diff -Nru nss-pam-ldapd-0.8.13/debian/changelog nss-pam-ldapd-0.8.13/debian/changelog --- nss-pam-ldapd-0.8.13/debian/changelog 2013-10-17 14:52:04.000000000 -0700 +++ nss-pam-ldapd-0.8.13/debian/changelog 2015-02-12 11:13:31.000000000 -0800 @@ -1,3 +1,14 @@ +nss-pam-ldapd (0.8.13-3ubuntu1) trusty; urgency=medium + + * return-partial-shadow-information-to-non-root-users.patch: backport + upstream patch to return partial shadow information (leaving out password + hashes) to non-root users. This fixes pam_unix failing in pam_acct_mgmt + while trying to get password expiry information from shadow, thereby + preventing the Unity lockscreen from being unlocked by LDAP users. (LP: + #1314095) + + -- Ryan Tandy Thu, 12 Feb 2015 11:10:41 -0800 + nss-pam-ldapd (0.8.13-3) unstable; urgency=low * implement-nofork.patch: introduce a -n, --nofork option that skips the diff -Nru nss-pam-ldapd-0.8.13/debian/patches/return-partial-shadow-information-to-non-root-users.patch nss-pam-ldapd-0.8.13/debian/patches/return-partial-shadow-information-to-non-root-users.patch --- nss-pam-ldapd-0.8.13/debian/patches/return-partial-shadow-information-to-non-root-users.patch 1969-12-31 16:00:00.000000000 -0800 +++ nss-pam-ldapd-0.8.13/debian/patches/return-partial-shadow-information-to-non-root-users.patch 2015-02-12 11:10:29.000000000 -0800 
@@ -0,0 +1,98 @@
+Description: Return partial shadow information to non-root users
+ This also returns everything except the password hash from the shadow
+ database to non-root users (nothing was returned before). This allows
+ non-root users to do PAM authentication in some configurations.
+ .
+ On some systems there is a setgid executable that is allowed to read
+ /etc/shadow for authentication by e.g. screensavers. Returning no
+ shadow information will cause pam_unix to deny authorisation in common
+ configurations.
+Origin: backport, commit:d58f163b5aceb570aa7bd41b2c8edb3307a3a980
+Author: Arthur de Jong
+Bug-Debian: http://bugs.debian.org/706913
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1314095
+Applied-Upstream: 0.9.1
+Last-Update: 2015-02-12
+
+Index: nss-pam-ldapd-0.8.13/nslcd/common.h
+===================================================================
+--- nss-pam-ldapd-0.8.13.orig/nslcd/common.h 2015-02-12 10:36:57.945109531 -0800
++++ nss-pam-ldapd-0.8.13/nslcd/common.h 2015-02-12 10:39:12.309113398 -0800
+@@ -215,8 +215,8 @@
+ int nslcd_service_byname(TFILE *fp,MYLDAP_SESSION *session);
+ int nslcd_service_bynumber(TFILE *fp,MYLDAP_SESSION *session);
+ int nslcd_service_all(TFILE *fp,MYLDAP_SESSION *session);
+-int nslcd_shadow_byname(TFILE *fp,MYLDAP_SESSION *session);
+-int nslcd_shadow_all(TFILE *fp,MYLDAP_SESSION *session);
++int nslcd_shadow_byname(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid);
++int nslcd_shadow_all(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid);
+ int nslcd_pam_authc(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid);
+ int nslcd_pam_authz(TFILE *fp,MYLDAP_SESSION *session);
+ int nslcd_pam_sess_o(TFILE *fp,MYLDAP_SESSION *session);
+Index: nss-pam-ldapd-0.8.13/nslcd/nslcd.c
+===================================================================
+--- nss-pam-ldapd-0.8.13.orig/nslcd/nslcd.c 2015-02-12 10:36:57.945109531 -0800
++++ nss-pam-ldapd-0.8.13/nslcd/nslcd.c 2015-02-12 10:38:57.545112973 -0800
+@@ -459,10 +459,8 @@
+ case NSLCD_ACTION_SERVICE_BYNAME: (void)nslcd_service_byname(fp,session); break;
+ case NSLCD_ACTION_SERVICE_BYNUMBER: (void)nslcd_service_bynumber(fp,session); break;
+ case NSLCD_ACTION_SERVICE_ALL: (void)nslcd_service_all(fp,session); break;
+- case NSLCD_ACTION_SHADOW_BYNAME: if (uid==0) (void)nslcd_shadow_byname(fp,session);
+- else log_log(LOG_DEBUG,"denied shadow request by non-root user"); break;
+- case NSLCD_ACTION_SHADOW_ALL: if (uid==0) (void)nslcd_shadow_all(fp,session);
+- else log_log(LOG_DEBUG,"denied shadow request by non-root user"); break;
++ case NSLCD_ACTION_SHADOW_BYNAME: (void)nslcd_shadow_byname(fp,session,uid); break;
++ case NSLCD_ACTION_SHADOW_ALL: (void)nslcd_shadow_all(fp,session,uid); break;
+ case NSLCD_ACTION_PAM_AUTHC: (void)nslcd_pam_authc(fp,session,uid); break;
+ case NSLCD_ACTION_PAM_AUTHZ: (void)nslcd_pam_authz(fp,session); break;
+ case NSLCD_ACTION_PAM_SESS_O: (void)nslcd_pam_sess_o(fp,session); break;
+Index: nss-pam-ldapd-0.8.13/nslcd/shadow.c
+===================================================================
+--- nss-pam-ldapd-0.8.13.orig/nslcd/shadow.c 2015-02-12 10:36:57.945109531 -0800
++++ nss-pam-ldapd-0.8.13/nslcd/shadow.c 2015-02-12 10:41:12.829116868 -0800
+@@ -281,7 +281,8 @@
+ return rc;
+ }
+
+-static int write_shadow(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser)
++static int write_shadow(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser,
++ uid_t calleruid)
+ {
+ int32_t tmpint32;
+ const char **usernames;
+@@ -305,7 +306,7 @@
+ }
+ /* get password */
+ passwd=get_userpassword(entry,attmap_shadow_userPassword,passbuffer,sizeof(passbuffer));
+- if (passwd==NULL)
++ if ((passwd == NULL) || (calleruid != 0))
+ passwd=default_shadow_userPassword;
+ /* get expiry properties */
+ get_shadow_properties(entry,&lastchangedate,&mindays,&maxdays,&warndays,
+@@ -362,7 +363,7 @@
+ return NULL;
+ }
+
+-NSLCD_HANDLE(
++NSLCD_HANDLE_UID(
+ shadow,byname,
+ char name[256];
+ char filter[4096];
+@@ -370,14 +371,14 @@
+ log_setrequest("shadow=\"%s\"",name);,
+ NSLCD_ACTION_SHADOW_BYNAME,
+ mkfilter_shadow_byname(name,filter,sizeof(filter)),
+- write_shadow(fp,entry,name)
++ write_shadow(fp,entry,name,calleruid)
+ )
+
+-NSLCD_HANDLE(
++NSLCD_HANDLE_UID(
+ shadow,all,
+ const char *filter;
+ log_setrequest("shadow(all)");,
+ NSLCD_ACTION_SHADOW_ALL,
+ (filter=shadow_filter,0),
+- write_shadow(fp,entry,NULL)
++ write_shadow(fp,entry,NULL,calleruid)
+ )
diff -Nru nss-pam-ldapd-0.8.13/debian/patches/series nss-pam-ldapd-0.8.13/debian/patches/series
--- nss-pam-ldapd-0.8.13/debian/patches/series 2013-08-18 06:12:57.000000000 -0700
+++ nss-pam-ldapd-0.8.13/debian/patches/series 2015-02-12 11:10:29.000000000 -0800
@@ -1 +1,2 @@
 implement-nofork.patch
+return-partial-shadow-information-to-non-root-users.patch
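Review bot: In the write_shadow hunk of nslcd/shadow.c the hash is still read with get_userpassword() into passbuffer for every caller and only the pointer is swapped afterwards, so redaction for non-root callers rests on that single reassignment staying ahead of every later use of passwd. Skipping the lookup for unprivileged callers keeps the hash out of the request path entirely: `passwd=(calleruid==0)?get_userpassword(entry,attmap_shadow_userPassword,passbuffer,sizeof(passbuffer)):NULL;`, with the original `if (passwd==NULL)` left as the fallback. The `/* get password */` comment should also state that non-root callers always receive default_shadow_userPassword. The rest of write_shadow and the place where nslcd.c obtains uid are outside the hunks, so it is worth confirming that uid is non-zero when peer credentials cannot be read, and keeping a LOG_DEBUG line for non-root shadow requests now that the denial message is removed from the dispatcher.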