Unity Lockscreen in 14.04 can't unlock when using LDAP account

Bug #1314095 reported by Grzegorz Gutowski on 2014-04-29
This bug affects 25 people
Affects Status Importance Assigned to Milestone
nss-pam-ldapd (Debian)
Fix Released
Unknown
nss-pam-ldapd (Ubuntu)
High
Unassigned
Trusty
High
Unassigned
Utopic
High
Unassigned

Bug Description

SRU justification:

[Impact]

* Summary: in Trusty, when libnss-ldapd is used, LDAP users are not able to unlock the Unity lockscreen. Utopic and later are not affected. Some workarounds are listed in comment #29.

* nslcd in Trusty and earlier does not permit unprivileged users to read shadow entries. When invoked by the Unity lockscreen, running as the logged-in user, pam_unix returns PAM_AUTHINFO_UNAVAIL in pam_acct_mgmt when it tries to get password expiry information from shadow. This leads to an authorization failure, so Unity refuses to unlock the screen. pam_ldap is not consulted for pam_acct_mgmt after pam_unix fails because its rule is in the Additional section.

* In Utopic and later, nslcd returns partial shadow entries to unprivileged users. This is enough for the expiry check in pam_unix to succeed, so the screen can be unlocked. See http://bugs.debian.org/706913 for a discussion of the upstream fix.

* This proposed SRU backports the upstream solution to Trusty's nslcd. This is a change of behaviour for shadow queries from unprivileged users, compared to the current package. An alternative, more targeted fix would be to change Unity to ignore AUTHINFO_UNAVAIL results from pam_acct_mgmt, like gnome-screensaver already does (see comment #29). The nslcd change is a more general fix for not just Unity, but any PAM-using program run by an unprivileged user.

[Test Case]

* Install and configure libnss-ldapd. Ensure ldap is enabled for at least the passwd and shadow services in /etc/nsswitch.conf.

* Log into Unity as an LDAP user, lock the screen, and then try to unlock it again.

[Regression Potential]

* The patch is minimal, was written by the upstream author, and was backported (adjusting for whitespace changes) to Trusty. The change has already been released in Utopic and will be included in Debian Jessie as well.

* Regression testing should include checking that shadow queries, both by name and for listing all users, are unchanged when issued as root.

[Other Info]

* Packages for testing are available in ppa:rtandy/lp1314095

Original description:

My setup is:

Ubuntu 14.04 LTS,
ldap accounts,
krb5 authentication,
Lightdm,
Unity session

ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent passwd and getent shadow work fine.
I am able to log in on the console without any problems.
I was able to log in in lightdm.
Then I used the lock screen.
I could not disable the lock screen using my password.
I rebooted my computer.

Now:
After logging in through lightdm, the unity lockscreen locks the screen immediately and I cannot disable it using my password.

From my short inspection of auth.log and unix_chkpwd sources it seems that unix_chkpwd works fine when called from lightdm and fails to get user info when called from unity lockscreen.

lsb_release -rd
Description: Ubuntu 14.04 LTS
Release: 14.04

apt-cache policy unity lightdm libpam-modules
unity:
  Installed: 7.2.0+14.04.20140416-0ubuntu1
  Candidate: 7.2.0+14.04.20140416-0ubuntu1
  Version table:
 *** 7.2.0+14.04.20140416-0ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status
lightdm:
  Installed: 1.10.0-0ubuntu3
  Candidate: 1.10.0-0ubuntu3
  Version table:
 *** 1.10.0-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status
libpam-modules:
  Installed: 1.1.8-1ubuntu2
  Candidate: 1.1.8-1ubuntu2
  Version table:
 *** 1.1.8-1ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status

Contents of /var/log/auth.log:

Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"
Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost= user=user
Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
Apr 29 06:49:32 localhost lightdm[15604]: pam_unix(lightdm-greeter:session): session closed for user lightdm
Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for user (user)
Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser= rhost= user=user
Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info (user)
Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info (user)
Apr 29 06:49:37 localhost compiz: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"

cat /etc/pam.d/common-auth
account required pam_unix.so
auth required pam_group.so
auth [success=2 default=ignore] pam_unix.so try_first_pass nullok_secure
auth [success=1 default=ignore] pam_krb5.so try_first_pass minimum_uid=200
auth requisite pam_deny.so
auth required pam_permit.so

auth optional pam_afs_session.so minimum_uid=200
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so

cat /etc/pam.d/common-account
account required pam_unix.so

cat /etc/pam.d/lightdm
auth requisite pam_nologin.so
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
auth optional pam_group.so
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-password
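The auth.log excerpt above carries the signature that separates this bug from an ordinary wrong-password failure: the pam_unix failure comes from a process running as the logged-in user (compiz, uid=1001) rather than from lightdm (uid=0, which is expected to fall through to pam_krb5), and it is followed by unix_chkpwd reporting "could not obtain user info". The script below is an added example, not part of the bug report; it runs that check over the log lines quoted here (embedded as constructed sample input, with Jan's three lines from further down the thread added) and only reports the non-root caller.

```python
"""Triage helper for the auth.log signature discussed in this bug.

Added example; not part of the bug report. It scans syslog-style lines for
the pair that marks an unprivileged PAM caller being refused shadow data:
a 'unix_chkpwd[...]: could not obtain user info (USER)' line following a
'pam_unix(...:auth): authentication failure' line with a non-zero uid/euid
for the same USER. The same pam_unix failure logged by a root process
(uid=0, e.g. lightdm falling through to pam_krb5) is expected and not flagged.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts prog pid msg")

# "Mon DD HH:MM:SS host prog[pid]: message" (pid optional)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAIL_RE = re.compile(
    r"pam_unix\((?P<svc>[^:]+):auth\): authentication failure; .*?"
    r"\buid=(?P<uid>\d+) euid=(?P<euid>\d+) .*? user=(?P<user>\S+)")
NOINFO_RE = re.compile(r"could not obtain user info \((?P<user>[^)]+)\)")

# Constructed sample: the reporter's auth.log excerpt plus Jan's three lines.
SAMPLE_LOG = """\
Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"
Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost= user=user
Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
Apr 29 06:49:32 localhost lightdm[15604]: pam_unix(lightdm-greeter:session): session closed for user lightdm
Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for user (user)
Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser= rhost= user=user
Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info (user)
Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info (user)
May 27 09:07:11 muizenberg unix_chkpwd[4186]: check pass; user unknown
May 27 09:07:11 muizenberg unix_chkpwd[4186]: password check failed for user (jan)
May 27 09:07:11 muizenberg unix_chkpwd[4187]: could not obtain user info (jan)
"""


def parse(line):
    """Split one syslog line into an Event, or None if it does not parse."""
    m = LINE_RE.match(line)
    return Event(m["ts"], m["prog"], m["pid"], m["msg"]) if m else None


def find_unprivileged_shadow_failures(lines):
    """Return one finding per (user, caller, service) whose shadow lookup was refused.

    A 'could not obtain user info' line is attributed to the most recent
    pam_unix auth failure for the same user; without such a line the
    caller's uid is unknown and nothing is reported for that user.
    """
    last_fail = {}   # user -> (prog, service, uid, euid)
    seen, findings = set(), []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        f = FAIL_RE.search(ev.msg)
        if f:
            last_fail[f["user"]] = (ev.prog, f["svc"], int(f["uid"]), int(f["euid"]))
            continue
        n = NOINFO_RE.search(ev.msg)
        if n and ev.prog == "unix_chkpwd" and n["user"] in last_fail:
            prog, svc, uid, euid = last_fail[n["user"]]
            key = (n["user"], prog, svc)
            if (uid != 0 or euid != 0) and key not in seen:
                seen.add(key)
                findings.append({"ts": ev.ts, "user": n["user"], "caller": prog,
                                 "service": svc, "uid": uid, "helper_pid": ev.pid})
    return findings


if __name__ == "__main__":
    for hit in find_unprivileged_shadow_failures(SAMPLE_LOG.splitlines()):
        print("{ts}: {caller} (uid {uid}, PAM service {service}) could not read "
              "shadow data for {user}; unix_chkpwd pid {helper_pid}".format(**hit))
```

On a real host, feed it `/var/log/auth.log` (or `journalctl -o short` output in the same syslog shape); a hit for a non-root caller such as compiz or gnome-screensaver-dialog, with logins through lightdm still succeeding, is the pattern this bug describes. Jan's lines produce no hit because the excerpt lacks the pam_unix line that names the caller.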

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity (Ubuntu):
status: New → Confirmed
Grzegorz Gutowski (gzegzol) wrote :

When I add suid root to unix_chkpwd binary:

chmod u+s /sbin/unix_chkpwd

then everything works as expected: both lightdm and unity lockscreen are accepting my password.

Without suid it seems that the call (with correct username) to getspnam in function get_account_info in file passverify.c in pam/modules/pam_unix returns NULL. I don't understand this behaviour. I wrote a simple C program that calls getspnam and it works as expected when called from an unprivileged user.
When unix_chkpwd (both suid root and not) is called by lightdm, then it always works well.
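A probe for what getspnam(3) hands back to the calling uid, written here as an added example (it is not the reporter's test program, nor code from pam_unix). It calls getpwnam through the pwd module and getspnam through ctypes, assumes glibc's struct spwd layout, and maps the result onto a simplified model of the account-check outcomes discussed in this thread (that mapping is an assumption of this example, not pam_unix's actual logic). Run it once as an unprivileged user and once as root on an affected host to compare what the NSS shadow source returns to each.

```python
"""Probe whether a user's shadow entry is visible to the calling uid.

Added example, not code from the bug report or from pam_unix. getpwnam(3)
is called through the pwd module and getspnam(3) through ctypes (glibc
struct layout assumed). The outcome is mapped onto a simplified model of
pam_unix's account check: no passwd entry -> user unknown; passwd entry
but no shadow data -> authinfo unavailable; both -> success.
"""
import ctypes
import ctypes.util
import errno
import os
import pwd
import sys

USER_UNKNOWN, AUTHINFO_UNAVAIL, SUCCESS = "user_unknown", "authinfo_unavail", "success"


class Spwd(ctypes.Structure):
    """struct spwd from <shadow.h> (glibc field order; assumption)."""
    _fields_ = [("sp_namp", ctypes.c_char_p), ("sp_pwdp", ctypes.c_char_p),
                ("sp_lstchg", ctypes.c_long), ("sp_min", ctypes.c_long),
                ("sp_max", ctypes.c_long), ("sp_warn", ctypes.c_long),
                ("sp_inact", ctypes.c_long), ("sp_expire", ctypes.c_long),
                ("sp_flag", ctypes.c_ulong)]


def classify(have_passwd, have_shadow):
    """Simplified model of the account-check outcome (see module docstring)."""
    if not have_passwd:
        return USER_UNKNOWN          # getpwnam found nothing
    if not have_shadow:
        return AUTHINFO_UNAVAIL      # passwd ok, but shadow data withheld
    return SUCCESS


def explain_errno(err):
    """Turn the errno left by a NULL getspnam() into a hint about the source."""
    if err == errno.EACCES:
        return "EACCES: a files/compat source refused to read /etc/shadow"
    if err == errno.ENOENT:
        return "ENOENT: the source reported 'no entry' (what nslcd does for unprivileged callers)"
    return "errno %d: %s" % (err, os.strerror(err)) if err else "no errno set"


def probe(name):
    """Return (outcome, errno, shadow_fields) for user `name` as the current uid."""
    libc = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6", use_errno=True)
    libc.getspnam.restype = ctypes.POINTER(Spwd)
    libc.getspnam.argtypes = [ctypes.c_char_p]
    try:
        pwd.getpwnam(name)
        have_passwd = True
    except KeyError:
        have_passwd = False
    ctypes.set_errno(0)
    sp = libc.getspnam(name.encode())
    err = ctypes.get_errno()
    fields = None
    if sp:   # a NULL pointer is falsy
        fields = {"lastchg": sp.contents.sp_lstchg, "max": sp.contents.sp_max,
                  "expire": sp.contents.sp_expire,
                  "hash_present": sp.contents.sp_pwdp not in (None, b"", b"*")}
    return classify(have_passwd, fields is not None), err, fields


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else pwd.getpwuid(os.getuid()).pw_name
    outcome, err, fields = probe(user)
    print("euid %d looking up %s: %s" % (os.geteuid(), user, outcome))
    if fields is None:
        print("  getspnam returned NULL; " + explain_errno(err))
    else:
        print("  shadow fields: %r" % fields)
```

A "success" as root but "authinfo_unavail" as the user, for an account that `getent passwd` resolves, is the condition that makes unix_chkpwd log "could not obtain user info" when a non-root process such as the lockscreen runs the PAM account check; the expiry fields show whether a source returns a full entry or, as the later nslcd does, a partial one.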

Changed in unity (Ubuntu):
importance: Undecided → High
Changed in unity:
importance: Undecided → High
status: New → Confirmed
Callum Dickinson (callum-v) wrote :

Hi, I'd just like to chime in here and say that the workaround specified in #2 works for me, as well. I'm running Kerberos 5 authentication with LDAP user accounts, LightDM with Unity greeter and lock screen. Ubuntu 14.04 LTS on both server and clients.

Alex Bachmeier (cebalrai) wrote :

I've switched to sssd and that also seemed to do the trick. If you need a workaround, this way you won't have to modify any system files.

Nick Piggott (nick-piggott) wrote :

Workaround in #2 also working for me.

Jan Groenewald (jan-aims) wrote :

Same behavior on ldap without kerberos.

root@muizenberg:~# lsb_release -d; apt-cache policy unity lightdm libpam-modules|grep Installed; grep unix_chkpwd /var/log/auth.log|tail -3
Description: Ubuntu 14.04 LTS
  Installed: 7.2.0+14.04.20140423-0ubuntu1.2
  Installed: 1.10.1-0ubuntu1
  Installed: 1.1.8-1ubuntu2
May 27 09:07:11 muizenberg unix_chkpwd[4186]: check pass; user unknown
May 27 09:07:11 muizenberg unix_chkpwd[4186]: password check failed for user (jan)
May 27 09:07:11 muizenberg unix_chkpwd[4187]: could not obtain user info (jan)

Workaround in #2 also works for me.

Jan Groenewald (jan-aims) wrote :

Some reference (marked as WONTFIX)
https://bugzilla.redhat.com/show_bug.cgi?id=638279

Above might suggest a configuration that fixes this: check ldap first in common-auth, which currently does:

# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass

That should not be a default (having ldap first) but could be a better workaround than setuid unix_chkpwd ?

Andrea Azzarone (azzar1) wrote :

I managed to setup a working system using this guide:
https://www.digitalocean.com/community/articles/how-to-authenticate-client-computers-using-ldap-on-an-ubuntu-12-04-vps

So not sure it's a unity issue. If you are using something special please help me to replicate your configuration.

Changed in unity:
status: Confirmed → Incomplete
Changed in unity (Ubuntu):
status: Confirmed → Incomplete

We did not have this problem on 12.04. Only now on 14.04

Regards,
Jan

On 28 May 2014 17:53, Andrea Azzarone <email address hidden> wrote:

> I managed to setup a working system using this guide:
>
> https://www.digitalocean.com/community/articles/how-to-authenticate-client-computers-using-ldap-on-an-ubuntu-12-04-vps
>
> So not sure it's a unity issue. If you are using something special
> please help to to replicate your configuration.

Jan Groenewald (jan-aims) wrote :

Perhaps this should then be changed to be a bug against another package rather than unconfirming it. It affects more than one user. We don't want to change our (simple) configurations to an out of date document, we find that our LDAP setup works for logins but not lock screen, and that there seems to be a precedent from the redhat bug.

Since this bug seems to not occur with sssd (comment #4) or libpam-ldap (comment #8) then maybe the bug is with libpam-ldapd.

Can Grzegorz Gutowski, Callum Dickinson, Alex Bachmeier, and Nick Piggott confirm that the original problem for them was with libpam-ldapd?

Nick Piggott (nick-piggott) wrote :

I can confirm I'm using libpam-ldapd:amd64 (0.8.13-3)

Andrea Azzarone (azzar1) wrote :

@Jan we are not unconfirming it (incomplete means that we still need to figure out what and where is the problem). I have a branch that maybe could help you. Next week I'll set up a ppa so you can test it.

Joost Ringoot (joost) wrote :

I have this behaviour on an LTSP client (ubuntu 14.04),
"chmod u+s /sbin/unix_chkpwd" does not appear to resolve it
and I am using sssd to authenticate to ldap

The screen-lock doesn't work by default in LTSP, I had to activate it with unity-tweak-tool.
But it is useless since unlock doesn't work.

Jan Groenewald (jan-aims) wrote :

Hi

Are you getting the unix_chkpwd error in the logs like this?
May 27 09:07:11 muizenberg unix_chkpwd[4186]: check pass; user unknown
May 27 09:07:11 muizenberg unix_chkpwd[4186]: password check failed for
user (jan)
May 27 09:07:11 muizenberg unix_chkpwd[4187]: could not obtain user info
(jan)

Another commenter said sssd does not exhibit this bug. It sounds like
something else causing similar behaviour.

Regards,
Jan

On 8 July 2014 11:42, Joost Ringoot <email address hidden> wrote:

> I have this behaviour on an LTSP client (ubuntu 14.04),
> "chmod u+s /sbin/unix_chkpwd" does not appear resolve it
> and I am using sssd to authenticate to ldap
>
>
> The screen-lock doesn't work by default in LTSP, I had to activate it with
> unity-tweak-tool.
> But it is useless since unlock doesn't work.

Joost Ringoot (joost) wrote :

Hello Jan,

Apparently the LTSP authentication method for the client is not the same as for the server. I was too hasty to say that sssd was installed on the LTSP client like it is on the server; it is not by default.

There are no errors "unix_chkpwd" in the logs but:
Jul 9 08:44:58 zotac-44 compiz: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Jul 9 08:44:58 zotac-44 compiz: PAM adding faulty module: pam_kwallet.so
Jul 9 08:44:58 zotac-44 compiz: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "testuser"
Jul 9 08:45:12 zotac-44 unix_chkpwd[4847]: password check failed for user (testuser)
Jul 9 08:45:12 zotac-44 compiz: pam_unix(lightdm:auth): authentication failure; logname= uid=2683 euid=2683 tty= ruser= rhost= user=testuser
Jul 9 08:45:14 zotac-44 compiz: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Jul 9 08:45:14 zotac-44 compiz: PAM adding faulty module: pam_kwallet.so
Jul 9 08:45:14 zotac-44 compiz: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "testuser"

Jan Groenewald (jan-aims) wrote :

Hi Joost,

I think those kwallet errors are harmless if you don't use KDE; I commented
mine out.
0 root@muizenberg:/etc/pam.d#grep kwal *
lightdm:#auth optional pam_kwallet.so
lightdm:#session optional pam_kwallet.so auto_start
lightdm.all.allowed:#auth optional pam_kwallet.so
lightdm.all.allowed:#session optional pam_kwallet.so auto_start
lightdm-greeter:#auth optional pam_kwallet.so
lightdm-greeter:#session optional pam_kwallet.so auto_start
lightdm.user.allowed:#auth optional pam_kwallet.so
lightdm.user.allowed:#session optional pam_kwallet.so auto_start

I think you can ignore pam_succeed_if, I see that regularly.

You DO seem to have unix_chkpwd, but I also get that message after the fix;
from your logs:

Jul 9 08:45:12 zotac-44 unix_chkpwd[4847]: password check failed for user
(testuser)

This is me successfully unlocking after the unix_chkpwd workaround:

0 root@muizenberg:~#ls -l /sbin/unix_chkpwd
-rwsr-sr-x 1 root shadow 35536 Feb 1 00:21 /sbin/unix_chkpwd
0 root@muizenberg:/var/log#tail -n 5 auth.log
Jul 9 11:10:35 muizenberg compiz: pam_succeed_if(lightdm:auth):
requirement "user ingroup nopasswdlogin" not met by user "jan"
Jul 9 11:10:37 muizenberg unix_chkpwd[22139]: password check failed for
user (jan)
Jul 9 11:10:37 muizenberg compiz: pam_unix(lightdm:auth): authentication
failure; logname= uid=10000 euid=10000 tty= ruser= rhost= user=jan
Jul 9 11:10:37 muizenberg compiz: gkr-pam: unlocked login keyring
Jul 9 11:10:37 muizenberg compiz: pam_group(lightdm:setcred): unable to
set the group membership for user: Operation not permitted
0 root@muizenberg:/var/log#

Another thought, are there any dconf/gsettings lockdown in LTSP that might
affect this?

Regards,
Jan

On 9 July 2014 10:42, Joost Ringoot <email address hidden> wrote:

> Hello Jan,
>
> Apparently the LTSP authentication method for the client is not the same
> as for the server, I was to hastly to say that sssd was installed in the
> LTSP client like it is on the server, it is not by default.
>
> There are no errors "unix_chkpwd" in the logs but:
> Jul 9 08:44:58 zotac-44 compiz: PAM unable to dlopen(pam_kwallet.so):
> /lib/security/pam_kwallet.so: cannot open shared object file: No such file
> or directory
> Jul 9 08:44:58 zotac-44 compiz: PAM adding faulty module: pam_kwallet.so
> Jul 9 08:44:58 zotac-44 compiz: pam_succeed_if(lightdm:auth): requirement
> "user ingroup nopasswdlogin" not met by user "testuser"
> Jul 9 08:45:12 zotac-44 unix_chkpwd[4847]: password check failed for user
> (testuser)
> Jul 9 08:45:12 zotac-44 compiz: pam_unix(lightdm:auth): authentication
> failure; logname= uid=2683 euid=2683 tty= ruser= rhost= user=testuser
> Jul 9 08:45:14 zotac-44 compiz: PAM unable to dlopen(pam_kwallet.so):
> /lib/security/pam_kwallet.so: cannot open shared object file: No such file
> or directory
> Jul 9 08:45:14 zotac-44 compiz: PAM adding faulty module: pam_kwallet.so
> Jul 9 08:45:14 zotac-44 compiz: pam_succeed_if(lightdm:auth): requirement
> "user ingroup nopasswdlogin" not met by user "testuser"

Mark Crocker (mcrocker) wrote :

Alternate work-around:

I was able to login successfully by detaching the keyboard, and using the mouse to 'click-in' my password with the on-screen keyboard. I usually had to click on Switch Account in the 'gear' drop-down menu to get the assistive technology icon to appear to get to the on-screen keyboard, but once I did, I could enter a password and that worked to log me in.

It's somewhat bizarre that this would work since the setuid work-around suggested above also worked for me. If it is some problem running unix_chkpwd, then shouldn't the on-screen keyboard have just as much difficulty with that?

I've seen the same behaviour after an upgrade from 12.04 to 14.04. Login was still possible but the screen did not unlock. I had this message in /var/log/auth.log:
hostname unix_chkpwd[26503]: could not obtain user info (username)

For me this was caused by wrong file permissions on /etc/shadow. The file was not readable by the shadow group. If the workaround mentioned in comment #2 works, have a look at these file permissions:
-rw-r--r-- 1 root root 925 sep 9 18:42 /etc/group
-rw-r--r-- 1 root root 1944 sep 9 18:42 /etc/passwd
-rw-r----- 1 root shadow 1132 sep 9 18:42 /etc/shadow

I have the same problem, though I don't have any unix_chkpwd errors as it's not installed on my systems.

I was able to solve it by replacing:
1) libpam-ldap by libpam-ldapd
2) libnss-ldap by libnss-ldapd
3) nscd by nslcd

I think it is related to my use of self signed certificates that libpam-ldap has trouble handling.

brayan bautista (braybaut) wrote :

hello,

I can confirm I'm using sssd

brayan bautista (braybaut) wrote :

Error caused by lightdm???

Charlie Ott (charlieott) wrote :

confirming on my setup as well.

openstack VM (similar to amazon ec2)
Running GDM3 (apt-get install gnome-shell) w/ NX Server to xorg-server-dummy package (since vm is headless)
LDAP Authentication w/ SSSD Package

Once I connect to the server, I am able to log in the first time using my ldap account. Also since i already have a home folder (PAM mkhomedir) my LDAP 'firstName' and 'lastName' actually show up on the GDM3 login screen. Which was a pleasant surprise.

however, once locked. I'm getting the error in /var/log/auth.log:
Jan 8 05:19:10 onr-geoserver gdm-password][12480]: pam_succeed_if(gdm-password:auth): requirement "user ingroup nopasswdlogin" not met by user "cott"
Jan 8 05:19:17 onr-geoserver gdm-password][12480]: pam_unix(gdm-password:auth): authentication failure; logname=cott uid=0 euid=0 tty=:0 ruser= rhost= user=cott
Jan 8 05:19:19 onr-geoserver gdm-password][12480]: pam_sss(gdm-password:auth): authentication success; logname=cott uid=0 euid=0 tty=:0 ruser= rhost= user=cott
Jan 8 05:19:19 onr-geoserver gdm-password][12480]: gkr-pam: unlocked login keyring
Jan 8 05:19:19 onr-geoserver systemd-logind[1359]: Removed session 3.
Jan 8 05:19:19 onr-geoserver gdm-password][12708]: pam_succeed_if(gdm-password:auth): requirement "user ingroup nopasswdlogin" not met by user "cott"

it seems 'pam_sss' is happy (auth. success), but 'pam_unix' is not.

This is all purely package installs from ubuntu 14.04 cloud image. no custom configs except for the dummy monitor in xorg.conf. which i doubt is related.

Same error here. Based on my understanding it only fetches from /etc/shadow, not from the nscd cache (/var/cache/nscd/passwd) that pam_ldap is pointing at. But if I switch user and log in with the same user, it retains the previous desktop during the lock screen (even when changing desktop, say MATE or GNOME Classic, upon relogin). Tried with gnome-screensaver and with mate-screensaver, same result. Sadly not on the Lock Screen, as it generates the following log:

Jan 22 17:14:35 ambotlang gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=104781 euid=104781 tty=:1.0 ruser= rhost= user=txunil
Jan 22 17:14:44 ambotlang lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=txunil

Vincent Jestin (mazargman) wrote :

Hello,

Same problem here after doing an upgrade from 12.04 to 14.04.

On the affected machine, some users (basically admins) have both unix accounts and LDAP accounts.

Users with both accounts can log in with unix or ldap password. However, when the desktop is locked, the only way to unlock is to use a unix password.

I've tried unix_chkpwd suid workaround (no success) and checked /etc/shadow file permissions (was ok).

I'm using libpam-ldap.

Jan Groenewald (jan-aims) wrote :

Hi

Do you have this exactly?
0 root@muizenberg:~#ls -l /sbin/unix_chkpwd
-rwsr-sr-x 1 root shadow 35536 Feb 1 2014 /sbin/unix_chkpwd

I am using libpam-ldap*d* and it works. Note the d.

Regards,
Jan

On 30 January 2015 at 19:05, Vincent Jestin <email address hidden> wrote:

> Hello,
>
> Same problem here after doing an upgrade from 12.04 to 14.04.
>
> On the affected machine, some users (basically admins) have both unix
> accounts and LDAP accounts.
>
> Users with both accounts can log in with unix or ldap password. However,
> when the desktop is locked, the only way to unlock is to use a unix
> password.
>
> I've tried unix_chkpwd suid workaround (no success) and checked
> /etc/shadow file permissions (was ok).
>
> I'm using libpam-ldap.

Vincent Jestin (mazargman) wrote :

Hello

Thank you Jan!

I had the correct permissions for unix_chkpwd.

I replaced libpam-ldap by libpam-ldapd and now I can unlock the user session successfully.

However I have some other issues I didn't have before using libpam-ldapd like I'm unable to create a local user (non ldap) or su command which gives permission denied errors. All this is probably related to PAM configuration.

Anyway, thanks a lot!

Vincent.

Ryan Tandy (rtandy) wrote :

This seems to be fixed in later releases. Using lib{nss,pam}-ldapd and nslcd, with no custom configuration beyond "dpkg-reconfigure nslcd", I experience this bug in trusty, but not in utopic or vivid.

Also, in trusty I do not experience it when using alternative lockers such as gnome-screensaver or light-locker, only with the Unity lockscreen.

Setting status back to Confirmed, and I'll try to isolate the change that fixed it.

Changed in unity:
status: Incomplete → Confirmed
Changed in unity (Ubuntu):
status: Incomplete → Confirmed
Ryan Tandy (rtandy) wrote :

Hi,

Grzegorz Gutowski (gzegzol) wrote on 2014-04-29: "Without suid it seems that call (with correct username) to getspnam in function get_account_info in file passverify.c in pam/modules/pam_unix returns NULL. I don't understand this behaviour. I wrote a simple c program that calls getspnam and it works as expected when called from unprivileged user."

A call to getspnam(3) as an unprivileged user returns NULL; that's expected. (nss_compat returns errno = EACCES since we can't read /etc/shadow; nss_ldapd returns errno = ENOENT as a generic "not found" code.)

The unix_chkpwd helper is sgid to shadow so that it can read /etc/shadow, but nss_ldapd still returns ENOENT to shadow queries. If we make unix_chkpwd suid, then nss_ldapd returns real shadow results; but this is only a workaround (and a potentially dangerous one, at that).

What I see happening when I attempt to unlock the screen:

- the auth stack is fine;
- in the account stack, pam_unix returns PAM_AUTHINFO_UNAVAIL (from unix_chkpwd), and it falls into pam_deny after that (since pam_ldap is Additional).

gnome-screensaver works only because it actually ignores the result from the account stack and proceeds anyway: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/gnome-screensaver/trusty/view/head:/src/gs-auth-pam.c#L519

Some possible workarounds are:

- chmod u+s /sbin/unix_chkpwd (potentially dangerous, not recommended);
- dpkg-reconfigure libnss-ldapd and disable the shadow service (then pam_unix doesn't try consulting it);
- use libnss-ldap instead of libnss-ldapd, since it allows everyone to read shadow entries;
- use libnss-sss instead of libnss-ldapd, since it does not support the shadow service at all (in trusty, at least);
- make libpam-ldapd's account rule Primary instead of Additional (but this was already done and subsequently reverted by its maintainer in 0.8.8-1 and 0.8.8-2).

I'm not sure why some people reported experiencing this bug when using libnss-ldap or libnss-sss. I'd want to review their PAM and NSS setups in that case.

This is all about trusty so far... still have to look at utopic/vivid.
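As an added illustration (my own, not code from Ryan's comment, from nss-pam-ldapd or from pam_unix), the C program below reproduces the getspnam(3) probe discussed above and distinguishes the three outcomes the comment describes: an entry returned, NULL with EACCES (nss_compat refusing /etc/shadow), and NULL with ENOENT or errno 0 (nss_ldapd's generic "not found"). It also runs a constructed shadow entry through a simplified model of the expiry checks pam_unix performs in pam_acct_mgmt, to show what a partial entry (ageing fields present, password field a placeholder) is enough for. The function names probe_shadow, check_shadow_expiry and make_entry are hypothetical, the expiry logic is a model of pam_unix's checks rather than its source, and the sample entry values are constructed.

```c
/* Added diagnostic for the nslcd/pam_unix shadow problem in this bug.
 * Not part of nss-pam-ldapd or pam_unix; names and sample values are illustrative. */
#include <errno.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

typedef enum {
    LOOKUP_FOUND,      /* an entry came back (possibly partial, without the hash) */
    LOOKUP_NOT_FOUND,  /* NULL with errno 0/ENOENT: the generic "not found" from nss_ldapd */
    LOOKUP_DENIED,     /* NULL with errno EACCES: nss_compat cannot read /etc/shadow */
    LOOKUP_ERROR       /* NULL with some other errno */
} lookup_result;

/* Query the NSS shadow map as the calling user and classify the result. */
lookup_result probe_shadow(const char *name, int *saved_errno)
{
    errno = 0;
    struct spwd *sp = getspnam(name);
    int e = errno;
    if (saved_errno)
        *saved_errno = e;
    if (sp)
        return LOOKUP_FOUND;
    if (e == EACCES)
        return LOOKUP_DENIED;
    if (e == 0 || e == ENOENT || e == ESRCH)
        return LOOKUP_NOT_FOUND;
    return LOOKUP_ERROR;
}

typedef enum {
    EXPIRY_OK,              /* account usable, password current */
    EXPIRY_ACCT_EXPIRED,    /* sp_expire passed */
    EXPIRY_PASSWD_EXPIRED,  /* past max age plus inactivity grace */
    EXPIRY_CHANGE_REQUIRED  /* past max age, or lstchg == 0 (forced change) */
} expiry_status;

/* Simplified model (assumption, not pam_unix's code) of the ageing checks
 * pam_acct_mgmt applies to a shadow entry. Only ageing fields are consulted,
 * which is why a partial entry without the password hash suffices.
 * today_days is days since the epoch; *days_left is set when inside the warning window. */
expiry_status check_shadow_expiry(const struct spwd *sp, long today_days, long *days_left)
{
    *days_left = -1;
    if (sp->sp_expire > 0 && today_days > sp->sp_expire)
        return EXPIRY_ACCT_EXPIRED;
    if (sp->sp_lstchg == 0)
        return EXPIRY_CHANGE_REQUIRED;
    if (today_days < sp->sp_lstchg)        /* clock went backwards; do not lock out */
        return EXPIRY_OK;
    if (sp->sp_max >= 0 && sp->sp_inact >= 0 &&
        today_days > sp->sp_lstchg + sp->sp_max + sp->sp_inact)
        return EXPIRY_PASSWD_EXPIRED;
    if (sp->sp_max >= 0 && today_days > sp->sp_lstchg + sp->sp_max)
        return EXPIRY_CHANGE_REQUIRED;
    if (sp->sp_max >= 0 && sp->sp_warn > 0) {
        long left = sp->sp_lstchg + sp->sp_max - today_days;
        if (left <= sp->sp_warn)
            *days_left = left;
    }
    return EXPIRY_OK;
}

/* Build a constructed entry shaped like a partial answer for a non-root caller:
 * ageing fields populated, password field a placeholder instead of a hash. */
void make_entry(struct spwd *sp, long lstchg, long max, long warn, long inact, long expire)
{
    memset(sp, 0, sizeof *sp);
    sp->sp_namp = "ldapuser";   /* constructed name */
    sp->sp_pwdp = "*";          /* placeholder, no hash */
    sp->sp_lstchg = lstchg;
    sp->sp_min = 0;
    sp->sp_max = max;
    sp->sp_warn = warn;
    sp->sp_inact = inact;
    sp->sp_expire = expire;
    sp->sp_flag = (unsigned long)-1;
}

long today_in_days(void)
{
    return (long)(time(NULL) / 86400);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "found", "not found", "permission denied", "error" };
    const char *user = argc > 1 ? argv[1] : "root";
    int e;
    long left;
    lookup_result r = probe_shadow(user, &e);
    printf("getspnam(\"%s\") as uid %u: %s (errno=%d: %s)\n",
           user, (unsigned)getuid(), names[r], e, strerror(e));
    if (r == LOOKUP_FOUND) {
        expiry_status st = check_shadow_expiry(getspnam(user), today_in_days(), &left);
        printf("expiry status: %d, days left before warning threshold: %ld\n", st, left);
    }
    return 0;
}
```

Run it once as the logged-in user and once with sudo: on a Trusty nslcd before the fix the unprivileged run reports "not found", which is exactly the PAM_AUTHINFO_UNAVAIL path; after the fix it reports "found" and the expiry model runs on the partial entry.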

Ryan Tandy (rtandy) wrote :

Ahh, right. So this is almost certainly the change that fixed it for utopic:

    - nslcd will now return partial shadow information to non-root users to
      avoid authorisation problems with setgid shadow authentication helpers
      with some PAM stacks (closes: #706913)

I bet backporting that to trusty will resolve this.

Changed in nss-pam-ldapd (Debian):
status: Unknown → Fix Released
Ryan Tandy (rtandy) wrote :

Hello sponsors,

Please consider uploading the attached nslcd patch to trusty-proposed to resolve this bug. Thank you!

description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nss-pam-ldapd (Ubuntu):
status: New → Confirmed
Changed in unity:
status: Confirmed → Invalid
Changed in unity (Ubuntu):
status: Confirmed → Invalid
Steve Langasek (vorlon) on 2015-05-18
Changed in nss-pam-ldapd (Ubuntu Utopic):
status: New → Fix Released
Changed in nss-pam-ldapd (Ubuntu):
status: Confirmed → Fix Released
Changed in unity (Ubuntu Trusty):
status: New → Invalid
Changed in unity (Ubuntu Utopic):
status: New → Invalid

Hello Grzegorz, or anyone else affected,

Accepted nss-pam-ldapd into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nss-pam-ldapd/0.8.13-3ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in nss-pam-ldapd (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed
Ryan Tandy (rtandy) wrote :

Installed a pristine trusty system, configured lib{nss,pam}-ldapd, and confirmed that updating to nslcd 0.8.13-3ubuntu1 from trusty-proposed allows LDAP users to unlock the Unity lockscreen.

Mathew Hodson (mhodson) wrote :

Tagging verification-done based on comment #34.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss-pam-ldapd - 0.8.13-3ubuntu1

---------------
nss-pam-ldapd (0.8.13-3ubuntu1) trusty; urgency=medium

  * return-partial-shadow-information-to-non-root-users.patch: backport
    upstream patch to return partial shadow information (leaving out password
    hashes) to non-root users. This fixes pam_unix failing in pam_acct_mgmt
    while trying to get password expiry information from shadow, thereby
    preventing the Unity lockscreen from being unlocked by LDAP users. (LP:
    #1314095)

 -- Ryan Tandy <email address hidden> Thu, 12 Feb 2015 11:10:41 -0800

Changed in nss-pam-ldapd (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for nss-pam-ldapd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Mathew Hodson (mhodson) on 2015-10-28
affects: unity → ubuntu-translations
no longer affects: ubuntu-translations
no longer affects: unity (Ubuntu)
no longer affects: unity (Ubuntu Utopic)
no longer affects: unity (Ubuntu Trusty)
Changed in nss-pam-ldapd (Ubuntu Utopic):
importance: Undecided → High
Changed in nss-pam-ldapd (Ubuntu Trusty):
importance: Undecided → High
Changed in nss-pam-ldapd (Ubuntu):
importance: Undecided → High