Bug#383889: gnome-screensaver: unlock dialog always reports password invalid - same here

2008-10-10 Thread Witold Baryluk
On 10-08 14:01, Josselin Mouette wrote:
 On Wednesday 08 October 2008 at 11:15 +0200, Witold Baryluk wrote:
   Does it happen for all users or only one?
  Yes, all LDAP users. Local users are only root and system accounts.
  Just created guest account in /etc/{passwd,shadow} - unlocking
  works.
 
 Does it still happen if you add the following
 in /etc/pam.d/gnome-screensaver:
   @include common-account

The same problem.
 
 What lines are appearing in /var/log/auth.log at the moment of the
 failure?

I think there is a problem in pam_ldap and no-suid programs.
Will try to investigate this deeper.

Oct 10 10:15:16 romeo gnome-screensaver-dialog: PAM unable to dlopen(/lib/security/pam_gnome_keyring.so): /lib/security/pam_gnome_keyring.so: nie można otworzyć pliku obiektu dzielonego: Nie ma takiego pliku ani katalogu
Oct 10 10:15:16 romeo gnome-screensaver-dialog: PAM adding faulty module: /lib/security/pam_gnome_keyring.so
Oct 10 10:15:21 romeo unix_chkpwd[15228]: check pass; user unknown
Oct 10 10:15:21 romeo unix_chkpwd[15228]: password check failed for user (baryluk)
Oct 10 10:15:21 romeo gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=694 euid=694 tty=:0.0 ruser= rhost=  user=baryluk
Oct 10 10:15:23 romeo gnome-screensaver-dialog: PAM unable to dlopen(/lib/security/pam_gnome_keyring.so): /lib/security/pam_gnome_keyring.so: nie można otworzyć pliku obiektu dzielonego: Nie ma takiego pliku ani katalogu
Oct 10 10:15:23 romeo gnome-screensaver-dialog: PAM adding faulty module: /lib/security/pam_gnome_keyring.so
Oct 10 10:15:30 romeo login[15230]: ROOT LOGIN  on 'tty1'
Oct 10 10:15:32 romeo login[32534]: pam_mail(login:session): pam_putenv: delete non-existent entry; MAIL



-- 
Witold Baryluk
MAIL: [EMAIL PROTECTED]
JID: [EMAIL PROTECTED]




Bug#383889: gnome-screensaver: unlock dialog always reports password invalid - same here

2008-10-08 Thread Witold Baryluk
On 10-06 11:03, Josselin Mouette wrote:
 On Sunday 05 October 2008 at 19:12 +0200, Witold Baryluk wrote:
  Hi,
  
  I'm using an LDAP configuration without problems on a dozen workstations,
  with everything working. Everything but one, screensaver unlocking.
  
  This is very irritating. I added pam_permit to
  /etc/pam.d/gnome-screensaver
  but this isn't the best way...
  
  Debug log in attachment
 
 AIUI, the debug log merely indicates that the PAM authentication check
 returns FALSE.
 
 Does it happen for all users or only one?
Yes, all LDAP users. Local users are only root and system accounts.
Just created guest account in /etc/{passwd,shadow} - unlocking
works.

 
 What is your locale? Does it also happen in C locale?
pl_PL.UTF-8. Just tested with C locale - same problem.

 
 Are there any 8-bit characters in the password?
No.




/etc/nsswitch.conf :

passwd: compat ldap
group:  compat ldap
shadow: compat

hosts:  files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:   files

protocols:  db files
services:   db files
ethers: db files
rpc:        db files

netgroup:   nis



/etc/libnss-ldap.conf :

uri ldaps://ldapserver.smp.if.uj.edu.pl
ssl on
ldap_version 3
tls_cacertfile /etc/ssl/certs/SMP_Root_Certification_Authority.pem

rootbinddn cn=ldapadmin,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
base dc=smp,dc=if,dc=uj,dc=edu,dc=pl
scope sub

# set because udev is broken at boot
bind_policy soft

nss_base_passwd ou=People,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_shadow ou=People,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_group  ou=Group,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_aliases ou=Aliases,dc=smp,dc=if,dc=uj,dc=edu,dc=pl



/etc/pam_ldap.conf : 

uri ldaps://ldapserver.smp.if.uj.edu.pl
ssl on
ldap_version 3
tls_cacertfile /etc/ssl/certs/SMP_Root_Certification_Authority.pem

rootbinddn cn=ldapadmin,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
base dc=smp,dc=if,dc=uj,dc=edu,dc=pl
scope one

pam_filter objectclass=posixAccount
pam_password md5

nss_base_passwd ou=People,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_shadow ou=People,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_group  ou=Group,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_aliases ou=Aliases,dc=smp,dc=if,dc=uj,dc=edu,dc=pl



/etc/ldap/ldap.conf :

BASE dc=smp,dc=if,dc=uj,dc=edu,dc=pl
URI ldaps://ldapserver.smp.if.uj.edu.pl

TLS_CACERT /etc/ssl/certs/SMP_Root_Certification_Authority.pem
TLS_REQCERT hard

#SIZELIMIT  12
#TIMELIMIT  15
#DEREF  never



/etc/pam.d/common-auth :

auth    optional    pam_group.so
auth    sufficient  pam_unix.so nullok_secure likeauth
auth    sufficient  pam_ldap.so use_first_pass
# ignore_authinfo_unavail
auth    required    pam_deny.so




/etc/pam.d/common-account  : 

account sufficient  pam_unix.so
account sufficient  pam_ldap.so
account required    pam_deny.so



/etc/pam.d/gnome-screensaver  :

#auth   sufficient  pam_permit.so
@include common-auth
auth optional pam_gnome_keyring.so

-- 
Witold Baryluk
MAIL: [EMAIL PROTECTED]
JID: [EMAIL PROTECTED]
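
Added example, not part of the original messages: a simplified Python model of how Linux-PAM combines the `optional`/`sufficient`/`required` flags in the `common-auth` stack posted above, and of what putting `pam_permit.so` first does to it. The per-module results are assumed inputs, and `run_stack` and `unlock` are hypothetical names.

```python
# Simplified model of Linux-PAM's basic control flags (added example).
# Per-module results are assumed inputs, not values taken from the thread.

COMMON_AUTH = [                      # /etc/pam.d/common-auth as posted
    ("optional",   "pam_group.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required",   "pam_deny.so"),
]
# The workaround: pam_permit.so ahead of the @include in gnome-screensaver.
WITH_PERMIT = [("sufficient", "pam_permit.so")] + COMMON_AUTH


def run_stack(stack, results):
    """results: module -> True (success), False (failure), None (ignore).
    Returns (granted, list of modules actually consulted)."""
    failed = succeeded = False
    consulted = []
    for control, module in stack:
        outcome = results[module]
        consulted.append(module)
        if outcome is None:
            continue
        if outcome and not failed:
            succeeded = True
            if control == "sufficient":
                return True, consulted       # stop here and grant
        elif not outcome and control in ("required", "requisite"):
            failed = True
            if control == "requisite":
                return False, consulted      # stop here and deny
        # a failing sufficient/optional module is simply ignored
    return succeeded and not failed, consulted


def unlock(stack, unix_ok, ldap_ok):
    """Hypothetical helper: evaluate one unlock attempt."""
    results = {
        "pam_group.so": None,    # assumed to be ignored for auth
        "pam_unix.so": unix_ok,
        "pam_ldap.so": ldap_ok,
        "pam_deny.so": False,    # always fails
        "pam_permit.so": True,   # always succeeds
    }
    return run_stack(stack, results)


if __name__ == "__main__":
    for name, stack in (("common-auth", COMMON_AUTH), ("with pam_permit", WITH_PERMIT)):
        for unix_ok, ldap_ok in ((True, False), (False, True), (False, False)):
            print(name, unix_ok, ldap_ok, unlock(stack, unix_ok, ldap_ok))
```

With `pam_permit.so` first, the stack returns success before `pam_unix.so` or `pam_ldap.so` is consulted, so the screen lock accepts any password.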




Bug#383889: gnome-screensaver: unlock dialog always reports password invalid - same here

2008-10-08 Thread Josselin Mouette
On Wednesday 08 October 2008 at 11:15 +0200, Witold Baryluk wrote:
  Does it happen for all users or only one?
 Yes, all LDAP users. Local users are only root and system accounts.
 Just created guest account in /etc/{passwd,shadow} - unlocking
 works.

Does it still happen if you add the following
in /etc/pam.d/gnome-screensaver:
@include common-account

What lines are appearing in /var/log/auth.log at the moment of the
failure?

Thanks,
-- 
 .''`.
: :' :  We are debian.org. Lower your prices, surrender your code.
`. `'   We will add your hardware and software distinctiveness to
  `-our own. Resistance is futile.




Bug#383889: gnome-screensaver: unlock dialog always reports password invalid - same here

2008-10-06 Thread Josselin Mouette
On Sunday 05 October 2008 at 19:12 +0200, Witold Baryluk wrote:
 Hi,
 
 I'm using an LDAP configuration without problems on a dozen workstations,
 with everything working. Everything but one, screensaver unlocking.
 
 This is very irritating. I added pam_permit to
 /etc/pam.d/gnome-screensaver
 but this isn't the best way...
 
 Debug log in attachment

AIUI, the debug log merely indicates that the PAM authentication check
returns FALSE.

Does it happen for all users or only one?

What is your locale? Does it also happen in C locale?

Are there any 8-bit characters in the password?

Cheers,
-- 
 .''`.
: :' :  We are debian.org. Lower your prices, surrender your code.
`. `'   We will add your hardware and software distinctiveness to
  `-our own. Resistance is futile.

