
aims team mailing list archive

[Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

 

Hi,

Grzegorz Gutowski (gzegzol) wrote on 2014-04-29: "Without suid it seems
that call (with correct username) to getspnam in function
get_account_info in file passverify.c in pam/modules/pam_unix returns
NULL. I don't understand this behaviour. I wrote a simple c program that
calls getspnam and it works as expected when called from unprivileged
user."

A call to getspnam(3) as an unprivileged user returns NULL; that's
expected. (nss_compat returns errno = EACCES since we can't read
/etc/shadow; nss_ldapd returns errno = ENOENT as a generic "not found"
code.)

The unix_chkpwd helper is sgid to shadow so that it can read
/etc/shadow, but nss_ldapd still returns ENOENT to shadow queries. If we
make unix_chkpwd suid, then nss_ldapd returns real shadow results; but
this is only a workaround (and a potentially dangerous one, at that).

What I see happening when I attempt to unlock the screen:

- the auth stack is fine;
- in the account stack, pam_unix returns PAM_AUTHINFO_UNAVAIL (from unix_chkpwd), and it falls into pam_deny after that (since pam_ldap is Additional).

gnome-screensaver works only because it actually ignores the result from
the account stack and proceeds anyway:
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/gnome-screensaver/trusty/view/head:/src/gs-auth-pam.c#L519

Some possible workarounds are:

- chmod u+s /sbin/unix_chkpwd (potentially dangerous, not recommended);
- dpkg-reconfigure libnss-ldapd and disable the shadow service (then pam_unix doesn't try consulting it);
- use libnss-ldap instead of libnss-ldapd, since it allows everyone to read shadow entries;
- use libnss-sss instead of libnss-ldapd, since it does not support the shadow service at all (in trusty, at least);
- make libpam-ldapd's account rule Primary instead of Additional (but this was already done and subsequently reverted by its maintainer in 0.8.8-1 and 0.8.8-2).

I'm not sure why some people reported experiencing this bug when using
libnss-ldap or libnss-sss. I'd want to review their PAM and NSS setups
in that case.

This is all about trusty so far... still have to look at utopic/vivid.

-- 
You received this bug notification because you are a member of AIMS,
which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1314095

Title:
  Unity Lockscreen in 14.04 can't unlock when using LDAP account

Status in Unity:
  Confirmed
Status in unity package in Ubuntu:
  Confirmed

Bug description:
  My setup is:

  Ubuntu 14.04 LTS,
  ldap accounts,
  krb5 authentication,
  Lightdm,
  Unity session

  ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent passwd and getent shadow works fine.
  I am able to login in console without any problems.
  I was able to login in lightdm.
  Then I used the lock screen.
  I could not disable the lock screen using my password.
  I rebooted my computer.

  Now:
  After logging in through lightdm, the unity lockscreen locks the screen immediately and I can not disable it using my password.

  From my short inspection of auth.log and unix_chkpwd sources it seems,
  that unix_chkpwd works fine when called from lightdm and fails to get
  user info when called from unity lockscreen.


  lsb_release -rd
  Description:	Ubuntu 14.04 LTS
  Release:	14.04

  apt-cache policy unity lightdm libpam-modules
  unity:
    Installed: 7.2.0+14.04.20140416-0ubuntu1
    Candidate: 7.2.0+14.04.20140416-0ubuntu1
    Version table:
   *** 7.2.0+14.04.20140416-0ubuntu1 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status
  lightdm:
    Installed: 1.10.0-0ubuntu3
    Candidate: 1.10.0-0ubuntu3
    Version table:
   *** 1.10.0-0ubuntu3 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status
  libpam-modules:
    Installed: 1.1.8-1ubuntu2
    Candidate: 1.1.8-1ubuntu2
    Version table:
   *** 1.1.8-1ubuntu2 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status

  Contents of /var/log/auth.log:

  Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"
  Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost=  user=user
  Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
  Apr 29 06:49:32 localhost lightdm[15604]: pam_unix(lightdm-greeter:session): session closed for user lightdm
  Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
  Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for user (user)
  Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser= rhost=  user=user
  Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
  Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info (user)
  Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info (user)
  Apr 29 06:49:37 localhost compiz: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"

  cat /etc/pam.d/common-auth 
  account     required    pam_unix.so
  auth        required    pam_group.so
  auth [success=2 default=ignore] pam_unix.so try_first_pass nullok_secure
  auth [success=1 default=ignore] pam_krb5.so try_first_pass minimum_uid=200
  auth        requisite   pam_deny.so
  auth        required    pam_permit.so

  auth        optional    pam_afs_session.so minimum_uid=200
  auth        optional    pam_ecryptfs.so unwrap
  auth        optional    pam_cap.so

  cat /etc/pam.d/common-account 
  account     required    pam_unix.so

  cat /etc/pam.d/lightdm
  auth        requisite   pam_nologin.so
  auth        sufficient  pam_succeed_if.so user ingroup nopasswdlogin
  @include common-auth
  auth        optional    pam_gnome_keyring.so
  @include common-account
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
  auth        optional    pam_group.so
  session     required    pam_limits.so
  @include common-session
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
  session     optional    pam_gnome_keyring.so auto_start
  session     required    pam_env.so readenv=1
  session     required    pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
  @include common-password

To manage notifications about this bug go to:
https://bugs.launchpad.net/unity/+bug/1314095/+subscriptions
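The getspnam(3) behaviour discussed above (a NULL result as an unprivileged caller, with nss_compat leaving errno = EACCES and nss_ldapd leaving errno = ENOENT) is the part of this thread that is easiest to misread, since both cases look identical to a program that only checks the pointer. The probe below is an added example written for this page; it is not code from the bug report, from pam_unix or from unix_chkpwd. It separates "no entry" from "entry unreadable" by inspecting errno, and prints the caller's real and effective ids so the effect of running it sgid shadow (as unix_chkpwd does) is visible. The errno classification is this example's own convention, and the username `no-such-user-7d1e` used in the test is a made-up account name:

```c
/* shadowprobe.c: added example for this bug thread, not code from pam_unix,
 * unix_chkpwd or the reporter. Looks a user up in the shadow database and
 * reports whether a NULL getspnam() result means "no entry" (errno 0/ENOENT,
 * what nss_ldapd returns here) or "entry unreadable" (errno EACCES, what
 * nss_compat returns to a caller that cannot open /etc/shadow). */
#include <errno.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum shadow_result {
    SHADOW_OK,         /* entry returned, hash available */
    SHADOW_NOT_FOUND,  /* backend reports no such entry */
    SHADOW_NO_ACCESS,  /* backend refused to read the shadow database */
    SHADOW_ERROR       /* anything else (ENOMEM, ERANGE, ...) */
};

/* Classification used by this example for the errno left behind by a NULL
 * getspnam() result. The "not found" set (0, ENOENT, ESRCH) is an assumption
 * of this example, modelled on the getpwnam(3) convention. */
enum shadow_result classify_errno(int err)
{
    switch (err) {
    case 0:
    case ENOENT:
    case ESRCH:
        return SHADOW_NOT_FOUND;
    case EACCES:
        return SHADOW_NO_ACCESS;
    default:
        return SHADOW_ERROR;
    }
}

/* Look up one shadow entry. errno is cleared first because getspnam() only
 * sets it on failure and may leave a stale value otherwise. On success the
 * password hash is copied into hash_out (if given), which is what a checker
 * would hand to crypt(3). */
enum shadow_result lookup_shadow(const char *user, char *hash_out, size_t hash_len)
{
    errno = 0;
    struct spwd *sp = getspnam(user);
    if (sp == NULL)
        return classify_errno(errno);
    if (hash_out != NULL && hash_len > 0)
        snprintf(hash_out, hash_len, "%s", sp->sp_pwdp ? sp->sp_pwdp : "");
    return SHADOW_OK;
}

static const char *result_name(enum shadow_result r)
{
    switch (r) {
    case SHADOW_OK:        return "ok (entry readable)";
    case SHADOW_NOT_FOUND: return "not found (errno 0/ENOENT: backend reports no entry)";
    case SHADOW_NO_ACCESS: return "no access (errno EACCES: shadow database unreadable)";
    default:               return "error";
    }
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s USERNAME\n", argv[0]);
        return 2;
    }
    char hash[256];
    enum shadow_result r = lookup_shadow(argv[1], hash, sizeof hash);
    /* Show the ids so an sgid-shadow or suid copy of this binary is obvious. */
    printf("uid=%u euid=%u gid=%u egid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());
    printf("getspnam(\"%s\"): %s\n", argv[1], result_name(r));
    if (r == SHADOW_OK)
        printf("hash prefix: %.3s... (%zu bytes)\n", hash, strlen(hash));
    return r == SHADOW_OK ? 0 : 1;
}
```

Build with `gcc -Wall -o shadowprobe shadowprobe.c` and run it as a normal user against a local account: with nss_compat or files serving shadow it reports "no access" rather than "not found". To mirror the unix_chkpwd setup described above, `chgrp shadow shadowprobe && chmod g+s shadowprobe` (on a throwaway test machine) and run it again; the egid changes and a local account now reports "ok". Run the sgid copy against an LDAP account served by nss_ldapd and the message above says you should still get "not found", which is exactly the PAM_AUTHINFO_UNAVAIL path pam_unix takes in the account stack. Do not leave a suid copy lying around; the thread is explicit that suid is a workaround and a potentially dangerous one.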