diff --git a/0001-gdm-Only-emit-verification-failed-for-foreground-ser.patch b/0001-gdm-Only-emit-verification-failed-for-foreground-ser.patch
deleted file mode 100644
index 61c40bc..0000000
--- a/0001-gdm-Only-emit-verification-failed-for-foreground-ser.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 0074c6870b284578d25c06b61ab8011cf8bbb8da Mon Sep 17 00:00:00 2001
-From: Benjamin Berg
-Date: Fri, 23 Apr 2021 19:44:52 +0200
-Subject: [PATCH] gdm: Only emit verification failed for foreground service
-
-A failing background service should not count as a verification failure
-as the user can still try to continue using the current foreground
-service.
-
-As such, only emit the 'verification-failed' signal when the failing
-service was the foreground service.
-
-Closes: #3853
----
- js/gdm/util.js | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/js/gdm/util.js b/js/gdm/util.js
-index 1ee84acde..e7e575dba 100644
---- a/js/gdm/util.js
-+++ b/js/gdm/util.js
-@@ -721,7 +721,8 @@ var ShellUserVerifier = class {
- }
- }
-
-- this.emit('verification-failed', serviceName, canRetry);
-+ if (this.serviceIsForeground(serviceName))
-+ this.emit('verification-failed', serviceName, canRetry);
- }
-
- _onServiceUnavailable(_client, serviceName, errorMessage) {
---
-2.30.2
-
diff --git a/0001-gdm-Work-around-failing-fingerprint-auth.patch b/0001-gdm-Work-around-failing-fingerprint-auth.patch
new file mode 100644
index 0000000..caac09f
--- /dev/null
+++ b/0001-gdm-Work-around-failing-fingerprint-auth.patch
@@ -0,0 +1,67 @@
+From 22df9fa5e3c973d5a194f2bbdbcdd4a64511bc93 Mon Sep 17 00:00:00 2001
+From: Benjamin Berg
+Date: Wed, 28 Apr 2021 16:50:03 +0200
+Subject: [PATCH] gdm: Work around failing fingerprint auth
+
+On Fedora we have the problem that fingerprint auth fails immediately if
+the PAM configuration has not been updated and no prints are enrolled.
+
+So, consider a verification failure within one second to be a service
+failure instead.
+---
+ js/gdm/util.js | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/js/gdm/util.js b/js/gdm/util.js
+index b02cd4d73..118a05100 100644
+--- a/js/gdm/util.js
++++ b/js/gdm/util.js
+@@ -157,6 +157,7 @@ var ShellUserVerifier = class {
+ null,
+ null,
+ Gio.DBusProxyFlags.DO_NOT_LOAD_PROPERTIES);
++ this._fprintStartTime = -1;
+ this._smartcardManager = SmartcardManager.getSmartcardManager();
+
+ // We check for smartcards right away, since an inserted smartcard
+@@ -543,6 +544,10 @@ var ShellUserVerifier = class {
+ async _startService(serviceName) {
+ this._hold.acquire();
+ try {
++ if (serviceName == FINGERPRINT_SERVICE_NAME) {
++ this._fprintStartTime = GLib.get_monotonic_time();
++ }
++
+ if (this._userName) {
+ await this._userVerifier.call_begin_verification_for_user(
+ serviceName, this._userName, this._cancellable);
+@@ -624,6 +629,7 @@ var ShellUserVerifier = class {
+ const cancellable = this._cancellable;
+ this._fingerprintFailedId = GLib.timeout_add(GLib.PRIORITY_DEFAULT,
+ FINGERPRINT_ERROR_TIMEOUT_WAIT, () => {
++ log("Generating _verificationFailed!");
+ this._fingerprintFailedId = 0;
+ if (!cancellable.is_cancelled())
+ this._verificationFailed(serviceName, false);
+@@ -689,6 +695,18 @@ var ShellUserVerifier = class {
+ if (serviceName === FINGERPRINT_SERVICE_NAME) {
+ if (this._fingerprintFailedId)
+ GLib.source_remove(this._fingerprintFailedId);
++
++ // On Fedora we have the problem that fingerprint auth fails
++ // immediately if the PAM configuration has not been updated and no
++ // prints are enrolled.
++ // So, consider a verification failure within one second to be a service
++ // failure instead.
++ if (this._fprintStartTime > GLib.get_monotonic_time() - GLib.USEC_PER_SEC) {
++ log("Fingerprint service failed almost immediately, considering it unavailable.");
++ log("Please fix your configuration by running: authselect select --force sssd with-fingerprint with-silent-lastlog");
++ this._onServiceUnavailable(this._client, serviceName, null);
++ return;
++ }
+ }
+
+ // For Not Listed / enterprise logins, immediately reset
+--
+2.31.1
+
diff --git a/1821.patch b/1821.patch
new file mode 100644
index 0000000..cff93c3
--- /dev/null
+++ b/1821.patch
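Review bot: The one-second check added to `_verificationFailed` returns through `_onServiceUnavailable` before any of the retry and failure handling below it runs, so a fingerprint failure that arrives within a second of `_startService` for any reason is treated as a configuration problem rather than as a failed attempt. Whether that path still counts as a failed attempt is not visible in these hunks; a comment stating the intended behaviour, or a narrower test for the "no prints enrolled" case, would make the authentication flow explicit. `log("Generating _verificationFailed!");` in the timeout callback reads like a leftover debug trace and could be dropped, and `serviceName == FINGERPRINT_SERVICE_NAME` in `_startService` should use `===` as the comparison in `_verificationFailed` does. All of the touched functions continue outside the patch's hunks.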
@@ -0,0 +1,221 @@
+From e7998b4d5547d65d88c56d428a65c9fb3bbeadb0 Mon Sep 17 00:00:00 2001
+From: Ray Strode
+Date: Wed, 28 Apr 2021 10:36:46 -0400
+Subject: [PATCH 1/5] authPrompt: Don't clear querying service unless querying
+ service fails
+
+At the moment we treat a failure in any service as a signal to stop
+tracking users responses to service questions.
+
+This commit makes sure we don't stop waiting for answers if a background
+service fails.
+---
+ js/gdm/authPrompt.js | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/js/gdm/authPrompt.js b/js/gdm/authPrompt.js
+index d2c9a16594..c182d74318 100644
+--- a/js/gdm/authPrompt.js
++++ b/js/gdm/authPrompt.js
+@@ -280,8 +280,11 @@ var AuthPrompt = GObject.registerClass({
+
+ _onVerificationFailed(userVerifier, serviceName, canRetry) {
+ const wasQueryingService = this._queryingService === serviceName;
+- this._queryingService = null;
+- this.clear();
++
++ if (wasQueryingService) {
++ this._queryingService = null;
++ this.clear();
++ }
+
+ this.updateSensitivity(canRetry);
+ this.setActorInDefaultButtonWell(null);
+--
+GitLab
+
+
+From ca290737ab3ecb028f03c9189dac6131e2dcf3bc Mon Sep 17 00:00:00 2001
+From: Ray Strode
+Date: Wed, 28 Apr 2021 10:38:58 -0400
+Subject: [PATCH 2/5] authPrompt: Don't fail auth prompt until user is out of
+ retries
+
+At the moment we set the state of the auth prompt to failed any
+time the user fails an attempt. But verification is still going
+on until the user exhausts all attempts, so that's wrong.
+
+This commit changes it to only set the state to failed when the
+user is out of tries.
+---
+ js/gdm/authPrompt.js | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/js/gdm/authPrompt.js b/js/gdm/authPrompt.js
+index c182d74318..d111cadd1b 100644
+--- a/js/gdm/authPrompt.js
++++ b/js/gdm/authPrompt.js
+@@ -288,7 +288,9 @@ var AuthPrompt = GObject.registerClass({
+
+ this.updateSensitivity(canRetry);
+ this.setActorInDefaultButtonWell(null);
+- this.verificationStatus = AuthPromptStatus.VERIFICATION_FAILED;
++
++ if (!canRetry)
++ this.verificationStatus = AuthPromptStatus.VERIFICATION_FAILED;
+
+ if (wasQueryingService)
+ Util.wiggle(this._entry);
+--
+GitLab
+
+
+From 36ccf63b7a219b7e0eb11158f39c8823a25eb058 Mon Sep 17 00:00:00 2001
+From: Ray Strode
+Date: Wed, 28 Apr 2021 10:42:14 -0400
+Subject: [PATCH 3/5] gdm: Flip canRetry boolean to doneTrying on verification
+ failure
+
+This commit just flips a boolean in the verification failed handler
+to make things easier to read.
+---
+ js/gdm/util.js | 33 +++++++++++++++++----------------
+ 1 file changed, 17 insertions(+), 16 deletions(-)
+
+diff --git a/js/gdm/util.js b/js/gdm/util.js
+index 1ee84acde2..bb120a81c2 100644
+--- a/js/gdm/util.js
++++ b/js/gdm/util.js
+@@ -685,29 +685,19 @@ var ShellUserVerifier = class {
+ (this._reauthOnly || this._failCounter < this.allowedFailures);
+ }
+
+- _verificationFailed(serviceName, retry) {
++ _verificationFailed(serviceName, shouldRetry) {
+ // For Not Listed / enterprise logins, immediately reset
+ // the dialog
+ // Otherwise, when in login mode we allow ALLOWED_FAILURES attempts.
+ // After that, we go back to the welcome screen.
+
+- const canRetry = retry && this._canRetry();
+-
+ this._disconnectSignals();
++
+ this._filterServiceMessages(serviceName, MessageType.ERROR);
+
+- if (canRetry) {
+- if (!this.hasPendingMessages) {
+- this._retry(serviceName);
+- } else {
+- const cancellable = this._cancellable;
+- let signalId = this.connect('no-more-messages', () => {
+- this.disconnect(signalId);
+- if (!cancellable.is_cancelled())
+- this._retry(serviceName);
+- });
+- }
+- } else {
++ const doneTrying = !shouldRetry || !this._canRetry();
++
++ if (doneTrying) {
+ // eslint-disable-next-line no-lonely-if
+ if (!this.hasPendingMessages) {
+ this._cancelAndReset();
+@@ -721,7 +711,18 @@ var ShellUserVerifier = class {
+ }
+ }
+
+- this.emit('verification-failed', serviceName, canRetry);
++ this.emit('verification-failed', serviceName, !doneTrying);
++
++ if (!this.hasPendingMessages) {
++ this._retry(serviceName);
++ } else {
++ const cancellable = this._cancellable;
++ let signalId = this.connect('no-more-messages', () => {
++ this.disconnect(signalId);
++ if (!cancellable.is_cancelled())
++ this._retry(serviceName);
++ });
++ }
+ }
+
+ _onServiceUnavailable(_client, serviceName, errorMessage) {
+--
+GitLab
+
+
+From de06a365e968691a4c2b39de8d5903a92f3663ec Mon Sep 17 00:00:00 2001
+From: Ray Strode
+Date: Wed, 28 Apr 2021 10:44:56 -0400
+Subject: [PATCH 4/5] gdm: Only disconect verification signals when not going
+ to retry
+
+At the moment a failure in a background service can lead to the
+various verification signals getting disconnected, even though
+we still need them for a foreground service.
+
+This commit changes the code to only disconnect when we've run
+out of tries.
+---
+ js/gdm/util.js | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/js/gdm/util.js b/js/gdm/util.js
+index bb120a81c2..bdc14b7519 100644
+--- a/js/gdm/util.js
++++ b/js/gdm/util.js
+@@ -691,13 +691,13 @@ var ShellUserVerifier = class {
+ // Otherwise, when in login mode we allow ALLOWED_FAILURES attempts.
+ // After that, we go back to the welcome screen.
+
+- this._disconnectSignals();
+-
+ this._filterServiceMessages(serviceName, MessageType.ERROR);
+
+ const doneTrying = !shouldRetry || !this._canRetry();
+
+ if (doneTrying) {
++ this._disconnectSignals();
++
+ // eslint-disable-next-line no-lonely-if
+ if (!this.hasPendingMessages) {
+ this._cancelAndReset();
+--
+GitLab
+
+
+From 70f1e4a0d41956a5e91c31bea4d0060c9eb0bf45 Mon Sep 17 00:00:00 2001
+From: Benjamin Berg
+Date: Wed, 28 Apr 2021 18:32:22 +0200
+Subject: [PATCH 5/5] gdm: Remove pending fingerprint verification failure
+
+It can happen that we get a problem report and a verification failure at
+the same time. For fingerprint, a problem report can result in an
+internal verification failure to be queued.
+
+Remove this queued failure again if we got a failure already from GDM
+directly.
+---
+ js/gdm/util.js | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/js/gdm/util.js b/js/gdm/util.js
+index bdc14b7519..b02cd4d734 100644
+--- a/js/gdm/util.js
++++ b/js/gdm/util.js
+@@ -686,6 +686,11 @@ var ShellUserVerifier = class {
+ }
+
+ _verificationFailed(serviceName, shouldRetry) {
++ if (serviceName === FINGERPRINT_SERVICE_NAME) {
++ if (this._fingerprintFailedId)
++ GLib.source_remove(this._fingerprintFailedId);
++ }
++
+ // For Not Listed / enterprise logins, immediately reset
+ // the dialog
+ // Otherwise, when in login mode we allow ALLOWED_FAILURES attempts.
+--
+GitLab
+
diff --git a/gnome-shell.spec b/gnome-shell.spec
index 68d1f99..e078e94 100644
--- a/gnome-shell.spec
+++ b/gnome-shell.spec
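Review bot: In patch 3/5 the retry block that used to sit under `if (canRetry)` is re-added after `this.emit('verification-failed', ...)` with no condition, so `_retry(serviceName)` is reached even when `doneTrying` is true; on the branch without pending messages there is no `is_cancelled()` check in front of it either. The commit message describes the change as only flipping a boolean, so this looks unintended, and wrapping the re-added block in `if (!doneTrying) { ... }` would keep the old behaviour of not restarting a service once the attempts are used up. Separately, patch 5/5 calls `GLib.source_remove(this._fingerprintFailedId);` without a following `this._fingerprintFailedId = 0;`, so a later failure could try to remove the same source id again. `_verificationFailed` and `_retry` are only partly visible in these hunks, so both points should be checked against the full file.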
@@ -2,7 +2,7 @@ Name: gnome-shell Version: 40.0 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Window management and application launching for GNOME License: GPLv2+ @@ -20,8 +20,11 @@ Patch10001: 0001-loginDialog-Allow-timed-login-with-disabled-user-lis.patch Patch10002: 0001-workspacesView-Fix-PgUp-PgDown-shortcut.patch Patch10003: 0002-workspacesView-Don-t-tie-PgUp-PgDown-to-mapped-state.patch -# Some users might have a broken PAM config, so we really need this -Patch10004: 0001-gdm-Only-emit-verification-failed-for-foreground-ser.patch +# Some users might have a broken PAM config, so we really need this. +# The upstream patchset fixes password auth after a fingerprint failure. +# The second is a downstream patch to stop trying on configuration errors. +Patch10004: https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1821.patch +Patch10005: 0001-gdm-Work-around-failing-fingerprint-auth.patch %define eds_version 3.33.1 @@ -237,6 +240,10 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/evolution-calendar.de %{_mandir}/man1/gnome-shell.1* %changelog +* Wed Apr 28 2021 Benjamin Berg - 40.0-5 +- Update fix for password auth after background service failure + Related: #1942443 + * Fri Apr 23 2021 Benjamin Berg - 40.0-4 - Fix password auth after secondary service failure Related: #1942443
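Review bot: The new `Patch10004:` line points at a merge-request `.patch` URL, and what that URL serves changes whenever the merge request is updated, so the URL alone does not identify the five commits stored in the committed `1821.patch`. Anyone refreshing the file from that URL later could pull in different code for the login authentication path without the spec showing it. A comment above the line that pins the snapshot would help, for example `# 1821.patch: snapshot of MR 1821 taken <date>, last commit <commit id>`, with the values filled in from the committed file.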