Bug#867488: mate-screensaver: can't unlock screensaver with pam-kerberos-ldap setup

Matt Weatherford mbw at uw.edu
Thu Jul 6 19:00:26 UTC 2017


Package: mate-screensaver
Version: 1.16.1-1
Severity: normal

Dear Maintainer,


I've configured Debian 9 to use LDAP and Kerberos for authentication. I used PAM
to do this and modified /etc/pam.d/. Now I cannot unlock my mate-screensaver session when I am
logged in as a user from the LDAP directory.

Here is what my "common-auth" looks like:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)

auth        required      pam_listfile.so onerr=fail  item=group sense=allow file=/etc/netid.allow

#new comment out 5-18-2017
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000


auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so

#####
# already comment out
#auth sufficient                         pam_krb5.so use_first_pass


# and here are more per-package modules (the "Additional" block)
auth    optional        pam_ssh.so use_first_pass

# end of pam-auth-update config



-----------------------------

Here is my /etc/pam/mate-screensaver file:

root@jaxi:/etc/pam.d# more mate-screensaver
@include common-auth
auth optional pam_gnome_keyring.so

root@jaxi:/etc/pam.d#root@jaxi:/homes/mbw#

Here are the errors I see in /var/log/auth.log:

Jul  6 11:19:54 jaxi lightdm: pam_krb5(lightdm:auth): user mbw authenticated as mbw@NETID.WASHINGTON.EDU
Jul  6 11:19:54 jaxi lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Jul  6 11:19:54 jaxi lightdm[11362]: pam_unix(lightdm:session): session opened for user mbw by (uid=0)
Jul  6 11:19:54 jaxi systemd-logind[443]: Removed session c4.
Jul  6 11:19:54 jaxi systemd: pam_krb5(systemd-user:session): cannot create Kerberos context
Jul  6 11:19:54 jaxi lightdm[11362]: pam_ck_connector(lightdm:session): nox11 mode, ignoring PAM_TTY :0
Jul  6 11:19:55 jaxi gnome-keyring-daemon[11380]: The Secret Service was already initialized
Jul  6 11:19:55 jaxi gnome-keyring-daemon[11380]: The PKCS#11 component was already initialized
Jul  6 11:19:55 jaxi gnome-keyring-daemon[11380]: The SSH agent was already initialized
Jul  6 11:20:05 jaxi mate-screensaver-dialog: pam_krb5(mate-screensaver:auth): cannot create Kerberos context
Jul  6 11:20:09 jaxi mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=153641 euid=153641 tty=:0.0 ruser= rhost=  user=mbw
Jul  6 11:20:09 jaxi mate-screensaver-dialog: pam_ldap(mate-screensaver:auth): Authentication failure; user=mbw
Jul  6 11:20:11 jaxi mate-screensaver-dialog: pam_krb5(mate-screensaver:auth): cannot create Kerberos context
Jul  6 11:20:15 jaxi mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=153641 euid=153641 tty=:0.0 ruser= rhost=  user=mbw
Jul  6 11:20:15 jaxi mate-screensaver-dialog: pam_ldap(mate-screensaver:auth): Authentication failure; user=mbw
Jul  6 11:20:17 jaxi mate-screensaver-dialog: pam_krb5(mate-screensaver:auth): cannot create Kerberos context
Jul  6 11:20:54 jaxi mate-screensaver-dialog: pam_krb5(mate-screensaver:auth): cannot create Kerberos context
Jul  6 11:21:49 jaxi su[11726]: Successful su for root by mbw



I don't intend for this to be a support request - I'm happy to go read forums or other docs on how to resolve this if it is user error (mine)
or my configuration problem - please point me in the right direction. My googling so far has not helped.

My next thing to try is to log in as a user in /etc/passwd (local user, not krb not ldap) and see if I can unlock the screen. I'll update the ticket soon with that information.


Thanks for supporting Debian!

Matt



*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages mate-screensaver depends on:
ii  dbus-x11                  1.10.18-1
ii  libatk1.0-0               2.22.0-1
ii  libc6                     2.24-11+deb9u1
ii  libcairo-gobject2         1.14.8-1
ii  libcairo2                 1.14.8-1
ii  libdbus-1-3               1.10.18-1
ii  libdbus-glib-1-2          0.108-2
ii  libgdk-pixbuf2.0-0        2.36.5-2
ii  libgl1-mesa-glx [libgl1]  13.0.6-1+b2
ii  libglib2.0-0              2.50.3-2
ii  libgtk-3-0                3.22.11-1
ii  libice6                   2:1.0.9-2
ii  libmate-desktop-2-17      1.16.2-2
ii  libmate-menu2             1.16.0-2
ii  libmatekbd4               1.16.0-2
ii  libnotify4                0.7.7-2
ii  libpam0g                  1.1.8-3.6
ii  libpango-1.0-0            1.40.5-1
ii  libpangocairo-1.0-0       1.40.5-1
ii  libsm6                    2:1.2.2-1+b3
ii  libstartup-notification0  0.12-4+b2
ii  libsystemd0               232-25
ii  libx11-6                  2:1.6.4-3
ii  libxext6                  2:1.3.3-1+b2
ii  libxklavier16             5.4-2
ii  libxss1                   1:1.2.2-1
ii  libxxf86vm1               1:1.1.4-1+b2
ii  mate-desktop-common       1.16.2-2
ii  mate-screensaver-common   1.16.1-1
ii  mate-session-manager      1.16.1-1

Versions of packages mate-screensaver recommends:
ii  mate-power-manager  1.16.2-1

Versions of packages mate-screensaver suggests:
pn  rss-glx            <none>
pn  xscreensaver-data  <none>

-- Configuration Files:
/etc/pam.d/mate-screensaver changed [not included]

-- no debconf information
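
Added example, not part of the original report: a simplified model of libpam's auth dispatch that walks the posted stack and shows which line decides the unlock failure seen in auth.log. The function names, the outcome tables and the assumption that pam_listfile succeeds (its result is not in the log excerpt) are this example's own; KRB5_OK is a hypothetical comparison case.

```python
import re

# "auth" lines as posted (whitespace normalised): common-auth, then the
# extra line from the mate-screensaver file.
STACK = """\
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/netid.allow
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ssh.so use_first_pass
auth optional pam_gnome_keyring.so
"""

def parse(text):
    """Return [(control, module)] for every auth line."""
    pat = re.compile(r"auth\s+(\[[^\]]*\]|\S+)\s+(pam_\w+)\.so")
    return [m.groups() for m in map(pat.match, text.splitlines()) if m]

def evaluate(stack, ok):
    """Simplified libpam dispatch. ok maps module name -> True on PAM_SUCCESS."""
    trace, status, i = [], None, 0
    while i < len(stack):
        control, module = stack[i]
        passed = ok.get(module, False)
        trace.append((module, passed))
        i += 1
        jump = re.match(r"\[success=(\d+) default=ignore\]", control)
        if jump:
            if passed:
                i += int(jump.group(1))      # skip the next N modules
        elif control == "requisite" and not passed:
            return False, trace              # fail immediately
        elif control == "required":
            status = passed if status is None else (status and passed)
        # "optional" results are ignored in this model
    return bool(status), trace

BASE = {"pam_deny": False, "pam_permit": True, "pam_listfile": True}  # listfile: assumed
# Constructed from the auth.log excerpt: krb5, unix and ldap all fail at unlock.
LOGGED_UNLOCK = dict(BASE, pam_krb5=False, pam_unix=False, pam_ldap=False)
# Hypothetical: the same unlock if pam_krb5 had succeeded.
KRB5_OK = dict(BASE, pam_krb5=True)

if __name__ == "__main__":
    for name, ok in (("logged unlock", LOGGED_UNLOCK), ("krb5 ok", KRB5_OK)):
        result, trace = evaluate(parse(STACK), ok)
        print(name, "->", "PASS" if result else "FAIL", [m for m, _ in trace])
```

With the logged outcomes the walk ends at the requisite pam_deny line; a pam_krb5 success would jump over pam_unix, pam_ldap and pam_deny and land on pam_permit.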


