[Dx-packages] [Bug 1314095] [NEW] Unity Lockscreen in 14.04 can't unlock when using LDAP account
Public bug reported:

My setup is: Ubuntu 14.04 LTS, ldap accounts, krb5 authentication, Lightdm, Unity session

ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent passwd and getent shadow work fine. I am able to log in in console without any problems.

I was able to log in in lightdm. Then I used the lock screen. I could not disable the lock screen using my password. I rebooted my computer.

Now: After logging in through lightdm, the unity lockscreen locks the screen immediately and I cannot disable it using my password.

From my short inspection of auth.log and unix_chkpwd sources it seems that unix_chkpwd works fine when called from lightdm and fails to get user info when called from unity lockscreen.

lsb_release -rd
Description:    Ubuntu 14.04 LTS
Release:        14.04

apt-cache policy unity lightdm libpam-modules
unity:
  Installed: 7.2.0+14.04.20140416-0ubuntu1
  Candidate: 7.2.0+14.04.20140416-0ubuntu1
  Version table:
 *** 7.2.0+14.04.20140416-0ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status
lightdm:
  Installed: 1.10.0-0ubuntu3
  Candidate: 1.10.0-0ubuntu3
  Version table:
 *** 1.10.0-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status
libpam-modules:
  Installed: 1.1.8-1ubuntu2
  Candidate: 1.1.8-1ubuntu2
  Version table:
 *** 1.1.8-1ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status

Contents of /var/log/auth.log:
Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement user ingroup nopasswdlogin not met by user user
Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost= user=user
Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
Apr 29 06:49:32 localhost lightdm[15604]: pam_unix(lightdm-greeter:session): session closed for user lightdm
Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for user (user)
Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser= rhost= user=user
Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info (user)
Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info (user)
Apr 29 06:49:37 localhost compiz: pam_succeed_if(lightdm:auth): requirement user ingroup nopasswdlogin not met by user user

cat /etc/pam.d/common-auth
account required        pam_unix.so
auth    required        pam_group.so
auth    [success=2 default=ignore]      pam_unix.so try_first_pass nullok_secure
auth    [success=1 default=ignore]      pam_krb5.so try_first_pass minimum_uid=200
auth    requisite       pam_deny.so
auth    required        pam_permit.so
auth    optional        pam_afs_session.so minimum_uid=200
auth    optional        pam_ecryptfs.so unwrap
auth    optional        pam_cap.so

cat /etc/pam.d/common-account
account required        pam_unix.so

cat /etc/pam.d/lightdm
auth    requisite       pam_nologin.so
auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth    optional        pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
auth    optional        pam_group.so
session required        pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional        pam_gnome_keyring.so auto_start
session required        pam_env.so readenv=1
session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-password

** Affects: unity (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: lockscreen

--
You received this bug notification because you are a member of DX Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1314095

Title:
  Unity Lockscreen in 14.04 can't unlock when using LDAP account

Status in “unity” package in Ubuntu:
  New

[Dx-packages] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account
When I add suid root to unix_chkpwd binary:

  chmod u+s /sbin/unix_chkpwd

then everything works as expected: both lightdm and unity lockscreen are accepting my password.

Without suid it seems that call (with correct username) to getspnam in function get_account_info in file passverify.c in pam/modules/pam_unix returns NULL.

I don't understand this behaviour. I wrote a simple C program that calls getspnam and it works as expected when called from unprivileged user.

When unix_chkpwd (both suid root and not) is called by lightdm, then it always works well.

--
You received this bug notification because you are a member of DX Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1314095

Title:
  Unity Lockscreen in 14.04 can't unlock when using LDAP account

Status in “unity” package in Ubuntu:
  Confirmed
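
A diagnostic in the spirit of the test program mentioned in the message above, as an added example (it is not the reporter's program and not pam_unix code): it prints the credentials it runs under and classifies what getpwnam and getspnam return, so the same lookup can be compared between call sites. The enum values and the functions classify() and probe() are hypothetical names chosen for this example; the default user name "root" is an assumption.

```c
/* Added diagnostic example; not the reporter's program and not pam_unix code. */
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum acct_result { ACCT_OK, ACCT_NO_PASSWD, ACCT_SHADOW_DENIED, ACCT_NO_SHADOW };

/* Pure classification, so results from different callers compare directly. */
enum acct_result classify(int have_pw, int have_sp, int sp_errno)
{
    if (!have_pw)
        return ACCT_NO_PASSWD;          /* NSS passwd lookup returned nothing */
    if (have_sp)
        return ACCT_OK;
    if (sp_errno == EACCES || sp_errno == EPERM)
        return ACCT_SHADOW_DENIED;      /* caller may not read shadow data */
    return ACCT_NO_SHADOW;              /* no entry, or the NSS backend gave none */
}

/* Look up the passwd entry first, then the shadow entry, recording errno. */
enum acct_result probe(const char *user, int *sp_errno)
{
    struct passwd *pw = getpwnam(user);
    errno = 0;                          /* getspnam reports failure via errno */
    struct spwd *sp = getspnam(user);
    *sp_errno = sp ? 0 : errno;
    return classify(pw != NULL, sp != NULL, *sp_errno);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "ok", "no passwd entry",
        "shadow access denied", "no shadow entry returned" };
    const char *user = argc > 1 ? argv[1] : "root";   /* assumed default */
    int err = 0;
    enum acct_result r = probe(user, &err);

    /* The credentials matter: the same lookup can differ per caller. */
    printf("uid=%d euid=%d gid=%d egid=%d\n",
           (int)getuid(), (int)geteuid(), (int)getgid(), (int)getegid());
    printf("user=%s result=%s errno=%d (%s)\n",
           user, names[r], err, err ? strerror(err) : "none");
    return r == ACCT_OK ? 0 : 1;        /* the password hash is never printed */
}
```

Running it once from a plain terminal and once from the context of the failing caller gives two result lines that can be set side by side with the uid/euid values in auth.log.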