← Back to team overview

touch-packages team mailing list archive

[Bug 1314095] Update Released

 

The verification of the Stable Release Update for nss-pam-ldapd has
completed successfully and the package has now been released to
-updates.  Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report.  In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unity in Ubuntu.
https://bugs.launchpad.net/bugs/1314095

Title:
  Unity Lockscreen in 14.04 can't unlock when using LDAP account

Status in Unity:
  Invalid
Status in nss-pam-ldapd package in Ubuntu:
  Fix Released
Status in unity package in Ubuntu:
  Invalid
Status in nss-pam-ldapd source package in Trusty:
  Fix Released
Status in unity source package in Trusty:
  Invalid
Status in nss-pam-ldapd source package in Utopic:
  Fix Released
Status in unity source package in Utopic:
  Invalid
Status in nss-pam-ldapd package in Debian:
  Fix Released

Bug description:
  SRU justification:

  [Impact]

  * Summary: in Trusty, when libnss-ldapd is used, LDAP users are not
  able to unlock the Unity lockscreen. Utopic and later are not
  affected. Some workarounds are listed in comment #29.

  * nslcd in Trusty and earlier does not permit unprivileged users to
  read shadow entries. When invoked by the Unity lockscreen, running as
  the logged-in user, pam_unix returns PAM_AUTHINFO_UNAVAIL in
  pam_acct_mgmt when it tries to get password expiry information from
  shadow. This leads to an authorization failure, so Unity refuses to
  unlock the screen. pam_ldap is not consulted for pam_acct_mgmt after
  pam_unix fails because its rule is in the Additional section.

  * In Utopic and later, nslcd returns partial shadow entries to
  unprivileged users. This is enough for the expiry check in pam_unix to
  succeed, so the screen can be unlocked. See
  http://bugs.debian.org/706913 for a discussion of the upstream fix.

  * This proposed SRU backports the upstream solution to Trusty's nslcd.
  This is a change of behaviour for shadow queries from unprivileged
  users, compared to the current package. An alternative, more targeted
  fix would be to change Unity to ignore AUTHINFO_UNAVAIL results from
  pam_acct_mgmt, like gnome-screensaver already does (see comment #29).
  The nslcd change is a more general fix for not just Unity, but any
  PAM-using program run by an unprivileged user.

  [Test Case]

  * Install and configure libnss-ldapd. Ensure ldap is enabled for at
  least the passwd and shadow services in /etc/nsswitch.conf.

  * Log into Unity as an LDAP user, lock the screen, and then try to
  unlock it again.

  [Regression Potential]

  * The patch is minimal, was written by the upstream author, and was
  backported (adjusting for whitespace changes) to Trusty. The change
  has already been released in Utopic and will be included in Debian
  Jessie as well.

  * Regression testing should include checking that shadow queries, both
  by name and for listing all users, are unchanged when issued as root.

  [Other Info]

  * Packages for testing are available in ppa:rtandy/lp1314095

  Original description:

  My setup is:

  Ubuntu 14.04 LTS,
  ldap accounts,
  krb5 authentication,
  Lightdm,
  Unity session

  ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent passwd and getent shadow works fine.
  I am able to login in console without any problems.
  I was able to login in lightdm.
  Then I used the lock screen.
  I could not disable the lock screen using my password.
  I rebooted my computer.

  Now:
  After logging in through lightdm, the unity lockscreen locks the screen immediately and I can not disable it using my password.

  From my short inspection of auth.log and unix_chkpwd sources it seems,
  that unix_chkpwd works fine when called from lightdm and fails to get
  user info when called from unity lockscreen.

  lsb_release -rd
  Description:	Ubuntu 14.04 LTS
  Release:	14.04

  apt-cache policy unity lightdm libpam-modules
  unity:
    Installed: 7.2.0+14.04.20140416-0ubuntu1
    Candidate: 7.2.0+14.04.20140416-0ubuntu1
    Version table:
   *** 7.2.0+14.04.20140416-0ubuntu1 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status
  lightdm:
    Installed: 1.10.0-0ubuntu3
    Candidate: 1.10.0-0ubuntu3
    Version table:
   *** 1.10.0-0ubuntu3 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status
  libpam-modules:
    Installed: 1.1.8-1ubuntu2
    Candidate: 1.1.8-1ubuntu2
    Version table:
   *** 1.1.8-1ubuntu2 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status

  Contents of /var/log/auth.log:

  Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"
  Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost=  user=user
  Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
  Apr 29 06:49:32 localhost lightdm[15604]: pam_unix(lightdm-greeter:session): session closed for user lightdm
  Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
  Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for user (user)
  Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser= rhost=  user=user
  Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
  Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info (user)
  Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info (user)
  Apr 29 06:49:37 localhost compiz: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"

  cat /etc/pam.d/common-auth
  account     required    pam_unix.so
  auth        required    pam_group.so
  auth [success=2 default=ignore] pam_unix.so try_first_pass nullok_secure
  auth [success=1 default=ignore] pam_krb5.so try_first_pass minimum_uid=200
  auth        requisite   pam_deny.so
  auth        required    pam_permit.so

  auth        optional    pam_afs_session.so minimum_uid=200
  auth        optional    pam_ecryptfs.so unwrap
  auth        optional    pam_cap.so

  cat /etc/pam.d/common-account
  account     required    pam_unix.so

  cat /etc/pam.d/lightdm
  auth        requisite   pam_nologin.so
  auth        sufficient  pam_succeed_if.so user ingroup nopasswdlogin
  @include common-auth
  auth        optional    pam_gnome_keyring.so
  @include common-account
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
  auth        optional    pam_group.so
  session     required    pam_limits.so
  @include common-session
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
  session     optional    pam_gnome_keyring.so auto_start
  session     required    pam_env.so readenv=1
  session     required    pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
  @include common-password

To manage notifications about this bug go to:
https://bugs.launchpad.net/unity/+bug/1314095/+subscriptions