Bug 651868

Summary: gnome-screensaver fails to unlock the screen when offline.
Product: Red Hat Enterprise Linux 5 Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: gnome-screensaver Assignee: Ray Strode [halfline] <rstrode>
Status: CLOSED CURRENTRELEASE QA Contact: Desktop QE <desktop-qa-list>
Severity: high Docs Contact:
Priority: high    
Version: 5.6 CC: aakkiang, bgollahe, ddumas, dpal, jdigilio, jgalipea, jwest, lmiksik, nicolas.monnet, pgervase, rstrode, sgallagh, tpelka, vbenes
Target Milestone: rc Keywords: Regression, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: gnome-screensaver-2.16.1-10.el5 Doc Type: Bug Fix
Doc Text:
An attempt to unlock a locked screen using the smart card authentication failed. With this update, this error no longer occurs, and unlocking a screen with the smart card authentication now works as expected.
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-23 11:12:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 640580, 656924    

Description Gowrishankar Rajaiyan 2010-11-10 14:23:57 UTC
Description of problem:
gnome-screensaver authenticates with cached credentials; however, it fails to unlock the screen.

Version-Release number of selected component (if applicable):
gnome-screensaver-2.16.1-8.el5_5.1

How reproducible:
Always

Steps to Reproduce:

1. Configure SSSD for native LDAP domain.
2. Login to the system with the LDAP user to cache credentials.
3. Turn down the network.
4. Logout and re-login. Authenticated with cached credentials as expected.
5. System | Lock screen.
6. Enter the correct password to unlock the locked screen.
  
Actual results:
1. Authentication with cached credentials succeeds; however, it fails to unlock the screen.
2. /var/log/secure
Nov 10 16:24:06 rhel5-6-server gnome-screensaver-dialog: pam_sss(gnome-screensaver:auth): User info message: Authenticated with cached credentials.

Expected results:
1. Authentication with cached credentials succeeds and screen unlocks successfully.
2. /var/log/secure
Nov 10 19:48:57 rhel5-6-server gnome-screensaver-dialog: pam_sss(gnome-screensaver:auth): User info message: Authenticated with cached credentials.
Nov 10 19:48:57 rhel5-6-server gnome-screensaver-dialog: pam_sss(gnome-screensaver:auth): authentication success; logname= uid=1001 euid=1001 tty=:0.0 ruser= rhost= user=puser1


Additional info:
This works as expected on gnome-screensaver-2.16.1-8.el5.

Relevant sssd.conf:
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://sssdldap.idm.lab.bos.redhat.com:636
ldap_search_base = dc=example,dc=com
cache_credentials = true
enumerate = true
debug_level = 9
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc

Comment 1 Stephen Gallagher 2010-11-10 14:29:06 UTC
From my preliminary investigation, it looks like this is related to the fix for BZ #606845.

When SSSD performs an offline authentication (an auth check when the authoritative network server is unavailable) we send a PAM_TEXT_INFO message to the client informing them "Authenticated with cached credentials".

After the upgrade to gnome-screensaver-2.16.1-8.el5_5.1, it appears that gnome-screensaver stops listening for the actual PAM_SUCCESS that follows and hangs indefinitely.

Comment 2 Ray Strode [halfline] 2010-11-10 18:31:22 UTC
I talked to sgallagh about this today and read through the code.

From reading the code, it seems the fix for bug 606845 exposed a latent bug in the screensaver code.  That bug has to do with our handling of pam messages that don't require user interaction.

Parts of the code treat these messages in much the same way as the user clicking cancel.  That is, in previous versions of gnome-screensaver, the code would return PAM_INCOMPLETE for these messages. Normally, returning PAM_INCOMPLETE would cause the conversation to get interrupted and authentication failure.  This is obviously wrong.  The only thing that saved us before is that pam_sss (and certain other pam modules) ignore failure codes for messages that are "output only".

Since bug 606845 we handle cancel requests differently.  We no longer return PAM_INCOMPLETE, but instead block and wait for the process to get killed.  Since we're erroneously lumping these output only messages together with cancel requests, they're now causing the "wait for death" code to trigger as well.

The fix is to not erroneously lump output only messages together with cancel requests, but instead treat them in the same way as we treat messages that have already got a response from the user.
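
An added example (not gnome-screensaver's, SSSD's or Linux-PAM's own code) of the distinction Comments 1 and 2 describe: a PAM conversation function that answers output-only messages (PAM_TEXT_INFO, PAM_ERROR_MSG) the way it answers a prompt the user has already replied to, instead of lumping them in with cancel. The struct and constant definitions copy the values from Linux-PAM's security/pam_appl.h so the file builds without libpam; `dialog_state`, `buggy_conv` and `simulate_offline_auth` (a strict stand-in for a module's offline path that sends "Authenticated with cached credentials." as PAM_TEXT_INFO) are constructed for the example and are not pam_sss's real code.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values copied from Linux-PAM's security/pam_appl.h so the example builds
 * without libpam; a real client includes that header instead. */
#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_CONV_ERR        19
#define PAM_INCOMPLETE      31
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Constructed application state: the password the unlock dialog collected
 * (NULL means the user pressed cancel) and a buffer of text to display. */
struct dialog_state {
    const char *typed_password;
    char info_log[256];
};

static void append_info(struct dialog_state *st, const char *text)
{
    size_t used = strlen(st->info_log);
    snprintf(st->info_log + used, sizeof st->info_log - used, "%s\n", text);
}

static void free_replies(struct pam_response *r, int n)
{
    for (int i = 0; i < n; i++)
        free(r[i].resp);
    free(r);
}

/* Fixed conversation function: output-only styles are displayed and get an
 * empty reply, exactly like an already-answered prompt; only a real cancel
 * (no password available) aborts the conversation. */
int screensaver_conv(int num_msg, const struct pam_message **msg,
                     struct pam_response **resp, void *appdata_ptr)
{
    struct dialog_state *st = appdata_ptr;
    struct pam_response *replies;

    if (num_msg <= 0)
        return PAM_CONV_ERR;
    replies = calloc((size_t)num_msg, sizeof *replies);
    if (replies == NULL)
        return PAM_CONV_ERR;

    for (int i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_TEXT_INFO:
        case PAM_ERROR_MSG:
            append_info(st, msg[i]->msg);      /* show it; reply stays NULL */
            break;
        case PAM_PROMPT_ECHO_OFF:
        case PAM_PROMPT_ECHO_ON:
            if (st->typed_password == NULL) {  /* the user cancelled */
                free_replies(replies, num_msg);
                return PAM_CONV_ERR;
            }
            replies[i].resp = strdup(st->typed_password);
            break;
        default:
            free_replies(replies, num_msg);
            return PAM_CONV_ERR;
        }
    }
    *resp = replies;
    return PAM_SUCCESS;
}

/* Variant reproducing the latent defect from Comment 2: an output-only
 * message is treated like cancel and the conversation returns PAM_INCOMPLETE. */
int buggy_conv(int num_msg, const struct pam_message **msg,
               struct pam_response **resp, void *appdata_ptr)
{
    for (int i = 0; i < num_msg; i++)
        if (msg[i]->msg_style == PAM_TEXT_INFO || msg[i]->msg_style == PAM_ERROR_MSG)
            return PAM_INCOMPLETE;
    return screensaver_conv(num_msg, msg, resp, appdata_ptr);
}

typedef int (*conv_fn)(int, const struct pam_message **, struct pam_response **, void *);

/* Constructed stand-in for a module's offline path (not pam_sss's code): prompt
 * for the password, check it against the cached one (a real module compares a
 * hash, not plaintext), then send the cached-credentials notice as
 * PAM_TEXT_INFO. Modelled as a strict module: a failed conversation fails auth. */
int simulate_offline_auth(conv_fn conv, struct dialog_state *st, const char *cached_password)
{
    const struct pam_message prompt = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message notice = { PAM_TEXT_INFO, "Authenticated with cached credentials." };
    const struct pam_message *pm = &prompt, *nm = &notice;
    struct pam_response *r = NULL;
    int rc = conv(1, &pm, &r, st);
    if (rc != PAM_SUCCESS)
        return rc;
    rc = (r[0].resp && strcmp(r[0].resp, cached_password) == 0) ? PAM_SUCCESS : PAM_AUTH_ERR;
    free_replies(r, 1);
    if (rc != PAM_SUCCESS)
        return rc;
    r = NULL;
    rc = conv(1, &nm, &r, st);     /* output-only round: must not abort */
    if (r != NULL)
        free_replies(r, 1);
    return rc;
}

int main(void)
{
    struct dialog_state fixed = { "s3cret", "" }, buggy = { "s3cret", "" };
    printf("fixed conv: rc=%d, shown: %s",
           simulate_offline_auth(screensaver_conv, &fixed, "s3cret"), fixed.info_log);
    printf("buggy conv: rc=%d (PAM_INCOMPLETE is %d)\n",
           simulate_offline_auth(buggy_conv, &buggy, "s3cret"), PAM_INCOMPLETE);
    return 0;
}
```

With the fixed function the notice is appended to the dialog's text and the module returns PAM_SUCCESS; with the buggy variant the same notice aborts the conversation, which is the failure a module that does not ignore output-only return codes would report. A genuine cancel still aborts on the prompt round, so the distinction is between "nothing to answer" and "the user declined to answer".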

Comment 3 RHEL Program Management 2010-11-10 18:37:06 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 4 Stephen Gallagher 2010-11-10 18:44:53 UTC
This issue breaks the SSSD on RHEL 5.6, which is a new feature. It is a regression and should be fixed before we can release 5.6.

As noted above, it may also have a serious negative impact on other PAM modules beyond SSSD.

Comment 6 Vladimir Benes 2010-11-11 09:45:48 UTC
As for comment #4, it seems to me quite serious, so we should fix it ASAP.
-> qa_ack

Comment 7 Ray Strode [halfline] 2010-11-22 21:14:22 UTC
*** Bug 654896 has been marked as a duplicate of this bug. ***

Comment 13 Ray Strode [halfline] 2010-11-27 04:52:39 UTC
*** Bug 651435 has been marked as a duplicate of this bug. ***

Comment 14 Gowrishankar Rajaiyan 2010-11-29 11:02:21 UTC
Verified by installing gnome-screensaver on RHEL5.6, works as expected.
Version: gnome-screensaver-2.16.1-10.el5

/var/log/secure
Nov 29 16:30:42 rhel5-6-server gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1001 euid=1001 tty=:0.0 ruser= rhost=  user=puser1
Nov 29 16:30:42 rhel5-6-server gnome-screensaver-dialog: pam_sss(gnome-screensaver:auth): User info message: Authenticated with cached credentials.
Nov 29 16:30:42 rhel5-6-server gnome-screensaver-dialog: pam_sss(gnome-screensaver:auth): authentication success; logname= uid=1001 euid=1001 tty=:0.0 ruser= rhost= user=puser1

Comment 15 Jaromir Hradilek 2010-12-02 15:21:25 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
An attempt to unlock a locked screen using the smart card authentication failed. With this update, this error no longer occurs, and unlocking a screen with the smart card authentication now works as expected.