dx-packages team mailing list archive
-
dx-packages team
-
Mailing list archive
-
Message #17564
Re: [Aims] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account
Hi Joost,
I think those kwallet errors are harmless if you don't use KDE; I commented
mine out.
0 root@muizenberg:/etc/pam.d#grep kwal *
lightdm:#auth optional pam_kwallet.so
lightdm:#session optional pam_kwallet.so auto_start
lightdm.all.allowed:#auth optional pam_kwallet.so
lightdm.all.allowed:#session optional pam_kwallet.so auto_start
lightdm-greeter:#auth optional pam_kwallet.so
lightdm-greeter:#session optional pam_kwallet.so auto_start
lightdm.user.allowed:#auth optional pam_kwallet.so
lightdm.user.allowed:#session optional pam_kwallet.so auto_start
I think you can ignore pam_succeed_if, I see that regularly.
You DO seem to have unix_chkpwd, but I also get that message after the fix;
from your logs:
Jul 9 08:45:12 zotac-44 unix_chkpwd[4847]: password check failed for user
(testuser)
This is me succesfully unlocking after the unix_chkpwd workaround:
0 root@muizenberg:~#ls -l /sbin/unix_chkpwd
-rwsr-sr-x 1 root shadow 35536 Feb 1 00:21 /sbin/unix_chkpwd
0 root@muizenberg:/var/log#tail -n 5 auth.log
Jul 9 11:10:35 muizenberg compiz: pam_succeed_if(lightdm:auth):
requirement "user ingroup nopasswdlogin" not met by user "jan"
Jul 9 11:10:37 muizenberg unix_chkpwd[22139]: password check failed for
user (jan)
Jul 9 11:10:37 muizenberg compiz: pam_unix(lightdm:auth): authentication
failure; logname= uid=10000 euid=10000 tty= ruser= rhost= user=jan
Jul 9 11:10:37 muizenberg compiz: gkr-pam: unlocked login keyring
Jul 9 11:10:37 muizenberg compiz: pam_group(lightdm:setcred): unable to
set the group membership for user: Operation not permitted
0 root@muizenberg:/var/log#
Another thought, are there any dconf/gsettings lockdown in LTSP that might
affect this?
Regards,
Jan
On 9 July 2014 10:42, Joost Ringoot <joost@xxxxxxxxxxx> wrote:
> Hello Jan,
>
> Apparently the LTSP authentication method for the client is not the same
> as for the server, I was to hastly to say that sssd was installed in the
> LTSP client like it is on the server, it is not by default.
>
> There are no errors "unix_chkpwd" in the logs but:
> Jul 9 08:44:58 zotac-44 compiz: PAM unable to dlopen(pam_kwallet.so):
> /lib/security/pam_kwallet.so: cannot open shared object file: No such file
> or directory
> Jul 9 08:44:58 zotac-44 compiz: PAM adding faulty module: pam_kwallet.so
> Jul 9 08:44:58 zotac-44 compiz: pam_succeed_if(lightdm:auth): requirement
> "user ingroup nopasswdlogin" not met by user "testuser"
> Jul 9 08:45:12 zotac-44 unix_chkpwd[4847]: password check failed for user
> (testuser)
> Jul 9 08:45:12 zotac-44 compiz: pam_unix(lightdm:auth): authentication
> failure; logname= uid=2683 euid=2683 tty= ruser= rhost= user=testuser
> Jul 9 08:45:14 zotac-44 compiz: PAM unable to dlopen(pam_kwallet.so):
> /lib/security/pam_kwallet.so: cannot open shared object file: No such file
> or directory
> Jul 9 08:45:14 zotac-44 compiz: PAM adding faulty module: pam_kwallet.so
> Jul 9 08:45:14 zotac-44 compiz: pam_succeed_if(lightdm:auth): requirement
> "user ingroup nopasswdlogin" not met by user "testuser"
>
> --
> You received this bug notification because you are a member of AIMS,
> which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1314095
>
> Title:
> Unity Lockscreen in 14.04 can't unlock when using LDAP account
>
> Status in Unity:
> Incomplete
> Status in "unity" package in Ubuntu:
> Incomplete
>
> Bug description:
> My setup is:
>
> Ubuntu 14.04 LTS,
> ldap accounts,
> krb5 authentication,
> Lightdm,
> Unity session
>
> ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent
> passwd and getent shadow works fine.
> I am able to login in console without any problems.
> I was able to login in lightdm.
> Then I used the lock screen.
> I could not disable the lock screen using my password.
> I rebooted my computer.
>
> Now:
> After logging in through lightdm, the unity lockscreen locks the screen
> immediately and I can not disable it using my password.
>
> From my short inspection of auth.log and unix_chkpwd sources it seems,
> that unix_chkpwd works fine when called from lightdm and fails to get
> user info when called from unity lockscreen.
