Bug#383889: gnome-screensaver: unlock dialog always reports password invalid - same here
On 10-08 14:01, Josselin Mouette wrote:
> On Wednesday 08 October 2008 at 11:15 +0200, Witold Baryluk wrote:
> > > Does it happen for all users or only one?
> > Yes, all LDAP users. Local users are only root and system accounts.
> > Just created guest account in /etc/{passwd,shadow} - unlocking works.
>
> Does it still happen if you add the following in /etc/pam.d/gnome-screensaver:
> @include common-account

The same problem.

> What lines are appearing in /var/log/auth.log at the moment of the failure?

I think there is a problem in pam_ldap and no-suid programs. Will try to investigate this deeper.

Oct 10 10:15:16 romeo gnome-screensaver-dialog: PAM unable to dlopen(/lib/security/pam_gnome_keyring.so): /lib/security/pam_gnome_keyring.so: nie można otworzyć pliku obiektu dzielonego: Nie ma takiego pliku ani katalogu
Oct 10 10:15:16 romeo gnome-screensaver-dialog: PAM adding faulty module: /lib/security/pam_gnome_keyring.so
Oct 10 10:15:21 romeo unix_chkpwd[15228]: check pass; user unknown
Oct 10 10:15:21 romeo unix_chkpwd[15228]: password check failed for user (baryluk)
Oct 10 10:15:21 romeo gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=694 euid=694 tty=:0.0 ruser= rhost= user=baryluk
Oct 10 10:15:23 romeo gnome-screensaver-dialog: PAM unable to dlopen(/lib/security/pam_gnome_keyring.so): /lib/security/pam_gnome_keyring.so: nie można otworzyć pliku obiektu dzielonego: Nie ma takiego pliku ani katalogu
Oct 10 10:15:23 romeo gnome-screensaver-dialog: PAM adding faulty module: /lib/security/pam_gnome_keyring.so
Oct 10 10:15:30 romeo login[15230]: ROOT LOGIN on 'tty1'
Oct 10 10:15:32 romeo login[32534]: pam_mail(login:session): pam_putenv: delete non-existent entry; MAIL

--
Witold Baryluk
MAIL: [EMAIL PROTECTED]
JID: [EMAIL PROTECTED]

Bug#383889: gnome-screensaver: unlock dialog always reports password invalid - same here
On 10-06 11:03, Josselin Mouette wrote:
> On Sunday 05 October 2008 at 19:12 +0200, Witold Baryluk wrote:
> > Hi, I'm using LDAP configuration without problem on a dozen workstations,
> > with everything working. Everything but one, screensaver unlocking.
> > This is very irritating. I added pam_permit to /etc/pam.d/gnome-screensaver
> > but this isn't the best way...
> > Debug log in attachment
>
> AIUI, the debug log merely indicates that the PAM authentication check returns FALSE.
>
> Does it happen for all users or only one?

Yes, all LDAP users. Local users are only root and system accounts.
Just created guest account in /etc/{passwd,shadow} - unlocking works.

> What is your locale? Does it also happen in C locale?

pl_PL.UTF-8. Just tested with C locale - same problem.

> Are there any 8-bit characters in the password?

No.

/etc/nsswitch.conf :

passwd: compat ldap
group: compat ldap
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

/etc/libnss-ldap.conf :

uri ldaps://ldapserver.smp.if.uj.edu.pl
ssl on
ldap_version 3
tls_cacertfile /etc/ssl/certs/SMP_Root_Certification_Authority.pem
rootbinddn cn=ldapadmin,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
base dc=smp,dc=if,dc=uj,dc=edu,dc=pl
scope sub
# set because udev is broken during boot
bind_policy soft
nss_base_passwd ou=People,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_shadow ou=People,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_group ou=Group,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_aliases ou=Aliases,dc=smp,dc=if,dc=uj,dc=edu,dc=pl

/etc/pam_ldap.conf :

uri ldaps://ldapserver.smp.if.uj.edu.pl
ssl on
ldap_version 3
tls_cacertfile /etc/ssl/certs/SMP_Root_Certification_Authority.pem
rootbinddn cn=ldapadmin,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
base dc=smp,dc=if,dc=uj,dc=edu,dc=pl
scope one
pam_filter objectclass=posixAccount
pam_password md5
nss_base_passwd ou=People,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_shadow ou=People,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_group ou=Group,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_aliases ou=Aliases,dc=smp,dc=if,dc=uj,dc=edu,dc=pl

/etc/ldap/ldap.conf :

BASE dc=smp,dc=if,dc=uj,dc=edu,dc=pl
URI ldaps://ldapserver.smp.if.uj.edu.pl
TLS_CACERT /etc/ssl/certs/SMP_Root_Certification_Authority.pem
TLS_REQCERT hard
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

/etc/pam.d/common-auth :

auth optional pam_group.so
auth sufficient pam_unix.so nullok_secure likeauth
auth sufficient pam_ldap.so use_first_pass # ignore_authinfo_unavail
auth required pam_deny.so

/etc/pam.d/common-account :

account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so

/etc/pam.d/gnome-screensaver :

#auth sufficient pam_permit.so
@include common-auth
auth optional pam_gnome_keyring.so

--
Witold Baryluk
MAIL: [EMAIL PROTECTED]
JID: [EMAIL PROTECTED]

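Added example, not part of the thread: a simplified Python model of how Linux-PAM walks the auth stack posted above (common-auth plus the gnome-screensaver lines), comparing the failing case with the commented-out pam_permit workaround. The function names and the per-module outcomes passed in are assumptions made up for illustration; real PAM has more return codes than success and failure.

```python
# Simplified model of Linux-PAM stack evaluation (auth facility only).
# Control flags are mapped to their documented bracket equivalents.
ACTIONS = {  # flag: (action on success, action on any other result)
    "required":   ("ok",   "bad"),
    "requisite":  ("ok",   "die"),
    "sufficient": ("done", "ignore"),
    "optional":   ("ok",   "ignore"),
}

# Stacks as posted in the thread; @include common-auth is expanded inline.
COMMON_AUTH = """
auth optional   pam_group.so
auth sufficient pam_unix.so nullok_secure likeauth
auth sufficient pam_ldap.so use_first_pass
auth required   pam_deny.so
"""
SCREENSAVER = COMMON_AUTH + "auth optional pam_gnome_keyring.so\n"
WORKAROUND = "auth sufficient pam_permit.so\n" + SCREENSAVER

def parse(stack):
    """Return [(control, module)] for the auth lines of a PAM config."""
    entries = []
    for line in stack.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            entries.append((fields[1], fields[2]))
    return entries

def authenticate(stack, results):
    """results maps module name -> True/False (constructed module outcomes).
    pam_permit always succeeds and pam_deny always fails; anything else
    defaults to failure, like the module PAM could not dlopen."""
    builtin = {"pam_permit.so": True, "pam_deny.so": False}
    status = None                       # None until a module sets a result
    for control, module in parse(stack):
        ok = builtin.get(module, results.get(module, False))
        action = ACTIONS[control][0 if ok else 1]
        if action == "die":
            return False
        if action == "bad":
            status = False
        elif action in ("ok", "done") and status is None:
            status = True
        if action == "done" and status:
            return True                 # sufficient success ends the stack
    return bool(status)
```

With the pam_permit line enabled, `authenticate(WORKAROUND, {})` returns True whatever the other modules report, so the lock screen accepts any password.
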
Bug#383889: gnome-screensaver: unlock dialog always reports password invalid - same here
On Wednesday 08 October 2008 at 11:15 +0200, Witold Baryluk wrote:
> > Does it happen for all users or only one?
> Yes, all LDAP users. Local users are only root and system accounts.
> Just created guest account in /etc/{passwd,shadow} - unlocking works.

Does it still happen if you add the following in /etc/pam.d/gnome-screensaver:
@include common-account

What lines are appearing in /var/log/auth.log at the moment of the failure?

Thanks,
--
 .''`.
: :' :   We are debian.org. Lower your prices, surrender your code.
`. `'    We will add your hardware and software distinctiveness to
  `-     our own. Resistance is futile.

Bug#383889: gnome-screensaver: unlock dialog always reports password invalid - same here
On Sunday 05 October 2008 at 19:12 +0200, Witold Baryluk wrote:
> Hi, I'm using LDAP configuration without problem on a dozen workstations,
> with everything working. Everything but one, screensaver unlocking.
> This is very irritating. I added pam_permit to /etc/pam.d/gnome-screensaver
> but this isn't the best way...
> Debug log in attachment

AIUI, the debug log merely indicates that the PAM authentication check returns FALSE.

Does it happen for all users or only one?

What is your locale? Does it also happen in C locale?

Are there any 8-bit characters in the password?

Cheers,
--
 .''`.
: :' :   We are debian.org. Lower your prices, surrender your code.
`. `'    We will add your hardware and software distinctiveness to
  `-     our own. Resistance is futile.