gnome-screensaver should allow screen unlock even if account is locked out

Bug #404321 reported by Alex Mauer on 2009-07-24
This bug affects 1 person
Affects Status Importance Assigned to Milestone
gnome-screensaver (Ubuntu)
likewise-open (Ubuntu)

Bug Description

Binary package hint: gnome-screensaver

Currently, if one's account is locked out, gnome-screensaver will not allow the user to unlock the screen. It should.

This is on karmic, with likewise-open authentication against Active Directory.

Thierry Carrez (ttx) wrote :

@Alex: could you provide a rationale for *why* it should?

Changed in likewise-open (Ubuntu):
status: New → Incomplete

Alex Mauer (hawke) wrote :

Sure: so that a PC doesn't become totally unusable just because someone entered the wrong password a few times somewhere else.

Thierry Carrez (ttx) wrote :

Well, it's not "totally unusable" since you can still switch to another user. And there should be other users available if you're under a domain setup. The whole "account locking" AD feature is buggy, since every large AD domain user knows they can easily lock out someone else's account.

I guess in the end it all depends on how "being locked out" translates, since I can imagine a bug asking for the complete contrary of what you're asking.

In that discussion, it might be worth considering that Microsoft does not apply lockout policy to the "screen unlock" dialog:

Maybe gnome-screensaver's unlock screen dialog could be taught to recognize a specific "locked" error code, but I'm far from convinced we should do that.

Changed in likewise-open (Ubuntu):
status: Incomplete → New
Changed in gnome-screensaver (Ubuntu):
importance: Undecided → Wishlist

Alex Mauer (hawke) wrote :

It's totally unusable to me, since I only have one AD account so switching to another user isn't really viable.

Obviously there's the workaround of going to a console session as root and killing gnome-screensaver, but that's just silly in my opinion.

Interesting that the Microsoft support link doesn't give a rationale either way for this policy. It would probably be good to have it as a configurable option though, rather than forcing it to work one way or the other.

Wouldn't a locked account result in a successful pam auth, but unsuccessful pam account result, rather than checking for a specific error code?

Chuck McKenzie (redchuck) wrote :

It would be handy if it would at least tell a user that their account was locked out. As is, I had a user change their password and forget to change their cached password in Evolution (or on their smartphone) and they were locked out of their desktop whenever the screen saver kicked in. They could still get in via rebooting, they just couldn't unlock once it was locked.
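The ideas raised in the comments above (separating the PAM authentication result from the PAM account result, making the behaviour a configurable option, and telling the user why unlock failed) can be put together as follows. This is an added example, not code from gnome-screensaver or likewise-open; `try_unlock`, `allow_if_acct_denied` and the stub steps are hypothetical names. Which PAM phase actually reports an Active Directory lockout depends on the module in use.

```c
#include <stddef.h>

/* Real code includes <security/pam_appl.h>; these mirror Linux-PAM's
   definitions so the block builds without the PAM development headers. */
typedef struct pam_handle pam_handle_t;
enum { PAM_SUCCESS = 0, PAM_PERM_DENIED = 6, PAM_AUTH_ERR = 7,
       PAM_MAXTRIES = 11, PAM_NEW_AUTHTOK_REQD = 12, PAM_ACCT_EXPIRED = 13 };

/* Same shape as pam_authenticate() and pam_acct_mgmt(). */
typedef int (*pam_step)(pam_handle_t *, int);

enum unlock_result { UNLOCK, DENY_CREDENTIALS, DENY_ACCOUNT };

/* allow_if_acct_denied is the hypothetical configurable option from the
   thread. *notice receives a message for the dialog, or NULL. */
enum unlock_result try_unlock(pam_handle_t *h, pam_step auth, pam_step acct,
                              int allow_if_acct_denied, const char **notice)
{
    int rc = auth(h, 0);
    *notice = NULL;
    if (rc != PAM_SUCCESS) {
        /* Password not proven: never unlock, whatever the policy says. */
        if (rc == PAM_MAXTRIES)
            *notice = "Too many failed attempts.";
        return DENY_CREDENTIALS;
    }
    rc = acct(h, 0);
    if (rc == PAM_SUCCESS)
        return UNLOCK;
    /* Password was right but the account phase objected: always say why. */
    switch (rc) {
    case PAM_ACCT_EXPIRED:     *notice = "Your account has expired."; break;
    case PAM_NEW_AUTHTOK_REQD: *notice = "Your password must be changed."; break;
    default:                   *notice = "Your account is not permitted to log in."; break;
    }
    return allow_if_acct_denied ? UNLOCK : DENY_ACCOUNT;
}

/* Constructed stand-ins for the two PAM calls, so the logic runs offline. */
static int step_ok(pam_handle_t *h, int f)     { (void)h; (void)f; return PAM_SUCCESS; }
static int step_bad_pw(pam_handle_t *h, int f) { (void)h; (void)f; return PAM_AUTH_ERR; }
static int step_denied(pam_handle_t *h, int f) { (void)h; (void)f; return PAM_PERM_DENIED; }
```

In a real dialog the two steps would be `pam_authenticate` and `pam_acct_mgmt` called on a handle from `pam_start`. The policy switch only applies once the password has been verified, so it cannot help when the module reports the lockout in the authentication phase.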

Chuck Short (zulcss) on 2009-10-09
Changed in likewise-open (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist