
[Bug 1283957] Re: Lightdm changes case of username unless only certain users allowed

 

I'm sorry this bug has taken so long to find its way to the pam package.
Unfortunately, this is not a bug per se in either component.  The
problem is a semantic difference between the two different pam modules:
you are using pam_ldap, which does case-insensitive name lookups
(because that's how LDAP works), together with pam_listfile which, like
all the modules included in pam, works on case-sensitive usernames
(because this is the standard Unix semantics).

We could reassign this bug to libpam-ldap, but this seems unlikely to
result in a change in the behavior of that module since it's been that
way for over a decade and no one's figured out a good way to fix it yet.

** Changed in: pam (Ubuntu)
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of AIMS,
which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1283957

Title:
  Lightdm changes case of username unless only certain users allowed

Status in pam package in Ubuntu:
  Won't Fix

Bug description:
  Ubuntu 12.04

  On a desktop where our users are allowed to log in:
  Feb 24 08:04:24 southafrica lightdm: pam_ldap(lightdm:auth): username changed from Gerhard to gerhard
  and the user can successfully log in even though the username was typed with an upper case.

  On a desktop where we have a restricted list of users, the list is FIRST checked, before the case is changed, so the user cannot log in (admittedly when typing the username "incorrectly"), even though they are in the list of allowed users.
  Feb 24 08:04:18 southafrica lightdm: pam_listfile(lightdm:auth): Refused user Gerhard for service lightdm
  Feb 24 08:04:24 southafrica lightdm: pam_unix(lightdm:auth): check pass; user unknown
  Feb 24 08:04:24 southafrica lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= 
  Feb 24 08:04:24 southafrica lightdm: pam_winbind(lightdm:auth): getting password (0x00000388)
  Feb 24 08:04:24 southafrica lightdm: pam_winbind(lightdm:auth): pam_get_item returned a password
  Feb 24 08:04:24 southafrica lightdm: pam_ldap(lightdm:auth): username changed from Gerhard to gerhard

  0 root@southafrica:/etc/pam.d#grep allow lightdm
  auth required pam_listfile.so onerr=fail item=user sense=allow file=/etc/login.user.allowed
  0 root@southafrica:/etc/pam.d#grep -i gerhard /etc/login.user.allowed 
  gerhard

  
  A local override is to add gerhard AND Gerhard to /etc/login.user.allowed, but perhaps the upstream intention is to fix this typo for users.

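An added example (not part of the bug report, and not PAM's own code): a shell function that scans an auth log for pam_listfile refusals where the typed name differs from an allow-list entry only by case, which is the mismatch described in this report. The function names `case_refusals` and `demo` and the sample files are constructed for illustration; the first log line is the one quoted in the report.

```shell
#!/bin/sh
# case_refusals LOGFILE ALLOWFILE
# Prints "typed-name allow-list-entry service" once for each refused login
# whose name matches an allow-list entry case-insensitively but not exactly.
case_refusals() {
    awk -v allow="$2" '
        FILENAME == allow {               # allow-list: one username per line
            if ($0 != "") { exact[$0] = 1; folded[tolower($0)] = $0 }
            next
        }
        /pam_listfile.*Refused user / {
            user = ""
            for (i = 1; i < NF - 1; i++)
                if ($i == "Refused" && $(i + 1) == "user") user = $(i + 2)
            low = tolower(user)
            # Skip names that are simply absent from the list in any case.
            if (user != "" && !(user in exact) && (low in folded) &&
                !seen[user SUBSEP $NF]++)
                print user, folded[low], $NF
        }
    ' "$2" "$1"
}

# Constructed sample data: the allow-list from the report, plus log lines
# modelled on the one quoted there (the "guest" line is invented).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' gerhard > "$dir/allowed"
    cat > "$dir/auth.log" <<'EOF'
Feb 24 08:04:18 southafrica lightdm: pam_listfile(lightdm:auth): Refused user Gerhard for service lightdm
Feb 24 08:09:02 southafrica lightdm: pam_listfile(lightdm:auth): Refused user Gerhard for service lightdm
Feb 24 08:11:40 southafrica lightdm: pam_listfile(lightdm:auth): Refused user guest for service lightdm
EOF
    case_refusals "$dir/auth.log" "$dir/allowed"
    rm -rf "$dir"
}

demo
```

On the affected desktop the arguments would be the system auth log (on Ubuntu, /var/log/auth.log) and /etc/login.user.allowed.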