Acknowledgement sent
to Peter Chubb <peter.chubb@nicta.com.au>:
New Bug report received and forwarded. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>.
(Fri, 19 Jul 2013 01:27:06 GMT) (full text, mbox, link).
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lightdm: pam.d/lightdm-greeter doesn't use system settings for pam
Date: Fri, 19 Jul 2013 11:24:00 +1000
Package: lightdm
Version: 1.6.0-3
Severity: normal
Dear Maintainer,
We're running in an environment that authenticates via ldap, using sssd
locally. But pam.d/lightdm-greeter doesn't use common-session etc., so
the updates that sssd's installation did to pam.d/common-xxx don't apply.
I think that pam-greeter should use all the appropriate common-xxx files
in pam.d to manage authentication and so on, so that whatever the admin
has set up for authentication is obeyed by lightdm. As can be seen from
the attached file, I `fixed' it for now by manually adding an appropriate
pam_sssd line.
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.9-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages lightdm depends on:
ii adduser 3.113+nmu3
ii consolekit 0.4.5-3.1
ii dbus 1.6.12-1
ii debconf [debconf-2.0] 1.5.50
ii libc6 2.17-7
ii libgcrypt11 1.5.2-3
ii libglib2.0-0 2.36.3-3
ii libpam0g 1.1.3-9
ii libxcb1 1.9.1-3
ii libxdmcp6 1:1.1.1-1
ii lightdm-gtk-greeter [lightdm-greeter] 1.6.0-1
Versions of packages lightdm recommends:
ii xserver-xorg 1:7.7+3
Versions of packages lightdm suggests:
ii accountsservice 0.6.34-1
ii upower 0.9.20-2
-- Configuration Files:
/etc/lightdm/lightdm.conf changed:
[LightDM]
[SeatDefaults]
xserver-allow-tcp=false
greeter-session=lightdm-greeter
greeter-hide-users=true
user-session=xfce
session-wrapper=/etc/X11/Xsession
[XDMCPServer]
[VNCServer]
/etc/pam.d/lightdm-greeter changed:
auth required pam_env.so envfile=/etc/default/locale
auth required pam_permit.so
account required pam_permit.so
password required pam_deny.so
session required pam_unix.so
session optional pam_sssd.so
-- debconf information:
lightdm/daemon_name: /usr/sbin/lightdm
* shared/default-x-display-manager: lightdm
Acknowledgement sent
to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>.
(Fri, 19 Jul 2013 20:03:04 GMT) (full text, mbox, link).
control: tag -1 moreinfo
On ven., 2013-07-19 at 11:24 +1000, Peter Chubb wrote:
> Package: lightdm
> Version: 1.6.0-3
> Severity: normal
>
> Dear Maintainer,
> We're running in an environment that authenticates via ldap, using sssd
> locally. But pam.d/lightdm-greeter doesn't use common-session etc., so
> the updates that sssd's installation did to pam.d/common-xxx don't apply.
>
> I think that pam-greeter should use all the appropriate common-xxx files
> in pam.d to manage authentication and so on, so that whatever the admin
> has set up for authentication is obeyed by lightdm. As can be seen from
> the attached file, I `fixed' it for now by manually adding an appropriate
> pam_sssd line.
>
Can you tell us what exactly is broken by this? As far as I know this
pam file is only for the greeter, not for session run from them (they're
handled by /etc/pam.d/lightdm which correctly includes the common debian
files.
Regards,
--
Yves-Alexis
Acknowledgement sent
to Peter Chubb <peter.chubb@nicta.com.au>:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>.
(Sat, 20 Jul 2013 02:03:09 GMT) (full text, mbox, link).
Cc: Peter Chubb <peter.chubb@nicta.com.au>,
<717297@bugs.debian.org>
Subject: Re: [Pkg-xfce-devel] Bug#717297: lightdm: pam.d/lightdm-greeter doesn't use system settings for pam
Date: Sat, 20 Jul 2013 11:29:02 +1000
>>>>> "Yves-Alexis" == Yves-Alexis Perez <corsac@debian.org> writes:
Yves-Alexis> Can you tell us what exactly is broken by this? As far as
Yves-Alexis> I know this pam file is only for the greeter, not for
Yves-Alexis> session run from them (they're handled by
Yves-Alexis> /etc/pam.d/lightdm which correctly includes the common
Yves-Alexis> debian files.
People who authenticate only via ldap --- for whom pam_unix.so doesn't
work --- cannot log in, because username and password are not know to
pam_unix.so only to either pam_ldap.so or pam_sssd.so. I imagine
other authentication mechanisms will also fail.
What's more if there's any other policy set in common-account or
common-session, it's not obeyed (e.g., time-of-use or group membership
restrictions)
--
Dr Peter Chubb peter.chubb AT nicta.com.au
http://www.ssrg.nicta.com.au Software Systems Research Group/NICTA
Acknowledgement sent
to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>.
(Sat, 20 Jul 2013 07:45:05 GMT) (full text, mbox, link).
On sam., 2013-07-20 at 11:29 +1000, Peter Chubb wrote:
> >>>>> "Yves-Alexis" == Yves-Alexis Perez <corsac@debian.org> writes:
>
>
> Yves-Alexis> Can you tell us what exactly is broken by this? As far as
> Yves-Alexis> I know this pam file is only for the greeter, not for
> Yves-Alexis> session run from them (they're handled by
> Yves-Alexis> /etc/pam.d/lightdm which correctly includes the common
> Yves-Alexis> debian files.
