Bug#383889: gnome-screensaver: unlock dialog always reports password invalid - same here

Wed Oct 8 09:15:13 UTC 2008

On 10-06 11:03, Josselin Mouette wrote:
> Le dimanche 05 octobre 2008 à 19:12 +0200, Witold Baryluk a écrit :
> > Hi,
> > 
> > i'm using LDAP configuration without problem on dozen of workstations,
> > with everything working. Everything but one, screensaver unlocking.
> > 
> > This is very iritating. I added pam_permit to
> > /etc/pam.d/gnome-screensaver
> > but this isn't the best way...
> > 
> > Debug log in attachment
> 
> AIUI, the debug log merely indicates that the PAM authentication check
> returns FALSE.
> 
> Does it happen for all users or only one?
Yes, all LDAP users. Local users are only root and system accounts.
Just created "guest" account in /etc/{passwd,shadow} - unlocking
works.

> 
> What is your locale? Does it also happen in C locale?
pl_PL.UTF-8. Just tested with C locale - same problem.

> 
> Are there any 8-bit characters in the password?
No.


------------------------------------------------------------------------

/etc/nsswitch.conf :

passwd:         compat ldap
group:          compat ldap
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

------------------------------------------------------------------------

/etc/libnss-ldap.conf :

uri ldaps://ldapserver.smp.if.uj.edu.pl
ssl on
ldap_version 3
tls_cacertfile /etc/ssl/certs/SMP_Root_Certification_Authority.pem

rootbinddn cn=ldapadmin,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
base dc=smp,dc=if,dc=uj,dc=edu,dc=pl
scope sub

# ustawione bo udev przy bootowaniu jest skopany
bind_policy soft

nss_base_passwd		ou=People,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_shadow		ou=People,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_group		ou=Group,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_aliases	ou=Aliases,dc=smp,dc=if,dc=uj,dc=edu,dc=pl

------------------------------------------------------------------------

/etc/pam_ldap.conf : 

uri ldaps://ldapserver.smp.if.uj.edu.pl
ssl on
ldap_version 3
tls_cacertfile /etc/ssl/certs/SMP_Root_Certification_Authority.pem

rootbinddn cn=ldapadmin,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
base dc=smp,dc=if,dc=uj,dc=edu,dc=pl
scope one

pam_filter objectclass=posixAccount
pam_password md5

nss_base_passwd		ou=People,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_shadow		ou=People,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_group		ou=Group,dc=smp,dc=if,dc=uj,dc=edu,dc=pl
nss_base_aliases	ou=Aliases,dc=smp,dc=if,dc=uj,dc=edu,dc=pl

------------------------------------------------------------------------

/etc/ldap/ldap.conf :

BASE	dc=smp,dc=if,dc=uj,dc=edu,dc=pl
URI	ldaps://ldapserver.smp.if.uj.edu.pl

TLS_CACERT /etc/ssl/certs/SMP_Root_Certification_Authority.pem
TLS_REQCERT hard

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never

------------------------------------------------------------------------

/etc/pam.d/common-auth :

auth	optional	pam_group.so
auth	sufficient	pam_unix.so		nullok_secure likeauth
auth	sufficient	pam_ldap.so		use_first_pass
# ignore_authinfo_unavail
auth	required	pam_deny.so

------------------------------------------------------------------------


/etc/pam.d/common-account  : 

account		sufficient	pam_unix.so
account		sufficient	pam_ldap.so
account		required	pam_deny.so

------------------------------------------------------------------------

/etc/pam.d/gnome-screensaver  :

#auth	sufficient	pam_permit.so
@include common-auth
auth optional pam_gnome_keyring.so

-- 
Witold Baryluk
MAIL: baryluk at smp.if.uj.edu.pl
JID: witold.baryluk at jabster.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20081008/f2ce7a0c/attachment.pgp