Hello sponsors, Please consider uploading the attached nslcd patch to trusty-proposed to resolve this bug. Thank you!
** Description changed:

+ SRU justification:
+ 
+ [Impact]
+ 
+ * Summary: in Trusty, when libnss-ldapd is used, LDAP users are not able
+ to unlock the Unity lockscreen. Utopic and later are not affected. Some
+ workarounds are listed in comment #29.
+ 
+ * nslcd in Trusty and earlier does not permit unprivileged users to read
+ shadow entries. When invoked by the Unity lockscreen, running as the
+ logged-in user, pam_unix returns PAM_AUTHINFO_UNAVAIL in pam_acct_mgmt
+ when it tries to get password expiry information from shadow. This leads
+ to an authorization failure, so Unity refuses to unlock the screen.
+ pam_ldap is not consulted for pam_acct_mgmt after pam_unix fails because
+ its rule is in the Additional section.
+ 
+ * In Utopic and later, nslcd returns partial shadow entries to
+ unprivileged users. This is enough for the expiry check in pam_unix to
+ succeed, so the screen can be unlocked. See
+ http://bugs.debian.org/706913 for a discussion of the upstream fix.
+ 
+ * This proposed SRU backports the upstream solution to Trusty's nslcd.
+ This is a change of behaviour for shadow queries from unprivileged
+ users, compared to the current package. An alternative, more targeted
+ fix would be to change Unity to ignore AUTHINFO_UNAVAIL results from
+ pam_acct_mgmt, like gnome-screensaver already does (see comment #29).
+ The nslcd change is a more general fix for not just Unity, but any PAM-using
+ program run by an unprivileged user.
+ 
+ [Test Case]
+ 
+ * Install and configure libnss-ldapd. Ensure ldap is enabled for at
+ least the passwd and shadow services in /etc/nsswitch.conf.
+ 
+ * Log into Unity as an LDAP user, lock the screen, and then try to
+ unlock it again.
+ 
+ [Regression Potential]
+ 
+ * The patch is minimal, was written by the upstream author, and was
+ backported (adjusting for whitespace changes) to Trusty. The change has
+ already been released in Utopic and will be included in Debian Jessie as
+ well.
+ 
+ * Regression testing should include checking that shadow queries, both
+ by name and for listing all users, are unchanged when issued as root.
+ 
+ [Other Info]
+ 
+ * Packages for testing are available in ppa:rtandy/lp1314095
+ 
+ Original description:
+ 
  My setup is: Ubuntu 14.04 LTS, ldap accounts, krb5 authentication, Lightdm, Unity session
  ldap+krb5 is configured using nss-ldapd and nslcd. It works fine.
  getent passwd and getent shadow work fine.
  I am able to log in on the console without any problems.
  I was able to log in through lightdm. Then I used the lock screen. I could not disable the lock screen using my password.
  I rebooted my computer.
  Now: after logging in through lightdm, the unity lockscreen locks the screen immediately and I cannot disable it using my password.
  From my short inspection of auth.log and unix_chkpwd sources it seems that unix_chkpwd works fine when called from lightdm and fails to get user info when called from unity lockscreen.
  
- lsb_release -rd
  Description: Ubuntu 14.04 LTS
  Release: 14.04
  
  apt-cache policy unity lightdm libpam-modules
  unity:
-   Installed: 7.2.0+14.04.20140416-0ubuntu1
-   Candidate: 7.2.0+14.04.20140416-0ubuntu1
-   Version table:
-  *** 7.2.0+14.04.20140416-0ubuntu1 0
-         500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
-         100 /var/lib/dpkg/status
+   Installed: 7.2.0+14.04.20140416-0ubuntu1
+   Candidate: 7.2.0+14.04.20140416-0ubuntu1
+   Version table:
+  *** 7.2.0+14.04.20140416-0ubuntu1 0
+         500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
+         100 /var/lib/dpkg/status
  lightdm:
-   Installed: 1.10.0-0ubuntu3
-   Candidate: 1.10.0-0ubuntu3
-   Version table:
-  *** 1.10.0-0ubuntu3 0
-         500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
-         100 /var/lib/dpkg/status
+   Installed: 1.10.0-0ubuntu3
+   Candidate: 1.10.0-0ubuntu3
+   Version table:
+  *** 1.10.0-0ubuntu3 0
+         500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
+         100 /var/lib/dpkg/status
  libpam-modules:
-   Installed: 1.1.8-1ubuntu2
-   Candidate: 1.1.8-1ubuntu2
-   Version table:
-  *** 1.1.8-1ubuntu2 0
-         500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
-         100 /var/lib/dpkg/status
+   Installed: 1.1.8-1ubuntu2
+   Candidate: 1.1.8-1ubuntu2
+   Version table:
+  *** 1.1.8-1ubuntu2 0
+         500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
+         100 /var/lib/dpkg/status
  
  Contents of /var/log/auth.log:
  Apr 29 06:49:27 localhost lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"
  Apr 29 06:49:31 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:2 ruser= rhost= user=user
  Apr 29 06:49:31 localhost lightdm: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
  Apr 29 06:49:32 localhost lightdm[15604]: pam_unix(lightdm-greeter:session): session closed for user lightdm
  Apr 29 06:49:37 localhost unix_chkpwd[15825]: check pass; user unknown
  Apr 29 06:49:37 localhost unix_chkpwd[15825]: password check failed for user (user)
  Apr 29 06:49:37 localhost compiz: pam_unix(lightdm:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser= rhost= user=user
  Apr 29 06:49:37 localhost compiz: pam_krb5(lightdm:auth): user user authenticated as user@NETWORK
  Apr 29 06:49:37 localhost unix_chkpwd[15826]: could not obtain user info (user)
  Apr 29 06:49:37 localhost unix_chkpwd[15827]: could not obtain user info (user)
  Apr 29 06:49:37 localhost compiz: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"
  
- cat /etc/pam.d/common-auth
+ cat /etc/pam.d/common-auth
  account required pam_unix.so
  auth required pam_group.so
  auth [success=2 default=ignore] pam_unix.so try_first_pass nullok_secure
  auth [success=1 default=ignore] pam_krb5.so try_first_pass minimum_uid=200
  auth requisite pam_deny.so
  auth required pam_permit.so
  auth optional pam_afs_session.so minimum_uid=200
  auth optional pam_ecryptfs.so unwrap
  auth optional pam_cap.so
  
- cat /etc/pam.d/common-account
+ cat /etc/pam.d/common-account
  account required pam_unix.so
  
  cat /etc/pam.d/lightdm
  auth requisite pam_nologin.so
  auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
  @include common-auth
  auth optional pam_gnome_keyring.so
  @include common-account
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
  auth optional pam_group.so
  session required pam_limits.so
  @include common-session
  session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
  session optional pam_gnome_keyring.so auto_start
  session required pam_env.so readenv=1
  session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
  @include common-password

** Patch added: "nss-pam-ldapd_0.8.13-3ubuntu1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1314095/+attachment/4318206/+files/nss-pam-ldapd_0.8.13-3ubuntu1.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1314095

Title:
  Unity Lockscreen in 14.04 can't unlock when using LDAP account

To manage notifications about this bug go to:
https://bugs.launchpad.net/unity/+bug/1314095/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
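As an added illustration (not code from the bug report, nslcd or pam_unix), here is a Python model of the pam_acct_mgmt decision the Impact section traces: an unreadable shadow entry yields PAM_AUTHINFO_UNAVAIL, while an entry whose aging fields are empty, as a partial nslcd answer can be, passes the expiry check. The getent-style lines, the day number and the handling of pam_unix's documented `broken_shadow` option are constructed assumptions of this example, not values from the bug.

```python
from dataclasses import dataclass
from typing import Optional

# Result codes pam_unix can hand back from pam_acct_mgmt (names only).
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
PAM_ACCT_EXPIRED = "PAM_ACCT_EXPIRED"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"
PAM_AUTHTOK_EXPIRED = "PAM_AUTHTOK_EXPIRED"


@dataclass
class Shadow:
    """Aging fields of struct spwd; -1 is what getspnam() returns for an empty field."""
    lstchg: int = -1   # days since the epoch of the last password change (0 = must change now)
    min: int = -1
    max: int = -1
    warn: int = -1
    inact: int = -1
    expire: int = -1   # day the account itself expires

def parse_shadow_line(line: str) -> Shadow:
    """Turn one 'getent shadow' line into a Shadow; the hash and reserved flag are ignored."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated shadow fields")
    return Shadow(*[int(f) if f else -1 for f in fields[2:8]])

def check_shadow_expiry(sp: Shadow, today: int) -> str:
    """Same decision order as pam_unix's check_shadow_expiry(); today is days since the epoch."""
    if sp.expire != -1 and today >= sp.expire:
        return PAM_ACCT_EXPIRED
    if sp.lstchg == 0:
        return PAM_NEW_AUTHTOK_REQD
    if today < sp.lstchg:
        return PAM_SUCCESS                     # change date in the future is tolerated
    age = today - sp.lstchg
    if sp.max != -1 and sp.inact != -1 and age > sp.max + sp.inact:
        return PAM_AUTHTOK_EXPIRED
    if sp.max != -1 and age > sp.max:
        return PAM_NEW_AUTHTOK_REQD
    return PAM_SUCCESS                         # empty aging fields never trip a check

def acct_mgmt(sp: Optional[Shadow], today: int, broken_shadow: bool = False) -> str:
    """Outcome of pam_acct_mgmt in pam_unix. sp is None when neither getspnam() nor the
    setgid-shadow unix_chkpwd helper could read the entry (Trusty nslcd, non-root caller)."""
    if sp is None:
        return PAM_SUCCESS if broken_shadow else PAM_AUTHINFO_UNAVAIL
    return check_shadow_expiry(sp, today)
```

Feeding the output of `getent shadow "$USER"` as the logged-in user into parse_shadow_line shows which of the two cases a given nslcd build produces, and running the same command as root covers the regression check the SRU asks for.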
