[Freeipa-users] Screensaver unlock with expired password

Dmitri Pal dpal at redhat.com
Mon Apr 16 21:24:21 UTC 2012


On 04/16/2012 05:17 PM, Sigbjorn Lie wrote:
> On 04/16/2012 03:33 PM, Dmitri Pal wrote:
>> On 04/14/2012 08:20 AM, Sigbjorn Lie wrote:
>>> Hi,
>>>
>>> I ran into an issue with unlocking the screensaver when a user's
>>> password has expired. These results are from RHEL 5.
>>>
>>> When running KDE and unlocking a screensaver with an expired password,
>>> an error message is displayed advising that the password subsystem has
>>> failed with instructions to kill the PID of the screensaver manually.
>>>
>>> When running GNOME and unlocking the screensaver with an expired
>>> password, an unlock is allowed, but no message is displayed, and the
>>> Kerberos ticket is not renewed.
>>>
>>> Neither of these situations is ideal.
>>>
>>> A workaround for KDE is to switch to a console login window with
>>> CTRL-ALT-F2,  and log in where you will be prompted for changing your
>>> password. Switch back to KDE, and unlock the screensaver with the new
>>> password. Not really user friendly.
>>>
>>> We did have the krb5-auth-dialog running, but it turned out that after
>>> being away over the weekend there were many of these appearing on the
>>> screen on Monday morning, and once you typed in your password a new
>>> Kerberos ticket was acquired with a start date of when the
>>> krb5-auth-dialog appeared!!
>>>
>>> So if I left the office on Friday, and the krb5-auth-dialog appeared
>>> on Saturday, I would get a ticket expiring on the Sunday that's
>>> already passed, even though I typed in the password on Monday,
>>> rendering the ticket useless for authenticating anywhere... so we
>>> removed this package from our workstations.
>>>
>>> Has anyone else run into these sorts of issues? I would like to know
>>> how you chose to work around these issues.
>>>
>>> Thanks.
>>>
>> It can also be a client configuration or software problem. What do you
>> use on the client? SSSD? nss_ldap+pam_krb5?
>> I assume you use IPA as a server. You can check the logs on the server
>> to see whether the new password is requested.
>> The client logs would really show what is going on.
>>
> The clients use nss_ldap+pam_krb5, SSSD was crashing for us on RHEL 5.
>
> The server is the IPA server provided in RHEL 6.2.
>
> When I check the logs on the client it states that authentication
> succeeded, and that the password has expired. And that's where the
> screensaver fails. It shows an info message that the password has
> expired, and then an error message advising that "The password
> subsystem has failed..."
>
>> Best would be if you provide clear reproduction steps and file a
>> ticket attaching logs and configuration to it.
>> If it is a bug in SSSD we would need to fix it ASAP though we have not
>> seen this behavior in SSSD ever.
>>
>
> This is not SSSD, I believe it either comes down to lack of support in
> the KDE screensaver or a requirement for change in the PAM
> configuration. The current PAM configuration is set by the
> system-config-auth script with the "--enable-ldap --enable-krb5" options.
>
> I was hoping for a change in the PAM configuration and that someone
> had an example that works to advise me about.
>

I do not think we know enough about KDE to be able to help you here. Sorry.

>
>
> Regards,
> Siggi
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

