Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libpam-mklocalu...@packages.debian.org, debian-...@lists.debian.org
Control: affects -1 + src:libpam-mklocaluser

[ Reason ]

In Debian Edu, we provide roaming workstations. The mechanism of persistent user creation is handled by libpam-mklocaluser (users in LDAP get created as local users on such machines when logging in on the school's network. From then on, the user exists locally on that machine).

It was observed that with LightDM it would always take two logins to complete this process. The first login would create the user but bump back into the login manager. With GDM3 this is not the case.

While investigating this deeper, it was discovered that it is important to place libpam-mklocaluser at the very top of the PAM session type stack. This is provided with the changeset of this package.

Furthermore, we cherry-picked a change that fixes various (awful) grammar mistakes and typos in the README.

[ Impact ]

Users will continue to log in twice on Debian Edu roaming workstations.

There will also be a fix to LightDM that we plan to propose as a bookworm-pu. If that finds its way into bookworm, having this change is mandatory, otherwise the successful initial login will have broken systemd user services.

[ Tests ]

Manual tests on Debian Edu 12 (preview installations).

[ Risks ]

Not much; libpam-mklocaluser seems to be used by Debian Edu only.

[ Checklist ]

[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]

+ [ Mihai Moldovan ]
+ * README: Typo and grammar fixes.

-> the mentioned language fixes...

+ [ Guido Berhoerster ]
+ * debian/pam-auth-update/mklocaluser:
+ + Ensure this PAM module is ordered before other session type modules.
+ Since this potentially changes the home directory, the module should be
+ ordered before others which require the correct location of the home
+ directory and/or start executables, particularly pam_systemd. (Closes:
+ #1052475).

-> the priority bump for pam-auth-update.

[ Other info ]

None.

diff -Nru libpam-mklocaluser-0.18/debian/changelog libpam-mklocaluser-0.18+deb12u1/debian/changelog --- libpam-mklocaluser-0.18/debian/changelog 2020-05-22 18:01:47.000000000 +0200 +++ libpam-mklocaluser-0.18+deb12u1/debian/changelog 2023-09-22 18:50:27.000000000 +0200 @@ -1,3 +1,18 @@ +libpam-mklocaluser (0.18+deb12u1) bookworm; urgency=medium + + [ Mihai Moldovan ] + * README: Typo and grammar fixes. + + [ Guido Berhoerster ] + * debian/pam-auth-update/mklocaluser: + + Ensure this PAM module is ordered before other session type modules. + Since this potentially changes the home directory, the module should be + ordered before others which require the correct location of the home + directory and/or start executables, particularly pam_systemd. (Closes: + #1052475). + + -- Mike Gabriel <sunwea...@debian.org> Fri, 22 Sep 2023 18:50:27 +0200 + libpam-mklocaluser (0.18) unstable; urgency=medium * Team upload. diff -Nru libpam-mklocaluser-0.18/debian/control libpam-mklocaluser-0.18+deb12u1/debian/control --- libpam-mklocaluser-0.18/debian/control 2020-05-22 17:58:46.000000000 +0200 +++ libpam-mklocaluser-0.18+deb12u1/debian/control 2023-09-22 18:49:18.000000000 +0200 
@@ -18,13 +18,13 @@ ${python3:Depends}, libpam-python Suggests: libpam-ccreds | libpam-sss, -Description: Configure PAM to create a local user if it do not exist already +Description: Configure PAM to create a local user if it does not exist already When the user logs in for the first time, a local POSIX user account is - created in /etc/passwd and primary group created in /etc/group, and a + created in /etc/passwd, a primary group is created in /etc/group, and a local home directory is created in /home. . This is useful on roaming computers when the password is set up to be - cached by for example libpam-ccreds or sssd to allow login without + cached by, for example, libpam-ccreds or sssd to allow login without network connectivity using the password provided by a network authentication service like Kerberos or LDAP. . diff -Nru libpam-mklocaluser-0.18/debian/pam-auth-update/mklocaluser libpam-mklocaluser-0.18+deb12u1/debian/pam-auth-update/mklocaluser --- libpam-mklocaluser-0.18/debian/pam-auth-update/mklocaluser 2020-05-22 07:52:53.000000000 +0200 +++ libpam-mklocaluser-0.18+deb12u1/debian/pam-auth-update/mklocaluser 2023-09-22 18:47:33.000000000 +0200 @@ -1,6 +1,6 @@ Name: Create local accounts and home directory on first time login Default: yes -Priority: 0 +Priority: 1024 Session-Interactive-Only: yes Session-Type: Additional Session-Final: diff -Nru libpam-mklocaluser-0.18/debian/README libpam-mklocaluser-0.18+deb12u1/debian/README --- libpam-mklocaluser-0.18/debian/README 2020-05-22 07:52:53.000000000 +0200 +++ libpam-mklocaluser-0.18+deb12u1/debian/README 2023-09-22 18:49:18.000000000 +0200 
@@ -1,11 +1,12 @@ -libpam-mklocalusre +libpam-mklocaluser =================== -PAM configuration to enable add users able to log in, presumably using -some network directory information like NIS or LDAP, and when they log -in a local users with the uid and gid information from the networked -directory is created, and their password is cached on the local disk -to allow them to log in also when disconnected from the net. +PAM configuration to enable locally unknown users to log in, presumably using +some network directory information like NIS or LDAP. When they log +in and the user name is locally unknown, a new local user with the UID and +GID information from the networked directory is created, and their password +is cached on the local disk to allow them to log in also when disconnected +from the network. For sites using a path to home directories on the form /site/hostname/partition/username/, it would be confusing if the local @@ -14,7 +15,7 @@ with /home/username/ as the home directory, allowing the remote file system to be automounted on /site/hostname/partition/. -This package depend on pam_python from +This package depends on pam_python from http://www.stuart.id.au/russell/files/pam_python Submit patches to debian-...@lists.debian.org.
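
Review bot: The debian/control hunk rewords the Description field, but the new 0.18+deb12u1 changelog entry lists only "README: Typo and grammar fixes" and the debian/pam-auth-update/mklocaluser change, so the control edit is not recorded even though the checklist says all changes are documented in d/changelog. Suggest adding a line such as "debian/control: Grammar fixes in the package description" to the changelog entry so the upload matches its own changelog.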
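
Review bot: In debian/pam-auth-update/mklocaluser, "Priority: 1024" replaces "Priority: 0" with no statement of why 1024 was chosen or which profiles it has to outrank; the changelog names only pam_systemd. The profile also keeps "Session-Type: Additional", and pam-auth-update places Additional profiles after the Primary block, so the higher priority orders this module among the Additional session profiles rather than ahead of every session module, which is narrower than "at the very top of the PAM session type stack" in the request. Suggest stating the intended position relative to pam_systemd in the changelog or README, and confirming the resulting common-session order on an upgraded bookworm system, since a module that creates the account and can change the home directory has to run before anything that starts processes for the user.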
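
Review bot: The rewritten first paragraph of debian/README still says "their password is cached on the local disk" as if this package did the caching, while the debian/control text in the same diff attributes caching to libpam-ccreds or sssd, which are only listed under Suggests. Suggest rewording so the README says the password is cached when one of those is configured, because where credentials end up on a roaming machine is the detail an administrator will read this file for. The pam_python link in the unchanged context of the second README hunk is plain http and could be updated while the file is being touched.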