| Date | Who | What changed | Old value | New value | Message |
|---|---|---|---|---|---|
| 2014-04-29 08:51:49 | Grzegorz Gutowski | bug | | | added bug |
| 2014-04-29 11:31:35 | Launchpad Janitor | unity (Ubuntu): status | New | Confirmed | |
| 2014-04-29 11:41:23 | Ivo Maintz | bug | | | added subscriber Ivo Maintz |
| 2014-04-30 12:38:35 | Sebastien Bacher | unity (Ubuntu): importance | Undecided | High | |
| 2014-04-30 12:38:39 | Sebastien Bacher | bug task added | | unity | |
| 2014-04-30 12:38:45 | Sebastien Bacher | unity: importance | Undecided | High | |
| 2014-04-30 12:38:47 | Sebastien Bacher | unity: status | New | Confirmed | |
| 2014-05-06 12:58:57 | Nick Piggott | bug | | | added subscriber Nick Piggott |
| 2014-05-14 12:28:15 | Alex Bachmeier | bug | | | added subscriber Alex Bachmeier |
| 2014-05-27 04:14:12 | Alex Mauer | bug | | | added subscriber Alex Mauer |
| 2014-05-27 07:19:39 | Jan Groenewald | bug | | | added subscriber AIMS |
| 2014-05-27 08:12:08 | Jan Groenewald | bug watch added | | https://bugzilla.redhat.com/show_bug.cgi?id=638279 | |
| 2014-05-28 15:53:26 | Andrea Azzarone | unity: status | Confirmed | Incomplete | |
| 2014-05-28 15:53:29 | Andrea Azzarone | unity (Ubuntu): status | Confirmed | Incomplete | |
| 2014-06-23 14:13:22 | Stefano Fedrigo | bug | | | added subscriber Stefano Fedrigo |
| 2014-09-09 20:32:54 | Mark Crocker | bug | | | added subscriber Mark Crocker |
| 2014-09-27 11:13:58 | Jakob Reiter | bug | | | added subscriber Jakob Reiter |
| 2014-10-12 10:31:08 | Marcos Alano | bug | | | added subscriber Marcos Alano |
| 2015-01-30 17:07:59 | Vincent Jestin | bug | | | added subscriber Vincent Jestin |
| 2015-02-06 17:23:18 | Ryan Tandy | bug | | | added subscriber Ryan Tandy |
| 2015-02-06 18:51:34 | Ryan Tandy | unity: status | Incomplete | Confirmed | |
| 2015-02-06 18:51:37 | Ryan Tandy | unity (Ubuntu): status | Incomplete | Confirmed | |
| 2015-02-12 18:08:15 | Ryan Tandy | bug task added | | nss-pam-ldapd (Ubuntu) | |
| 2015-02-12 18:09:05 | Ryan Tandy | bug watch added | | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706913 | |
| 2015-02-12 18:09:05 | Ryan Tandy | bug task added | | nss-pam-ldapd (Debian) | |
| 2015-02-12 18:43:37 | Bug Watch Updater | nss-pam-ldapd (Debian): status | Unknown | Fix Released | |
| 2015-02-12 18:53:53 | Vincent Jestin | removed subscriber Vincent Jestin | | | |
2015-02-12 19:56:51 | Ryan Tandy | description | (old value and new value follow in full)

Old value:

My setup is:
Ubuntu 14.04 LTS,
ldap accounts,
krb5 authentication,
Lightdm,
Unity session

ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent passwd and getent shadow work fine.
I am able to log in on the console without any problems.
I was able to log in in lightdm.
Then I used the lock screen.
I could not disable the lock screen using my password.
I rebooted my computer.
Now:
After logging in through lightdm, the unity lockscreen locks the screen immediately and I cannot disable it using my password.
From my short inspection of auth.log and the unix_chkpwd sources it seems that unix_chkpwd works fine when called from lightdm and fails to get user info when called from the unity lockscreen.

lsb_release -rd
Description: Ubuntu 14.04 LTS
Release: 14.04

apt-cache policy unity lightdm libpam-modules
unity:
Installed: 7.2.0+14.04.20140416-0ubuntu1
Candidate: 7.2.0+14.04.20140416-0ubuntu1
Version table:
*** 7.2.0+14.04.20140416-0ubuntu1 0
500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
100 /var/lib/dpkg/status
lightdm:
Installed: 1.10.0-0ubuntu3
Candidate: 1.10.0-0ubuntu3
Version table:
*** 1.10.0-0ubuntu3 0
500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
100 /var/lib/dpkg/status
libpam-modules:
Installed: 1.1.8-1ubuntu2
Candidate: 1.1.8-1ubuntu2
Version table:
*** 1.1.8-1ubuntu2 0
500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
100 /var/lib/dpkg/status

Contents of /var/log/auth.log:
Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"
Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost= user=user
Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
Apr 29 06:49:32 localhost lightdm[15604]: pam_unix(lightdm-greeter:session): session closed for user lightdm
Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for user (user)
Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser= rhost= user=user
Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info (user)
Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info (user)
Apr 29 06:49:37 localhost compiz: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"

cat /etc/pam.d/common-auth
account required pam_unix.so
auth required pam_group.so
auth [success=2 default=ignore] pam_unix.so try_first_pass nullok_secure
auth [success=1 default=ignore] pam_krb5.so try_first_pass minimum_uid=200
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_afs_session.so minimum_uid=200
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so

cat /etc/pam.d/common-account
account required pam_unix.so

cat /etc/pam.d/lightdm
auth requisite pam_nologin.so
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
auth optional pam_group.so
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-password

New value:

SRU justification:

[Impact]
* Summary: in Trusty, when libnss-ldapd is used, LDAP users are not able to unlock the Unity lockscreen. Utopic and later are not affected. Some workarounds are listed in comment #29.
* nslcd in Trusty and earlier does not permit unprivileged users to read shadow entries. When invoked by the Unity lockscreen, running as the logged-in user, pam_unix returns PAM_AUTHINFO_UNAVAIL in pam_acct_mgmt when it tries to get password expiry information from shadow. This leads to an authorization failure, so Unity refuses to unlock the screen. pam_ldap is not consulted for pam_acct_mgmt after pam_unix fails because its rule is in the Additional section.
* In Utopic and later, nslcd returns partial shadow entries to unprivileged users. This is enough for the expiry check in pam_unix to succeed, so the screen can be unlocked. See http://bugs.debian.org/706913 for a discussion of the upstream fix.
* This proposed SRU backports the upstream solution to Trusty's nslcd. This is a change of behaviour for shadow queries from unprivileged users, compared to the current package. An alternative, more targeted fix would be to change Unity to ignore AUTHINFO_UNAVAIL results from pam_acct_mgmt, like gnome-screensaver already does (see comment #29). The nslcd change is a more general fix for not just Unity, but any PAM-using program run by an unprivileged user.

[Test Case]
* Install and configure libnss-ldapd. Ensure ldap is enabled for at least the passwd and shadow services in /etc/nsswitch.conf.
* Log into Unity as an LDAP user, lock the screen, and then try to unlock it again.

[Regression Potential]
* The patch is minimal, was written by the upstream author, and was backported (adjusting for whitespace changes) to Trusty. The change has already been released in Utopic and will be included in Debian Jessie as well.
* Regression testing should include checking that shadow queries, both by name and for listing all users, are unchanged when issued as root.

[Other Info]
* Packages for testing are available in ppa:rtandy/lp1314095

Original description:
(Unchanged; identical to the old value reproduced above.)
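The SRU justification above hinges on what pam_unix's pam_acct_mgmt step sees when the lock screen, running as the logged-in user, asks nslcd for the user's shadow entry. The following is an added example written for this page; it is not code from the bug report, from Linux-PAM or from nss-pam-ldapd. It models that step in Python on a constructed shadow database: the nslcd policy (Trusty returns nothing to non-root callers; Utopic returns the entry with the hash replaced by "*" and the ageing fields intact) is an assumption stated in the code, the expiry check is a simplified transcription of pam_unix's, and the unlock policies follow the report's description of Unity and gnome-screensaver. The user name "user" and uid 1001 are taken from the auth.log lines above; the shadow lines and dates are constructed.

```python
"""Added example (not code from this bug report, Linux-PAM or nss-pam-ldapd).

Models pam_unix's pam_acct_mgmt step on a constructed shadow database to show
why a partial shadow entry (Utopic nslcd, unprivileged caller) is enough to
unlock the screen while a missing entry (Trusty nslcd, unprivileged caller)
yields PAM_AUTHINFO_UNAVAIL. The nslcd behaviour here is a model, not nslcd's
own code; the expiry logic is a simplified transcription of pam_unix's check."""
from dataclasses import dataclass
from typing import Optional

# Return codes as numbered in Linux-PAM's <security/_pam_types.h>
PAM_SUCCESS = 0
PAM_AUTHINFO_UNAVAIL = 9
PAM_NEW_AUTHTOK_REQD = 12
PAM_ACCT_EXPIRED = 13


@dataclass
class ShadowEntry:
    name: str
    passwd: str     # password hash, or "*" in a partial entry
    lastchg: int    # days since epoch of last change; 0 = must change now
    min_days: int
    max_days: int   # -1 = no maximum age
    warn: int
    inact: int      # -1 = no inactivity limit
    expire: int     # days since epoch; -1 = account never expires


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one /etc/shadow-format line; empty numeric fields become -1."""
    f = line.rstrip("\n").split(":")
    if len(f) < 8:
        raise ValueError("shadow line needs at least 8 colon-separated fields")
    num = lambda s: int(s) if s else -1
    return ShadowEntry(f[0], f[1], num(f[2]), num(f[3]), num(f[4]),
                       num(f[5]), num(f[6]), num(f[7]))


# Constructed directory data as root would see it (hashes are placeholders).
SHADOW_DB = {
    "user": parse_shadow_line("user:$6$constructedhash:16300:0:99999:7:::"),
    "olduser": parse_shadow_line("olduser:$6$constructedhash:16000:0:90:7:30::"),
}


def nslcd_getspnam(name: str, caller_uid: int, partial_ok: bool) -> Optional[ShadowEntry]:
    """Model (assumption) of nslcd's shadow lookup policy.
    partial_ok=False: Trusty behaviour, only uid 0 gets an entry back.
    partial_ok=True: Utopic behaviour, other callers get the entry with the
    hash replaced by "*" and the ageing fields intact."""
    entry = SHADOW_DB.get(name)
    if entry is None or caller_uid == 0:
        return entry
    if not partial_ok:
        return None
    return ShadowEntry(entry.name, "*", entry.lastchg, entry.min_days,
                       entry.max_days, entry.warn, entry.inact, entry.expire)


def check_shadow_expiry(sp: ShadowEntry, today: int) -> int:
    """Simplified transcription of pam_unix's account/password ageing check."""
    if sp.expire != -1 and today >= sp.expire:
        return PAM_ACCT_EXPIRED        # account expiry date has passed
    if sp.lastchg == 0:
        return PAM_NEW_AUTHTOK_REQD    # administrator forced a password change
    if today < sp.lastchg:
        return PAM_SUCCESS             # change date in the future: ignored
    age = today - sp.lastchg
    if sp.max_days != -1 and sp.inact != -1 and age > sp.max_days + sp.inact:
        return PAM_ACCT_EXPIRED        # password aged and past the inactivity limit
    if sp.max_days != -1 and age > sp.max_days:
        return PAM_NEW_AUTHTOK_REQD    # password aged but still changeable
    return PAM_SUCCESS


def pam_unix_acct_mgmt(name: str, caller_uid: int, today: int, partial_ok: bool) -> int:
    """Result of pam_unix's pam_sm_acct_mgmt for a known user when the calling
    process runs as caller_uid. No shadow entry at all is the
    "could not obtain user info" case from the auth.log above."""
    sp = nslcd_getspnam(name, caller_uid, partial_ok)
    if sp is None:
        return PAM_AUTHINFO_UNAVAIL
    return check_shadow_expiry(sp, today)


def lockscreen_unlocks(auth_rc: int, acct_rc: int, ignore_authinfo_unavail: bool) -> bool:
    """Unlock policy: Unity (per the report) requires pam_acct_mgmt success;
    gnome-screensaver additionally tolerates PAM_AUTHINFO_UNAVAIL."""
    if auth_rc != PAM_SUCCESS:
        return False
    if acct_rc == PAM_SUCCESS:
        return True
    return ignore_authinfo_unavail and acct_rc == PAM_AUTHINFO_UNAVAIL


if __name__ == "__main__":
    today = 16400  # constructed "today", in days since the epoch
    for release, partial in (("Trusty", False), ("Utopic", True)):
        rc = pam_unix_acct_mgmt("user", caller_uid=1001, today=today, partial_ok=partial)
        print(f"{release}: acct_mgmt as uid 1001 -> {rc}; "
              f"Unity unlocks: {lockscreen_unlocks(PAM_SUCCESS, rc, False)}; "
              f"gnome-screensaver unlocks: {lockscreen_unlocks(PAM_SUCCESS, rc, True)}")
```

Run as root (caller_uid=0) the lookup succeeds under both policies, which is the regression check the SRU text asks for: root's shadow queries must be unchanged. The "olduser" entry shows that the partial entry still carries enough for a genuinely expired password to be refused, so the Utopic behaviour relaxes who may read the ageing fields, not what the ageing check enforces.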
| Date | Who | What changed | Old value | New value | Message |
|---|---|---|---|---|---|
| 2015-02-12 19:58:45 | Ryan Tandy | attachment added | | nss-pam-ldapd_0.8.13-3ubuntu1.debdiff https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1314095/+attachment/4318206/+files/nss-pam-ldapd_0.8.13-3ubuntu1.debdiff | |
| 2015-02-12 19:59:07 | Ryan Tandy | bug | | | added subscriber Ubuntu Sponsors Team |
| 2015-02-18 15:42:57 | Launchpad Janitor | nss-pam-ldapd (Ubuntu): status | New | Confirmed | |
| 2015-02-18 15:46:24 | Erik | bug | | | added subscriber Erik |
| 2015-02-20 21:40:02 | Yözen Hernández | bug | | | added subscriber Yözen Hernández |
| 2015-04-03 10:33:32 | Sebastien Bacher | unity: status | Confirmed | Invalid | |
| 2015-04-03 10:33:37 | Sebastien Bacher | unity (Ubuntu): status | Confirmed | Invalid | |
| 2015-05-10 00:47:32 | John Center | bug | | | added subscriber John Center |
| 2015-05-18 21:47:13 | Steve Langasek | bug | | | added subscriber Steve Langasek |
| 2015-05-18 21:47:17 | Steve Langasek | removed subscriber Ubuntu Sponsors Team | | | |
| 2015-05-18 21:47:26 | Steve Langasek | nominated for series | | Ubuntu Utopic | |
| 2015-05-18 21:47:26 | Steve Langasek | bug task added | | nss-pam-ldapd (Ubuntu Utopic) | |
| 2015-05-18 21:47:26 | Steve Langasek | bug task added | | unity (Ubuntu Utopic) | |
| 2015-05-18 21:47:26 | Steve Langasek | nominated for series | | Ubuntu Trusty | |
| 2015-05-18 21:47:26 | Steve Langasek | bug task added | | nss-pam-ldapd (Ubuntu Trusty) | |
| 2015-05-18 21:47:26 | Steve Langasek | bug task added | | unity (Ubuntu Trusty) | |
| 2015-05-18 21:47:54 | Steve Langasek | nss-pam-ldapd (Ubuntu Utopic): status | New | Fix Released | |
| 2015-05-18 21:48:00 | Steve Langasek | nss-pam-ldapd (Ubuntu): status | Confirmed | Fix Released | |
| 2015-05-18 21:48:06 | Steve Langasek | unity (Ubuntu Trusty): status | New | Invalid | |
| 2015-05-18 21:48:20 | Steve Langasek | unity (Ubuntu Utopic): status | New | Invalid | |
| 2015-06-03 14:13:19 | Chris J Arges | nss-pam-ldapd (Ubuntu Trusty): status | New | Fix Committed | |
| 2015-06-03 14:13:23 | Chris J Arges | bug | | | added subscriber Ubuntu Stable Release Updates Team |
| 2015-06-03 14:13:27 | Chris J Arges | bug | | | added subscriber SRU Verification |
| 2015-06-03 14:13:36 | Chris J Arges | tags | lockscreen | lockscreen verification-needed | |
| 2015-06-16 21:11:42 | Mathew Hodson | tags | lockscreen verification-needed | lockscreen verification-done | |
| 2015-06-17 15:52:16 | Launchpad Janitor | nss-pam-ldapd (Ubuntu Trusty): status | Fix Committed | Fix Released | |
| 2015-06-17 15:52:20 | Chris J Arges | removed subscriber Ubuntu Stable Release Updates Team | | | |
| 2015-10-28 20:18:03 | Mathew Hodson | affects | unity | ubuntu-translations | |
| 2015-10-28 20:18:23 | Mathew Hodson | bug task deleted | ubuntu-translations | | |
| 2015-10-28 20:18:33 | Mathew Hodson | bug task deleted | unity (Ubuntu) | | |
| 2015-10-28 20:18:41 | Mathew Hodson | bug task deleted | unity (Ubuntu Utopic) | | |
| 2015-10-28 20:18:47 | Mathew Hodson | bug task deleted | unity (Ubuntu Trusty) | | |
| 2015-10-28 20:19:02 | Mathew Hodson | nss-pam-ldapd (Ubuntu Utopic): importance | Undecided | High | |
| 2015-10-28 20:19:03 | Mathew Hodson | nss-pam-ldapd (Ubuntu Trusty): importance | Undecided | High | |
| 2015-10-28 20:19:05 | Mathew Hodson | nss-pam-ldapd (Ubuntu): importance | Undecided | High | |