[Freeipa-users] Screensaver unlock with expired password

Sigbjorn Lie sigbjorn at nixtra.com
Mon Apr 16 21:17:35 UTC 2012


On 04/16/2012 03:33 PM, Dmitri Pal wrote:
> On 04/14/2012 08:20 AM, Sigbjorn Lie wrote:
>> Hi,
>>
>> I ran into an issue with unlocking the screensaver when a user's
>> password has expired. These results are from RHEL 5.
>>
>> When running KDE and unlocking a screensaver with an expired password,
>> an error message is displayed advising that the password subsystem has
>> failed with instructions to kill the PID of the screensaver manually.
>>
>> When running GNOME and unlocking the screensaver with an expired
>> password, an unlock is allowed, but no message is displayed, and the
>> kerberos ticket is not renewed.
>>
>> Neither of these situations are ideal.
>>
>> A workaround for KDE is to switch to a console login window with
>> CTRL-ALT-F2, and log in, where you will be prompted to change your
>> password. Switch back to KDE, and unlock the screensaver with the new
>> password. Not really user friendly.
>>
>> We did have the krb5-auth-dialog running, but it turned out that after
>> being away over the weekend there were many of these appearing on the
>> screen on Monday morning, and once you typed in your password a new
>> kerberos ticket was acquired with a start date of when the
>> krb5-auth-dialog appeared!!
>>
>> So if I left the office on Friday, and the krb5-auth-dialog appeared
>> on Saturday, I would get a ticket expiring on the Sunday that's
>> already passed, even though I typed in the password on Monday,
>> rendering the ticket useless for authenticating anywhere... so we
>> removed this package from our workstations.
>>
>> Has anyone else run into this sort of issue? I would like to know
>> how you chose to work around these issues.
>>
>> Thanks.
>>
> It can also be a client configuration or software problem. What do you
> use on the client? SSSD? nss_ldap+pam_krb5?
> I assume you use IPA as a server. You can check the logs on the server
> to see whether the new password is requested.
> The client logs would really show what is going on.
>
The clients use nss_ldap+pam_krb5, SSSD was crashing for us on RHEL 5.

The server is the IPA server provided in RHEL 6.2.

When I check the logs on the client it states that authentication 
succeeded, and that the password has expired. And that's where the 
screensaver fails. It shows an info message that the password has 
expired, and then an error message advising that "The password subsystem 
has failed..."

> Best would be if you provide a clear reproduction steps and file a
> ticket attaching logs and configuration to it.
> If it is a bug in SSSD we would need to fix it ASAP though we have not
> seen this behavior in SSSD ever.
>

This is not SSSD, I believe it either comes down to lack of support in 
the KDE screensaver or a requirement for a change in the PAM 
configuration. The current PAM configuration is set by the 
system-config-auth script with the "--enable-ldap --enable-krb5" options.

I was hoping for a change in the PAM configuration, and that someone had 
a working example to advise me about.



Regards,
Siggi
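An added example, not code from this thread or from the FreeIPA project: a small Python parser for a PAM service file that reports whether the Kerberos module is present in the three phases an expired-password unlock passes through (auth, then account, which is where PAM reports that a new authentication token is required, then password, which performs the change). The configuration text in the block is constructed to resemble an authconfig-generated system-auth file on RHEL 5 and is not copied from any real host; the function names are the example's own.

```python
"""Inspect a PAM stack for the modules involved in an expired-password change.

Added example, not from the mailing-list thread. The sample configuration
below is constructed to look like an authconfig --enable-ldap --enable-krb5
system-auth file; it is not taken from a real machine.
"""
import re
from collections import defaultdict

# Constructed sample, not a real system-auth file.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
"""

# type, control (simple keyword or [bracketed action list]), module, optional args
LINE_RE = re.compile(
    r'^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?:\s+(?P<args>.*))?$'
)


def parse_pam(text):
    """Return {management_group: [(control, module, [args...]), ...]}.

    Comments and blank lines are skipped; a leading '-' on the type
    (the "silently ignore if missing" marker) is stripped.
    """
    stack = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        group = m.group('type').lstrip('-')
        args = (m.group('args') or '').split()
        stack[group].append((m.group('control'), m.group('module'), args))
    return dict(stack)


def modules_in(stack, group):
    """Ordered list of module names in one management group."""
    return [module for _, module, _ in stack.get(group, [])]


def expired_password_check(stack, module='pam_krb5.so'):
    """For each phase an expired-password unlock walks through, say
    whether the given module is in the stack. A False entry in 'password'
    means the change would never reach the Kerberos server."""
    return {g: module in modules_in(stack, g) for g in ('auth', 'account', 'password')}


if __name__ == '__main__':
    parsed = parse_pam(SAMPLE_SYSTEM_AUTH)
    for phase, present in expired_password_check(parsed).items():
        print(f"{phase:9s} pam_krb5.so present: {present}")
```

To run it against a real service file, read the text of the screensaver's own PAM service file (or the system-auth it includes) and pass it to parse_pam; the parser deliberately does not follow include or substack directives, so check each included file separately.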



