touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #45830
[Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account
confirming on my setup as well.
openstack VM (similar to amazon ec2)
Running GDM3 (apt-get install gnome-shell) w/ NX Server to xorg-server-dummy package (since vm is headless)
LDAP Authentication w/ SSSD Package
Once I connect to the server, I am able to log in the first time using my ldap account. Also since i already have a home folder (PAM mkhomedir) my LDAP 'firstName' and 'lastName' actually show up on the GDM3 login screen. Which was a pleasant surprise.
however, once locked. I'm getting the error in /var/log/auth.log:
Jan 8 05:19:10 onr-geoserver gdm-password][12480]: pam_succeed_if(gdm-password:auth): requirement "user ingroup nopasswdlogin" not met by user "cott"
Jan 8 05:19:17 onr-geoserver gdm-password][12480]: pam_unix(gdm-password:auth): authentication failure; logname=cott uid=0 euid=0 tty=:0 ruser= rhost= user=cott
Jan 8 05:19:19 onr-geoserver gdm-password][12480]: pam_sss(gdm-password:auth): authentication success; logname=cott uid=0 euid=0 tty=:0 ruser= rhost= user=cott
Jan 8 05:19:19 onr-geoserver gdm-password][12480]: gkr-pam: unlocked login keyring
Jan 8 05:19:19 onr-geoserver systemd-logind[1359]: Removed session 3.
Jan 8 05:19:19 onr-geoserver gdm-password][12708]: pam_succeed_if(gdm-password:auth): requirement "user ingroup nopasswdlogin" not met by user "cott"
it seems 'pam_sss' is happy (auth. success), but 'pam_unix' is not.
This is all purely package installs from ubuntu 14.04 cloud image. no
custom configs except for the dummy monitor in xorg.conf. which i doubt
is related.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unity in Ubuntu.
https://bugs.launchpad.net/bugs/1314095
Title:
Unity Lockscreen in 14.04 can't unlock when using LDAP account
Status in Unity:
Incomplete
Status in unity package in Ubuntu:
Incomplete
Bug description:
My setup is:
Ubuntu 14.04 LTS,
ldap accounts,
krb5 authentication,
Lightdm,
Unity session
ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent passwd and getent shadow works fine.
I am able to login in console without any problems.
I was able to login in lightdm.
Then I used the lock screen.
I could not disable the lock screen using my password.
I rebooted my computer.
Now:
After logging in through lightdm, the unity lockscreen locks the screen immediately and I can not disable it using my password.
From my short inspection of auth.log and unix_chkpwd sources it seems,
that unix_chkpwd works fine when called from lightdm and fails to get
user info when called from unity lockscreen.
lsb_release -rd
Description: Ubuntu 14.04 LTS
Release: 14.04
apt-cache policy unity lightdm libpam-modules
unity:
Installed: 7.2.0+14.04.20140416-0ubuntu1
Candidate: 7.2.0+14.04.20140416-0ubuntu1
Version table:
*** 7.2.0+14.04.20140416-0ubuntu1 0
500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
100 /var/lib/dpkg/status
lightdm:
Installed: 1.10.0-0ubuntu3
Candidate: 1.10.0-0ubuntu3
Version table:
*** 1.10.0-0ubuntu3 0
500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
100 /var/lib/dpkg/status
libpam-modules:
Installed: 1.1.8-1ubuntu2
Candidate: 1.1.8-1ubuntu2
Version table:
*** 1.1.8-1ubuntu2 0
500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
100 /var/lib/dpkg/status
Contents of /var/log/auth.log:
Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"
Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost= user=user
Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
Apr 29 06:49:32 localhost lightdm[15604]: pam_unix(lightdm-greeter:session): session closed for user lightdm
Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for user (user)
Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser= rhost= user=user
Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info (user)
Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info (user)
Apr 29 06:49:37 localhost compiz: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"
cat /etc/pam.d/common-auth
account required pam_unix.so
auth required pam_group.so
auth [success=2 default=ignore] pam_unix.so try_first_pass nullok_secure
auth [success=1 default=ignore] pam_krb5.so try_first_pass minimum_uid=200
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_afs_session.so minimum_uid=200
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
cat /etc/pam.d/common-account
account required pam_unix.so
cat /etc/pam.d/lightdm
auth requisite pam_nologin.so
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
auth optional pam_group.so
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-password
To manage notifications about this bug go to:
https://bugs.launchpad.net/unity/+bug/1314095/+subscriptions
