Ubuntu
nss-pam-ldapd package

Bug #1314095
Comment #26

Comment 26 for bug 1314095

Revision history for this message

Jan Groenewald (jan-aims) wrote on 2015-01-30: Re: [Aims] [Bug 1314095] Re: Unity Lockscreen in 14.04 can't unlock when using LDAP account

#26

Do you have this exactly?
0 root@muizenberg:~#ls -l /sbin/unix_chkpwd
-rwsr-sr-x 1 root shadow 35536 Feb 1 2014 /sbin/unix_chkpwd

I am uising libpam-ldap*d* and it works. Note the d.

Regards,
Jan

On 30 January 2015 at 19:05, Vincent Jestin <email address hidden> wrote:

> Hello,
>
> Same problem here after doing an upgrade from 12.04 to 14.04.
>
> On the affected machine, some users (basically admins) have both unix
> accounts and LDAP accounts.
>
> Users with both accounts can log in with unix or ldap password. However,
> when the desktop is locked, the only way to unlock is to use a unix
> password.
>
> I've tried unix_chkpwd suid workaround (no success) and checked
> /etc/shadow file permissions (was ok).
>
> I'm using libpam-ldap.
>
> --
> You received this bug notification because you are a member of AIMS,
> which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1314095
>
> Title:
> Unity Lockscreen in 14.04 can't unlock when using LDAP account
>
> Status in Unity:
> Incomplete
> Status in unity package in Ubuntu:
> Incomplete
>
> Bug description:
> My setup is:
>
> Ubuntu 14.04 LTS,
> ldap accounts,
> krb5 authentication,
> Lightdm,
> Unity session
>
> ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent
> passwd and getent shadow works fine.
> I am able to login in console without any problems.
> I was able to login in lightdm.
> Then I used the lock screen.
> I could not disable the lock screen using my password.
> I rebooted my computer.
>
> Now:
> After logging in through lightdm, the unity lockscreen locks the screen
> immediately and I can not disable it using my password.
>
> From my short inspection of auth.log and unix_chkpwd sources it seems,
> that unix_chkpwd works fine when called from lightdm and fails to get
> user info when called from unity lockscreen.
>
>
> lsb_release -rd
> Description: Ubuntu 14.04 LTS
> Release: 14.04
>
> apt-cache policy unity lightdm libpam-modules
> unity:
> Installed: 7.2.0+14.04.20140416-0ubuntu1
> Candidate: 7.2.0+14.04.20140416-0ubuntu1
> Version table:
> *** 7.2.0+14.04.20140416-0ubuntu1 0
> 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
> 100 /var/lib/dpkg/status
> lightdm:
> Installed: 1.10.0-0ubuntu3
> Candidate: 1.10.0-0ubuntu3
> Version table:
> *** 1.10.0-0ubuntu3 0
> 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
> 100 /var/lib/dpkg/status
> libpam-modules:
> Installed: 1.1.8-1ubuntu2
> Candidate: 1.1.8-1ubuntu2
> Version table:
> *** 1.1.8-1ubuntu2 0
> 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
> 100 /var/lib/dpkg/status
>
> Contents of /var/log/auth.log:
>
> Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth):
> requirement "user ingroup nopasswdlogin" not met by user "user"
> Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth):
> authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost=
> user=user
> Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user
> authenticated as user@NETWORK
> Apr 29 06:49:32 localhost lightdm[15604]:
> pam_unix(lightdm-greeter:session): session closed for user lightdm
> Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
> Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for
> user (user)
> Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication
> failure; logname= uid=1001 euid=1001 tty= ruser= rhost= user=user
> Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user
> authenticated as user@NETWORK
> Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info
> (user)
> Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info
> (user)
> Apr 29 06:49:37 localhost compiz: pam_succeed_if(lightdm:auth):
> requirement "user ingroup nopasswdlogin" not met by user "user"
>
> cat /etc/pam.d/common-auth
> account required pam_unix.so
> auth required pam_group.so
> auth [success=2 default=ignore] pam_unix.so try_first_pass nullok_secure
> auth [success=1 default=ignore] pam_krb5.so try_first_pass
> minimum_uid=200
> auth requisite pam_deny.so
> auth required pam_permit.so
>
> auth optional pam_afs_session.so minimum_uid=200
> auth optional pam_ecryptfs.so unwrap
> auth optional pam_cap.so
>
> cat /etc/pam.d/common-account
> account required pam_unix.so
>
> cat /etc/pam.d/lightdm
> auth requisite pam_nologin.so
> auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
> @include common-auth
> auth optional pam_gnome_keyring.so
> @include common-account
> session [success=ok ignore=ignore module_unknown=ignore default=bad]
> pam_selinux.so close
> auth optional pam_group.so
> session required pam_limits.so
> @include common-session
> session [success=ok ignore=ignore module_unknown=ignore default=bad]
> pam_selinux.so open
> session optional pam_gnome_keyring.so auto_start
> session required pam_env.so readenv=1
> session required pam_env.so readenv=1 user_readenv=1
> envfile=/etc/default/locale
> @include common-password
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/unity/+bug/1314095/+subscriptions
>
> --
> Mailing list: https://launchpad.net/~aims
> Post to : <email address hidden>
> Unsubscribe : https://launchpad.net/~aims
> More help : https://help.launchpad.net/ListHelp
>

--
.~.
/V\ Jan Groenewald
/( )\ www.aims.ac.za
^^-^^

Do you have this exactly?
0 root@muizenberg:~#ls -l /sbin/unix_chkpwd
-rwsr-sr-x 1 root shadow 35536 Feb  1  2014 /sbin/unix_chkpwd

I am uising libpam-ldap*d* and it works. Note the d.