>
> People who authenticate only via ldap --- for whom pam_unix.so doesn't
> work --- cannot log in, because username and password are not know to
> pam_unix.so only to either pam_ldap.so or pam_sssd.so. I imagine
> other authentication mechanisms will also fail.
>
> What's more if there's any other policy set in common-account or
> common-session, it's not obeyed (e.g., time-of-use or group membership
> restrictions)
I'm pretty puzzled by this. Can you exactly describe what happens,
starting from when the greeter starts, and provide some logs?
As I already wrote, my feeling was that /etc/pam.d/lightdm-greeter was
*not* used for user authentication, so it should even matter in your
case.
Regads,
--
Yves-Alexis
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>: Bug#717297; Package lightdm.
(Fri, 10 Jan 2014 08:03:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>.
(Fri, 10 Jan 2014 08:03:09 GMT) (full text, mbox, link).
Subject: Re: [Pkg-xfce-devel] Bug#717297: Bug#717297: lightdm:
pam.d/lightdm-greeter doesn't use system settings for pam
Date: Fri, 10 Jan 2014 09:00:48 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Sat, Jul 20, 2013 at 09:43:07AM +0200, Yves-Alexis Perez wrote:
> On sam., 2013-07-20 at 11:29 +1000, Peter Chubb wrote:
> > >>>>> "Yves-Alexis" == Yves-Alexis Perez <corsac@debian.org> writes:
> >
> >
> > Yves-Alexis> Can you tell us what exactly is broken by this? As far as
> > Yves-Alexis> I know this pam file is only for the greeter, not for
> > Yves-Alexis> session run from them (they're handled by
> > Yves-Alexis> /etc/pam.d/lightdm which correctly includes the common
> > Yves-Alexis> debian files.
> >
> > People who authenticate only via ldap --- for whom pam_unix.so doesn't
> > work --- cannot log in, because username and password are not know to
> > pam_unix.so only to either pam_ldap.so or pam_sssd.so. I imagine
> > other authentication mechanisms will also fail.
> >
> > What's more if there's any other policy set in common-account or
> > common-session, it's not obeyed (e.g., time-of-use or group membership
> > restrictions)
>
> I'm pretty puzzled by this. Can you exactly describe what happens,
> starting from when the greeter starts, and provide some logs?
>
> As I already wrote, my feeling was that /etc/pam.d/lightdm-greeter was
> *not* used for user authentication, so it should even matter in your
> case.
>
Any news on this?
- --
Yves-Alexis Perez
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQEcBAEBCgAGBQJSz6ioAAoJEG3bU/KmdcClWakIAJqwiICqQ/xxeClRo6W/CsSg
6q9iAip4GTvC9hN+tU4WUKXZ9wGkV2Oo7G2MgJHdxBgys3U/VJr9zyY+u1tWGN+I
t7zriGr4xnXoD+TNgfD/Ct5o0kywZh7llYAg1R/b565/CoU2yy6dwuPIqaRM15tU
kZ0nqFpoyiNnSF3tisa9wtWEbh0b6rcEL6eOmQ0cS9X3ePwDwu2D24bi1CF0fOQY
Vs7ftZkNHOsvklWX6YPAC/8BbITsvm5iB7NkgO+/ugZfd0oPaeAfRkjV+CksmCpS
bLW2+oKJ8iH7FG7QERW100gXSm1HFOD4Z+BFUbvSMMlXycnfxVC6yKcxLcsaIPs=
=w7Bj
-----END PGP SIGNATURE-----
Reply sent
to Yves-Alexis Perez <corsac@debian.org>:
You have taken responsibility.
(Tue, 28 Aug 2018 08:09:03 GMT) (full text, mbox, link).
Notification sent
to Peter Chubb <peter.chubb@nicta.com.au>:
Bug acknowledged by developer.
(Tue, 28 Aug 2018 08:09:03 GMT) (full text, mbox, link).
To: 717297-done@bugs.debian.org, Peter Chubb <peter.chubb@nicta.com.au>
Subject: Re: [Pkg-xfce-devel] Bug#717297: Bug#717297: Bug#717297: lightdm:
pam.d/lightdm-greeter doesn't use system settings for pam
Date: Tue, 28 Aug 2018 10:05:45 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Fri, 2014-01-10 at 09:00 +0100, Yves-Alexis Perez wrote:
> > I'm pretty puzzled by this. Can you exactly describe what happens,
> > starting from when the greeter starts, and provide some logs?
> >
> > As I already wrote, my feeling was that /etc/pam.d/lightdm-greeter was
> > *not* used for user authentication, so it should even matter in your
> > case.
> >
>
> Any news on this?
Without news in more than four years, I guess we can close the bug.
Regards,
- --
Yves-Alexis
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAluFAlkACgkQ3rYcyPpX
RFvb6wgAgnLw00w0m8vuij+Hn9QL43Atoyf/oGQexA7ah4AcCd2qWng54ma1dtFX
V+qQDWKMmZ58Wv1uWd5HcX3iowBpzbipgVpUHm15xQLup+w7z8zX4+6M2WMTs9I+
y1T8V2p02NbuGdP6KIr+hWhz2HyW+UvZXeZVlbiOJx2yWXtwvVgL9xtKMqXT1jUY
wjjWB7/gKB3nQMnGRbKF+z9xHEmJO30PJb4Tki0uAL9M92g4TJSHq+1BZtRjU/5c
ZakNgnIz/IIwuffFpmHu0zbka12XbsTnp0AWUHqg55XjWVSCVfaj/E34SFl2tzUK
2RQuECg6MzUdXRg6InGFA0m1RErZzQ==
=5XS4
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 26 Sep 2018 07:30:26 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.