incorrect password policy messages

Bug #1009013 reported by muzzol
This bug affects 5 people
Affects: lightdm (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

I've configured LDAP auth with sssd package and lightdm is not understanding policy messages.

when user password is expired it says "Password incorrect" and that's not true.

in /var/log/auth.log it says:

  Jun 5 15:25:48 cprli0554 lightdm: pam_sss(lightdm:auth): received for user pepet6: 13 (User account has expired)

also, when user is in "warning" state there's a message that appears for a very short time on screen and user is not able to read it.

again in /var/log/auth.log:

  Jun 5 15:28:50 cprli0554 lightdm: pam_sss(lightdm:auth): User info message: Your password will expire in 4 day(s).

I'm planning a huge migration and these kinds of bugs give a lot of confusion to users (so a lot of tickets opened for support).

ask for further info.

# lsb_release -rd
Description: Ubuntu 12.04 LTS
Release: 12.04

# apt-cache policy lightdm
lightdm:
  Instaŀlat: 1.2.1-0ubuntu1
  Candidat: 1.2.1-0ubuntu1
  Taula de versió:
 *** 1.2.1-0ubuntu1 0
        500 http://fr.archive.ubuntu.com/ubuntu/ precise/main i386 Packages
        100 /var/lib/dpkg/status

maybe related:

https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/972537
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/856269
---
ApportVersion: 2.0.1-0ubuntu9
Architecture: i386
DistroRelease: Ubuntu 12.04
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release i386 (20120423.2)
Package: lightdm 1.2.1-0ubuntu1
PackageArchitecture: i386
ProcVersionSignature: Ubuntu 3.2.0-25.40-generic-pae 3.2.18
Tags: precise
Uname: Linux 3.2.0-25-generic-pae i686
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:

mtime.conffile..etc.pam.d.lightdm: 2012-05-31T10:52:21.210434

muzzol (muzzol)
description: updated
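
The two `pam_sss` log lines quoted in the description carry the real reason for the refusal even though the greeter shows "Password incorrect". The following is an added example, not part of the original report and not lightdm or sssd code: a small triage script that separates policy refusals from genuine wrong passwords in `auth.log`. The code-to-name mapping uses the Linux-PAM constants; the sample lines marked constructed (including their user names and the code 7 wording) are assumptions made for illustration.

```python
import re

# Linux-PAM return codes (values from <security/_pam_types.h>). A greeter that
# maps all of them to one string tells an expired user "Password incorrect".
PAM_CODES = {
    7: "wrong_password",             # PAM_AUTH_ERR
    12: "password_change_required",  # PAM_NEW_AUTHTOK_REQD
    13: "account_expired",           # PAM_ACCT_EXPIRED
}
POLICY_KINDS = ("account_expired", "password_change_required")

PREFIX = (r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+.*?"
          r"pam_sss\((?P<service>[^:)]+):(?P<phase>\w+)\):\s+")
RESULT_RE = re.compile(
    PREFIX + r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>.*)\)\s*$")
INFO_RE = re.compile(PREFIX + r"User info message: (?P<msg>.*\S)\s*$")


def classify(line):
    """Return a dict describing one pam_sss line, or None if it is unrelated."""
    line = line.strip()
    m = RESULT_RE.match(line)
    if m:
        code = int(m["code"])
        return {"kind": PAM_CODES.get(code, "other"), "code": code,
                "user": m["user"], "service": m["service"], "ts": m["ts"]}
    m = INFO_RE.match(line)
    if m:  # the info line carries no user name, so none is reported
        return {"kind": "info", "msg": m["msg"], "service": m["service"], "ts": m["ts"]}
    return None


def policy_refusals(lines, service="lightdm"):
    """Users refused by password policy on `service`, not for a wrong password."""
    hits = {}
    for ev in filter(None, map(classify, lines)):
        if ev["service"] == service and ev["kind"] in POLICY_KINDS:
            hits.setdefault(ev["user"], []).append(ev["kind"])
    return hits


SAMPLE = [
    # The first two lines are the ones quoted in the bug description.
    "Jun 5 15:25:48 cprli0554 lightdm: pam_sss(lightdm:auth): received for user pepet6: 13 (User account has expired)",
    "Jun 5 15:28:50 cprli0554 lightdm: pam_sss(lightdm:auth): User info message: Your password will expire in 4 day(s).",
    # Constructed lines: a real wrong password, another service, unrelated noise.
    "Jun 5 15:31:02 cprli0554 lightdm: pam_sss(lightdm:auth): received for user constructed1: 7 (Authentication failure)",
    "Jun 5 15:32:10 cprli0554 sshd[2211]: pam_sss(sshd:auth): received for user constructed2: 13 (User account has expired)",
    "Jun 5 15:33:00 cprli0554 CRON[2300]: pam_unix(cron:session): session opened for user root",
]
```
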
Evan Peck (colors) wrote :

Muzzol,

Can you give exact steps to reproduce this? Also, please run:
apport-collect 1009013
to collect necessary information for Triagers to work on it.

Thank you!
Evan Peck

Changed in lightdm (Ubuntu):
status: New → Incomplete
muzzol (muzzol) wrote : Dependencies.txt

apport information

tags: added: apport-collected precise
description: updated
muzzol (muzzol) wrote : ProcEnviron.txt

apport information

muzzol (muzzol) wrote : modified.conffile..etc.pam.d.lightdm.txt

apport information

muzzol (muzzol) wrote :

to reproduce:

1 configure sssd with one LDAP domain
2 force some user password expiration changing 'shadowLastChange'
3 try to login with that user

result: user login is rejected and a message appears that says password is incorrect

expected result: a message telling user that password is expired and gives user chance to set a new one.

muzzol (muzzol) wrote :

this is my sssd.conf file:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = XXXXXX.net

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/XXXXXX.net]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = true

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://ldap.XXXXXX.net
ldap_search_base = dc=XXXX,dc=global
ldap_group_search_base = cn=rol-domini,ou=Rols,ou=Groups,dc=XXXX,dc=global?base?(cn=rol-domini)?ou=Groups,dc=XXXX,dc=global?onelevel?
ldap_user_search_base = ou=Users,dc=XXXX,dc=global?subtree?(objectclass=inetorgperson)
ldap_tls_reqcert = allow
ldap_tls_cacertdir = /etc/ssl/certs
ldap_pwd_policy = shadow

muzzol (muzzol) wrote :

I'm not sure if this should be two separated issues:

 - lightdm not displaying PAM messages: when some module shows a message (Your password is expiring in 5 days) lightdm should wait for some seconds or even wait for user interaction (OK button).

 - lightdm not giving option to change expired password: when user password is expired there should appear a dialog for changing it.

Evan Peck (colors) wrote :

Muzzol,

Thank you for all that juicy debug-file-stuff. :)
Really.
Also, (on #7), I personally would classify that as two issues, but may be caused by the same problem, so don't create a separate bug for each of those just yet.

Many thanks!
Evan Peck ;~)

muzzol (muzzol) wrote :

Hi,

I've done some more tests and I've found that using server side policy instead of shadow policies it asks for new password as it should.

warning message behaves the same and it's too fast for user to see something.

I've detected a new problem about localization. when new password is asked to user, some strings are translated and some others aren't. I'm not sure if these strings belong to lightdm or sssd.

so to be accurate there's three problems:

 - lightdm doesn't understand shadow password expiration

 - lightdm doesn't show pam warnings correctly

 - localization incomplete for password changing

raerek (raerek) wrote :

"lightdm doesn't show pam warnings correctly" - and if it does then for far too short time

muzzol (muzzol) wrote :

why is this bug still marked as Incomplete?

must I provide more info?

is there anything else I can do to help in this issue?

Changed in lightdm (Ubuntu):
status: Incomplete → New
Evan Peck (colors) wrote :

CONFIRMED-
Affects multiple people
Has steps to reproduce

Changed in lightdm (Ubuntu):
status: New → Confirmed