Regards,
Jan

On 30 January 2015 at 19:05, Vincent Jestin <mazargman@gmail.com> wrote:

> Hello,
>
> Same problem here after doing an upgrade from 12.04 to 14.04.
>
> On the affected machine, some users (basically admins) have both  unix
> accounts and LDAP accounts.
>
> Users with both accounts can log in with unix or ldap password. However,
> when the desktop is locked, the only way to unlock is to use a unix
> password.
>
> I've tried unix_chkpwd suid workaround (no success) and checked
> /etc/shadow file permissions (was ok).
>
> I'm using libpam-ldap.
>
> --
> You received this bug notification because you are a member of AIMS,
> which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1314095
>
> Title:
>   Unity Lockscreen in 14.04 can't unlock when using LDAP account
>
> Status in Unity:
>   Incomplete
> Status in unity package in Ubuntu:
>   Incomplete
>
> Bug description:
>   My setup is:
>
>   Ubuntu 14.04 LTS,
>   ldap accounts,
>   krb5 authentication,
>   Lightdm,
>   Unity session
>
>   ldap+krb5 is configured using nss-ldapd and nslcd. It works fine. getent
> passwd and getent shadow works fine.
>   I am able to login in console without any problems.
>   I was able to login in lightdm.
>   Then I used the lock screen.
>   I could not disable the lock screen using my password.
>   I rebooted my computer.
>
>   Now:
>   After logging in through lightdm, the unity lockscreen locks the screen
> immediately and I can not disable it using my password.
>
>   From my short inspection of auth.log and unix_chkpwd sources it seems,
>   that unix_chkpwd works fine when called from lightdm and fails to get
>   user info when called from unity lockscreen.
>
>
>   lsb_release -rd
>   Description:  Ubuntu 14.04 LTS
>   Release:      14.04
>
>   apt-cache policy unity lightdm libpam-modules
>   unity:
>     Installed: 7.2.0+14.04.20140416-0ubuntu1
>     Candidate: 7.2.0+14.04.20140416-0ubuntu1
>     Version table:
>    *** 7.2.0+14.04.20140416-0ubuntu1 0
>           500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
>           100 /var/lib/dpkg/status
>   lightdm:
>     Installed: 1.10.0-0ubuntu3
>     Candidate: 1.10.0-0ubuntu3
>     Version table:
>    *** 1.10.0-0ubuntu3 0
>           500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
>           100 /var/lib/dpkg/status
>   libpam-modules:
>     Installed: 1.1.8-1ubuntu2
>     Candidate: 1.1.8-1ubuntu2
>     Version table:
>    *** 1.1.8-1ubuntu2 0
>           500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
>           100 /var/lib/dpkg/status
>
>   Contents of /var/log/auth.log:
>
>   Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth):
> requirement "user ingroup nopasswdlogin" not met by user "user"
>   Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth):
> authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost=
> user=user
>   Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user
> authenticated as user@NETWORK
>   Apr 29 06:49:32 localhost lightdm[15604]:
> pam_unix(lightdm-greeter:session): session closed for user lightdm
>   Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
>   Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for
> user (user)
>   Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication
> failure; logname= uid=1001 euid=1001 tty= ruser= rhost=  user=user
>   Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user
> authenticated as user@NETWORK
>   Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info
> (user)
>   Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info
> (user)
>   Apr 29 06:49:37 localhost compiz: pam_succeed_if(lightdm:auth):
> requirement "user ingroup nopasswdlogin" not met by user "user"
>
>   cat /etc/pam.d/common-auth
>   account     required    pam_unix.so
>   auth        required    pam_group.so
>   auth [success=2 default=ignore] pam_unix.so try_first_pass nullok_secure
>   auth [success=1 default=ignore] pam_krb5.so try_first_pass
> minimum_uid=200
>   auth        requisite   pam_deny.so
>   auth        required    pam_permit.so
>
>   auth        optional    pam_afs_session.so minimum_uid=200
>   auth        optional    pam_ecryptfs.so unwrap
>   auth        optional    pam_cap.so
>
>   cat /etc/pam.d/common-account
>   account     required    pam_unix.so
>
>   cat /etc/pam.d/lightdm
>   auth        requisite   pam_nologin.so
>   auth        sufficient  pam_succeed_if.so user ingroup nopasswdlogin
>   @include common-auth
>   auth        optional    pam_gnome_keyring.so
>   @include common-account
>   session [success=ok ignore=ignore module_unknown=ignore default=bad]
> pam_selinux.so close
>   auth        optional    pam_group.so
>   session     required    pam_limits.so
>   @include common-session
>   session [success=ok ignore=ignore module_unknown=ignore default=bad]
> pam_selinux.so open
>   session     optional    pam_gnome_keyring.so auto_start
>   session     required    pam_env.so readenv=1
>   session     required    pam_env.so readenv=1 user_readenv=1
> envfile=/etc/default/locale
>   @include common-password
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/unity/+bug/1314095/+subscriptions
>
> --
> Mailing list: https://launchpad.net/~aims
> Post to     : aims@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~aims
> More help   : https://help.launchpad.net/ListHelp
>

-- 
  .~.
  /V\     Jan Groenewald
 /( )\    www.aims.ac.za
 ^^-^^

Ubuntunss-pam-ldapd package

Comment 26 for bug 1314095

Ubuntu
nss-pam-ldapd package