Public bug reported:

Hi,

1) Test system

My client is a fresh installation of Ubuntu 10.04 LTS x86. It has been fully patched.

libnss-ldap and dependencies have then been installed with Synaptic package manager using the local administrator account created during installation of Ubuntu.

/etc/ldap.conf has been modified to point to an OpenDJ v2.4.2 LDAP server running on the local network, using ldaps://server:port nomenclature. I am not using SSL.

A dedicated bind account has been created in the LDAP server and this has been specified in /etc/ldap.conf with the bind password recorded at /etc/ldap.secret.

PAM configuration files at /etc/pam.d have been modified to contain the following, in order common-account, common-auth, common-password and common-session:

    account sufficient pam_ldap.so
    account required pam_unix.so

    auth sufficient pam_ldap.so
    auth required pam_unix.so nullok_secure use_first_pass

    password sufficient pam_ldap.so nullok
    password required pam_unix.so nullok obscure min=4 max=8 md5

    session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session required pam_unix.so
    session optional pam_ldap.so

/etc/nsswitch.conf has been modified accordingly to contain the following information:

    passwd: files ldap
    group: files ldap
    shadow: files ldap

LDAP users can log in to the client successfully, and home directories are created automatically.

In LDAP, my test user accounts have been assigned the gidNumber attribute value of 119 (admin).

2) What I expect to happen

As an LDAP user (note *not* as a local administrator), I expect to be able to launch a Gnome application such as Ubuntu Software Center and have Policykit validate my LDAP credentials correctly, such that I can install or remove applications (or otherwise perform administrative tasks).

3) What happened instead

Logging in to the system as an LDAP user, I can launch Ubuntu Software Center. Upon (for example) attempting to install an application, I am prompted for my credentials. I enter these (the same credentials used to log into the system), but they are rejected with an "Authentication Failure" error.

Also, Policykit seems to want to only accept the credentials of the local administrator account created during installation of the OS, as the authentication window prompts for "Password for itadmin" ('itadmin' being my local administrator account).

4) Additional information

Using the same LDAP account and credentials, I can authenticate to and use Synaptic Package Manager to install applications without issue.

Logged in as the LDAP user, the id command returns the following, where "dave" is the LDAP username:

    $ id
    uid=1001(dave) gid=119(admin) groups=119(admin)

Policykit version details:

    $ apt-cache policy policykit-1
    policykit-1:
      Installed: 0.96-2ubuntu0.1
      Candidate: 0.96-2ubuntu0.1
      Version table:
     *** 0.96-2ubuntu0.1 0
            500 http://nz.archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
            500 http://security.ubuntu.com/ubuntu/ lucid-security/main Packages
            100 /var/lib/dpkg/status
         0.96-2 0
            500 http://nz.archive.ubuntu.com/ubuntu/ lucid/main Packages

** Affects: policykit-1 (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/892680

Title:
  PAM with LDAP breaks authentication to Policykit enabled Gnome applications using LDAP credentials