Public bug reported:

In attempting to fix bug #43465 I have stumbled across this additional issue.

My common-auth file follows:

auth [default=die success=done authinfo_unavail=reset] pam_unix.so debug
auth [default=die success=1 service_err=reset auth_err=die] pam_krb5.so use_first_pass debug forwardable
auth [default=die success=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store use_first_pass

The basic idea here is that pam_unix should return success only when it is successful, and the process should exit successfully. If pam_unix returns "authinfo_unavail", which basically indicates that no password is assigned to this user locally or in shadow, the stack should proceed to the next module. Any other exit value, such as auth_err, should result in immediate termination.

When run with login, ssh, gdm, and most other pam applications, this works exactly as expected. When run from gnome-screensaver, while trying to unlock the screen, this does not work. The difference is that gnome-screensaver does not run as root. I suspect this improperly alters the exit code.

Even when run as non-root, the exit code should still be the same. There is no local shadow entry for this user and he does not appear in /etc/passwd. He is delivered by nss_ldap.

This bug is blocking the network-authentication spec.

** Affects: pam (Ubuntu)
     Importance: Undecided
         Status: Unconfirmed

--
pam_unix returns incorrect return value when not run as root
https://launchpad.net/bugs/67276