gnome-screensaver should allow screen unlock even if account is locked out

Bug #404321 reported by Alex Mauer
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
gnome-screensaver (Ubuntu) | New | Wishlist | Unassigned |
likewise-open (Ubuntu) | Triaged | Wishlist | Unassigned |

Bug Description

Binary package hint: gnome-screensaver

Currently, if one's account is locked out, gnome-screensaver will not allow the user to unlock the screen. It should.

This is on karmic, with likewise-open authentication against Active Directory.

Thierry Carrez (ttx) wrote :

@Alex: could you provide a rationale for *why* it should?

Changed in likewise-open (Ubuntu):
status: New → Incomplete
Alex Mauer (hawke) wrote :

Sure: so that a PC doesn't become totally unusable just because someone entered the wrong password a few times somewhere else.

Thierry Carrez (ttx) wrote :

Well, it's not "totally unusable" since you can still switch to another user. And there should be other users available if you're under a domain setup. The whole "account locking" AD feature is buggy, since every large AD domain user knows they can easily lock out someone else's account.

I guess in the end it all depends on how "being locked out" translates, since I can imagine a bug asking for the complete contrary of what you're asking.

In that discussion, it might be worth considering that Microsoft does not apply lockout policy to the "screen unlock" dialog: http://support.microsoft.com/kb/188700

Maybe gnome-screensaver's unlock screen dialog could be taught to recognize a specific "locked" error code, but I'm far from convinced we should do that.

Changed in likewise-open (Ubuntu):
status: Incomplete → New
Changed in gnome-screensaver (Ubuntu):
importance: Undecided → Wishlist
Alex Mauer (hawke) wrote :

It's totally unusable to me, since I only have one AD account so switching to another user isn't really viable.

Obviously there's the workaround of going to a console session as root and killing gnome-screensaver, but that's just silly in my opinion.

Interesting that the Microsoft support link doesn't give a rationale either way for this policy. It would probably be good to have it as a configurable option though, rather than forcing it to work one way or the other.

Wouldn't a locked account result in a successful pam auth, but unsuccessful pam account result, rather than checking for a specific error code?

Chuck McKenzie (redchuck) wrote :

It would be handy if it would at least tell a user that their account was locked out. As is, I had a user change their password and forget to change their cached password in Evolution (or on their smartphone) and they were locked out of their desktop whenever the screen saver kicked in. They could still get in via rebooting, they just couldn't unlock once it was locked.

Chuck Short (zulcss)
Changed in likewise-open (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist