1
  Version table:
     0.0~git20140410-0ubuntu2.1 0
        500 http://nl.archive.ubuntu.com/ubuntu/ trusty-updates/universe amd64 Packages
     0.0~git20140410-0ubuntu2 0
        500 http://nl.archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
bgeron@tinker ~> uname -a
Linux tinker 3.13.0-30-generic #54-Ubuntu SMP Mon Jun 9 22:45:01 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Bram Geron (bgeron) wrote :

That's weird. Update Manager doesn't show any updates, but aptitude (and apt-cache) do for compiz. Will try™ to report back when I installed the 1:0.9.11+14.04.20140423-0ubuntu1 update.

Bram Geron (bgeron) wrote :

Updated compiz to 1:0.9.11+14.04.20140423-0ubuntu1; still same problems.

dino99 (9d9)
tags: added: utopic
summary: - lightdm: PAM unable to dlopen(pam_kwallet.so):
- /lib/security/pam_kwallet.so
+ Running without pam-kwallet installed issues a warning in auth.log
Changed in lightdm (Ubuntu):
importance: Undecided → Low
status: Confirmed → Triaged
Robert Ancell (robert-ancell) wrote :

This is due to us adding pam_kwallet to the configuration so that KDE could work correctly with LightDM (bug 1305307). The warning occurs in Ubuntu because you don't have pam-kwallet installed and PAM warns if a module is not found (even if it is marked optional as in this case). KDE users will have a similar warning about pam_gnome_keyring being missing.

The only solutions I can think of are:
- Force users to install both libpam-gnome-keyring and pam-kwallet (seems excessive)
- Modify PAM not to report the error (but I don't think PAM can really tell if we expected the module to not exist).
- Use different PAM configuration for kubuntu/ubuntu (but then you can't log into both from the same install).
- ...

Given the warning is harmless I'm not proposing taking any action.

Changed in pam (Ubuntu):
importance: Undecided → Low
Changed in lightdm (Ubuntu):
status: Triaged → Won't Fix
Changed in pam (Ubuntu):
status: New → Won't Fix
Mario César Señoranis (mariocesar) wrote :

A workaround is to comment the following lines:

#auth optional pam_kwallet.so
#session optional pam_kwallet.so auto_start

in /etc/pam.d/lightdm file

Alexis Wilke (alexis-m2osw) wrote :

There is information about KWallet.

https://wiki.archlinux.org/index.php/KDE_Wallet

It is marked as optional because it is allowed to fail as it does when you are running with Gnome (unity uses Gnome by default). So this is not a bug. You may comment out the lines as shown in #19 but you may regret it if you switch to KUbuntu one day...

Roadowl (roadowl) wrote :

Apologist Alexis Wilke says "So this is not a bug.".
Hogwash, say I.
Read that what you're writing yourself with care, dear Alexis.

j. rose (rose-r) wrote :

Six months later I have the same issue. I can't login as ordinary user rose with lightdm.
It is an Ubuntu 15.04 for armv7l.
At the beginning I saw the issues with kwallet, which is not installed. I commented out the corresponding lines in. I have now:

root@odroid6:~# cat /etc/pam.d/lightdm
#%PAM-1.0
auth requisite pam_nologin.so
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
#auth optional pam_kwallet.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
#session optional pam_kwallet.so auto_start
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-password

and

root@odroid6:~# cat /etc/pam.d/lightdm-greeter
#%PAM-1.0
auth required pam_permit.so
auth optional pam_gnome_keyring.so
#auth optional pam_kwallet.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
#session optional pam_kwallet.so auto_start
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale

It seems that my password is accepted (login via ssh works perfectly), but with lightdm I get only a black screen with mouse cursor. Login as user odroid which is in group nopasswdlogin with lightdm works too.

After trying to login as user rose, I have to login with ssh and kill all processes owned by rose. At the end of /var/log/auth.log I see:

Oct 28 19:34:17 odroid6 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "rose"
Oct 28 19:34:26 odroid6 lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Oct 28 19:34:26 odroid6 lightdm: pam_unix(lightdm:session): session opened for user rose by (uid=0)
Oct 28 19:34:26 odroid6 systemd-logind[651]: New session c8 of user rose.
Oct 28 19:34:26 odroid6 systemd: pam_unix(systemd-user:session): session opened for user rose by (uid=0)
Oct 28 19:35:10 odroid6 systemd-logind[651]: Removed session c6.
Oct 28 19:35:10 odroid6 systemd: pam_unix(systemd-user:session): session closed for user lightdm

Seth Arnold (seth-arnold) wrote :

j. rose, please file a new bug for your issue; this bug is about the kwallet warning messages which are confusing but otherwise harmless. Your situation sounds very different.

To file the bug, please run: apport-bug lightdm

Feel free to copy-and-paste the description, it's a great start.

Thanks

Jeff Silverman (jeffsilverm) wrote :

I have seen the same thing in 15.04. Looking further, I see that the entire /lib/security directory is missing. So I'm a little curious as to what else is gone.

Funny thing is that it was working. I don't know what precipitated the problem.

j. rose filed this bug as https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1511824. Thank you, j. rose.

Jeff Silverman

j2r7 (jrramsay) wrote :

Same issue. With LDAP.

The pam_wallet error is what shows up in the auth.log - but it is the failure of Lightdm to work that triggers it.

Lightdm fails - but if I go to term and do getent or id user it works. If I wait, it works. If the box goes to hibernate, it fails the first time (incorrect LDAP password - which it isn't) and works the second time.

It is like lightdm has a second/useless hibernation screen login.

If I modify lightdm - I get different failures. My logs and configs and results are the same as all the "lightdm fails" bugs out there.

Ross Patterson (rossp) wrote :

I think an *error* message in the logs for a condition that isn't actually an error (not having kwallet installed in this case), is indeed a bug.

WinEunuchs2Unix (ricklee518) wrote :

#19 works for me except there are two extra lines and another identical file to change:

    #auth optional pam_kwallet.so
    #auth optional pam_kwallet5.so
    #session optional pam_kwallet.so auto_start
    #session optional pam_kwallet5.so auto_start

...are the four lines to comment out.

    /etc/pam.d/lightdm
    /etc/pam.d/lightdm-greeter

...are the two files to modify.

A. Denton (aquina) wrote :

I can confirm the problem with `journalctl`:

Jan 03 01:05:13 tron lightdm[12730]: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or dire
Jan 03 01:05:13 tron lightdm[12730]: PAM adding faulty module: pam_kwallet.so
Jan 03 01:05:13 tron lightdm[12730]: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or di
Jan 03 01:05:13 tron lightdm[12730]: PAM adding faulty module: pam_kwallet5.so
Jan 03 01:05:14 tron lightdm[12841]: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or dire
Jan 03 01:05:14 tron lightdm[12841]: PAM adding faulty module: pam_kwallet.so
Jan 03 01:05:14 tron lightdm[12841]: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or di
Jan 03 01:05:14 tron lightdm[12841]: PAM adding faulty module: pam_kwallet5.so

The lines were created during logins, i.e. initial logins or after locking the screen (xflock4) and unlocking it again.

The workaround I used was to change /etc/pam.d/lightdm and /etc/pam.d/lightdm-greeter and comment out (#) the following lines (in both files):

#auth optional pam_kwallet.so
#auth optional pam_kwallet5.so
...
#session optional pam_kwallet.so auto_start
#session optional pam_kwallet5.so auto_start

So far the systemd log is clear of those loglines. A different workaround would be to simply install the KDE component.

Olivier Duclos (odc) wrote :

The correct way to fix this issue is not to comment out the lines mentioning kwallet, but to make the modules silent by prepending a '-' (dash) to each line. Example:

# /etc/pam.d/lightdm
-auth optional pam_kwallet.so
-auth optional pam_kwallet5.so
-session optional pam_kwallet.so auto_start
-session optional pam_kwallet5.so auto_start

Same in /etc/pam.d/lightdm-greeter.

This feature is mentioned in the pam.conf(5) manpage:

If the type value from the list above is prepended with a - character
the PAM library will not log to the system log if it is not possible to
load the module because it is missing in the system. This can be useful
especially for modules which are not always installed on the system and
are not required for correct authentication and authorization of the
login session.
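
The following is an added example, not part of the comment above and not code from Ubuntu or the PAM project: a small audit that applies the pam.conf(5) rule quoted above, listing entries whose module file is missing and proposing the '-' prefix only for entries whose control is `optional`. The function names, the constructed sample config and the module directory argument are assumptions (the log lines on this page show PAM searching /lib/security).

```shell
#!/bin/sh
# Added example, not from the bug report. All sample files are constructed.
TAB=$(printf '\t')

# noisy_entries PAM_FILE MODULE_DIR
# Prints "line<TAB>type<TAB>control<TAB>module" for each entry whose module
# is absent from MODULE_DIR and whose type lacks the '-' prefix.
noisy_entries() {
    awk '
        /^[ \t]*(#|$)/   { next }    # comment or blank line
        $1 == "@include" { next }    # included stacks are separate files
        $1 ~ /^-/        { next }    # already silent when missing
        {
            i = 2                     # control may be "[a=b c=d]"
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            print NR "\t" $1 "\t" $2 "\t" $(i + 1)
        }' "$1" |
    while IFS="$TAB" read -r line type control module; do
        case $module in
            /*) path=$module ;;       # absolute module path
            *)  path=$2/$module ;;
        esac
        [ -e "$path" ] ||
            printf '%s\t%s\t%s\t%s\n' "$line" "$type" "$control" "$module"
    done
}

# silence_optional PAM_FILE MODULE_DIR
# Writes PAM_FILE to stdout with '-' prepended to missing entries whose
# control is "optional"; other missing modules are left loud on purpose.
silence_optional() {
    lines=$(noisy_entries "$1" "$2" |
        awk -F'\t' '$3 == "optional" { printf "%s ", $1 }')
    awk -v lines="$lines" '
        BEGIN { n = split(lines, a, " "); for (k = 1; k <= n; k++) hit[a[k]] = 1 }
        NR in hit { sub(/^[ \t]*/, "&-") }
        { print }' "$1"
}

# make_fixture: builds a constructed config and module directory, prints path.
make_fixture() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/security"
    : > "$dir/security/pam_gnome_keyring.so"   # the only "installed" module
    cat > "$dir/lightdm" <<'EOF'
#%PAM-1.0
auth    requisite       pam_nologin.so
auth    optional        pam_gnome_keyring.so
auth    optional        pam_kwallet.so
-auth   optional        pam_kwallet5.so
session optional        pam_kwallet.so auto_start
EOF
    printf '%s\n' "$dir"
}

d=$(make_fixture) || exit 1
noisy_entries "$d/lightdm" "$d/security"      # report
silence_optional "$d/lightdm" "$d/security"   # proposed replacement file
rm -rf "$d"
```

The script never edits a file in place; compare the output of silence_optional with the original before installing it. A missing module with a control other than `optional` (the constructed pam_nologin.so line here) stays in the report and is not prefixed.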
