Marking as public as the change was released into Debian, in LightDM
releases and is in public branches.

** Description changed:

- Package: lightdm
- Version: 1.2.2-4
- Severity: important
+ [Impact]
+ LightDM does not correctly use PAM to change users' passwords when they expire. This causes some PAM modules (e.g. pam_ldap) to not correctly perform password changing.
  
- Dear Maintainer,
- I have a working authentication configuration with ldap on my debian
- wheezy workstation. Everything works fine except with lightdm when a
- ldap user have to change his password due to expiration. The user is
- able to login but in the next prompt, in place of asking new password,
- the ldap administrator password is asked. I've seen i have the same
- behaviour when i try to change a ldap user password via passwd as
- root.
- My nslcd configuration doesn't allow local root user to behave like
- ldap administrator.
- I've tried with gdm3 greeter and it works; it asks for new password
- and it allows to change the password properly.
- I've seen this different behaviour in auth.log:
+ [Test Case]
+ 1. Setup LDAP logins
+ 2. Expire users password
+ 3. Attempt to log into greeter
+ Expected result:
+ - User is prompted to change password. Password limitations are correctly enforced.
+ Observed result:
+ - User is prompted to change password. Password limitations are not correctly enforced.
  
- with gdm3:
- 
- debian gdm3][10414]: pam_ldap(gdm3:auth): nslcd authentication; user=test
- debian gdm3][10414]: pam_ldap(gdm3:auth): authentication succeeded
- debian gdm3][10414]: pam_unix(gdm3:account): expired password for user
- test (password aged)
- debian gdm3][10414]: pam_unix(gdm3:chauthtok): username [test] obtained
- debian gdm3][10414]: pam_unix(gdm3:chauthtok): user "test" does not
- exist in /etc/passwd
- debian gdm3][10414]: pam_ldap(gdm3:chauthtok): nslcd authentication; user=test
- debian gdm3][10414]: pam_ldap(gdm3:chauthtok): authentication succeeded
- debian gdm3][10414]: pam_unix(gdm3:chauthtok): username [test] obtained
- debian gdm3][10414]: pam_unix(gdm3:chauthtok): user "test" does not
- exist in /etc/passwd
- 
- with lightdm:
- 
- debian lightdm: pam_ldap(lightdm:auth): nslcd authentication; user=test
- debian lightdm: pam_ldap(lightdm:auth): authentication succeeded
- debian lightdm: pam_unix(lightdm:account): expired password for user
- test (password aged)
- debian lightdm: pam_unix(lightdm:chauthtok): username [test] obtained
- debian lightdm: pam_unix(lightdm:chauthtok): user "test" does not
- exist in /etc/passwd
- debian lightdm: pam_ldap(lightdm:chauthtok): nslcd authentication; user=
- debian lightdm: pam_ldap(lightdm:chauthtok): user not handled by nslcd
- 
- As you can see nslcd authentication have user value set in gdm3.
- Lightdm have a blank value instead.
- 
- I've tried with lightdm-gtk-greeter and lightdm-crowd-greeter just to
- check if it was a greeter problem but the problem remains with both.
- 
- 
- -- System Information:
- Debian Release: 7.3
-   APT prefers stable-updates
-   APT policy: (500, 'stable-updates'), (500, 'stable')
- Architecture: i386 (i686)
- 
- Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
- Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
- Shell: /bin/sh linked to /bin/dash
- 
- Versions of packages lightdm depends on:
- ii  adduser                                3.113+nmu3
- ii  consolekit                             0.4.5-3.1
- ii  dbus                                   1.6.8-1+deb7u1
- ii  debconf [debconf-2.0]                  1.5.49
- ii  libc6                                  2.13-38
- ii  libglib2.0-0                           2.33.12+really2.32.4-5
- ii  libpam0g                               1.1.3-7.1
- ii  libxcb1                                1.8.1-2+deb7u1
- ii  libxdmcp6                              1:1.1.1-1
- ii  lightdm-gtk-greeter [lightdm-greeter]  1.1.6-2
- 
- Versions of packages lightdm recommends:
- ii  xserver-xorg  1:7.7+3~deb7u1
- 
- Versions of packages lightdm suggests:
- ii  accountsservice  0.6.21-8
- ii  upower           0.9.17-1
- 
- -- Configuration Files:
- /etc/lightdm/lightdm.conf:
- [LightDM]
- [SeatDefaults]
- xserver-allow-tcp=false
- greeter-session=lightdm-greeter
- greeter-hide-users=true
- user-session=gnome-session
- session-wrapper=/etc/X11/Xsession
- [XDMCPServer]
- [VNCServer]
- enabled=true
- port=5900
- width=1024
- height=768
- depth=8
- 
- /etc/pam.d/lightdm:
- auth    requisite       pam_nologin.so
- auth    required        pam_env.so readenv=1
- auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
- @include common-auth
- @include common-account
- session [success=ok ignore=ignore module_unknown=ignore default=bad]
- pam_selinux.so close
- session required        pam_limits.so
- session required        pam_loginuid.so
- @include common-session
- session [success=ok ignore=ignore module_unknown=ignore default=bad]
- pam_selinux.so open
- @include common-password
- 
- In addition to these files my configuration is:
- 
- nslcd.conf:
- uid nslcd
- gid nslcd
- uri ldap://ldap2
- uri ldap://ldap1
- base passwd ou=people,dc=myorg
- base shadow ou=people,dc=myorg
- base group ou=groups,dc=myorg
- ldap_version 3
- binddn cn=reader,dc=myorg
- bindpw readerpass
- ssl start_tls
- tls_reqcert allow
- 
- common-auth:
- 
- auth    [success=5 default=ignore]      pam_unix.so nullok_secure debug
- auth    [success=3 authinfo_unavail=ignore default=1]   pam_ldap.so
- minimum_uid=1000 use_first_pass debug
- auth    [success=3 default=ignore]  pam_ccreds.so action=validate use_first_pass
- auth    [default=bad]   pam_ccreds.so action=update
- auth    requisite                       pam_deny.so
- auth    [default=ignore]  pam_ccreds.so action=store
- auth    required                        pam_permit.so
- 
- common-account:
- 
- account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
- account [success=1 new_authtok_reqd=done authinfo_unavail=1
- default=ignore]     pam_ldap.so minimum_uid=1000 debug
- account requisite                       pam_deny.so
- account required                        pam_permit.so
- 
- common-password:
- 
- password        [success=2 default=ignore]      pam_unix.so obscure sha512 debug
- password        [success=1 new_authtok_reqd=1 default=ignore]
- pam_ldap.so minimum_uid=1000 try_first_pass debug
- #password       [default=1]     pam_ldap.so minimum_uid=1000
- try_first_pass debug
- password        requisite                       pam_deny.so
- password        required                        pam_permit.so
- 
- common-session:
- 
- session [default=ok] pam_permit.so
- session [default=ignore] pam_unix.so
- session [default=ignore] pam_ldap.so minimum_uid=1000
- session [default=ignore] pam_mkhomedir.so skel=/etc/skel umask=0022
- 
- -- debconf information:
-   lightdm/daemon_name: /usr/sbin/lightdm
- * shared/default-x-display-manager: lightdm
- 
- Thank you for support.
+ [Regression Potential]
+ Any PAM module that relied on the previous incorrect behaviour might behave differently. It is not expected that any module would intentionally do this.

** Information type changed from Private to Public
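The auth.log excerpts above show the symptom directly: under gdm3 the pam_ldap chauthtok line carries `user=test`, while under lightdm it carries an empty `user=` and nslcd then refuses to handle it. The following added example (not part of the bug report or of LightDM) parses syslog lines in that format and flags any service whose pam_ldap password change ran with an empty user after an expired-password account check, which is a cheap way to confirm the bug on a host from its logs. The sample lines are constructed from the excerpts in the report; the host/PID prefixes are kept as they appear there.

```python
import re

# Constructed sample, modelled on the auth.log lines quoted in the bug report.
SAMPLE_LOG = """\
debian gdm3][10414]: pam_ldap(gdm3:auth): nslcd authentication; user=test
debian gdm3][10414]: pam_ldap(gdm3:auth): authentication succeeded
debian gdm3][10414]: pam_unix(gdm3:account): expired password for user test (password aged)
debian gdm3][10414]: pam_unix(gdm3:chauthtok): username [test] obtained
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): nslcd authentication; user=test
debian gdm3][10414]: pam_ldap(gdm3:chauthtok): authentication succeeded
debian lightdm: pam_ldap(lightdm:auth): nslcd authentication; user=test
debian lightdm: pam_ldap(lightdm:auth): authentication succeeded
debian lightdm: pam_unix(lightdm:account): expired password for user test (password aged)
debian lightdm: pam_unix(lightdm:chauthtok): username [test] obtained
debian lightdm: pam_ldap(lightdm:chauthtok): nslcd authentication; user=
debian lightdm: pam_ldap(lightdm:chauthtok): user not handled by nslcd
"""

# pam_<module>(<service>:<stage>): <message>
PAM_LINE = re.compile(r"pam_(?P<module>\w+)\((?P<service>[^:]+):(?P<stage>\w+)\): (?P<msg>.*)$")
# "user=<value>" as written by pam_ldap; an empty value is the bug's signature
USER_FIELD = re.compile(r"\buser=(?P<user>\S*)")

def parse_pam_line(line):
    """Return a dict (module, service, stage, msg, user) or None for non-PAM lines."""
    m = PAM_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    u = USER_FIELD.search(rec["msg"])
    rec["user"] = u.group("user") if u else None  # None = no user= field on this line
    return rec

def find_broken_chauthtok(log_text):
    """Services where pam_ldap's chauthtok ran with an empty user after an
    expired-password account check, i.e. the behaviour reported for lightdm."""
    expired = set()   # services that hit 'expired password' in the account stage
    broken = []
    for line in log_text.splitlines():
        rec = parse_pam_line(line)
        if rec is None:
            continue
        if rec["stage"] == "account" and "expired password" in rec["msg"]:
            expired.add(rec["service"])
        elif (rec["stage"] == "chauthtok" and rec["module"] == "ldap"
              and rec["user"] == "" and rec["service"] in expired):
            broken.append(rec["service"])
    return broken
```

Run against a real /var/log/auth.log, the syslog timestamp and hostname prefix are simply ignored by the search, so the same functions apply unchanged.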

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1270118

Title:
  lightdm ask ldap administrator password when changing an expired
  password
