can't login with homectl user; homectl indicates key is revoked

[sirspudd]

systemd version the issue has been seen with

v245

Used distribution

Arch

Expected behaviour you didn't see

The ability to login

Unexpected behaviour you saw

Can't login via gdm or via tty

Steps to reproduce the problem

When sshing in via classic user channel:

[root@vpnwalker /]# homectl inspect z
   User name: z
       State: inactive
 Disposition: regular
    Login OK: yes
 Password OK: yes
         UID: 60511
         GID: 60511 (z)
   Directory: /home/z
     Storage: luks (strong encryption)
  Image Path: /home/z.home
   Removable: no
       Shell: /bin/bash
LUKS Discard: no
 Mount Flags: nosuid nodev exec
   Disk Size: 3.3G
  Disk Floor: 5.0M
Disk Ceiling: 4.6G
    Next Try: anytime
 Auth. Limit: 30 attempts per 1min
   Passwords: none
     Service: io.systemd.Home

This was a functional well loved autostarting libvirtd VM, which was working before I briefly migrated to linux-ck, which prevented this exact VM from successfully running a graphical interface hence my backtracking. On return to a stock kernel, the VM resumed working but I was unable to login to my homectl governed user.

[poettering]

What are the errors you get? Anything in syslog?

[sirspudd]

Logged in as root:

homectl activate z
Operation on home z failed: Failed to execute operation: Key has been revoked

complete journald contents over the course of this action:

Mar 30 13:05:33 vpnwalker systemd-homed[375]: z: changing state fixating-for-activation → unfixated
Mar 30 13:05:33 vpnwalker systemd-homed[375]: Fixation failed: Key has been revoked
Mar 30 13:05:33 vpnwalker systemd-homed[375]: z: changing state unfixated → fixating-for-activation

[poettering]

hmm, can you provide "homectl inspect -j" of the user?

Your user has no password defined and no PKCS#11 module either, so it cannot be authenticated. How did you create it?

[sirspudd]

[root@vpnwalker sirspudd]# homectl inspect -j z
{
        "userName" : "z",
        "disposition" : "regular",
        "binding" : {
                "54ce6922aa28479497e71d1731613dbb" : {
                        "imagePath" : "/home/z.home",
                        "homeDirectory" : "/home/z",
                        "storage" : "luks",
                        "uid" : 60511,
                        "gid" : 60511
                }
        },
        "status" : {
                "54ce6922aa28479497e71d1731613dbb" : {
                        "state" : "unfixated",
                        "service" : "io.systemd.Home",
                        "diskSize" : 3554497536,
                        "diskCeiling" : 4547211264,
                        "diskFloor" : 5242880
                }
        }
}

I created this user using:

homectl create z

and then used this user for several days, before experimenting with muqss put this VM into an unusable state where I never managed to reach a login prompt; when I eventually did (by going back to a mainline kernel), I kept on failing to authenticate. I second guessed my memory of my password, but then verified I was not going mad by manually opening the home volume with cryptsetup

[matthewwardrop]

I am seeing similar issues for a home area on an external USB device. It works okay on the machine with which it was created, at least at first. If I remove the user, and then attempt to re-fixate the user on the same machine it fails. Likewise, it fails if I attempt to fixate it on a different machine (having copied the local.public file to the /var/lib/systemd/home/ folder as foo.public as advised by @poettering on the mailing list). The error message is the same as above in each case: "Key has been revoked." Journalctl reveals the same three lines as above.

I am also on Arch Linux, using systemd 245.2-2 (and everything else up to date).

[sirspudd]

@matthewwardrop Thank you for directing me to /var/lib/systemd/home/

[root@vpnwalker sirspudd]# file /var/lib/systemd/home/z.identity 
/var/lib/systemd/home/z.identity: empty

The host is running xfs on /, and as mentioned, the VM in question was hard power cycled a couple of times which I have seen in the past result in zero length files

[dsreyes1014]

hmm, can you provide "homectl inspect -j" of the user?

Your user has no password defined and no PKCS#11 module either, so it cannot be authenticated. How did you create it?

So if we don't create a user home dir with --pkcs11-token-uri=... this can't be migrated?

[sirspudd]

Awesome:

/root [root@beast] [13:57]

file /var/lib/systemd/home/z.identity
/var/lib/systemd/home/z.identity: empty

I just managed to hit this again, now on a different machine.

This time my machine froze on GDM login when I tried to boot into 5.7 rc2; I was forced to hard reset the machine and on boot it was behaving exactly the way the VM this was initially reported against did.

/var/lib/systemd/home is XFS

[dsreyes1014]

Is there anything else we can do to see if there's way to migrate the USB stick to a different machine? It seems the information asked for has been provided.

[poettering]

I'll add some code that erases invalid files like that if it encounters them. And that syncs everything to disk whenver we change the files. And that generates better error messages.

[poettering]

Fix waiting in #15869