Login issue: Lightdm + LDAP + Kerberos

Bug #1228079 reported by R. Ernst on 2013-09-20
66
This bug affects 13 people
Affects Status Importance Assigned to Milestone
lightdm (Ubuntu)
Critical
Wojciech

Bug Description

lightdm 1.7.15-0ubuntu1, Ubuntu 13.10

- Local users can login without problems on command line and LightDM
- Kerberos/LDAP authenticated users can login on command line

- Kerberos/LDAP authenticated users cannot login with LigthDM. If you provide a valid user/password the screen gets blank before you return to the login screen. The .xession-errors includes "/usr/sbin/lightdm-session: 5: exec: init: not found"

- If you add init to the users path (e.g., ln -s /sbin/init /bin/init) the user does no longer return back to LightDM but gets a blank screen. Several errors related to "init" in the .xsession-errors. First of them is "init: Failed to spawn upstart-file-bridge main process: unable to execute: No such file or directory"

.xession-errors for both setup attached to this bug report

No problems with Ubuntu 12.04.

ProblemType: Bug
DistroRelease: Ubuntu 13.10
Package: lightdm 1.7.15-0ubuntu1
ProcVersionSignature: Ubuntu 3.11.0-7.14-generic 3.11.1
Uname: Linux 3.11.0-7-generic x86_64
ApportVersion: 2.12.1-0ubuntu4
Architecture: amd64
Date: Fri Sep 20 12:21:13 2013
InstallationDate: Installed on 2013-09-20 (0 days ago)
InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Alpha amd64 (20130917)
MarkForUpload: True
ProcEnviron:
 LANGUAGE=de_DE
 TERM=xterm
 PATH=(custom, no user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: lightdm
UpgradeStatus: No upgrade log present (probably fresh install)

R. Ernst (ernst-l) wrote :
Robert Ancell (robert-ancell) wrote :

Would you be able to try this with another display manager, e.g. gdm?

Can you see what $PATH is set to when logging in on a terminal? It looks at first glance like the session can't find upstart, and that can't find the session processes to run.

Changed in lightdm (Ubuntu):
status: New → Incomplete
R. Ernst (ernst-l) wrote :

Installed GDM and set is as default display manger.

service lightdm stop
service gdm start

gives a blank screen. A reboot never goes to the login screen but the splash screen stays forever. Login on the console is possible.

Ubuntu 13.04: LightDM works without any problems.

Mike Loebl (mloebl) wrote :

I believe I am seeing the same problem. I use pbis-open for integration with Active DIrectory. If I log in as a local user, works fine. However if I login as a user on the domain, I see the identical problems and errors in the log as ernst-l.

Mike Loebl (mloebl) wrote :

Also noticed if I log in via terminal as a domain user, stop lighdm, run startx, desktop comes up (but no indicator panel on bar.)

I should have also noted in the previous post I was on 13.04 and it worked fine, and didn't have any problems until upgrading to 13.10.

Julian Alarcon (alarconj) wrote :

Same problem here, I just upgraded Ubuntu from 13.04 to 13.10
Right now I'm using pbis-open lastest version (7.5.2.1527). This versions worked fine justa few hours before upgrade.

Upgrade was normal, but when I tried to start session with any domain user I got a few flashes and returned to lightdm login screen.

After cheking the message error "/usr/sbin/lightdm-session: 5: exec: init: not found" I found another bug:
https://bugs.launchpad.net/ubuntu/+source/upstart/+bug/1184878

I made the sgestion of make a symlink running this:
sudo ln -s /sbin/init /bin/init

Now when I try to login with a domain user, I got a blank screen and mouse works, but nothing else show up. No background, no terminal with "Alt+T" combination, no bars, no icons, nothing.. Hey.. but mouse moves!

This is the new log from the file .xsessions-errors

Script for ibus started at run_im.
Script for auto started at run_im.
Script for default started at run_im.
init: unity-gtk-module main process (3055) terminated with status 127
init: logrotate pre-start process (3053) terminated with status 127
init: dbus pre-start process (3056) terminated with status 127
init: ssh-agent pre-start process (3054) terminated with status 127
init: ssh-agent post-stop process (3062) terminated with status 127

I got this errors using nouveau (I thought that maybe nvidia drivers were the problem, but I was wrong)

Mike Loebl (mloebl) wrote :

Hmm, I wonder if this could be some odd path issue, status 127 means command not found. Also would explain why we had to do the symbolic link for /sbin/init . $PATH getting squashed somehow?

