Screen Lock does not prompt for password

Bug #1316320 reported by Charlie Ott
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
LTSP5 | Fix Released | Medium | Unassigned |
Unity | Invalid | High | Unassigned |
unity (Ubuntu) | Invalid | Undecided | Unassigned |

Bug Description

I am using LTSP fat clients, created with:

$ sudo ltsp-build-image --arch amd64 --fat-client-desktop ubuntu-desktop

LTSP server has sssd authentication utilizing pam and ldap. Users can log in without issue and the home folder is available. Everything works as expected except for screen locking.

When locking the screen, the displays first go blank and the monitor goes to sleep.

Then if I move the mouse or press a keystroke, they go black but the mouse is visible.

Once I move the mouse or strike a key the second time, everything comes back up without a password prompt. However, the password prompt is enabled in "Brightness & Lock".

The client hardware is an Intel NUC D34010WYK

Also maybe related, there seems to be no system tray. No clock or username/logout buttons. I am using Ctrl + Alt + L to lock the screen. (See attached screenshot)

This is a security vulnerability and I cannot make the new 14.04 image available as fat clients, since the users cannot lock their workstation.

Tags: lockscreen
Charlie Ott (charlieott) wrote :
information type: Private Security → Public
description: updated
Charlie Ott (charlieott) wrote :

Installed using DVD for Ubuntu 14.04 Server Edition.

Installed ltsp-server-standalone (with dhcpd) package using apt.

Hardware is an HP ProLiant DL380 G7

Charlie Ott (charlieott) wrote :

I think the issue here is that since users on the Terminal server are authenticated with sssd/ldap the client images need to be able to authenticate as well.

As a temporary workaround I have installed xscreensaver and sssd. With the same sssd.conf from the server, the xscreensaver lock works just as well.

tags: added: lockscreen
Andrea Azzarone (azzar1) wrote :

I can confirm the issue. Thin clients look fine, fat clients don't.

Changed in unity:
status: New → Confirmed
Changed in unity (Ubuntu):
status: New → Confirmed
Changed in unity:
importance: Undecided → High
Charlie Ott (charlieott) wrote :

I've noticed some errors that may be related inside the ~/.Xsession-errors file:

Xsession: X session started for cott at Thu May 15 10:10:22 EDT 2014
localuser:cott being added to access control list
Script for ibus started at run_im.
Script for auto started at run_im.
Script for default started at run_im.
Script for ibus started at run_im.
Script for auto started at run_im.
Script for default started at run_im.
x-session-manager[13561]: WARNING: Could not parse desktop file gnome-screensaver.desktop or it references a not found TryExec binary
GNOME_KEYRING_CONTROL=/run/user/59319/keyring-w66G9H
GNOME_KEYRING_PID=13690
GNOME_KEYRING_CONTROL=/run/user/59319/keyring-w66G9H
SSH_AUTH_SOCK=/run/user/59319/keyring-w66G9H/ssh
GNOME_KEYRING_CONTROL=/run/user/59319/keyring-w66G9H
GNOME_KEYRING_CONTROL=/run/user/59319/keyring-w66G9H
SSH_AUTH_SOCK=/run/user/59319/keyring-w66G9H/ssh
GPG_AGENT_INFO=/run/user/59319/keyring-w66G9H/gpg:0:1

** (unity-settings-daemon:13702): WARNING **: Name taken or bus went away - shutting down
compiz (core) - Info: Loading plugin: core
compiz (core) - Info: Starting plugin: core
compiz (core) - Info: Loading plugin: ccp
compiz (core) - Info: Starting plugin: ccp

(gnome-settings-daemon:13694): media-keys-plugin-WARNING **: Grab failed for some keys, another application may already have access the them.

(gnome-settings-daemon:13694): dconf-WARNING **: failed to commit changes to dconf: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code24: Failed to rename file '/home/cott/.config/dconf/user.DRS4FX' to '/home/cott/.config/dconf/user': g_rename() failed: Device or resource busy

** (process:13749): CRITICAL **: bluez.vala:104: GDBus.Error:org.bluez.Error.NoSuchAdapter: No such adapter
compiz (core) - Info: Loading plugin: composite
compiz (core) - Info: Starting plugin: composite

(process:13803): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed
compiz (core) - Info: Loading plugin: opengl

** (process:13765): CRITICAL **: volume_control_set_volume_internal: assertion '_tmp1_ == PA_CONTEXT_READY' failed
compiz (core) - Info: Unity is fully supported by your hardware.
compiz (core) - Info: Unity is not supported by your hardware. Enabling software rendering instead (slow).

** (indicator-printers-service:13759): WARNING **: Error subscribing to CUPS notifications: Bad file descriptor

compiz (core) - Info: Starting plugin: opengl

** (process:13765): CRITICAL **: file /build/buildd/indicator-sound-12.10.2+14.04.20140401/obj-x86_64-linux-gnu/src/volume-control.c: line 1775: uncaught error: GDBus.Error:org.freedesktop.DBus.Error.InvalidArgs: No such interface (g-dbus-error-quark, 16)
compiz (core) - Info: Loading plugin: place
compiz (core) - Info: Starting plugin: place
compiz (core) - Info: Loading plugin: regex
compiz (core) - Info: Starting plugin: regex
compiz (core) - Info: Loading plugin: resize
compiz (core) - Info: Starting plugin: resize
compiz (core) - Info: Loading plugin: session
compiz (core) - Info: Starting plugin: session
I/O warning : failed to load external entity "/home/cott/.compiz/session/10ae8d458df8cacea2140016302341646600000135610001"
compiz (core)...


Andrea Azzarone (azzar1) wrote :

OK, I managed to reproduce it on a VM. Btw, it does not look like a unity bug to me. Can you execute this command on the fat client:
gsettings get org.gnome.desktop.lockdown disable-lock-screen

It's "true" here and this explains why lockscreen is not working. Also unity does not control the value of the settings, so we should retarget the bug.

Changed in unity:
status: Confirmed → Incomplete
Changed in unity (Ubuntu):
status: Confirmed → Incomplete
Andrea Azzarone (azzar1) wrote :

Seems like it's something wanted:
ltsp-5.5.1/client/Debian/share/ltsp/init-ltsp.d/50-gsettings-overrides:disable-lock-screen=true

So marking unity as invalid.

Changed in unity:
status: Incomplete → Invalid
Changed in unity (Ubuntu):
status: Incomplete → Invalid
Alkis Georgopoulos (alkisg) wrote :

LDM uses `ssh user@server` to authenticate users.
It then copies the user /etc/passwd information from the server to the client,
but it doesn't copy the /etc/shadow part, i.e. the user password hash.

So fat client and localapps users do not have a password set, and thus cannot use `sudo`, cannot unlock a screensaver etc.

The fix would be to let LDM/ssh.c write the hash of the password it gets from the user, locally to /etc/passwd.
Patches welcome for that.

In the future, for LTSP 6, the plan is to drop LDM completely and use pam to authenticate users, so there won't be issues like that there. But without contributors, LTSP 6 might take a long while to arrive... :)

Changed in ltsp:
status: New → Triaged
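
The two causes identified so far in this thread, the `disable-lock-screen` override and the missing local password hash, can be checked together. The script below is an added example, not code from this thread or from LTSP/LDM; the function names and the sample account data are constructed. On a real fat client, pass it the output of `gsettings get org.gnome.desktop.lockdown disable-lock-screen` together with `/etc/passwd` and `/etc/shadow` (the latter is readable only by root).

```shell
# Added example (not LTSP/LDM code): audit the two causes named in this thread.

# Classify a password field taken from passwd or shadow.
hash_state() {
    case "$1" in
        "")        echo empty ;;     # no password set
        x)         echo shadowed ;;  # passwd defers to the shadow file
        '!'*|'*'*) echo locked ;;    # locked or unusable
        '$'*)      echo hash ;;      # crypt(3) hash, e.g. $6$salt$...
        *)         echo unknown ;;
    esac
}

# Print USER's password field from FILE; non-zero status if there is no entry.
pw_field() {
    awk -F: -v u="$1" '$1 == u { print $2; ok = 1; exit }
                       END { if (!ok) exit 1 }' "$2" 2>/dev/null
}

# audit_lock USER DISABLE_LOCK_VALUE PASSWD_FILE SHADOW_FILE
# Prints one line per finding; returns 0 only if a local unlock can work.
audit_lock() {
    user=$1; rc=0
    if [ "$2" = true ]; then
        echo "lockdown: disable-lock-screen=true, the lock screen is switched off"
        rc=1
    fi
    field=$(pw_field "$user" "$3") && state=$(hash_state "$field") || state=missing
    if [ "$state" = shadowed ]; then
        field=$(pw_field "$user" "$4") && state=$(hash_state "$field") || state=missing
    fi
    if [ "$state" != hash ]; then
        echo "password: local entry for $user is '$state', no hash to check an unlock against"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: passwd entry copied to the client, shadow entry absent.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'cott:x:1000:1000::/home/cott:/bin/bash' > "$d/passwd"
    : > "$d/shadow"
    audit_lock cott true "$d/passwd" "$d/shadow"; st=$?
    rm -rf "$d"
    return "$st"
}
demo || echo "result: screen lock cannot prompt for a password"
```

The password finding applies to clients that rely on local files only; a client image that authenticates through PAM with sssd, as in the reporter's workaround above, can unlock without a local hash.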
Charlie Ott (charlieott) wrote :

In my environment, I wanted users to authenticate with thick clients using their LDAP binding credentials.

I was able to enable SSSD authentication and add my LDAP cn to the sudoers file on the fat client image. After doing an ltsp-update-image, I am able to use the sudo command with the fat client and xscreensaver is able to authenticate allowing unlock. So I believe Alkis, you are correct, copying the /etc/shadow part would work for users specifically added to the LTSP server's /etc/passwd & shadow.

Should I open another bug in regard to the gnome applets not loading? I'm also missing the Clock, Volume Control, Network information, etc. (See screenshot with original request). I would like my users to at least know what time it is. ;p

Alkis Georgopoulos (alkisg) wrote :

The panel part might be because gnome-settings-daemon gets loaded before unity-settings-daemon, and thus unity-panel-service doesn't start at all.
Try manually running /usr/lib/unity/unity-panel-service, if then the panel applets get loaded, yeah file a separate bug against Unity*.

I don't know details about that, I've never used Unity, I'm using gnome-fallback/flashback.

Charlie Ott (charlieott) wrote :

Ah! Alkis you're the best. That was exactly the issue! Thanks!

Charlie Ott (charlieott) wrote :

Hmm... I see, the Unity Panel allows the User to enable the gnome screen lock, which is not using SSSD (even though I have it installed) so it just hangs in a loop when trying to unlock the screen.

Also the keyring seems to have the same problem, generating hundreds of thousands of keyring.temp files in /home/user/.local/share/keyring

Unfortunately Google chrome prompts users to enable the keyring every time :(

Had to use the find . -type f -delete command to remove them all.

Alkis Georgopoulos (alkisg) wrote :

The "no tray" issue was fix-committed in https://bugs.launchpad.net/ubuntu/+source/ltsp/+bug/1457730
The "no lock screen" issue was fix-committed with LDM_PASSWORD_HASH.

Changed in ltsp:
status: Triaged → Fix Committed
Changed in ltsp:
importance: Undecided → Medium
Alkis Georgopoulos (alkisg) wrote :

Fix released in LDM 2.2.15.

Changed in ltsp:
status: Fix Committed → Fix Released