>
>
> lsb_release -rd
> Description: Ubuntu 14.04 LTS
> Release: 14.04
>
> apt-cache policy unity lightdm libpam-modules
> unity:
> Installed: 7.2.0+14.04.20140416-0ubuntu1
> Candidate: 7.2.0+14.04.20140416-0ubuntu1
> Version table:
> *** 7.2.0+14.04.20140416-0ubuntu1 0
> 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
> 100 /var/lib/dpkg/status
> lightdm:
> Installed: 1.10.0-0ubuntu3
> Candidate: 1.10.0-0ubuntu3
> Version table:
> *** 1.10.0-0ubuntu3 0
> 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
> 100 /var/lib/dpkg/status
> libpam-modules:
> Installed: 1.1.8-1ubuntu2
> Candidate: 1.1.8-1ubuntu2
> Version table:
> *** 1.1.8-1ubuntu2 0
> 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
> 100 /var/lib/dpkg/status
>
> Contents of /var/log/auth.log:
>
> Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth):
> requirement "user ingroup nopasswdlogin" not met by user "user"
> Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth):
> authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost=
> user=user
> Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user
> authenticated as user@NETWORK
> Apr 29 06:49:32 localhost lightdm[15604]:
> pam_unix(lightdm-greeter:session): session closed for user lightdm
> Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
> Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for
> user (user)
> Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication
> failure; logname= uid=1001 euid=1001 tty= ruser= rhost= user=user
> Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user
> authenticated as user@NETWORK
> Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info
> (user)
> Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info
> (user)
> Apr 29 06:49:37 localhost compiz: pam_succeed_if(lightdm:auth):
> requirement "user ingroup nopasswdlogin" not met by user "user"
>
> cat /etc/pam.d/common-auth
> account required pam_unix.so
> auth required pam_group.so
> auth [success=2 default=ignore] pam_unix.so try_first_pass nullok_secure
> auth [success=1 default=ignore] pam_krb5.so try_first_pass
> minimum_uid=200
> auth requisite pam_deny.so
> auth required pam_permit.so
>
> auth optional pam_afs_session.so minimum_uid=200
> auth optional pam_ecryptfs.so unwrap
> auth optional pam_cap.so
>
> cat /etc/pam.d/common-account
> account required pam_unix.so
>
> cat /etc/pam.d/lightdm
> auth requisite pam_nologin.so
> auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
> @include common-auth
> auth optional pam_gnome_keyring.so
> @include common-account
> session [success=ok ignore=ignore module_unknown=ignore default=bad]
> pam_selinux.so close
> auth optional pam_group.so
> session required pam_limits.so
> @include common-session
> session [success=ok ignore=ignore module_unknown=ignore default=bad]
> pam_selinux.so open
> session optional pam_gnome_keyring.so auto_start
> session required pam_env.so readenv=1
> session required pam_env.so readenv=1 user_readenv=1
> envfile=/etc/default/locale
> @include common-password
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/unity/+bug/1314095/+subscriptions
>
> --
> Mailing list: https://launchpad.net/~aims
> Post to : aims@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~aims
> More help : https://help.launchpad.net/ListHelp
>
--
.~.
/V\ Jan Groenewald
/( )\ www.aims.ac.za
^^-^^
--
You received this bug notification because you are a member of DX
Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1314095
Title:
Unity Lockscreen in 14.04 can't unlock when using LDAP account
Status in Unity:
Incomplete
Status in “unity” package in Ubuntu:
Incomplete
Bug description:
My setup is:
Ubuntu 14.04 LTS,
ldap accounts,
krb5 authentication,
Lightdm,
Unity session
ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent passwd and getent shadow works fine.
I am able to login in console without any problems.
I was able to login in lightdm.
Then I used the lock screen.
I could not disable the lock screen using my password.
I rebooted my computer.
Now:
After logging in through lightdm, the unity lockscreen locks the screen immediately and I can not disable it using my password.
From my short inspection of auth.log and unix_chkpwd sources it seems,
that unix_chkpwd works fine when called from lightdm and fails to get
user info when called from unity lockscreen.
lsb_release -rd
Description: Ubuntu 14.04 LTS
Release: 14.04
apt-cache policy unity lightdm libpam-modules
unity:
Installed: 7.2.0+14.04.20140416-0ubuntu1
Candidate: 7.2.0+14.04.20140416-0ubuntu1
Version table:
*** 7.2.0+14.04.20140416-0ubuntu1 0
500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
100 /var/lib/dpkg/status
lightdm:
Installed: 1.10.0-0ubuntu3
Candidate: 1.10.0-0ubuntu3
Version table:
*** 1.10.0-0ubuntu3 0
500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
100 /var/lib/dpkg/status
libpam-modules:
Installed: 1.1.8-1ubuntu2
Candidate: 1.1.8-1ubuntu2
Version table:
*** 1.1.8-1ubuntu2 0
500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
100 /var/lib/dpkg/status
Contents of /var/log/auth.log:
Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"
Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost= user=user
Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
Apr 29 06:49:32 localhost lightdm[15604]: pam_unix(lightdm-greeter:session): session closed for user lightdm
Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for user (user)
Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser= rhost= user=user
Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info (user)
Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info (user)
Apr 29 06:49:37 localhost compiz: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"
cat /etc/pam.d/common-auth
account required pam_unix.so
auth required pam_group.so
auth [success=2 default=ignore] pam_unix.so try_first_pass nullok_secure
auth [success=1 default=ignore] pam_krb5.so try_first_pass minimum_uid=200
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_afs_session.so minimum_uid=200
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
cat /etc/pam.d/common-account
account required pam_unix.so
cat /etc/pam.d/lightdm
auth requisite pam_nologin.so
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
auth optional pam_group.so
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-password
To manage notifications about this bug go to:
https://bugs.launchpad.net/unity/+bug/1314095/+subscriptions
References