Changed in lightdm (Ubuntu):
status: Incomplete → Confirmed
Mike Loebl (mloebl) wrote :

I'm also seeing this on Gnome Ubuntu as well after staging up a VM to test it. I have to do the sym link to init, and then once i log in, get the black screen with a cursor. Not looking like a lightdm issue now.

jobu1324 (jbulcher) wrote :

This affects installs based on the latest PowerBroker Identity Services software (downloaded directly from their site, not installed via the Ubuntu repositories).

In my case, I had PBIS 7.5.1 installed and working before I upgraded. I did not think to unbind myself from the domain before upgrading from Ubuntu 13.04 to 13.10, but I did purge PBIS and install the latest edition (7.5.2.1527). My symptoms seem to be identical to those listed above; I've created a question on askubuntu.com: http://askubuntu.com/questions/363869/powerbroker-likewise-open-ubuntu-13-04-13-10-upgrade

Mike Loebl (mloebl) wrote :

Ok, I may have a workaround (not sure yet of any side effects or what else could be broken...)

Since we did the symlink to /bin/init, this is what .Xsession looks like as we know:
init: unity-gtk-module main process (3055) terminated with status 127
init: logrotate pre-start process (3053) terminated with status 127
init: dbus pre-start process (3056) terminated with status 127
init: ssh-agent pre-start process (3054) terminated with status 127
init: ssh-agent post-stop process (3062) terminated with status 127

If you look at ~/.cache/upstart as your LDAP based user, you'll notice in log files for dbus, etc for errors, sure enough the error is it can't find initctl:
/proc/self/fd/9: 3: /proc/self/fd/9: initctl: not found
/proc/self/fd/9: 3: /proc/self/fd/9: initctl: not found
/proc/self/fd/9: 3: /proc/self/fd/9: initctl: not found

I added a symlink from /sbin/initctl to /bin like we did with init, and I am now able to log in again.

Mike Loebl (mloebl) wrote :

After I put in the symlink for initctl into /bin path above and could log in, I ran into an issue where I was having odd errors like not authorized in the disk tool, and Network settings within UI were inaccessible, etc This is beyond the other weird issues with the path stuff from above... I found an old bug here:
https://bugs.launchpad.net/ubuntu/+source/likewise-open/+bug/1162836

I had the same problem where after I finally logged in, my $PATH variable was a ways off from what the local user. Per that bug, I updated /etc/pam.d/common-session and made the following change the line:
session sufficient pam_lsass.so
to:
session [success=ok default=ignore] pam_lsass.s

After a reboot, my path was ok, and everything seems to be working as normal again. I am going to test removing the symlinks that were added, as I suspect with the path fixed, they may not be needed. I will report back what I find.

Mike Loebl (mloebl) wrote :

No symlinks needed for init or initctl and able to log in using pbis as a domain user with the common-session change.

Is this a bug with Ubuntu or pbis?

The workaround with common-session allowed me to log in on my pbis activated machine as well.

jobu1324 (jbulcher) wrote :

This worked for me as well. After applying the fix, unbinding from AD recognizes that the PAM configuration was manually edited and asks the user if he wants the system to administer the configuration, or if he would like to do so manually going forward.

Obviously typical PBIS users want the system to administer their PAM configuration. I assume that after the bug is fixed this won't be a problem, but I'm noting the issue here just in case.

Changed in lightdm (Ubuntu):
importance: Undecided → Critical
Dimitri John Ledkov (xnox) wrote :

/sbin must be in all users path on Ubuntu. It is the default, and many thing will not work, if /sbin is not the default path.

Default path on ubuntu is usually set in /etc/environment and has:
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"

Can you please verify what PATH is set on the affected environments?

Rob A (docsmooth) wrote :

Hi, I've filed a bug internally on the PBIS Open bugzilla, to change the "common-session" entry from "sufficient" to "optional" (which is the same as [success=ok default=ignore] and looks cleaner).

Thanks for picking this up for us!

Mike Loebl (mloebl) wrote :

@Rob A - Thanks for the follow-up! I can confirm on 14.04 it's also working well.

Thanks @mloebl, it works

Wojciech (wojaugustow) on 2015-12-09
Changed in lightdm (Ubuntu):
assignee: nobody → Wojciech (wojaugustow)
status: Confirmed → Fix Committed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers