Lightdm does not allow changing an expired password with pam_winbind
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Light Display Manager | New | Medium | Unassigned |
lightdm (Debian) | Fix Released | Unknown | |
Bug Description
Using oneiric on a workstation joined to an AD domain, I have found that when the password of a domain user is expired, lightdm does not present the correct steps to change the password.
Here is what happens (lightdm messages are inside ""):
1 - ******** (first enter expired password);
2 - "(current) NT password" --> ******** (expired password)
3 - "Retype new NT password" --> ******** (new password)
4 - "Invalid password, please try again"
There is a step missing between 2 and 3, and it should be "Enter new NT password".
Also lightdm should display, before step 2, a message saying that the password is expired and needs to be changed.
Using su in a text console to log in, the correct password changing dialog is presented:
renzo@vmo-amb20:~$ su rbag
Password:
You need to change your password now
Changing password for rbag
(current) NT password:
Enter new NT password:
Retype new NT password:
rbag@vmo-
Also reported in comment #5 of Bug #856269, but had no feedback...
Changed in lightdm: importance: Undecided → Medium
Changed in lightdm (Debian): status: Unknown → Confirmed
Changed in lightdm (Debian): status: Confirmed → Fix Released
I tried to reproduce the bug in precise, with the latest updates (lightdm 1.1.9-0ubuntu1), and found this:
First of all, the unity-greeter no longer has an entry to allow login for "other" users than local ones. Since winbind domain users are not listed in /etc/passwd, the only possibility to log in for such users is to manually add them to this file, after having obtained the data with "getent passwd".
Then, if I try to login as a domain user with the default PAM configuration set up by the various PAM modules, I obtain this:
1 - ******** (first enter expired password);
2 - "You need to change your password now"
"Enter new Unix password" --> ******** (new password)
3 - "Retype new Unix password" --> ******** (new password)
4 - (login performed, but NT password is not changed)
5 - Subsequent logins are allowed with old NT expired password
(without asking to change it) or with new Unix password
[In this case the content of /etc/pam.d/common-password is this:
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
... ]
If I reverse the order of pam_unix.so and pam_winbind.so, I obtain this:
1 - ******** (first enter expired password);
2 - "You need to change your password now"
"(current) NT password" --> ******** (expired password)
3 - "Enter new Unix password" --> ******** (new password)
4 - "Retype new Unix password" --> ******** (new password)
5 - "Invalid password, please try again"
[In this case the content of /etc/pam.d/common-password is this:
password [success=2 default=ignore] pam_winbind.so use_authtok
password [success=1 default=ignore] pam_unix.so obscure sha512 try_first_pass
... ]
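As an added illustration (not part of the bug report or of lightdm), the following Python walks the two common-password orderings quoted above using libpam's `[success=N default=ignore]` skip rule, showing which modules actually get a chance to run; the pam_deny/pam_permit tail is an assumption about the standard Debian file, since the report elides those lines with "...".

```python
import re

# Orderings quoted in the bug report; the pam_deny/pam_permit tail is an ASSUMED
# Debian default, not text from the report.
STACK_UNIX_FIRST = """\
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
"""
STACK_WINBIND_FIRST = """\
password [success=2 default=ignore] pam_winbind.so use_authtok
password [success=1 default=ignore] pam_unix.so obscure sha512 try_first_pass
password requisite pam_deny.so
password required pam_permit.so
"""
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Return [(control, module, args)] for each non-empty, non-comment pam.d line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsable PAM line: %r" % line)
        _type, control, module, args = m.groups()
        entries.append((control, module, args.split()))
    return entries


def evaluate(text, outcomes):
    """Simulate libpam's walk over the stack; outcomes maps module -> 'success'/'fail'.

    Models only the controls present above: [success=N default=ignore] (on success skip
    the next N modules, otherwise leave the result untouched), requisite and required.
    Returns (modules_invoked_in_order, final_result).
    """
    results = {"pam_deny.so": "fail", "pam_permit.so": "success"}  # fixed behaviour
    results.update(outcomes)
    entries, invoked, result, i = parse_stack(text), [], None, 0
    while i < len(entries):
        control, module, _args = entries[i]
        invoked.append(module)
        ok = results.get(module, "success") == "success"
        if control.startswith("["):
            skip = int(re.search(r"success=(\d+)", control).group(1))
            i += 1 + (skip if ok else 0)      # skipped modules never prompt or run
            continue
        if control == "requisite" and not ok:
            return invoked, "fail"            # requisite failure ends the stack at once
        result = "fail" if (not ok or result == "fail") else "success"
        i += 1
    return invoked, result or "fail"
```

With pam_unix.so first, a successful Unix password change skips two entries and lands on pam_permit.so, so pam_winbind.so is never consulted, which matches the observation that the NT password stays unchanged.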