Bug#867488: mate-screensaver: can't unlock screensaver with pam-kerberos-ldap setup
Matt Weatherford
mbw at uw.edu
Thu Jul 6 19:00:26 UTC 2017
Package: mate-screensaver
Version: 1.16.1-1
Severity: normal
Dear Maintainer,
I've configured Debian 9 to use LDAP and Kerberos for authentication. I used PAM
to do this and modified /etc/pam.d/. Now I cannot unlock my mate-screensaver session when I am
logged in as a user from the LDAP directory.
Here is what my "common-auth" looks like:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/netid.allow
#new comment out 5-18-2017
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
#####
# already comment out
#auth sufficient pam_krb5.so use_first_pass
# and here are more per-package modules (the "Additional" block)
auth optional pam_ssh.so use_first_pass
# end of pam-auth-update config
-----------------------------
Here is my /etc/pam/mate-screensaver file:
root at jaxi:/etc/pam.d# more mate-screensaver
@include common-auth
auth optional pam_gnome_keyring.so
root at jaxi:/etc/pam.d#root at jaxi:/homes/mbw#
Here are the errors I see in /var/log/auth.log:
Jul 6 11:19:54 jaxi lightdm: pam_krb5(lightdm:auth): user mbw authenticated as mbw at NETID.WASHINGTON.EDU
Jul 6 11:19:54 jaxi lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Jul 6 11:19:54 jaxi lightdm[11362]: pam_unix(lightdm:session): session opened for user mbw by (uid=0)
Jul 6 11:19:54 jaxi systemd-logind[443]: Removed session c4.
Jul 6 11:19:54 jaxi systemd: pam_krb5(systemd-user:session): cannot create Kerberos context
Jul 6 11:19:54 jaxi lightdm[11362]: pam_ck_connector(lightdm:session): nox11 mode, ignoring PAM_TTY :0
Jul 6 11:19:55 jaxi gnome-keyring-daemon[11380]: The Secret Service was already initialized
Jul 6 11:19:55 jaxi gnome-keyring-daemon[11380]: The PKCS#11 component was already initialized
Jul 6 11:19:55 jaxi gnome-keyring-daemon[11380]: The SSH agent was already initialized
Jul 6 11:20:05 jaxi mate-screensaver-dialog: pam_krb5(mate-screensaver:auth): cannot create Kerberos context
Jul 6 11:20:09 jaxi mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=153641 euid=153641 tty=:0.0 ruser= rhost= user=mbw
Jul 6 11:20:09 jaxi mate-screensaver-dialog: pam_ldap(mate-screensaver:auth): Authentication failure; user=mbw
Jul 6 11:20:11 jaxi mate-screensaver-dialog: pam_krb5(mate-screensaver:auth): cannot create Kerberos context
Jul 6 11:20:15 jaxi mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=153641 euid=153641 tty=:0.0 ruser= rhost= user=mbw
Jul 6 11:20:15 jaxi mate-screensaver-dialog: pam_ldap(mate-screensaver:auth): Authentication failure; user=mbw
Jul 6 11:20:17 jaxi mate-screensaver-dialog: pam_krb5(mate-screensaver:auth): cannot create Kerberos context
Jul 6 11:20:54 jaxi mate-screensaver-dialog: pam_krb5(mate-screensaver:auth): cannot create Kerberos context
Jul 6 11:21:49 jaxi su[11726]: Successful su for root by mbw
I don't intend for this to be a support request - I'm happy to go read forums or other docs on how to resolve this if it is user error (mine)
or my configuration problem - please point me in the right direction. My googling so far has not helped.
My next thing to try is to log in as a user in /etc/passwd (local user, not krb not ldap) and see if I can unlock the screen. I'll update the ticket soon with that information.
Thanks for supporting Debian!
Matt
*** End of the template - remove these template lines ***
-- System Information:
Debian Release: 9.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages mate-screensaver depends on:
ii dbus-x11 1.10.18-1
ii libatk1.0-0 2.22.0-1
ii libc6 2.24-11+deb9u1
ii libcairo-gobject2 1.14.8-1
ii libcairo2 1.14.8-1
ii libdbus-1-3 1.10.18-1
ii libdbus-glib-1-2 0.108-2
ii libgdk-pixbuf2.0-0 2.36.5-2
ii libgl1-mesa-glx [libgl1] 13.0.6-1+b2
ii libglib2.0-0 2.50.3-2
ii libgtk-3-0 3.22.11-1
ii libice6 2:1.0.9-2
ii libmate-desktop-2-17 1.16.2-2
ii libmate-menu2 1.16.0-2
ii libmatekbd4 1.16.0-2
ii libnotify4 0.7.7-2
ii libpam0g 1.1.8-3.6
ii libpango-1.0-0 1.40.5-1
ii libpangocairo-1.0-0 1.40.5-1
ii libsm6 2:1.2.2-1+b3
ii libstartup-notification0 0.12-4+b2
ii libsystemd0 232-25
ii libx11-6 2:1.6.4-3
ii libxext6 2:1.3.3-1+b2
ii libxklavier16 5.4-2
ii libxss1 1:1.2.2-1
ii libxxf86vm1 1:1.1.4-1+b2
ii mate-desktop-common 1.16.2-2
ii mate-screensaver-common 1.16.1-1
ii mate-session-manager 1.16.1-1
Versions of packages mate-screensaver recommends:
ii mate-power-manager 1.16.2-1
Versions of packages mate-screensaver suggests:
pn rss-glx <none>
pn xscreensaver-data <none>
-- Configuration Files:
/etc/pam.d/mate-screensaver changed [not included]
-- no debconf information
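
How the common-auth stack quoted in the report resolves for the two cases visible in auth.log, as an added example that is not part of the original report: a simplified Python model of Linux-PAM control values (the `[success=N default=ignore]` jumps, `required`, `requisite`, `optional`). Only the pam_krb5, pam_unix and pam_ldap failures come from the log; the other module results and the error labels are assumptions.

```python
import re

# Added example: a simplified model of Linux-PAM control handling, not libpam code.
KEYWORDS = {
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}
# The auth lines of the common-auth file quoted in the report.
STACK = """\
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/netid.allow
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ssh.so use_first_pass
"""

def parse(text):
    """Return [(module, {result: action})], one entry per auth line."""
    pairs = re.findall(r"^auth\s+(\[[^\]]+\]|\S+)\s+(\S+)", text, re.M)
    return [(mod, dict(kv.split("=") for kv in c[1:-1].split()) if c[0] == "[" else KEYWORDS[c])
            for c, mod in pairs]

def evaluate(stack, results):
    """Walk the stack; results maps module -> 'success' or an error label."""
    verdict, trace, i = None, [], 0          # None: no module has decided yet
    while i < len(stack):
        module, actions = stack[i]
        action = actions.get(results[module], actions["default"])
        trace.append((module, action))
        i += 1
        if action.isdigit():
            i += int(action)                 # [success=N]: skip the next N modules
        elif action in ("ok", "done") and verdict is None:
            verdict = True
        elif action in ("bad", "die"):
            verdict = False
        if action == "die" or (action == "done" and verdict):
            break
    return verdict is True, trace

# Constructed outcomes; only the krb5/unix/ldap failures in LOCK come from the log.
BASE = {"pam_listfile.so": "success", "pam_deny.so": "auth_err",
        "pam_permit.so": "success", "pam_ssh.so": "auth_err"}
LOCK = {**BASE, "pam_krb5.so": "no_context", "pam_unix.so": "auth_err", "pam_ldap.so": "auth_err"}
LOGIN = {**BASE, "pam_krb5.so": "success"}
```

`evaluate(parse(STACK), LOCK)` ends at pam_deny.so because all three password modules fall through on `default=ignore`, while `LOGIN` jumps from pam_krb5.so straight to pam_permit.so.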