Apparmor blocks GDM login for new users

Bug #870316 reported by HrevilO
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
apparmor (Ubuntu) | Invalid | Medium | Unassigned |
gdm (Ubuntu) | Triaged | Medium | Unassigned |

Bug Description

Creation of a new user after upgrade from 11.04 to 11.10 beta 2 fails in the following way:

The newly created user can't login at gdm (3.0.4-0ubuntu11).
gdm stops and outputs "could not update ICEauthority file /home/username/.ICEauthority"
ls -la /home/username/ at a shell logged in with the new username shows no such file.

Solution to this was:
Use lightdm (1.0.1-0ubuntu4) instead of gdm.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: gnome-system-tools 2.32.0-0ubuntu8
ProcVersionSignature: Ubuntu 3.0.0-12.19-generic 3.0.4
Uname: Linux 3.0.0-12-generic x86_64
ApportVersion: 1.23-0ubuntu2
Architecture: amd64
CheckboxSubmission: f919af6e19f0a575dfb14e568c875d23
CheckboxSystem: daed2f3d6643b4a84b4520a2427f8c2b
Date: Fri Oct 7 23:08:22 2011
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/users-admin
ProcEnviron:
 PATH=(custom, user)
 LANG=de_AT.UTF-8
 SHELL=/bin/bash
SourcePackage: gnome-system-tools
UpgradeStatus: No upgrade log present (probably fresh install)

HrevilO (oliver-h) wrote :
HrevilO (oliver-h)
description: updated
Milan Bouchet-Valat (nalimilan) wrote :

That's most likely a permission problem. What does ls -l /home/username/.ICEauthority say? How did you create the user? Could you try creating another test user too?

Changed in gnome-system-tools (Ubuntu):
status: New → Incomplete
importance: Undecided → Medium
HrevilO (oliver-h) wrote :

As already mentioned:
ls -la /home/username/ at a shell logged in with the new username shows no such file (.ICEauthority).

I tried:
copying the file from another user (that actually works) and changing the owner, group and permissions corresponding to the new user. Even using the new file with iceauth show worked without problems.
But login with gdm was still not possible.

The new user was created by "users-admin" and I tried it a few times with different usernames.

Milan Bouchet-Valat (nalimilan) wrote :

Sorry, I meant the output of ls -la /home/, i.e. to see the permissions set on the home folder. If you do
sudo su gdm
touch /home/username/.ICEauthority
does it work?

HrevilO (oliver-h) wrote :

ls -la /home/
shows that "drwxr-xr-x " and owner+group are the same as the user.
touch ... didn't help.

Interesting thing:
Once the new user was logged in with lightdm, the login with gdm also works perfectly. Even if /home/username/.ICEauthority doesn't exist.

HrevilO (oliver-h) wrote :

To be a bit more specific:
/home/username/.ICEauthority can be deleted before the login. It seems to be created again on login.

Milan Bouchet-Valat (nalimilan) wrote :

Yeah, the point of the GDM error is that it should be able to create it on login if not present. Have a look at /var/log/gdm/* and at ~/.xsession-errors and see whether there are more details.

affects: gnome-system-tools (Ubuntu) → gdm (Ubuntu)
HrevilO (oliver-h) wrote :

You're right, there are some errors in those logs.

xsession-errors says: "Failed to create secure directory: Keine Berechtigung" (means no permission)

And there are also some permission problems in /var/log/gdm/:0-slave.log (however, this file should be for the user I am currently working with? I experience no problems with that one...) and :0-slave.log.1 (there is my test user mentioned, and that is the one that fails).

for example:
(gnome-settings-daemon:3358): color-plugin-WARNING **: failed to create profile from EDID data: Fehler beim Erstellen des Ordners: Keine Berechtigung (means no permission to create folder)

Milan Bouchet-Valat (nalimilan) wrote :

Anything in /var/log/messages about apparmor or gdm?

Changed in gdm (Ubuntu):
status: Incomplete → Triaged
HrevilO (oliver-h) wrote :

after uncommenting

*.=info;*.=notice;*.=warn;\
 auth,authpriv.none;\
 cron,daemon.none;\
 mail,news.none -/var/log/messages
in "/etc/rsyslog.d/50-default.conf"

there are some messages about apparmor in /var/log/messages.

Changed in apparmor (Ubuntu):
importance: Undecided → Medium
summary: - creating of new user not compatible with gdm
+ Apparmor blocks GDM login for new users
Jamie Strandboge (jdstrand) wrote :

The apparmor messages are generated when trying to access the /home/test directory with the guest user. This is expected and by design and should not affect the 'test' user from logging in at all. Also, the denials are from the gdm guest session profile as shipped by gdm, so I am closing the apparmor task.

Changed in apparmor (Ubuntu):
status: New → Invalid
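
The triage step in the comment above (working out which profile and which uid the AppArmor denials belong to before blaming them for a login failure), as an added example that is not part of the original bug report. The log lines are constructed, and the profile name GUEST-SESSION-PROFILE, the uids 117 and 1001 and the function names are placeholders chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel audit format AppArmor uses; the
# profile name, uids and pids are placeholders, not values from this report.
SAMPLE_LOG = """\
Oct  7 23:01:10 host kernel: [  812.101] type=1400 audit(1318021270.101:31): apparmor="DENIED" operation="open" parent=3301 profile="GUEST-SESSION-PROFILE" name="/home/test/" pid=3350 comm="ls" requested_mask="r" denied_mask="r" fsuid=117 ouid=1001
Oct  7 23:01:12 host kernel: [  814.220] type=1400 audit(1318021272.220:32): apparmor="DENIED" operation="open" parent=3301 profile="GUEST-SESSION-PROFILE" name="/home/test/.profile" pid=3352 comm="cat" requested_mask="r" denied_mask="r" fsuid=117 ouid=1001
Oct  7 23:01:15 host kernel: [  817.003] type=1400 audit(1318021275.003:33): apparmor="STATUS" operation="profile_load" name="GUEST-SESSION-PROFILE" pid=900 comm="apparmor_parser"
Oct  7 23:02:40 host gdm[3358]: WARNING: unrelated constructed line
"""

# key="quoted value" or key=bare_value pairs as they appear in audit records
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return one dict of key=value fields per apparmor="DENIED" line."""
    denials = []
    for line in text.splitlines():
        fields = {k: (q if q else b) for k, q, b in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            denials.append(fields)
    return denials

def summarize(denials, login_uid):
    """Count denials per profile and list those raised by login_uid's own processes."""
    per_profile = Counter(d.get("profile", "?") for d in denials)
    # fsuid is the uid of the denied process; ouid is the owner of the object.
    own = [d for d in denials if d.get("fsuid") == str(login_uid)]
    return per_profile, own

if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    per_profile, own = summarize(denials, login_uid=1001)  # 1001: assumed uid of 'test'
    for profile, count in per_profile.items():
        print(f"{count} denial(s) under profile {profile}")
    print(f"denials raised by uid 1001's own processes: {len(own)}")
```

When every denial carries the guest profile and a guest fsuid, as in the constructed sample, none of them came from the affected user's session, so the cause of the failed login has to be sought elsewhere.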