lightdm doesn't allow expired passwords

Status changed to 'Confirmed' because the bug affects multiple users.

I see the same behaivior on using gdm to login....i have a feeling there is more going on behind the scenes

Robert, could you have a look to this issue? Seems a pam interaction one, you probably know best about that topic, we would like to see it fixed for .1 LTS

Hi Robert,

Curious what your workload is like and if this bug is on your radar for our 12.04.1 release?

Thank you,
Adam

Hi, what pam module generates this prompt?

In my case, it is pam_krb5.

I had a look at the pam_krb5 source and it seems to generate standard prompt (like the ones we regression test for).

If you have this could you please attach /var/log/lightdm/lightdm.log and /var/log/lightdm/x-0-greeter.log after this occurs (it will show some information about what messages were sent between the daemon and the greeter).

Also could someone give steps to set up the simplest Kereberos environment to reproduce this.

Thanks.

I've attached the logs for trying to log in as user "cmo-testuser" with a password set to require a change.

The following should help you set up Kerberos for testing: https://help.ubuntu.com/community/Kerberos

Password expiration seems to have problem with other PAM modules as well in LightDM; in #1023854 eCryptFS' password updating fails, while it works with passwd.

I think I've been able to get pam_krb5 to ask for the new password properly by using the "defer_pwchange" option which moves asking for the replacement password from pam_authenticate() to pam_acct_mgmt(). See the man page for pam_krb5. However, the solution isn't perfect based on this note from the man page:

           If this option is set, pam-krb5 uses the fully correct PAM mechanism for
           handling expired accounts instead of failing in pam_authenticate(). Due
           to the security risk of widespread broken applications, be very careful
           about enabling this option. It should normally only be turned on to solve
           a specific problem (such as using Solaris Kerberos libraries that don't
           support prompting for password changes during authentication), and then
           only for specific applications known to call pam_acct_mgmt() and check its
           return status properly.

OK, I finally have Kerberos set up. I can confirm this works in 12.10 but not 12.04. Will work on a fix for 12.04.

I have a fix for this in lightdm 1.2.3 and unity-greeter 0.2.9

BTW Andrew thanks for finding that workaround. I wonder if the warning still applies - the password change should be done in pam_acct_mgmt and lightdm does handle this case correctly.

I've rejected the unity-greeter upload from the precise-proposed queue, because the package drops the changes from the previous SRU, 0.2.8-0ubuntu1.4. Please merge these changes in and reupload.

Hello Andrew, or anyone else affected,

Accepted lightdm into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lightdm/1.2.3-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello everyone,

Unfortunately I've tested lightdm 1.2.3-0ubuntu1 and it behaves the same as before with the "defer_pwchange" workaround disabled.

I have noticed that Robert Ancell mentioned unity-greeter 0.2.9 was involved as well, but was rejected by Steve Langasek. I suspect that I need to upgrade both packages before I can confirm the fix. As lightdm failed on it's own, I'm not sure if the tag should be changed.

Thank you

Hello Andrew, or anyone else affected,

Accepted unity-greeter into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/unity-greeter/0.2.9-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello everyone,

It appears to still not work correctly without defer_pwchange.

ii lightdm 1.2.3-0ubuntu1 Display Manager
ii unity-greeter 0.2.9-0ubuntu1 Unity Greeter

Does it break anything or create regression or just keep not working? The update fixes other issues, should the verification fail block the update to reach precise-updates or is it just to state that the fix for this bug is not enough?

I haven't extensivly tested it, but it does behave normally so far. I am able to login as I was before with the workaround. My change of the tag was only to reflect the expired password issue not being fixed.

I am fully in favour of having the KDE logo appear properly :)

This bug was fixed in the package lightdm - 1.2.3-0ubuntu1

---------------
lightdm (1.2.3-0ubuntu1) precise-proposed; urgency=low

  * New upstream release:
    - Correctly implement and test autologin timeouts (LP: #902852)
    - Move from QString::fromLocal8Bit to QString::fromUtf8 when converting from
      gchar
    - Support multiple simultaneous PAM prompts (LP: #972537)
    - Write utmp records for sessions
    - Add missing regression test script
  * debian/liblightdm-gobject-1-0.symbols:
    - Updated
  * debian/patches/05_utmp.patch:
    - Applied upstream
 -- Robert Ancell <email address hidden> Wed, 21 Nov 2012 15:43:29 +1300

And reopening since, as explained in previous comments, this bug does not appear to be fixed yet.

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

This bug was fixed in the package unity-greeter - 0.2.9-0ubuntu1

---------------
unity-greeter (0.2.9-0ubuntu1) precise-proposed; urgency=low

  * New upstream release:
    - Backport better keyboard focus handling from upstream as new windows
      appear and disappear. This fixes keyboard navigation in dialogs
    - Don't write garbage data to state cache file
    - Make sure background alpha is never stuck at non-1.0 value, blocking
      login
    - When the default session is changed in lightdm.conf, don't still show the
      Ubuntu badge
    - Recognize the "kde-plasma" session as "kde" so it gets a properly branded
      icon in the greeter
    - Try to run unity_support_test for ubuntu for pre-caching the result in
      /tmp for further call while the user is typing his password
    - Support multiple prompts from PAM (LP: #972537)
    - Support timed login (LP: #902852)
  * debian/control:
    - Bump build-depends on liblightdm-gobject-1-dev
  * debian/patches/fix-focus.patch:
  * debian/patches/fix-hung-logging-in.patch:
  * debian/patches/recognize-kde-plasma.patch:
  * debian/patches/run_unity_support_test.patch:
  * debian/patches/show-changed-default-badge.patch:
  * debian/patches/state-file-garbage.patch:
    - Applied upstream
 -- Robert Ancell <email address hidden> Wed, 21 Nov 2012 15:41:57 +1300

... and reopening again for the same reason as in comment 24. Sorry for the noise! I've resubscribed ubuntu-sru too.

Issue still here! I even can't login if my password expires in 12 days!

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release