aims team mailing list archive

Thread
Date
[Bug 1314095] [NEW] Unity Lockscreen in 14.04 can't unlock when using LDAP account

To: aims@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1314095@xxxxxxxxxxxxxxxxxx>
Date: Tue, 27 May 2014 07:19:40 -0000
Reply-to: Bug 1314095 <1314095@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
You have been subscribed to a public bug by Jan Groenewald (jan-aims):

My setup is:

Ubuntu 14.04 LTS,
ldap accounts,
krb5 authentication,
Lightdm,
Unity session

ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent passwd and getent shadow works fine.
I am able to login in console without any problems.
I was able to login in lightdm.
Then I used the lock screen.
I could not disable the lock screen using my password.
I rebooted my computer.

Now:
After logging in through lightdm, the unity lockscreen locks the screen immediately and I can not disable it using my password.

>From my short inspection of auth.log and unix_chkpwd sources it seems,
that unix_chkpwd works fine when called from lightdm and fails to get
user info when called from unity lockscreen.


lsb_release -rd
Description:	Ubuntu 14.04 LTS
Release:	14.04

apt-cache policy unity lightdm libpam-modules
unity:
  Installed: 7.2.0+14.04.20140416-0ubuntu1
  Candidate: 7.2.0+14.04.20140416-0ubuntu1
  Version table:
 *** 7.2.0+14.04.20140416-0ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status
lightdm:
  Installed: 1.10.0-0ubuntu3
  Candidate: 1.10.0-0ubuntu3
  Version table:
 *** 1.10.0-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status
libpam-modules:
  Installed: 1.1.8-1ubuntu2
  Candidate: 1.1.8-1ubuntu2
  Version table:
 *** 1.1.8-1ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status

Contents of /var/log/auth.log:

Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"
Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost=  user=user
Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
Apr 29 06:49:32 localhost lightdm[15604]: pam_unix(lightdm-greeter:session): session closed for user lightdm
Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for user (user)
Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser= rhost=  user=user
Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info (user)
Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info (user)
Apr 29 06:49:37 localhost compiz: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"

cat /etc/pam.d/common-auth 
account     required    pam_unix.so
auth        required    pam_group.so
auth [success=2 default=ignore] pam_unix.so try_first_pass nullok_secure
auth [success=1 default=ignore] pam_krb5.so try_first_pass minimum_uid=200
auth        requisite   pam_deny.so
auth        required    pam_permit.so

auth        optional    pam_afs_session.so minimum_uid=200
auth        optional    pam_ecryptfs.so unwrap
auth        optional    pam_cap.so

cat /etc/pam.d/common-account 
account     required    pam_unix.so

cat /etc/pam.d/lightdm
auth        requisite   pam_nologin.so
auth        sufficient  pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth        optional    pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
auth        optional    pam_group.so
session     required    pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session     optional    pam_gnome_keyring.so auto_start
session     required    pam_env.so readenv=1
session     required    pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-password

** Affects: unity
     Importance: High
         Status: Confirmed

** Affects: unity (Ubuntu)
     Importance: High
         Status: Confirmed


** Tags: lockscreen
-- 
Unity Lockscreen in 14.04 can't unlock when using LDAP account
https://bugs.launchpad.net/bugs/1314095
You received this bug notification because you are a member of AIMS, which is subscribed to the bug report.