Could not login my device with correct passwords |
|||
Issue descriptionChrome Version: 59.0.3048.0 OS: Chrome OS 9360.0.0 dev-channel link test I enrolled my device in managedchrome.com domain in DM Test sever. Then I added two personal accounts on the device. After that, I logged in one account, and clicked the system tray to add another account in the session, but the password was rejected. I tried a few more times and eventually the system directed me to the feedback dialog, with pre-filled content pointing to Issue 547857 . But no matter which button I clicked (Send feedback or cancel), the feedback dialog could not be dismissed. Besides, there was no shelf & system tray on the background so seems the only solution to exit this weird state was to reboot the device. After rebooting, everything seems fine until now. Attached the log.
,
Mar 24 2017
Re #1. Trying to make sense of the log, but nothing obvious so far. 1) In fact, we have logged in with user #2 (bb994330609bd7e86e7134fe6b21f39f7932dee9) just fine. Then closed the session and immediately logged in with user #1 (b6e4684d3e816d3c17e7e35f0ca1d571a3e0c3c7). No issues. And then we are trying to mount the home for the 2nd user (bb994330609bd7e86e7134fe6b21f39f7932dee9). The keyset is there but we fail to decrypt it with the provided credentials. No TPM errors between the previous successful login and this unsuccessful attempt. It's not a lckout or communication issue - the error is clear: we fail to decrypt. It could have been explained by using wrong credentials. But right after that the session (with both users #1 and #2) is closed, and we start a new one, with user #2 only, and fail to use the credentials again (same error). Note that this time the session for the 1st user is closed. So, it's not just repeated attempts to add a user to the session. It's starting a new session with that 2nd user. It's unlikely wrong credentials are used this time... The keyset is never re-encrypted with the new authkey as result of these errors. Which is confirmed by the ability to login after reboot. After rebooting we succeeded when adding users to the session in the reverse order - first user #2, then user #1. I wonder, if the order matters here. When mounting cryptohomes, the keysets are scanned until the first one with a matching label is found. Or any one is found, if an empty label is provided. If several matching keysets exist, once we get an error for the first matching keyset, we don't attempt the others. Is it possible that there are two authkeys for user #2? (E.g. as a result of not clearing the disk when the TPM owner was cleared and leaving there old keysets?) And when we login, we specify some non-empty label which matches the second keyset, and it works fine with the credentials (since it matches the current cryptohome key). When we add a user to the session, we specify an empty label, and thus an old keyset is picked up (which assumes some old cryptohome). And it doesn't work, although the password is correct. 2) There're actually three users on the device, not two - is that right? And what I also don't quite understand is why we created the cryptohome for user #2 twice. That might be related to having two keysets for user #2: 2017-03-24T00:21:57.904064+00:00 INFO cryptohomed[1664]: Migrated (or created) user directory: /home/.shadow/20c9c19ab4319c104d667fdbba512189066dcfcc/vault 2017-03-24T00:22:33.338158+00:00 INFO cryptohomed[1664]: Migrated (or created) user directory: /home/.shadow/bb994330609bd7e86e7134fe6b21f39f7932dee9/vault 2017-03-24T00:24:04.767999+00:00 INFO cryptohomed[1664]: Migrated (or created) user directory: /home/.shadow/bb994330609bd7e86e7134fe6b21f39f7932dee9/vault 2017-03-24T00:24:49.322451+00:00 INFO cryptohomed[1664]: Migrated (or created) user directory: /home/.shadow/b6e4684d3e816d3c17e7e35f0ca1d571a3e0c3c7/vault 3) I also don't get the authorization errors when trying to access the public part of cryptohome key. Another explanation to all that could be that we loaded a wrong cryptohome key (so, decrypt and all accesses to it fail) due to some disk or memory glitch, or we somehow have a wrong cryptohome key handle. Or someone silently unloaded one cryptohome kye and loaded a different ones. But I don't see any lines that could hint that in the log. Bottomline: would be interesting to see if it's possible to reproduce the issue (e.g. by adding users to the session in a different order). If so, then check what's happening with the system in such case on a test image with extra debug. So far, no good clues.
,
Mar 30 2017
Thanks for the investigation and detailed observation! Re#2: I was testing some issue related to login screen, so I might have added one account and deleted it in the middle. And that's the reason I kept signing in and signing out. But when this issue popped out, I only have two accounts on the device, not 3 accounts. Unfortunately, I could not repro this case after rebooting, no matter in which order I log in the accounts. I'll update this thread if I can encounter this issue again in the future.
,
Feb 28 2018
Daisy, can we close this bug since we can't reproduce?
,
Feb 28 2018
I haven't seen this bug for a long time. Close it. |
|||
►
Sign in to add a comment |
|||
Comment 1 by xiy...@chromium.org
, Mar 24 2017