Bug 651868
Summary: | gnome-screensaver fails to unlock the screen when offline. | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Gowrishankar Rajaiyan <grajaiya> |
Component: | gnome-screensaver | Assignee: | Ray Strode [halfline] <rstrode> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Desktop QE <desktop-qa-list> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 5.6 | CC: | aakkiang, bgollahe, ddumas, dpal, jdigilio, jgalipea, jwest, lmiksik, nicolas.monnet, pgervase, rstrode, sgallagh, tpelka, vbenes |
Target Milestone: | rc | Keywords: | Regression, ZStream |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | gnome-screensaver-2.16.1-10.el5 | Doc Type: | Bug Fix |
Doc Text: |
An attempt to unlock a locked screen using the smart card authentication failed. With this update, this error no longer occurs, and unlocking a screen with the smart card authentication now works as expected.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2013-09-23 11:12:10 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 640580, 656924 |
Description
Gowrishankar Rajaiyan
2010-11-10 14:23:57 UTC
From my preliminary investigation, it looks like this is related to the fix for BZ #606845. When SSSD performs an offline authentication (an auth check when the authoritative network server is unavailable) we send a PAM_TEXT_INFO message to the client informing them "Authenticated with cached credentials". After the upgrade to gnome-screensaver-2.16.1-8.el5_5.1, it appears that gnome-screensaver stops listening for the actual PAM_SUCCESS that follows and hangs indefinitely.

I talked to sgallagh about this today and read through the code. From reading the code, it seems the fix for bug 606845 exposed a latent bug in the screensaver code. That bug has to do with our handling of pam messages that don't require user interaction. Parts of the code treat these messages in much the same way as the user clicking cancel. That is, in previous versions of gnome-screensaver, the code would return PAM_INCOMPLETE for these messages. Normally, returning PAM_INCOMPLETE would cause the conversation to get interrupted and authentication failure. This is obviously wrong. The only thing that saved us before is that pam_sss (and certain other pam modules) ignore failure codes for messages that are "output only".

Since bug 606845 we handle cancel requests differently. We no longer return PAM_INCOMPLETE, but instead block and wait for the process to get killed. Since we're erroneously lumping these output only messages together with cancel requests, they're now causing the "wait for death" code to trigger as well.

The fix is to not erroneously lump output only messages together with cancel requests, but instead treat them in the same way as we treat messages that have already got a response from the user.

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

This issue breaks the SSSD on RHEL 5.6, which is a new feature. It is a regression and should be fixed before we can release 5.6. As noted above, it may also have a serious negative impact on other PAM modules beyond SSSD.

As for comment #4, it seems to me quite serious so we should fix it asap -> qa_ack

*** Bug 654896 has been marked as a duplicate of this bug. ***

*** Bug 651435 has been marked as a duplicate of this bug. ***

Verified by installing gnome-screensaver on RHEL5.6, works as expected.

Version: gnome-screensaver-2.16.1-10.el5

/var/log/secure
Nov 29 16:30:42 rhel5-6-server gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1001 euid=1001 tty=:0.0 ruser= rhost= user=puser1
Nov 29 16:30:42 rhel5-6-server gnome-screensaver-dialog: pam_sss(gnome-screensaver:auth): User info message: Authenticated with cached credentials.
Nov 29 16:30:42 rhel5-6-server gnome-screensaver-dialog: pam_sss(gnome-screensaver:auth): authentication success; logname= uid=1001 euid=1001 tty=:0.0 ruser= rhost= user=puser1

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
An attempt to unlock a locked screen using the smart card authentication failed. With this update, this error no longer occurs, and unlocking a screen with the smart card authentication now works as expected.
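The conversation handling discussed in the comments above, as a simplified model added here for illustration; it is not gnome-screensaver's code. The function names, the `user_cancels` switch and the two-message sequence are this example's own assumptions, and the message-style values are defined locally to match Linux-PAM so the file builds without libpam.

```c
#include <stddef.h>
#include <stdio.h>

/* Same values as Linux-PAM's PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON,
 * PAM_ERROR_MSG and PAM_TEXT_INFO; defined locally for a libpam-free build. */
enum style { ECHO_OFF = 1, ECHO_ON = 2, ERROR_MSG = 3, TEXT_INFO = 4 };
/* Outcome of one conversation callback (names are this example's own). */
enum outcome { CONTINUE, WAIT_FOR_KILL };

struct msg { enum style style; const char *text; };

/* Constructed message sequence for an offline SSSD unlock. */
static const struct msg offline_unlock[] = {
    { ECHO_OFF,  "Password: " },
    { TEXT_INFO, "Authenticated with cached credentials." },
};

static int user_cancels;  /* set to 1 to simulate clicking cancel */

static int is_prompt(enum style s) { return s == ECHO_OFF || s == ECHO_ON; }

/* Stand-in for the unlock dialog: the typed answer, or NULL on cancel. */
static const char *ask_user(const struct msg *m) {
    (void)m;
    return user_cancels ? NULL : "secret";
}

/* Reported behaviour: "no response" is read as cancel whatever the style,
 * so an output-only message triggers the wait-for-death path. */
enum outcome conv_lumped(const struct msg *m) {
    const char *resp = is_prompt(m->style) ? ask_user(m) : NULL;
    return resp ? CONTINUE : WAIT_FOR_KILL;
}

/* Described fix: output-only messages are treated like answered ones;
 * only a real cancel on a prompt blocks. */
enum outcome conv_fixed(const struct msg *m) {
    if (!is_prompt(m->style)) return CONTINUE;
    return ask_user(m) ? CONTINUE : WAIT_FOR_KILL;
}

/* Number of messages handled before the dialog stalls. */
int handled(enum outcome (*conv)(const struct msg *)) {
    int n = (int)(sizeof offline_unlock / sizeof offline_unlock[0]), i;
    for (i = 0; i < n && conv(&offline_unlock[i]) == CONTINUE; i++) {}
    return i;
}

int main(void) {
    printf("lumped: %d of 2, fixed: %d of 2\n",
           handled(conv_lumped), handled(conv_fixed));
    return 0;
}
```

With the lumped handler the conversation stalls on the PAM_TEXT_INFO message, so the module's final success is never delivered; the fixed handler gets through both messages and still blocks when the user really cancels.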