[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2015-06-17 Thread Launchpad Bug Tracker
This bug was fixed in the package nss-pam-ldapd - 0.8.13-3ubuntu1

---
nss-pam-ldapd (0.8.13-3ubuntu1) trusty; urgency=medium

  * return-partial-shadow-information-to-non-root-users.patch: backport
upstream patch to return partial shadow information (leaving out password
hashes) to non-root users. This fixes pam_unix failing in pam_acct_mgmt
while trying to get password expiry information from shadow, thereby
preventing the Unity lockscreen from being unlocked by LDAP users. (LP:
#1314095)

 -- Ryan Tandy rta...@sd63.bc.ca  Thu, 12 Feb 2015 11:10:41 -0800

** Changed in: nss-pam-ldapd (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of DX
Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1314095

Title:
  Unity Lockscreen in 14.04 can't unlock when using LDAP account

Status in Unity:
  Invalid
Status in nss-pam-ldapd package in Ubuntu:
  Fix Released
Status in unity package in Ubuntu:
  Invalid
Status in nss-pam-ldapd source package in Trusty:
  Fix Released
Status in unity source package in Trusty:
  Invalid
Status in nss-pam-ldapd source package in Utopic:
  Fix Released
Status in unity source package in Utopic:
  Invalid
Status in nss-pam-ldapd package in Debian:
  Fix Released

Bug description:
  SRU justification:

  [Impact]

  * Summary: in Trusty, when libnss-ldapd is used, LDAP users are not
  able to unlock the Unity lockscreen. Utopic and later are not
  affected. Some workarounds are listed in comment #29.

  * nslcd in Trusty and earlier does not permit unprivileged users to
  read shadow entries. When invoked by the Unity lockscreen, running as
  the logged-in user, pam_unix returns PAM_AUTHINFO_UNAVAIL in
  pam_acct_mgmt when it tries to get password expiry information from
  shadow. This leads to an authorization failure, so Unity refuses to
  unlock the screen. pam_ldap is not consulted for pam_acct_mgmt after
  pam_unix fails because its rule is in the Additional section.

  * In Utopic and later, nslcd returns partial shadow entries to
  unprivileged users. This is enough for the expiry check in pam_unix to
  succeed, so the screen can be unlocked. See
  http://bugs.debian.org/706913 for a discussion of the upstream fix.

  * This proposed SRU backports the upstream solution to Trusty's nslcd.
  This is a change of behaviour for shadow queries from unprivileged
  users, compared to the current package. An alternative, more targeted
  fix would be to change Unity to ignore AUTHINFO_UNAVAIL results from
  pam_acct_mgmt, like gnome-screensaver already does (see comment #29).
  The nslcd change is a more general fix for not just Unity, but any
  PAM-using program run by an unprivileged user.

  [Test Case]

  * Install and configure libnss-ldapd. Ensure ldap is enabled for at
  least the passwd and shadow services in /etc/nsswitch.conf.

  * Log into Unity as an LDAP user, lock the screen, and then try to
  unlock it again.

  [Regression Potential]

  * The patch is minimal, was written by the upstream author, and was
  backported (adjusting for whitespace changes) to Trusty. The change
  has already been released in Utopic and will be included in Debian
  Jessie as well.

  * Regression testing should include checking that shadow queries, both
  by name and for listing all users, are unchanged when issued as root.

  [Other Info]

  * Packages for testing are available in ppa:rtandy/lp1314095

  Original description:

  My setup is:

  Ubuntu 14.04 LTS,
  ldap accounts,
  krb5 authentication,
  Lightdm,
  Unity session

  ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent passwd and getent shadow works fine.
  I am able to login in console without any problems.
  I was able to login in lightdm.
  Then I used the lock screen.
  I could not disable the lock screen using my password.
  I rebooted my computer.

  Now:
  After logging in through lightdm, the unity lockscreen locks the screen immediately and I can not disable it using my password.

  From my short inspection of auth.log and unix_chkpwd sources it seems,
  that unix_chkpwd works fine when called from lightdm and fails to get
  user info when called from unity lockscreen.

  lsb_release -rd
  Description:  Ubuntu 14.04 LTS
  Release:  14.04

  apt-cache policy unity lightdm libpam-modules
  unity:
    Installed: 7.2.0+14.04.20140416-0ubuntu1
    Candidate: 7.2.0+14.04.20140416-0ubuntu1
    Version table:
   *** 7.2.0+14.04.20140416-0ubuntu1 0
  500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
  100 /var/lib/dpkg/status
  lightdm:
    Installed: 1.10.0-0ubuntu3
    Candidate: 1.10.0-0ubuntu3
    Version table:
   *** 1.10.0-0ubuntu3 0
  500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
  100 /var/lib/dpkg/status
  libpam-modules:
    Installed: 1.1.8-1ubuntu2
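
The behaviour described in the [Impact] section of the message above, as an added sketch (not code from nss-pam-ldapd, pam_unix or this bug report): a shadow lookup that refuses non-root callers makes the account check report that the information is unavailable, while a partial entry with the hash masked lets the expiry check run. The struct, the function names, the "*" placeholder and the simplified expiry rules are assumptions made for the illustration; the sample entry is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for struct spwd from <shadow.h>.
 * Day counts are days since 1970-01-01; -1 means "not set". */
struct shadow_entry {
    const char *name;
    const char *pwdp;   /* password hash */
    long lstchg;        /* day of last password change */
    long max;           /* maximum password age in days */
    long inact;         /* grace days after the password expires */
    long expire;        /* day the account expires */
};

/* How the lookup service treats shadow queries from non-root callers. */
enum shadow_policy {
    POLICY_ROOT_ONLY,   /* old behaviour: no entry at all for non-root */
    POLICY_PARTIAL      /* fixed behaviour: entry without the hash */
};

enum acct_result {
    ACCT_OK,
    ACCT_NEW_AUTHTOK_REQD,
    ACCT_EXPIRED,
    ACCT_AUTHINFO_UNAVAIL
};

/* Constructed sample record; the hash is not a real one. */
static const struct shadow_entry SAMPLE = {
    "ldapuser", "$6$constructed$not-a-real-hash", 16400, 99999, -1, -1
};

/* Returns 1 and fills *out if the caller may see an entry, 0 otherwise. */
int lookup_shadow(enum shadow_policy policy, unsigned int caller_uid,
                  const struct shadow_entry *stored, struct shadow_entry *out)
{
    if (caller_uid != 0 && policy == POLICY_ROOT_ONLY)
        return 0;               /* non-root gets nothing */
    *out = *stored;
    if (caller_uid != 0)
        out->pwdp = "*";        /* keep ageing fields, never the hash */
    return 1;
}

/* Simplified account check in the spirit of the expiry test the bug
 * describes; sp == NULL models a failed shadow lookup. */
enum acct_result acct_check(const struct shadow_entry *sp, long today)
{
    if (sp == NULL)
        return ACCT_AUTHINFO_UNAVAIL;
    if (sp->expire != -1 && today >= sp->expire)
        return ACCT_EXPIRED;
    if (sp->lstchg == 0)
        return ACCT_NEW_AUTHTOK_REQD;
    if (sp->max != -1) {
        long age = today - sp->lstchg;
        if (sp->inact != -1 && age > sp->max + sp->inact)
            return ACCT_EXPIRED;
        if (age > sp->max)
            return ACCT_NEW_AUTHTOK_REQD;
    }
    return ACCT_OK;
}

/* Runs the account check the way a process with caller_uid would see it. */
enum acct_result check_as(enum shadow_policy policy, unsigned int caller_uid,
                          const struct shadow_entry *stored, long today)
{
    struct shadow_entry view;
    if (!lookup_shadow(policy, caller_uid, stored, &view))
        return acct_check(NULL, today);
    return acct_check(&view, today);
}

static const char *result_name(enum acct_result r)
{
    switch (r) {
    case ACCT_OK:               return "OK";
    case ACCT_NEW_AUTHTOK_REQD: return "NEW_AUTHTOK_REQD";
    case ACCT_EXPIRED:          return "EXPIRED";
    default:                    return "AUTHINFO_UNAVAIL";
    }
}

int main(void)
{
    long today = 16600;  /* constructed "current day" */
    printf("root-only, uid 1000: %s\n",
           result_name(check_as(POLICY_ROOT_ONLY, 1000, &SAMPLE, today)));
    printf("partial,   uid 1000: %s\n",
           result_name(check_as(POLICY_PARTIAL, 1000, &SAMPLE, today)));
    printf("root-only, uid 0:    %s\n",
           result_name(check_as(POLICY_ROOT_ONLY, 0, &SAMPLE, today)));
    return 0;
}
```

The root caller sees the same entry under both policies, which is the property the [Regression Potential] section asks testers to confirm.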
    

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2015-06-16 Thread Mathew Hodson
Tagging verification-done based on comment #34.

** Tags removed: verification-needed
** Tags added: verification-done

Status in Unity:
  Invalid
Status in nss-pam-ldapd package in Ubuntu:
  Fix Released
Status in unity package in Ubuntu:
  Invalid
Status in nss-pam-ldapd source package in Trusty:
  Fix Committed
Status in unity source package in Trusty:
  Invalid
Status in nss-pam-ldapd source package in Utopic:
  Fix Released
Status in unity source package in Utopic:
  Invalid
Status in nss-pam-ldapd package in Debian:
  Fix Released

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2015-06-11 Thread Ryan Tandy
Installed a pristine trusty system, configured lib{nss,pam}-ldapd, and
confirmed that updating to nslcd 0.8.13-3ubuntu1 from trusty-proposed
allows LDAP users to unlock the Unity lockscreen.

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2015-06-03 Thread Chris J Arges
Hello Grzegorz, or anyone else affected,

Accepted nss-pam-ldapd into trusty-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/nss-pam-ldapd/0.8.13-3ubuntu1 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: nss-pam-ldapd (Ubuntu Trusty)
   Status: New => Fix Committed

** Tags added: verification-needed

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2015-05-18 Thread Steve Langasek
** Also affects: nss-pam-ldapd (Ubuntu Utopic)
   Importance: Undecided
   Status: New

** Also affects: unity (Ubuntu Utopic)
   Importance: Undecided
   Status: New

** Also affects: nss-pam-ldapd (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: unity (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: nss-pam-ldapd (Ubuntu Utopic)
   Status: New => Fix Released

** Changed in: nss-pam-ldapd (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: unity (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: unity (Ubuntu Utopic)
   Status: New => Invalid

Status in Unity:
  Invalid
Status in nss-pam-ldapd package in Ubuntu:
  Fix Released
Status in unity package in Ubuntu:
  Invalid
Status in nss-pam-ldapd source package in Trusty:
  New
Status in unity source package in Trusty:
  Invalid
Status in nss-pam-ldapd source package in Utopic:
  Fix Released
Status in unity source package in Utopic:
  Invalid
Status in nss-pam-ldapd package in Debian:
  Fix Released

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2015-04-03 Thread Sebastien Bacher
** Changed in: unity
   Status: Confirmed => Invalid

** Changed in: unity (Ubuntu)
   Status: Confirmed => Invalid

Status in Unity:
  Invalid
Status in nss-pam-ldapd package in Ubuntu:
  Confirmed
Status in unity package in Ubuntu:
  Invalid
Status in nss-pam-ldapd package in Debian:
  Fix Released

Bug description:
  SRU justification:

  [Impact]

  * Summary: in Trusty, when libnss-ldapd is used, LDAP users are not
  able to unlock the Unity lockscreen. Utopic and later are not
  affected. Some workarounds are listed in comment #29.

  * nslcd in Trusty and earlier does not permit unprivileged users to
  read shadow entries. When invoked by the Unity lockscreen, running as
  the logged-in user, pam_unix returns PAM_AUTHINFO_UNAVAIL in
  pam_acct_mgmt when it tries to get password expiry information from
  shadow. This leads to an authorization failure, so Unity refuses to
  unlock the screen. pam_ldap is not consulted for pam_acct_mgmt after
  pam_unix fails because its rule is in the Additional section.

  * In Utopic and later, nslcd returns partial shadow entries to
  unprivileged users. This is enough for the expiry check in pam_unix to
  succeed, so the screen can be unlocked. See
  http://bugs.debian.org/706913 for a discussion of the upstream fix.

  * This proposed SRU backports the upstream solution to Trusty's nslcd.
  This is a change of behaviour for shadow queries from unprivileged
  users, compared to the current package. An alternative, more targeted
  fix would be to change Unity to ignore AUTHINFO_UNAVAIL results from
  pam_acct_mgmt, like gnome-screensaver already does (see comment #29).
  The nslcd change is a more general fix for not just Unity, but any
  PAM-using program run by an unprivileged user.

  [Test Case]

  * Install and configure libnss-ldapd. Ensure ldap is enabled for at
  least the passwd and shadow services in /etc/nsswitch.conf.

  * Log into Unity as an LDAP user, lock the screen, and then try to
  unlock it again.

  [Regression Potential]

  * The patch is minimal, was written by the upstream author, and was
  backported (adjusting for whitespace changes) to Trusty. The change
  has already been released in Utopic and will be included in Debian
  Jessie as well.

  * Regression testing should include checking that shadow queries, both
  by name and for listing all users, are unchanged when issued as root.

  [Other Info]

  * Packages for testing are available in ppa:rtandy/lp1314095

  Original description:

  My setup is:

  Ubuntu 14.04 LTS,
  ldap accounts,
  krb5 authentication,
  Lightdm,
  Unity session

  ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent passwd and getent shadow works fine.
  I am able to login in console without any problems.
  I was able to login in lightdm.
  Then I used the lock screen.
  I could not disable the lock screen using my password.
  I rebooted my computer.

  Now:
  After logging in through lightdm, the unity lockscreen locks the screen immediately and I can not disable it using my password.

  From my short inspection of auth.log and unix_chkpwd sources it seems,
  that unix_chkpwd works fine when called from lightdm and fails to get
  user info when called from unity lockscreen.

  lsb_release -rd
  Description:  Ubuntu 14.04 LTS
  Release:  14.04

  apt-cache policy unity lightdm libpam-modules
  unity:
    Installed: 7.2.0+14.04.20140416-0ubuntu1
    Candidate: 7.2.0+14.04.20140416-0ubuntu1
    Version table:
   *** 7.2.0+14.04.20140416-0ubuntu1 0
  500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
  100 /var/lib/dpkg/status
  lightdm:
    Installed: 1.10.0-0ubuntu3
    Candidate: 1.10.0-0ubuntu3
    Version table:
   *** 1.10.0-0ubuntu3 0
  500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
  100 /var/lib/dpkg/status
  libpam-modules:
    Installed: 1.1.8-1ubuntu2
    Candidate: 1.1.8-1ubuntu2
    Version table:
   *** 1.1.8-1ubuntu2 0
  500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
  100 /var/lib/dpkg/status

  Contents of /var/log/auth.log:

  Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement user ingroup nopasswdlogin not met by user user
  Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost=  user=user
  Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
  Apr 29 06:49:32 localhost lightdm[15604]: pam_unix(lightdm-greeter:session): session closed for user lightdm
  Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
  Apr 29 06:49:37 localhost 

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2015-02-18 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: nss-pam-ldapd (Ubuntu)
   Status: New => Confirmed

Status in Unity:
  Confirmed
Status in nss-pam-ldapd package in Ubuntu:
  Confirmed
Status in unity package in Ubuntu:
  Confirmed
Status in nss-pam-ldapd package in Debian:
  Fix Released

Bug description:
  SRU justification:

  [Impact]

  * Summary: in Trusty, when libnss-ldapd is used, LDAP users are not
  able to unlock the Unity lockscreen. Utopic and later are not
  affected. Some workarounds are listed in comment #29.

  * nslcd in Trusty and earlier does not permit unprivileged users to
  read shadow entries. When invoked by the Unity lockscreen, running as
  the logged-in user, pam_unix returns PAM_AUTHINFO_UNAVAIL in
  pam_acct_mgmt when it tries to get password expiry information from
  shadow. This leads to an authorization failure, so Unity refuses to
  unlock the screen. pam_ldap is not consulted for pam_acct_mgmt after
  pam_unix fails because its rule is in the Additional section.

  * In Utopic and later, nslcd returns partial shadow entries to
  unprivileged users. This is enough for the expiry check in pam_unix to
  succeed, so the screen can be unlocked. See
  http://bugs.debian.org/706913 for a discussion of the upstream fix.

  * This proposed SRU backports the upstream solution to Trusty's nslcd.
  This is a change of behaviour for shadow queries from unprivileged
  users, compared to the current package. An alternative, more targeted
  fix would be to change Unity to ignore AUTHINFO_UNAVAIL results from
  pam_acct_mgmt, like gnome-screensaver already does (see comment #29).
  The nslcd change is a more general fix for not just Unity, but any
  PAM-using program run by an unprivileged user.

  [Test Case]

  * Install and configure libnss-ldapd. Ensure ldap is enabled for at
  least the passwd and shadow services in /etc/nsswitch.conf.

  * Log into Unity as an LDAP user, lock the screen, and then try to
  unlock it again.

  [Regression Potential]

  * The patch is minimal, was written by the upstream author, and was
  backported (adjusting for whitespace changes) to Trusty. The change
  has already been released in Utopic and will be included in Debian
  Jessie as well.

  * Regression testing should include checking that shadow queries, both
  by name and for listing all users, are unchanged when issued as root.

  [Other Info]

  * Packages for testing are available in ppa:rtandy/lp1314095

  Original description:

  My setup is:

  Ubuntu 14.04 LTS,
  ldap accounts,
  krb5 authentication,
  Lightdm,
  Unity session

  ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent passwd and getent shadow works fine.
  I am able to login in console without any problems.
  I was able to login in lightdm.
  Then I used the lock screen.
  I could not disable the lock screen using my password.
  I rebooted my computer.

  Now:
  After logging in through lightdm, the unity lockscreen locks the screen immediately and I can not disable it using my password.

  From my short inspection of auth.log and unix_chkpwd sources it seems,
  that unix_chkpwd works fine when called from lightdm and fails to get
  user info when called from unity lockscreen.

  lsb_release -rd
  Description:  Ubuntu 14.04 LTS
  Release:  14.04

  apt-cache policy unity lightdm libpam-modules
  unity:
    Installed: 7.2.0+14.04.20140416-0ubuntu1
    Candidate: 7.2.0+14.04.20140416-0ubuntu1
    Version table:
   *** 7.2.0+14.04.20140416-0ubuntu1 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status
  lightdm:
    Installed: 1.10.0-0ubuntu3
    Candidate: 1.10.0-0ubuntu3
    Version table:
   *** 1.10.0-0ubuntu3 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status
  libpam-modules:
    Installed: 1.1.8-1ubuntu2
    Candidate: 1.1.8-1ubuntu2
    Version table:
   *** 1.1.8-1ubuntu2 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status

  Contents of /var/log/auth.log:

  Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement user ingroup nopasswdlogin not met by user user
  Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost=  user=user
  Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
  Apr 29 06:49:32 localhost lightdm[15604]: pam_unix(lightdm-greeter:session): session closed for user lightdm
  Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
  Apr 29 

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2015-02-12 Thread Ryan Tandy
Hello sponsors,

Please consider uploading the attached nslcd patch to trusty-proposed to
resolve this bug. Thank you!

** Description changed:

+ SRU justification:
+ 
+ [Impact]
+ 
+ * Summary: in Trusty, when libnss-ldapd is used, LDAP users are not able
+ to unlock the Unity lockscreen. Utopic and later are not affected. Some
+ workarounds are listed in comment #29.
+ 
+ * nslcd in Trusty and earlier does not permit unprivileged users to read
+ shadow entries. When invoked by the Unity lockscreen, running as the
+ logged-in user, pam_unix returns PAM_AUTHINFO_UNAVAIL in pam_acct_mgmt
+ when it tries to get password expiry information from shadow. This leads
+ to an authorization failure, so Unity refuses to unlock the screen.
+ pam_ldap is not consulted for pam_acct_mgmt after pam_unix fails because
+ its rule is in the Additional section.
+ 
+ * In Utopic and later, nslcd returns partial shadow entries to
+ unprivileged users. This is enough for the expiry check in pam_unix to
+ succeed, so the screen can be unlocked. See
+ http://bugs.debian.org/706913 for a discussion of the upstream fix.
+ 
+ * This proposed SRU backports the upstream solution to Trusty's nslcd.
+ This is a change of behaviour for shadow queries from unprivileged
+ users, compared to the current package. An alternative, more targeted
+ fix would be to change Unity to ignore AUTHINFO_UNAVAIL results from
+ pam_acct_mgmt, like gnome-screensaver already does (see comment #29).
+ The nslcd change is a more general fix for not just Unity, but any PAM-
+ using program run by an unprivileged user.
+ 
+ [Test Case]
+ 
+ * Install and configure libnss-ldapd. Ensure ldap is enabled for at
+ least the passwd and shadow services in /etc/nsswitch.conf.
+ 
+ * Log into Unity as an LDAP user, lock the screen, and then try to
+ unlock it again.
+ 
+ [Regression Potential]
+ 
+ * The patch is minimal, was written by the upstream author, and was
+ backported (adjusting for whitespace changes) to Trusty. The change has
+ already been released in Utopic and will be included in Debian Jessie as
+ well.
+ 
+ * Regression testing should include checking that shadow queries, both
+ by name and for listing all users, are unchanged when issued as root.
+ 
+ [Other Info]
+ 
+ * Packages for testing are available in ppa:rtandy/lp1314095
+ 
+ Original description:
+ 
  My setup is:
  
  Ubuntu 14.04 LTS,
  ldap accounts,
  krb5 authentication,
  Lightdm,
  Unity session
  
  ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent 
passwd and getent shadow works fine.
  I am able to login in console without any problems.
  I was able to login in lightdm.
  Then I used the lock screen.
  I could not disable the lock screen using my password.
  I rebooted my computer.
  
  Now:
  After logging in through lightdm, the unity lockscreen locks the screen 
immediately and I can not disable it using my password.
  
  From my short inspection of auth.log and unix_chkpwd sources it seems,
  that unix_chkpwd works fine when called from lightdm and fails to get
  user info when called from unity lockscreen.
  
- 
  lsb_release -rd
  Description:  Ubuntu 14.04 LTS
  Release:  14.04
  
  apt-cache policy unity lightdm libpam-modules
  unity:
-   Installed: 7.2.0+14.04.20140416-0ubuntu1
-   Candidate: 7.2.0+14.04.20140416-0ubuntu1
-   Version table:
-  *** 7.2.0+14.04.20140416-0ubuntu1 0
- 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
- 100 /var/lib/dpkg/status
+   Installed: 7.2.0+14.04.20140416-0ubuntu1
+   Candidate: 7.2.0+14.04.20140416-0ubuntu1
+   Version table:
+  *** 7.2.0+14.04.20140416-0ubuntu1 0
+ 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
+ 100 /var/lib/dpkg/status
  lightdm:
-   Installed: 1.10.0-0ubuntu3
-   Candidate: 1.10.0-0ubuntu3
-   Version table:
-  *** 1.10.0-0ubuntu3 0
- 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
- 100 /var/lib/dpkg/status
+   Installed: 1.10.0-0ubuntu3
+   Candidate: 1.10.0-0ubuntu3
+   Version table:
+  *** 1.10.0-0ubuntu3 0
+ 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
+ 100 /var/lib/dpkg/status
  libpam-modules:
-   Installed: 1.1.8-1ubuntu2
-   Candidate: 1.1.8-1ubuntu2
-   Version table:
-  *** 1.1.8-1ubuntu2 0
- 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
- 100 /var/lib/dpkg/status
+   Installed: 1.1.8-1ubuntu2
+   Candidate: 1.1.8-1ubuntu2
+   Version table:
+  *** 1.1.8-1ubuntu2 0
+ 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
+ 100 /var/lib/dpkg/status
  
  Contents of /var/log/auth.log:
  
  Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement 
user ingroup nopasswdlogin not met by user user
  Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication 
failure; logname= uid=0 euid=0 tty=:2 ruser= rhost=  user=user
  Apr 29 06:49:31 localhost 
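
Review bot: The added [Test Case] section gives the steps (configure libnss-ldapd with ldap enabled for passwd and shadow, log in as an LDAP user, lock, unlock) but never states the expected result, so a verifier has nothing to compare against; add a line saying the unlock fails with the current Trusty package and succeeds with the proposed one. [Regression Potential] asks that shadow queries as root be unchanged but names no command to run, and since [Impact] says the behaviour change is that unprivileged users now receive partial shadow entries, the test case should also say what a non-root shadow query is expected to return after the update. The unity, lightdm and libpam-modules blocks further down differ only in leading whitespace and could be left out of the description edit.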

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2015-02-12 Thread Ryan Tandy
Hi,

Grzegorz Gutowski (gzegzol) wrote on 2014-04-29: Without suid it seems
that call (with correct username) to getspnam in function
get_account_info in file passverify.c in pam/modules/pam_unix returns
NULL. I don't understand this behaviour. I wrote a simple c program that
calls getspnam and it works as expected when called from unprivileged
user.

A call to getspnam(3) as an unprivileged user returns NULL; that's
expected. (nss_compat returns errno = EACCES since we can't read
/etc/shadow; nss_ldapd returns errno = ENOENT as a generic not found
code.)

The unix_chkpwd helper is sgid to shadow so that it can read
/etc/shadow, but nss_ldapd still returns ENOENT to shadow queries. If we
make unix_chkpwd suid, then nss_ldapd returns real shadow results; but
this is only a workaround (and a potentially dangerous one, at that).

What I see happening when I attempt to unlock the screen:

- the auth stack is fine;
- in the account stack, pam_unix returns PAM_AUTHINFO_UNAVAIL (from unix_chkpwd), and it falls into pam_deny after that (since pam_ldap is Additional).

gnome-screensaver works only because it actually ignores the result from
the account stack and proceeds anyway:
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/gnome-screensaver/trusty/view/head:/src/gs-auth-pam.c#L519

Some possible workarounds are:

- chmod u+s /sbin/unix_chkpwd (potentially dangerous, not recommended);
- dpkg-reconfigure libnss-ldapd and disable the shadow service (then pam_unix doesn't try consulting it);
- use libnss-ldap instead of libnss-ldapd, since it allows everyone to read shadow entries;
- use libnss-sss instead of libnss-ldapd, since it does not support the shadow service at all (in trusty, at least);
- make libpam-ldapd's account rule Primary instead of Additional (but this was already done and subsequently reverted by its maintainer in 0.8.8-1 and 0.8.8-2).

I'm not sure why some people reported experiencing this bug when using
libnss-ldap or libnss-sss. I'd want to review their PAM and NSS setups
in that case.

This is all about trusty so far... still have to look at utopic/vivid.


Title:
  Unity Lockscreen in 14.04 can't unlock when using LDAP account

Status in Unity:
  Confirmed
Status in unity package in Ubuntu:
  Confirmed
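
The account-stack behaviour described in Ryan Tandy's message above (pam_unix returns PAM_AUTHINFO_UNAVAIL, the stack falls into pam_deny, and pam_ldap is never reached because its rule is Additional), as an added example that is not part of the thread and is not Linux-PAM code: a small evaluator for PAM control actions run over two constructed common-account layouts. The rule lines, and every module return value other than pam_unix's, are assumptions modelled on the Primary/Additional arrangement the message refers to; they are not the reporter's own files.

```python
"""Toy evaluator for PAM control actions (added illustration, not Linux-PAM)."""
import re

# Keyword controls expand to bracket form as documented in pam.conf(5).
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

# Constructed layout: pam_ldap sits in the Additional block, after the fallback.
ADDITIONAL_STACK = """\
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000
"""

# Constructed layout: pam_ldap promoted to the Primary block (a listed workaround).
PRIMARY_STACK = """\
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so minimum_uid=1000
account requisite pam_deny.so
account required pam_permit.so
"""

# Module results. pam_unix's value on Trusty is the one reported in the thread;
# the others are assumed for the simulation.
TRUSTY_RESULTS = {"pam_unix.so": "authinfo_unavail", "pam_deny.so": "auth_err",
                  "pam_permit.so": "success", "pam_ldap.so": "success"}
FIXED_RESULTS = dict(TRUSTY_RESULTS, **{"pam_unix.so": "success"})

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")


def parse_stack(text):
    """Parse PAM rule lines into a list of (module, {return_value: action})."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError("unparseable PAM line: %r" % line)
        _service_type, control, module = match.groups()
        spec = control[1:-1] if control.startswith("[") else KEYWORDS[control]
        rules.append((module, dict(p.split("=", 1) for p in spec.split())))
    return rules


def evaluate(rules, results):
    """Walk the stack; return (final_status, modules_consulted)."""
    status, impression = "perm_denied", None      # None means "undefined"
    consulted, i = [], 0
    while i < len(rules):
        module, actions = rules[i]
        ret = results[module]
        consulted.append(module)
        action = actions.get(ret, actions["default"])  # every rule here sets default=
        i += 1
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret
            if action == "die":
                break
        elif action == "reset":
            status, impression = "perm_denied", None
        elif action != "ignore":
            i += int(action)      # numeric action: skip the next N rules
    if status == "success" and impression != "positive":
        status = "perm_denied"    # nothing vouched for the user
    return status, consulted


def run_scenarios():
    """Evaluate the three cases discussed in the thread."""
    return {
        "trusty, pam_ldap Additional": evaluate(parse_stack(ADDITIONAL_STACK), TRUSTY_RESULTS),
        "patched nslcd, pam_ldap Additional": evaluate(parse_stack(ADDITIONAL_STACK), FIXED_RESULTS),
        "trusty, pam_ldap Primary": evaluate(parse_stack(PRIMARY_STACK), TRUSTY_RESULTS),
    }


if __name__ == "__main__":
    for name, (status, consulted) in run_scenarios().items():
        print("%-36s -> %-10s via %s" % (name, status, ", ".join(consulted)))
```

In the first scenario pam_ldap never appears in the consulted list: the requisite pam_deny rule ends the walk before the Additional block is reached.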


[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2015-02-12 Thread Bug Watch Updater
** Changed in: nss-pam-ldapd (Debian)
   Status: Unknown => Fix Released


Title:
  Unity Lockscreen in 14.04 can't unlock when using LDAP account

Status in Unity:
  Confirmed
Status in nss-pam-ldapd package in Ubuntu:
  New
Status in unity package in Ubuntu:
  Confirmed
Status in nss-pam-ldapd package in Debian:
  Fix Released

Bug description:
  My setup is:

  Ubuntu 14.04 LTS,
  ldap accounts,
  krb5 authentication,
  Lightdm,
  Unity session

  ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent passwd and getent shadow works fine.
  I am able to login in console without any problems.
  I was able to login in lightdm.
  Then I used the lock screen.
  I could not disable the lock screen using my password.
  I rebooted my computer.

  Now:
  After logging in through lightdm, the unity lockscreen locks the screen immediately and I can not disable it using my password.

  From my short inspection of auth.log and unix_chkpwd sources it seems,
  that unix_chkpwd works fine when called from lightdm and fails to get
  user info when called from unity lockscreen.


  lsb_release -rd
  Description:  Ubuntu 14.04 LTS
  Release:  14.04

  apt-cache policy unity lightdm libpam-modules
  unity:
    Installed: 7.2.0+14.04.20140416-0ubuntu1
    Candidate: 7.2.0+14.04.20140416-0ubuntu1
    Version table:
   *** 7.2.0+14.04.20140416-0ubuntu1 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status
  lightdm:
    Installed: 1.10.0-0ubuntu3
    Candidate: 1.10.0-0ubuntu3
    Version table:
   *** 1.10.0-0ubuntu3 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status
  libpam-modules:
    Installed: 1.1.8-1ubuntu2
    Candidate: 1.1.8-1ubuntu2
    Version table:
   *** 1.1.8-1ubuntu2 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status

  Contents of /var/log/auth.log:

  Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement user ingroup nopasswdlogin not met by user user
  Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost=  user=user
  Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
  Apr 29 06:49:32 localhost lightdm[15604]: pam_unix(lightdm-greeter:session): session closed for user lightdm
  Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
  Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for user (user)
  Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser= rhost=  user=user
  Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
  Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info (user)
  Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info (user)
  Apr 29 06:49:37 localhost compiz: pam_succeed_if(lightdm:auth): requirement user ingroup nopasswdlogin not met by user user

  cat /etc/pam.d/common-auth
  account required pam_unix.so
  auth required pam_group.so
  auth [success=2 default=ignore] pam_unix.so try_first_pass nullok_secure
  auth [success=1 default=ignore] pam_krb5.so try_first_pass minimum_uid=200
  auth requisite pam_deny.so
  auth required pam_permit.so

  auth optional pam_afs_session.so minimum_uid=200
  auth optional pam_ecryptfs.so unwrap
  auth optional pam_cap.so

  cat /etc/pam.d/common-account
  account required pam_unix.so

  cat /etc/pam.d/lightdm
  auth requisite pam_nologin.so
  auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
  @include common-auth
  auth optional pam_gnome_keyring.so
  @include common-account
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
  auth optional pam_group.so
  session required pam_limits.so
  @include common-session
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
  session optional pam_gnome_keyring.so auto_start
  session required pam_env.so readenv=1
  session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
  @include common-password

To manage notifications about this bug go to:
https://bugs.launchpad.net/unity/+bug/1314095/+subscriptions

-- 
Mailing list: https://launchpad.net/~dx-packages
Post to : dx-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dx-packages
More help   : https://help.launchpad.net/ListHelp


[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2015-02-12 Thread Ryan Tandy
Ahh, right. So this is almost certainly the change that fixed it for
utopic:

- nslcd will now return partial shadow information to non-root users to
  avoid authorisation problems with setgid shadow authentication helpers
  with some PAM stacks (closes: #706913)

I bet backporting that to trusty will resolve this.

** Also affects: nss-pam-ldapd (Ubuntu)
   Importance: Undecided
   Status: New

** Bug watch added: Debian Bug tracker #706913
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706913

** Also affects: nss-pam-ldapd (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706913
   Importance: Unknown
   Status: Unknown


Title:
  Unity Lockscreen in 14.04 can't unlock when using LDAP account

Status in Unity:
  Confirmed
Status in nss-pam-ldapd package in Ubuntu:
  New
Status in unity package in Ubuntu:
  Confirmed
Status in nss-pam-ldapd package in Debian:
  Unknown


[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2015-02-06 Thread Ryan Tandy
This seems to be fixed in later releases. Using lib{nss,pam}-ldapd and
nslcd, with no custom configuration beyond dpkg-reconfigure nslcd, I
experience this bug in trusty, but not in utopic or vivid.

Also, in trusty I do not experience it when using alternative lockers
such as gnome-screensaver or light-locker, only with the Unity
lockscreen.

Setting status back to Confirmed, and I'll try to isolate the change
that fixed it.

** Changed in: unity
   Status: Incomplete => Confirmed

** Changed in: unity (Ubuntu)
   Status: Incomplete => Confirmed


Title:
  Unity Lockscreen in 14.04 can't unlock when using LDAP account

Status in Unity:
  Confirmed
Status in unity package in Ubuntu:
  Confirmed


[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2015-01-30 Thread Vincent Jestin
Hello,

Same problem here after doing an upgrade from 12.04 to 14.04.

On the affected machine, some users (basically admins) have both unix
accounts and LDAP accounts.

Users with both accounts can log in with unix or ldap password. However,
when the desktop is locked, the only way to unlock is to use a unix
password.

I've tried unix_chkpwd suid workaround (no success) and checked
/etc/shadow file permissions (was ok).

I'm using libpam-ldap.


Title:
  Unity Lockscreen in 14.04 can't unlock when using LDAP account

Status in Unity:
  Incomplete
Status in unity package in Ubuntu:
  Incomplete

Bug description:
  My setup is:

  Ubuntu 14.04 LTS,
  ldap accounts,
  krb5 authentication,
  Lightdm,
  Unity session

  ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent 
passwd and getent shadow works fine.
  I am able to login in console without any problems.
  I was able to login in lightdm.
  Then I used the lock screen.
  I could not disable the lock screen using my password.
  I rebooted my computer.

  Now:
  After logging in through lightdm, the unity lockscreen locks the screen 
immediately and I can not disable it using my password.

  From my short inspection of auth.log and unix_chkpwd sources it seems,
  that unix_chkpwd works fine when called from lightdm and fails to get
  user info when called from unity lockscreen.


  lsb_release -rd
  Description:  Ubuntu 14.04 LTS
  Release:  14.04

  apt-cache policy unity lightdm libpam-modules
  unity:
Installed: 7.2.0+14.04.20140416-0ubuntu1
Candidate: 7.2.0+14.04.20140416-0ubuntu1
Version table:
   *** 7.2.0+14.04.20140416-0ubuntu1 0
  500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
  100 /var/lib/dpkg/status
  lightdm:
Installed: 1.10.0-0ubuntu3
Candidate: 1.10.0-0ubuntu3
Version table:
   *** 1.10.0-0ubuntu3 0
  500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
  100 /var/lib/dpkg/status
  libpam-modules:
Installed: 1.1.8-1ubuntu2
Candidate: 1.1.8-1ubuntu2
Version table:
   *** 1.1.8-1ubuntu2 0
  500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
  100 /var/lib/dpkg/status

  Contents of /var/log/auth.log:

  Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement user ingroup nopasswdlogin not met by user user
  Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost=  user=user
  Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
  Apr 29 06:49:32 localhost lightdm[15604]: pam_unix(lightdm-greeter:session): session closed for user lightdm
  Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
  Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for user (user)
  Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser= rhost=  user=user
  Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
  Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info (user)
  Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info (user)
  Apr 29 06:49:37 localhost compiz: pam_succeed_if(lightdm:auth): requirement user ingroup nopasswdlogin not met by user user

  cat /etc/pam.d/common-auth
  account required    pam_unix.so
  auth    required    pam_group.so
  auth [success=2 default=ignore] pam_unix.so try_first_pass nullok_secure
  auth [success=1 default=ignore] pam_krb5.so try_first_pass minimum_uid=200
  auth    requisite   pam_deny.so
  auth    required    pam_permit.so

  auth    optional    pam_afs_session.so minimum_uid=200
  auth    optional    pam_ecryptfs.so unwrap
  auth    optional    pam_cap.so

  cat /etc/pam.d/common-account
  account required    pam_unix.so

  cat /etc/pam.d/lightdm
  auth    requisite   pam_nologin.so
  auth    sufficient  pam_succeed_if.so user ingroup nopasswdlogin
  @include common-auth
  auth    optional    pam_gnome_keyring.so
  @include common-account
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
  auth    optional    pam_group.so
  session required    pam_limits.so
  @include common-session
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
  session optional    pam_gnome_keyring.so auto_start
  session required    pam_env.so readenv=1
  session required    pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
  @include common-password
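
A triage script for the auth.log excerpt quoted in the bug description above (an added example, not part of the original report or of any project's code). It pairs each pam_unix auth failure with the caller's uid, a pam_krb5 success from the same process, and a unix_chkpwd "could not obtain user info" message in the same second; correlating by identical timestamp and the verdict labels are assumptions of this sketch.

```python
import re

# auth.log excerpt from the bug description above, with wrapped lines re-joined.
SAMPLE_LOG = """\
Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement user ingroup nopasswdlogin not met by user user
Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost=  user=user
Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
Apr 29 06:49:32 localhost lightdm[15604]: pam_unix(lightdm-greeter:session): session closed for user lightdm
Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for user (user)
Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser= rhost=  user=user
Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info (user)
Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info (user)
Apr 29 06:49:37 localhost compiz: pam_succeed_if(lightdm:auth): requirement user ingroup nopasswdlogin not met by user user
"""

# "Mon DD HH:MM:SS host process[pid]: message" (pid is optional).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\s"
    r"(?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)
# "pam_module(service:type): text"
PAM_RE = re.compile(
    r"^(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<kind>\w+)\):\s(?P<text>.*)$"
)
UID_RE = re.compile(r"\buid=(\d+)")    # \b keeps this from matching "euid="
USER_RE = re.compile(r"\buser=(\S+)")  # \b keeps this from matching "ruser="


def parse(log_text):
    """Turn syslog lines into dicts; PAM lines also get module/service/kind/text."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        pam = PAM_RE.match(ev["msg"])
        if pam:
            ev.update(pam.groupdict())
        events.append(ev)
    return events


def diagnose(log_text):
    """Return one finding per pam_unix auth failure, in log order."""
    events = parse(log_text)
    findings = []
    for ev in events:
        if ev.get("module") != "pam_unix" or ev.get("kind") != "auth":
            continue
        if not ev["text"].startswith("authentication failure"):
            continue
        uid_m = UID_RE.search(ev["text"])
        user_m = USER_RE.search(ev["text"])
        uid = int(uid_m.group(1)) if uid_m else None
        # Assumption: messages in the same second on the same host belong together.
        nearby = [e for e in events if e["ts"] == ev["ts"] and e["host"] == ev["host"]]
        krb5_ok = any(
            e.get("module") == "pam_krb5" and e["proc"] == ev["proc"]
            and "authenticated as" in e["text"]
            for e in nearby
        )
        helper_blind = any(
            e["proc"] == "unix_chkpwd" and "could not obtain user info" in e["msg"]
            for e in nearby
        )
        if uid not in (None, 0) and helper_blind:
            # The lock-screen symptom: an unprivileged caller whose helper
            # cannot see the account's shadow information.
            verdict = "shadow-unavailable-to-unprivileged-caller"
        elif krb5_ok:
            # pam_unix does not know the network account; pam_krb5 accepts it.
            verdict = "pam_unix-failed-then-krb5-ok"
        else:
            verdict = "pam_unix-failed-no-fallback"
        findings.append({
            "proc": ev["proc"], "uid": uid,
            "user": user_m.group(1) if user_m else None,
            "krb5_ok": krb5_ok, "helper_blind": helper_blind, "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

On the excerpt, the greeter (lightdm, uid=0) and the lock screen (compiz, uid=1001) both fall through to pam_krb5, but only the unprivileged caller is accompanied by the helper's "could not obtain user info".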


[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2015-01-21 Thread Mario Codeniera
It's the same error here. Based on my understanding, it only fetches from
/etc/shadow, not from the nscd cache (/var/cache/nscd/passwd) that
pam_ldap is pointing to. But if I switch user and log in with the same
user, it will retain the previous desktop during the lock screen (even when
changing desktop, say MATE or GNOME classic, upon relogin). Tried with
gnome-screensaver and with mate-screensaver, same result. Sadly not on
the Lock Screen, as it generates the following log:

Jan 22 17:14:35 ambotlang gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=104781 euid=104781 tty=:1.0 ruser= rhost=  user=txunil
Jan 22 17:14:44 ambotlang lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=txunil

-- 
You received this bug notification because you are a member of DX
Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1314095

Title:
  Unity Lockscreen in 14.04 can't unlock when using LDAP account

Status in Unity:
  Incomplete
Status in unity package in Ubuntu:
  Incomplete


[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2014-10-01 Thread Stefan Michalowski
I have the same problem, though I don't have any unix_chkpwd errors as
it's not installed on my systems.

I was able to solve it by replacing:
1) libpam-ldap by libpam-ldapd
2) libnss-ldap by libnss-ldapd
3) nscd by nslcd

I think it is related to my use of self-signed certificates that
libpam-ldap has trouble handling.


[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2014-09-29 Thread Stefan Fleischmann
I've seen the same behaviour after an upgrade from 12.04 to 14.04. Login was 
still possible but the screen did not unlock. I had this message in 
/var/log/auth.log:
hostname unix_chkpwd[26503]: could not obtain user info (username)

For me this was caused by wrong file permissions on /etc/shadow. The file was 
not readable by the shadow group. If the workaround mentioned in comment #2 
works, have a look at these file permissions:
-rw-r--r-- 1 root root    925 sep  9 18:42 /etc/group
-rw-r--r-- 1 root root   1944 sep  9 18:42 /etc/passwd
-rw-r----- 1 root shadow 1132 sep  9 18:42 /etc/shadow


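A local check for the two conditions raised in this thread, the group-readability of /etc/shadow described in the comment above and the setuid workaround on unix_chkpwd (an added example, not code from the thread or from any package). It assumes the Debian/Ubuntu packaging default that unix_chkpwd is installed setgid shadow; the function names and the gid 42 used in the sample values are constructed for illustration.

```python
import os
import stat


def audit_shadow_file(mode, gid, shadow_gid):
    """Issues with the shadow file, given its st_mode and st_gid."""
    issues = []
    if gid != shadow_gid:
        issues.append("shadow file is not owned by group shadow")
    if not mode & stat.S_IRGRP:
        # The condition reported above: a setgid-shadow helper cannot read it.
        issues.append("shadow file is not group-readable")
    if mode & stat.S_IRWXO:
        issues.append("shadow file is accessible to other users")
    return issues


def audit_helper(mode, uid, gid, shadow_gid):
    """Issues with unix_chkpwd, given its st_mode, st_uid and st_gid."""
    issues = []
    if not (mode & stat.S_ISGID and gid == shadow_gid):
        issues.append("unix_chkpwd is not setgid shadow")
    if mode & stat.S_ISUID and uid == 0:
        # Left behind by the chmod u+s workaround: the helper now runs as
        # root for every caller instead of with group shadow only.
        issues.append("unix_chkpwd is setuid root")
    return issues


def audit_paths(shadow_path="/etc/shadow", helper_path="/sbin/unix_chkpwd",
                group="shadow"):
    """Run both checks against the live system (needs the named group to exist)."""
    import grp  # imported here so the pure checks above work on any platform
    shadow_gid = grp.getgrnam(group).gr_gid
    s = os.stat(shadow_path)
    h = os.stat(helper_path)
    return (audit_shadow_file(s.st_mode, s.st_gid, shadow_gid)
            + audit_helper(h.st_mode, h.st_uid, h.st_gid, shadow_gid))


if __name__ == "__main__":
    for issue in audit_paths():
        print(issue)
```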
[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2014-09-09 Thread Mark Crocker
Alternate work-around:

I was able to login successfully by detaching the keyboard, and using
the mouse to 'click-in' my password with the on-screen keyboard.  I
usually had to click on Switch Account in the 'gear' drop-down menu to
get the assistive technology icon to appear to get to the on-screen
keyboard, but once I did, I could enter a password and that worked to
log me in.

It's somewhat bizarre that this would work since the setuid work-around
suggested above also worked for me.  If it is some problem running
unix_chkpwd, then shouldn't the on-screen keyboard have just as much
difficulty with that?


[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2014-07-09 Thread Joost Ringoot
Hello Jan,

Apparently the LTSP authentication method for the client is not the same
as for the server. I was too hasty to say that sssd was installed in the
LTSP client like it is on the server; it is not by default.

There are no unix_chkpwd errors in the logs, but:
Jul  9 08:44:58 zotac-44 compiz: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Jul  9 08:44:58 zotac-44 compiz: PAM adding faulty module: pam_kwallet.so
Jul  9 08:44:58 zotac-44 compiz: pam_succeed_if(lightdm:auth): requirement user ingroup nopasswdlogin not met by user testuser
Jul  9 08:45:12 zotac-44 unix_chkpwd[4847]: password check failed for user (testuser)
Jul  9 08:45:12 zotac-44 compiz: pam_unix(lightdm:auth): authentication failure; logname= uid=2683 euid=2683 tty= ruser= rhost=  user=testuser
Jul  9 08:45:14 zotac-44 compiz: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Jul  9 08:45:14 zotac-44 compiz: PAM adding faulty module: pam_kwallet.so
Jul  9 08:45:14 zotac-44 compiz: pam_succeed_if(lightdm:auth): requirement user ingroup nopasswdlogin not met by user testuser


[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2014-07-08 Thread Joost Ringoot
I have this behaviour on an LTSP client (Ubuntu 14.04);
chmod u+s /sbin/unix_chkpwd does not appear to resolve it,
and I am using sssd to authenticate to LDAP.

The screen lock doesn't work by default in LTSP; I had to activate it with
unity-tweak-tool.
But it is useless since unlock doesn't work.


[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2014-05-31 Thread Andrea Azzarone
@Jan we are not unconfirming it (incomplete means that we still need to
figure out what and where is the problem). I have a branch that maybe
could help you. Next week I'll set up a ppa so you can test it.

-- 
You received this bug notification because you are a member of DX
Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1314095

Title:
  Unity Lockscreen in 14.04 can't unlock when using LDAP account

Status in Unity:
  Incomplete
Status in “unity” package in Ubuntu:
  Incomplete

Bug description:
  My setup is:

  Ubuntu 14.04 LTS,
  ldap accounts,
  krb5 authentication,
  Lightdm,
  Unity session

  ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent passwd and getent shadow work fine.
  I am able to login in console without any problems.
  I was able to login in lightdm.
  Then I used the lock screen.
  I could not disable the lock screen using my password.
  I rebooted my computer.

  Now:
  After logging in through lightdm, the unity lockscreen locks the screen immediately and I cannot disable it using my password.

  From my short inspection of auth.log and unix_chkpwd sources it seems
  that unix_chkpwd works fine when called from lightdm and fails to get
  user info when called from unity lockscreen.


  lsb_release -rd
  Description:  Ubuntu 14.04 LTS
  Release:  14.04

  apt-cache policy unity lightdm libpam-modules
  unity:
    Installed: 7.2.0+14.04.20140416-0ubuntu1
    Candidate: 7.2.0+14.04.20140416-0ubuntu1
    Version table:
   *** 7.2.0+14.04.20140416-0ubuntu1 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status
  lightdm:
    Installed: 1.10.0-0ubuntu3
    Candidate: 1.10.0-0ubuntu3
    Version table:
   *** 1.10.0-0ubuntu3 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status
  libpam-modules:
    Installed: 1.1.8-1ubuntu2
    Candidate: 1.1.8-1ubuntu2
    Version table:
   *** 1.1.8-1ubuntu2 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status

  Contents of /var/log/auth.log:

  Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement user ingroup nopasswdlogin not met by user user
  Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost=  user=user
  Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
  Apr 29 06:49:32 localhost lightdm[15604]: pam_unix(lightdm-greeter:session): session closed for user lightdm
  Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
  Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for user (user)
  Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser= rhost=  user=user
  Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
  Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info (user)
  Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info (user)
  Apr 29 06:49:37 localhost compiz: pam_succeed_if(lightdm:auth): requirement user ingroup nopasswdlogin not met by user user

  cat /etc/pam.d/common-auth
  account required    pam_unix.so
  auth    required    pam_group.so
  auth    [success=2 default=ignore] pam_unix.so try_first_pass nullok_secure
  auth    [success=1 default=ignore] pam_krb5.so try_first_pass minimum_uid=200
  auth    requisite   pam_deny.so
  auth    required    pam_permit.so

  auth    optional    pam_afs_session.so minimum_uid=200
  auth    optional    pam_ecryptfs.so unwrap
  auth    optional    pam_cap.so

  cat /etc/pam.d/common-account
  account required    pam_unix.so

  cat /etc/pam.d/lightdm
  auth    requisite   pam_nologin.so
  auth    sufficient  pam_succeed_if.so user ingroup nopasswdlogin
  @include common-auth
  auth    optional    pam_gnome_keyring.so
  @include common-account
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
  auth    optional    pam_group.so
  session required    pam_limits.so
  @include common-session
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
  session optional    pam_gnome_keyring.so auto_start
  session required    pam_env.so readenv=1
  session required    pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
  @include common-password

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2014-05-29 Thread Jan Groenewald
Perhaps this should then be changed to be a bug against another package
rather than unconfirming it. It affects more than one user. We don't
want to change our (simple) configurations to an out-of-date document,
we find that our LDAP setup works for logins but not lock screen, and
that there seems to be a precedent from the Red Hat bug.

Status in Unity:
  Incomplete
Status in “unity” package in Ubuntu:
  Incomplete

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2014-05-29 Thread Jan Groenewald
Perhaps this should then be changed to be a bug against another package
rather than unconfirming it. It affects more than one user. We don't
want to change our (simple) configurations to an out-of-date document,
we find that our LDAP setup works for logins but not lock screen, and
that there seems to be a precedent from the Red Hat bug.

Since this bug seems to not occur with sssd (comment #4) or libpam-ldap
(comment #8) then maybe the bug is with libpam-ldapd.

Can Grzegorz Gutowski, Callum Dickinson, Alex Bachmeier, and Nick
Piggott confirm that the original problem for them was with
libpam-ldapd?

Status in Unity:
  Incomplete
Status in “unity” package in Ubuntu:
  Incomplete

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2014-05-28 Thread Andrea Azzarone
I managed to set up a working system using this guide:
https://www.digitalocean.com/community/articles/how-to-authenticate-client-computers-using-ldap-on-an-ubuntu-12-04-vps

So not sure it's a unity issue. If you are using something special
please help to replicate your configuration.

** Changed in: unity
   Status: Confirmed => Incomplete

** Changed in: unity (Ubuntu)
   Status: Confirmed => Incomplete

Status in Unity:
  Incomplete
Status in “unity” package in Ubuntu:
  Incomplete

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2014-05-27 Thread Jan Groenewald
Same behavior on ldap without kerberos.

root@muizenberg:~# lsb_release -d; apt-cache policy unity lightdm libpam-modules|grep Installed; grep unix_chkpwd /var/log/auth.log|tail -3
Description:    Ubuntu 14.04 LTS
  Installed: 7.2.0+14.04.20140423-0ubuntu1.2
  Installed: 1.10.1-0ubuntu1
  Installed: 1.1.8-1ubuntu2
May 27 09:07:11 muizenberg unix_chkpwd[4186]: check pass; user unknown
May 27 09:07:11 muizenberg unix_chkpwd[4186]: password check failed for user (jan)
May 27 09:07:11 muizenberg unix_chkpwd[4187]: could not obtain user info (jan)

Workaround in #2 also works for me.

Status in Unity:
  Confirmed
Status in “unity” package in Ubuntu:
  Confirmed

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2014-05-27 Thread Jan Groenewald
Some reference (marked as WONTFIX)
https://bugzilla.redhat.com/show_bug.cgi?id=638279

Above might suggest a configuration that fixes this: check ldap first in
common-auth, which currently does:

# here are the per-package modules (the Primary block)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass

That should not be a default (having ldap first) but could be a better
workaround than setuid unix_chkpwd?

** Bug watch added: Red Hat Bugzilla #638279
   https://bugzilla.redhat.com/show_bug.cgi?id=638279

Status in Unity:
  Confirmed
Status in “unity” package in Ubuntu:
  Confirmed

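How the `[success=N default=ignore]` jumps in the common-auth stack from the bug description evaluate, next to the one-line account stack, as an added example that is not code from this thread or from Linux-PAM. It is a simplified model of the PAM dispatch loop; the function names, the reordered stack and the per-module return values are assumptions, with the unprivileged account result taken from the PAM_AUTHINFO_UNAVAIL behaviour given in the bug's SRU description.

```python
import re

# Legacy control keywords and their bracket equivalents (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
RULE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")

# Constructed from the common-auth / common-account in the bug description
# (primary block only, column spacing restored).
ORIGINAL = """
auth    [success=2 default=ignore]  pam_unix.so try_first_pass nullok_secure
auth    [success=1 default=ignore]  pam_krb5.so try_first_pass minimum_uid=200
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
account required                    pam_unix.so
"""
# Hypothetical variant: network module checked first, same jump distances.
REORDERED = """
auth    [success=2 default=ignore]  pam_krb5.so try_first_pass minimum_uid=200
auth    [success=1 default=ignore]  pam_unix.so try_first_pass nullok_secure
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
account required                    pam_unix.so
"""
# Assumed module results for a directory user whose password is not in shadow.
AUTH_RESULTS = {"pam_unix.so": "auth_err", "pam_krb5.so": "success",
                "pam_deny.so": "auth_err", "pam_permit.so": "success"}
ACCOUNT_AS_ROOT = {"pam_unix.so": "success"}           # caller can read shadow
ACCOUNT_AS_USER = {"pam_unix.so": "authinfo_unavail"}  # caller cannot


def parse_stack(text, phase):
    """Return [(actions, module)] for one phase; every rule here has a default."""
    stack = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != phase:
            continue
        control, module = m.group(2), m.group(3)
        if control.startswith("["):
            actions = dict(pair.split("=", 1) for pair in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        stack.append((actions, module))
    return stack


def evaluate(stack, results):
    """Walk the stack; return (final status, [(module, result, action)])."""
    status, impression, trace, i = "perm_denied", None, [], 0
    while i < len(stack):
        actions, module = stack[i]
        ret = results[module]
        action = actions.get(ret, actions["default"])
        trace.append((module, ret, action))
        i += 1
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":          # first failure wins
                impression, status = "negative", ret
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, "perm_denied"
        elif action.isdigit():                    # jump: skip N rules, set no result
            i += int(action)
            if i > len(stack):                    # jumping off the end is an error
                impression, status = "negative", "perm_denied"
        # "ignore" falls through: the module's result is not counted
    if status == "success" and impression != "positive":
        status = "perm_denied"
    return status, trace


def login_outcome(config, account_results):
    """Auth phase, then account phase, as pam_authenticate + pam_acct_mgmt."""
    auth_status, auth_trace = evaluate(parse_stack(config, "auth"), AUTH_RESULTS)
    acct_status, _ = evaluate(parse_stack(config, "account"), account_results)
    return auth_status, acct_status, [module for module, _, _ in auth_trace]


if __name__ == "__main__":
    for name, config in (("original", ORIGINAL), ("reordered", REORDERED)):
        for who, acct in (("root", ACCOUNT_AS_ROOT), ("user", ACCOUNT_AS_USER)):
            print(name, who, login_outcome(config, acct))
```

In this model the auth phase succeeds in every case because pam_krb5 jumps over pam_deny; only the account result changes with the caller's privilege, and reordering the auth rules only removes pam_unix from the auth trace.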

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2014-05-25 Thread Nick Piggott
Workaround in #2 also working for me.

Status in Unity:
  Confirmed
Status in “unity” package in Ubuntu:
  Confirmed

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2014-05-24 Thread Callum Dickinson
Hi, I'd just like to chime in here and say that the workaround specified
in #2 works for me, as well. I'm running Kerberos 5 authentication with
LDAP user accounts, LightDM with Unity greeter and lock screen. Ubuntu
14.04 LTS on both server and clients.

-- 
You received this bug notification because you are a member of DX
Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1314095

Title:
  Unity Lockscreen in 14.04 can't unlock when using LDAP account

Status in Unity:
  Confirmed
Status in “unity” package in Ubuntu:
  Confirmed

Bug description:
  My setup is:

  Ubuntu 14.04 LTS,
  ldap accounts,
  krb5 authentication,
  Lightdm,
  Unity session

  ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent passwd and getent shadow work fine.
  I am able to login in console without any problems.
  I was able to login in lightdm.
  Then I used the lock screen.
  I could not disable the lock screen using my password.
  I rebooted my computer.

  Now:
  After logging in through lightdm, the unity lockscreen locks the screen immediately and I can not disable it using my password.

  From my short inspection of auth.log and unix_chkpwd sources it seems,
  that unix_chkpwd works fine when called from lightdm and fails to get
  user info when called from unity lockscreen.


  lsb_release -rd
  Description:  Ubuntu 14.04 LTS
  Release:  14.04

  apt-cache policy unity lightdm libpam-modules
  unity:
    Installed: 7.2.0+14.04.20140416-0ubuntu1
    Candidate: 7.2.0+14.04.20140416-0ubuntu1
    Version table:
   *** 7.2.0+14.04.20140416-0ubuntu1 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status
  lightdm:
    Installed: 1.10.0-0ubuntu3
    Candidate: 1.10.0-0ubuntu3
    Version table:
   *** 1.10.0-0ubuntu3 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status
  libpam-modules:
    Installed: 1.1.8-1ubuntu2
    Candidate: 1.1.8-1ubuntu2
    Version table:
   *** 1.1.8-1ubuntu2 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
          100 /var/lib/dpkg/status

  Contents of /var/log/auth.log:

  Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement user ingroup nopasswdlogin not met by user user
  Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost=  user=user
  Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
  Apr 29 06:49:32 localhost lightdm[15604]: pam_unix(lightdm-greeter:session): session closed for user lightdm
  Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
  Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for user (user)
  Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser= rhost=  user=user
  Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
  Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info (user)
  Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info (user)
  Apr 29 06:49:37 localhost compiz: pam_succeed_if(lightdm:auth): requirement user ingroup nopasswdlogin not met by user user

  cat /etc/pam.d/common-auth
  account required    pam_unix.so
  auth    required    pam_group.so
  auth    [success=2 default=ignore] pam_unix.so try_first_pass nullok_secure
  auth    [success=1 default=ignore] pam_krb5.so try_first_pass minimum_uid=200
  auth    requisite   pam_deny.so
  auth    required    pam_permit.so

  auth    optional    pam_afs_session.so minimum_uid=200
  auth    optional    pam_ecryptfs.so unwrap
  auth    optional    pam_cap.so

  cat /etc/pam.d/common-account
  account required    pam_unix.so

  cat /etc/pam.d/lightdm
  auth    requisite   pam_nologin.so
  auth    sufficient  pam_succeed_if.so user ingroup nopasswdlogin
  @include common-auth
  auth    optional    pam_gnome_keyring.so
  @include common-account
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
  auth    optional    pam_group.so
  session required    pam_limits.so
  @include common-session
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
  session optional    pam_gnome_keyring.so auto_start
  session required    pam_env.so readenv=1
  session required    pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
  @include common-password

To manage notifications about this bug go to:
https://bugs.launchpad.net/unity/+bug/1314095/+subscriptions

-- 
Mailing list: https://launchpad.net/~dx-packages
Post to : dx-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dx-packages
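
The stack listed in the bug description above, run through a simplified model of Linux-PAM control-flag evaluation (an added example, not code from the report or from Linux-PAM). The per-module return codes are constructed inputs chosen to match the auth.log lines and the PAM_AUTHINFO_UNAVAIL result that the SRU note attributes to pam_acct_mgmt; modules not listed are assumed to return PAM_SUCCESS.

```python
# Simplified model of Linux-PAM control-flag evaluation (added example).
KEYWORDS = {  # keyword controls and their bracket equivalents, per pam.conf(5)
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# common-auth followed by common-account, as listed in the bug description.
STACK = """\
account required pam_unix.so
auth required pam_group.so
auth [success=2 default=ignore] pam_unix.so try_first_pass nullok_secure
auth [success=1 default=ignore] pam_krb5.so try_first_pass minimum_uid=200
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_afs_session.so minimum_uid=200
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
account required pam_unix.so
""".splitlines()

def parse_line(line):
    """Split one pam.d line into (type, {return_code: action}, module)."""
    mtype, rest = line.split(None, 1)
    if rest.startswith("["):
        ctrl, rest = rest[1:].split("]", 1)
        actions = dict(kv.split("=") for kv in ctrl.split())
    else:
        ctrl, rest = rest.split(None, 1)
        actions = KEYWORDS[ctrl]
    return mtype, actions, rest.split()[0]

def run_stack(lines, mtype, results):
    """Evaluate the `mtype` stack; `results` maps (type, module) to a PAM code."""
    stack = [p for p in map(parse_line, lines) if p[0] == mtype]
    status, positive, negative = "PAM_PERM_DENIED", False, False
    i = 0
    while i < len(stack):
        _, actions, module = stack[i]
        # Assumption: modules without a constructed result return PAM_SUCCESS.
        ret = results.get((mtype, module), "PAM_SUCCESS")
        action = actions.get(ret[4:].lower(), actions["default"])
        i += 1
        if action in ("ok", "done"):
            if not negative and (not positive or status == "PAM_SUCCESS"):
                status, positive = ret, True
            if action == "done" and positive and not negative:
                break
        elif action in ("bad", "die"):
            if not negative:
                status, negative = ret, True
            if action == "die":
                break
        elif action.isdigit():
            i += int(action)  # jump: skip the next N modules of this type
    return status

# Constructed return codes. Lock screen: pam_unix runs as uid 1001, no shadow access.
LOCKSCREEN = {("auth", "pam_unix.so"): "PAM_AUTH_ERR", ("auth", "pam_deny.so"): "PAM_AUTH_ERR",
              ("account", "pam_unix.so"): "PAM_AUTHINFO_UNAVAIL"}
# Greeter: lightdm runs as uid 0, so the account check can read shadow.
GREETER = {("auth", "pam_unix.so"): "PAM_AUTH_ERR", ("auth", "pam_deny.so"): "PAM_AUTH_ERR"}

if __name__ == "__main__":
    for name, res in (("greeter", GREETER), ("lockscreen", LOCKSCREEN)):
        print(name, run_stack(STACK, "auth", res), run_stack(STACK, "account", res))
```

In this model the lock screen's auth stack still returns PAM_SUCCESS through pam_krb5; the denial comes from the account stack, which is why the packaged fix changes what nslcd returns for shadow lookups rather than the auth configuration.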

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2014-05-24 Thread Alex Bachmeier
I've switched to sssd and that also seemed to do the trick. If you need
a workaround, this way you won't have to modify any system files.


[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2014-04-29 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: unity (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of DX
Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1314095

Title:
  Unity Lockscreen in 14.04 can't unlock when using LDAP account

Status in “unity” package in Ubuntu:
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1314095/+subscriptions

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

2014-04-29 Thread Grzegorz Gutowski
When I add suid root to unix_chkpwd binary:

chmod u+s /sbin/unix_chkpwd

then everything works as expected: both lightdm and unity lockscreen are
accepting my password.

Without suid it seems that the call (with correct username) to getspnam in
function get_account_info in file passverify.c in pam/modules/pam_unix returns
NULL. I don't understand this behaviour. I wrote a simple C program that calls
getspnam and it works as expected when called from an unprivileged user.
When unix_chkpwd (both suid root and not) is called by lightdm, then it always
works well.
