touch-packages team mailing list archive
Message #76768
[Bug 892480] Re: PAM with LDAPS breaks authentication via Policykit to Gnome applications as local administrator
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: policykit-1 (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/892480
Title:
PAM with LDAPS breaks authentication via Policykit to Gnome
applications as local administrator
Status in policykit-1 package in Ubuntu:
Confirmed
Bug description:
Hi,
1) Test system
My client is a fresh installation of Ubuntu 10.04 LTS x86. It has been
fully patched.
libnss-ldap and dependencies have then been installed with Synaptic
package manager using the local administrator account created during
installation of Ubuntu.
/etc/ldap.conf has been modified to point to an OpenDJ v2.4.2 LDAP
server running on the local network, using ldaps://server:port
nomenclature.
The self-signed certificate from the OpenDJ server has been exported
as a PEM encoded file and saved on the test Ubuntu client at
/usr/share/ca-certificates/server.pem. The file has been made world
readable.
At /etc/ldap.conf the certificate has been pointed to accordingly:
TLS_CACERTFILE /usr/share/ca-certificates/server.pem
A dedicated bind account has been created in the LDAP server and this
has been specified in /etc/ldap.conf with the bind password recorded
at /etc/ldap.secret
PAM configuration files at /etc/pam.d have been modified to contain
the following, in order common-account, common-auth, common-password
and common-session:
account sufficient pam_ldap.so
account required pam_unix.so
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
password sufficient pam_ldap.so nullok
password required pam_unix.so nullok obscure min=4 max=8 md5
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix.so
session optional pam_ldap.so
/etc/nsswitch.conf has been modified accordingly to contain the following information:
passwd: files ldap
group: files ldap
shadow: files ldap
LDAP users can log in to the client successfully, and home directories
are created automatically. In LDAP, my test user accounts have been
assigned the gidNumber attribute value of 119 (admin).
2) What I expect to happen
As local administrator (note *not* as an LDAP user), I expect to be
able to launch a Gnome application such as Ubuntu Software Center and
have Policykit validate my credentials correctly such that I can
install or remove applications (or otherwise perform administrative
tasks).
3) What happened instead
Logging in to the system as a local administrator, I can launch Ubuntu
Software Center. Upon (for example) attempting to install an
application, I am prompted for my credentials. I enter these (the same
credentials used to log into the system), but they are rejected with
an "Authentication Failure" error.
4) Additional information
Using my Virtualbox host with a combination of snapshots, I have
determined that this oddity appears specifically in this scenario when
secure LDAP is configured on the client. If I modify /etc/ldap.conf
and use plain LDAP, i.e. an insecure connection to my OpenDJ server
without a certificate, then logged in to the test client as a local
administrator I can successfully authenticate to Ubuntu Software
Center.
In either scenario, using Synaptic with the same credentials as local
administrator poses no problem.
Policykit version details:
$ apt-cache policy policykit-1
policykit-1:
Installed: 0.96-2ubuntu0.1
Candidate: 0.96-2ubuntu0.1
Version table:
*** 0.96-2ubuntu0.1 0
500 http://nz.archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
500 http://security.ubuntu.com/ubuntu/ lucid-security/main Packages
100 /var/lib/dpkg/status
0.96-2 0
500 http://nz.archive.ubuntu.com/ubuntu/ lucid/main Packages
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/892480/+subscriptions
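The client setup in the report (ldaps:// URI, a self-signed CA exported to a world-readable PEM file, a bind password in /etc/ldap.secret, and a pam_ldap/pam_unix auth stack) is easy to get subtly wrong, so here is a small audit script a practitioner reproducing it would want to run first. This is an added example, not code from the bug report or from the policykit-1, pam_ldap or OpenDJ projects, and it does not explain the polkit failure described above; it only checks the transport and file-permission properties the reporter describes. The base DN, bind DN and port are hypothetical placeholders, and the ldap.conf, common-auth text and files it writes are constructed for the demo.

```python
"""Sanity-check a pam_ldap/libnss-ldap client configured as in the report.

Parses /etc/ldap.conf-style text and a PAM 'auth' stack and checks the files
they refer to. Directive names follow the PADL ldap.conf used by pam_ldap.
"""
import os
import stat
import tempfile
from pathlib import Path

# Constructed /etc/ldap.conf mirroring the report (ldaps URI, self-signed CA).
# Base DN, bind DN and port are hypothetical placeholders.
SAMPLE_LDAP_CONF = """\
base dc=example,dc=com
uri ldaps://server:636
binddn cn=pamclient,ou=services,dc=example,dc=com
tls_cacertfile /usr/share/ca-certificates/server.pem
"""

# Constructed common-auth stack copied from the report.
SAMPLE_COMMON_AUTH = """\
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
"""


def parse_ldap_conf(text):
    """Map lowercased directive -> value, skipping blanks and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def audit_ldap_conf(text):
    """Findings about transport security in ldap.conf (empty list = clean)."""
    conf = parse_ldap_conf(text)
    findings = []
    if not conf.get("uri", "").startswith("ldaps://"):
        findings.append("uri is not ldaps://: the bind password and every user "
                        "password cross the network in clear")
    if "tls_cacertfile" not in conf and "tls_cacert" not in conf:
        findings.append("no CA file configured: the server certificate cannot "
                        "be validated, so TLS does not stop impersonation")
    return findings


def audit_files(cacert_path, secret_path):
    """Check permissions of the CA file and of the bind-password file."""
    findings = []
    cacert, secret = Path(cacert_path), Path(secret_path)
    if not cacert.is_file():
        findings.append(f"{cacert} missing: every TLS bind will fail")
    elif not (cacert.stat().st_mode & stat.S_IROTH):
        # pam_ldap/nss_ldap load the CA inside the calling process, which may
        # run as an unprivileged user, so the CA file must be world-readable.
        findings.append(f"{cacert} not world-readable: unprivileged processes "
                        "cannot validate the server")
    if not secret.is_file():
        findings.append(f"{secret} missing: the configured binddn cannot bind")
    elif secret.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{secret} readable by group/other: bind password exposed")
    return findings


def audit_pam_auth(text):
    """Check that a two-module auth stack does not prompt for the password twice."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) >= 3 and parts[0] == "auth":
            entries.append((parts[2], parts[3:]))  # (module, options)
    findings = []
    for module, options in entries[1:]:
        if module in ("pam_ldap.so", "pam_unix.so") and not any(
                o in ("use_first_pass", "try_first_pass") for o in options):
            findings.append(f"{module} lacks use_first_pass/try_first_pass: "
                            "the user is prompted a second time")
    return findings


def demo(secret_mode=0o600):
    """Build the report's file layout in a temp dir and run every check."""
    with tempfile.TemporaryDirectory() as tmp:
        cacert = Path(tmp, "server.pem")
        cacert.write_text("constructed placeholder, not a real certificate\n")
        os.chmod(cacert, 0o644)          # world-readable, as in the report
        secret = Path(tmp, "ldap.secret")
        secret.write_text("constructed-bind-password\n")
        os.chmod(secret, secret_mode)    # should be root-only
        return (audit_ldap_conf(SAMPLE_LDAP_CONF)
                + audit_files(cacert, secret)
                + audit_pam_auth(SAMPLE_COMMON_AUTH))


if __name__ == "__main__":
    for finding in demo(secret_mode=0o644) or ["no findings"]:
        print(finding)
```

Run against a real client, point `audit_files` at /usr/share/ca-certificates/server.pem and /etc/ldap.secret and feed it the real /etc/ldap.conf and /etc/pam.d/common-auth. The one security check here that the report does not mention explicitly is the mode of /etc/ldap.secret: it holds the bind DN's password, and pam_ldap reads it as root, so it should be 0600 and owned by root.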