Red Hat Bugzilla – Bug 651868
gnome-screensaver fails to unlock the screen when offline.
Last modified: 2013-09-23 07:12:10 EDT
Description of problem:
gnome-screensaver authenticates with cached credentials, however fails to unlock the screen.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure SSSD for native LDAP domain.
2. Login to the system with the LDAP user to cache credentials.
3. Turn down the network.
4. Logout and re-login. Authenticated with cached credentials as expected.
5. System | Lock screen.
6. Enter the correct password to unlock the locked screen.
Actual results:
1. Authentication with cached credentials succeeds, however fails to unlock screen.
Nov 10 16:24:06 rhel5-6-server gnome-screensaver-dialog: pam_sss(gnome-screensaver:auth): User info message: Authenticated with cached credentials.
Expected results:
1. Authentication with cached credentials succeeds and screen unlocks successfully.
Nov 10 19:48:57 rhel5-6-server gnome-screensaver-dialog: pam_sss(gnome-screensaver:auth): User info message: Authenticated with cached credentials.
Nov 10 19:48:57 rhel5-6-server gnome-screensaver-dialog: pam_sss(gnome-screensaver:auth): authentication success; logname= uid=1001 euid=1001 tty=:0.0 ruser= rhost= user=puser1
This works as expected on gnome-screensaver-2.16.1-8.el5.
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://sssdldap.idm.lab.bos.redhat.com:636
ldap_search_base = dc=example,dc=com
cache_credentials = true
enumerate = true
debug_level = 9
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
From my preliminary investigation, it looks like this is related to the fix for BZ #606845.
When SSSD performs an offline authentication (an auth check when the authoritative network server is unavailable) we send a PAM_TEXT_INFO message to the client informing them "Authenticated with cached credentials".
After the upgrade to gnome-screensaver-2.16.1-8.el5_5.1, it appears that gnome-screensaver stops listening for the actual PAM_SUCCESS that follows and hangs indefinitely.
I talked to sgallagh about this today and read through the code.
From reading the code, it seems the fix for bug 606845 exposed a latent bug in the screensaver code. That bug has to do with our handling of pam messages that don't require user interaction.
Parts of the code treat these messages in much the same way as the user clicking cancel. That is, in previous versions of gnome-screensaver, the code would return PAM_INCOMPLETE for these messages. Normally, returning PAM_INCOMPLETE would cause the conversation to get interrupted and authentication failure. This is obviously wrong. The only thing that saved us before is that pam_sss (and certain other pam modules) ignore failure codes for messages that are "output only".
Since bug 606845 we handle cancel requests differently. We no longer return PAM_INCOMPLETE, but instead block and wait for the process to get killed. Since we're erroneously lumping these output only messages together with cancel requests, they're now causing the "wait for death" code to trigger as well.
The fix is to not erroneously lump output only messages together with cancel requests, but instead treat them in the same way as we treat messages that have already got a response from the user.
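To make the distinction in the comment above concrete, here is an added example of a PAM conversation callback for an unlock dialog (my own illustration, not gnome-screensaver's code): output-only messages such as pam_sss's PAM_TEXT_INFO are counted as already handled and the conversation continues, while only a real prompt with no answer is treated as Cancel. The `lump_info_with_cancel` flag reproduces the older PAM_INCOMPLETE return described above (the later "wait for death" variant is not modelled); the PAM constants and structs are assumed to match Linux-PAM's header so the file builds without libpam-dev.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
/* Mirrors Linux-PAM's <security/pam_appl.h> (assumed values) so this builds without libpam-dev. */
enum { PAM_SUCCESS = 0, PAM_CONV_ERR = 19, PAM_INCOMPLETE = 31 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Dialog state passed via appdata_ptr. secret == NULL models the user clicking Cancel;
 * lump_info_with_cancel == 1 reproduces the misbehaviour described in the comment above. */
struct unlock_ctx { const char *secret; int info_seen; int lump_info_with_cancel; };

static void free_responses(struct pam_response *r, int n)
{ for (int i = 0; i < n; i++) free(r[i].resp); free(r); }

/* Conversation callback: answers prompts; output-only messages are merely displayed. */
static int unlock_conv(int num_msg, const struct pam_message **msg,
                       struct pam_response **resp, void *appdata_ptr)
{
    struct unlock_ctx *ctx = appdata_ptr;
    struct pam_response *r = calloc(num_msg, sizeof *r);
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        int style = msg[i]->msg_style;
        if (style == PAM_TEXT_INFO || style == PAM_ERROR_MSG) {
            /* e.g. "Authenticated with cached credentials": nothing to answer, so
             * count it as already handled and keep the conversation alive. */
            ctx->info_seen++;
            if (ctx->lump_info_with_cancel) { free_responses(r, num_msg); return PAM_INCOMPLETE; }
        } else if (style == PAM_PROMPT_ECHO_OFF || style == PAM_PROMPT_ECHO_ON) {
            if (!ctx->secret) { free_responses(r, num_msg); return PAM_CONV_ERR; } /* Cancel */
            r[i].resp = strdup(ctx->secret);
        } else { free_responses(r, num_msg); return PAM_CONV_ERR; }
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Replays the two rounds pam_sss drives when offline (constructed sample messages):
 * a password prompt, then the info message. Returns the first non-success status. */
int simulate_offline_unlock(struct unlock_ctx *ctx)
{
    const struct pam_message prompt = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message info = { PAM_TEXT_INFO, "Authenticated with cached credentials." };
    const struct pam_message *rounds[2] = { &prompt, &info };
    for (int i = 0; i < 2; i++) {
        struct pam_response *resp = NULL;
        int rc = unlock_conv(1, &rounds[i], &resp, ctx);
        if (rc != PAM_SUCCESS) return rc;
        free_responses(resp, 1);
    }
    return PAM_SUCCESS;
}
```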
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
This issue breaks the SSSD on RHEL 5.6, which is a new feature. It is a regression and should be fixed before we can release 5.6.
As noted above, it may also have a serious negative impact on other PAM modules beyond SSSD.
As for comment #4, it seems to me quite serious, so we should fix it ASAP.
*** Bug 654896 has been marked as a duplicate of this bug. ***
*** Bug 651435 has been marked as a duplicate of this bug. ***
Verified by installing gnome-screensaver on RHEL5.6, works as expected.
Nov 29 16:30:42 rhel5-6-server gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1001 euid=1001 tty=:0.0 ruser= rhost= user=puser1
Nov 29 16:30:42 rhel5-6-server gnome-screensaver-dialog: pam_sss(gnome-screensaver:auth): User info message: Authenticated with cached credentials.
Nov 29 16:30:42 rhel5-6-server gnome-screensaver-dialog: pam_sss(gnome-screensaver:auth): authentication success; logname= uid=1001 euid=1001 tty=:0.0 ruser= rhost= user=puser1
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.
An attempt to unlock a locked screen using the smart card authentication failed. With this update, this error no longer occurs, and unlocking a screen with the smart card authentication now works as expected.