Package: mate-screensaver Version: 1.16.1-1 Severity: normal Dear Maintainer,
I've configured Debian 9 to use LDAP and Kerberos for authentication. I used PAM to do this and modified /etc/pam.d/ . Now I cannot unlock my mate-screensaver session when I am logged in as a user from the ldap Directory. Here is what my "common-auth" looks like: # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/netid.allow #new comment out 5-18-2017 auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000 auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass auth [success=1 default=ignore] pam_ldap.so use_first_pass # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so ##### # already comment out #auth sufficient pam_krb5.so use_first_pass # and here are more per-package modules (the "Additional" block) auth optional pam_ssh.so use_first_pass # end of pam-auth-update config ----------------------------- here is my /etc/pam/mate-screensaver file: root@jaxi:/etc/pam.d# more mate-screensaver @include common-auth auth optional pam_gnome_keyring.so root@jaxi:/etc/pam.d#root@jaxi:/homes/mbw# here are the errors I see in /var/log/auth.log: Jul 6 11:19:54 jaxi lightdm: pam_krb5(lightdm:auth): user mbw authenticated as m...@netid.washington.edu Jul 6 11:19:54 jaxi lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm Jul 6 11:19:54 jaxi lightdm[11362]: pam_unix(lightdm:session): session opened for user mbw by (uid=0) Jul 6 11:19:54 jaxi systemd-logind[443]: Removed session c4. Jul 6 11:19:54 jaxi systemd: pam_krb5(systemd-user:session): cannot create Kerberos context Jul 6 11:19:54 jaxi lightdm[11362]: pam_ck_connector(lightdm:session): nox11 mode, ignoring PAM_TTY :0 Jul 6 11:19:55 jaxi gnome-keyring-daemon[11380]: The Secret Service was already initialized Jul 6 11:19:55 jaxi gnome-keyring-daemon[11380]: The PKCS#11 component was already initialized Jul 6 11:19:55 jaxi gnome-keyring-daemon[11380]: The SSH agent was already initialized Jul 6 11:20:05 jaxi mate-screensaver-dialog: pam_krb5(mate-screensaver:auth): cannot create Kerberos context Jul 6 11:20:09 jaxi mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=153641 euid=153641 tty=:0.0 ruser= rhost= user=mbw Jul 6 11:20:09 jaxi mate-screensaver-dialog: pam_ldap(mate-screensaver:auth): Authentication failure; user=mbw Jul 6 11:20:11 jaxi mate-screensaver-dialog: pam_krb5(mate-screensaver:auth): cannot create Kerberos context Jul 6 11:20:15 jaxi mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=153641 euid=153641 tty=:0.0 ruser= rhost= user=mbw Jul 6 11:20:15 jaxi mate-screensaver-dialog: pam_ldap(mate-screensaver:auth): Authentication failure; user=mbw Jul 6 11:20:17 jaxi mate-screensaver-dialog: pam_krb5(mate-screensaver:auth): cannot create Kerberos context Jul 6 11:20:54 jaxi mate-screensaver-dialog: pam_krb5(mate-screensaver:auth): cannot create Kerberos context Jul 6 11:21:49 jaxi su[11726]: Successful su for root by mbw I dont intend for this to be a support request - Im happy to go read forums or other docs on how to resolve this if it is user error (mine) or my configuration problem - please point me in the right direction. My googling so far has not helped. My next thing to try is to log in as a user in /etc/passwd (local user, not krb not ldap) and see if I can unlock the screen. I'll update the ticket soon with that information. thanks for supporting Debian! Matt *** End of the template - remove these template lines *** -- System Information: Debian Release: 9.0 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages mate-screensaver depends on: ii dbus-x11 1.10.18-1 ii libatk1.0-0 2.22.0-1 ii libc6 2.24-11+deb9u1 ii libcairo-gobject2 1.14.8-1 ii libcairo2 1.14.8-1 ii libdbus-1-3 1.10.18-1 ii libdbus-glib-1-2 0.108-2 ii libgdk-pixbuf2.0-0 2.36.5-2 ii libgl1-mesa-glx [libgl1] 13.0.6-1+b2 ii libglib2.0-0 2.50.3-2 ii libgtk-3-0 3.22.11-1 ii libice6 2:1.0.9-2 ii libmate-desktop-2-17 1.16.2-2 ii libmate-menu2 1.16.0-2 ii libmatekbd4 1.16.0-2 ii libnotify4 0.7.7-2 ii libpam0g 1.1.8-3.6 ii libpango-1.0-0 1.40.5-1 ii libpangocairo-1.0-0 1.40.5-1 ii libsm6 2:1.2.2-1+b3 ii libstartup-notification0 0.12-4+b2 ii libsystemd0 232-25 ii libx11-6 2:1.6.4-3 ii libxext6 2:1.3.3-1+b2 ii libxklavier16 5.4-2 ii libxss1 1:1.2.2-1 ii libxxf86vm1 1:1.1.4-1+b2 ii mate-desktop-common 1.16.2-2 ii mate-screensaver-common 1.16.1-1 ii mate-session-manager 1.16.1-1 Versions of packages mate-screensaver recommends: ii mate-power-manager 1.16.2-1 Versions of packages mate-screensaver suggests: pn rss-glx <none> pn xscreensaver-data <none> -- Configuration Files: /etc/pam.d/mate-screensaver changed [not included] -- no debconf information