desktop-packages team mailing list archive

Thread
Date

[Bug 850298] Re: lightdm requires to enter the password twice to login in an AD domain when the password is in expiration period or when using cached_login

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: Renzo Bagnati <850298@xxxxxxxxxxxxxxxxxx>
Date: Thu, 15 Sep 2011 15:39:14 -0000
Reply-to: Bug 850298 <850298@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Attached requested log files.
They refer to a first login as the domain user 'ambiente' (at 17:05:14), which has password not in expiration period; and to a subsequent login as the domain user 'rbag', which has password in expiration period (first password entered at 17:07:09, second password at 17:08:09).
(The user 'rbag' is automatically selected when lightdm starts).

** Attachment added: "lightdm_logs.tgz"
   https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/850298/+attachment/2408189/+files/lightdm_logs.tgz

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/850298

Title:
  lightdm requires to enter the password twice to login in an AD domain
  when the password is in expiration period or when using cached_login

Status in “lightdm” package in Ubuntu:
  Incomplete

Bug description:
  I'm using an up-to-date oneiric workstation joined through samba and winbind to an AD domain controlled by a Windows server.
  Login as domain users is possible without problems in normal conditions, using a pam configuration like this in /etc/pam/common-auth:

  auth    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login

  However, when the domain password is in expiration period (defaults to
  14 days before) or when using cached_login (when the network is
  unavailable), the password must be entered twice in lightdm to
  effectively start the user session.

  Here is an example of what happens, with lines copied from
  /var/log/auth.log

  ...[enter password for the first time in lightdm login screen]

  Sep 14 17:03:49 vmo-amb20 lightdm: pam_unix(lightdm:session): session opened for user lightdm by (uid=0)
  Sep 14 17:03:50 vmo-amb20 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "rbag"
  Sep 14 17:03:50 vmo-amb20 lightdm: pam_winbind(lightdm:auth): getting password (0x00000380)
  Sep 14 17:04:00 vmo-amb20 lightdm: pam_winbind(lightdm:auth): user 'rbag' granted access

  ...[lightdm does not display any message and just clears the password box]
  ...[enter password for the second time and login session starts]

  Sep 14 17:04:04 vmo-amb20 lightdm: pam_unix(lightdm:session): session closed for user lightdm
  Sep 14 17:04:04 vmo-amb20 lightdm: pam_winbind(lightdm:setcred): user 'lightdm' OK
  Sep 14 17:04:04 vmo-amb20 lightdm: pam_unix(lightdm:session): session opened for user rbag by (uid=0)

  If I use a text console this does not happen and I can login normally
  as a domain user; the screen just shows a warning about the days
  before password expiration or about the unavailability of a network
  connection.

  The bug could be related to this one reported for GDM:
  https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/613371

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/850298/+subscriptions

References

[Bug 850298] [NEW] lightdm requires to enter the password twice to login in an AD domain when the password is in expiration period or when using cached_login
From: Renzo Bagnati, 2011-09-14