New lightdm releases for mga3 [1] and mga4 [2] in core/updates_testing fix (according to upstream) the "Correctly invoke PAM to change authentication token" issue. The mga3 version jumps directly from 1.4.4 to 1.4.6, but the changes in 1.4.5 [3] are irrelevant to us and the new files are removed during the build. Steps to reproduce the fixed issues are described in the Debian bug tracker: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=735670#27
[1] lightdm-1.4.6-1.mga3
[2] lightdm-1.8.7-1.mga4
[3] http://lists.freedesktop.org/archives/lightdm/2013-October/000460.html
Whiteboard: (none) => MGA3TOO
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok
I'll test Mageia 4 i586 in a few hours, unless it's already been done by then.
CC: (none) => remi
Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok has_procedure
RPMs:
* mga3
  - lightdm-1.4.6-1.mga3
  - liblightdm-gobject1_0-1.4.6-1.mga3
* mga4
  - lightdm-1.8.7-1.mga4
  - liblightdm-gobject1_0-1.8.7-1.mga4
Tested lightdm 1.8.7 Mageia 4 i586. I could reproduce the issue following the procedure linked in comment 0. The update candidate fixes this issue, but the behaviour is so counter-intuitive that I'm not sure it's not a regression. When one should change his password, here are the following paths that a user might try in comparison to what he is supposed to do:
1. Type in your actual password, validate.
2. Lightdm displays: "Change password for $user."
2.1 Type in a new (strong) password, validate. Lightdm answers: "Incorrect password, please try again"
2.2 Start again with 1., then guess (!) that you have to type in your former password a second time! (though the message is "Change password for $user.") Validate.
3. Lightdm shows nothing. Type in your new (strong) password, validate.
4. Lightdm still shows nothing. Type in your new (strong) password again, validate. You're now logging in.
Jani, can you test whether this issue comes from your package/from the upstream release/was always there?
Whiteboard: MGA3TOO mga4-64-ok has_procedure => MGA3TOO mga4-64-ok has_procedure feedback
Same fix was pushed to 1.2, 1.4 and 1.8 series, so it's been there for some time.
Testing again on Mageia 4 x86_64.
Behaviour in lightdm-1.8.6-1.mga4: When the user has to change her password, the prompt in lightdm is as follows:
1. Type in your old password
2. Lightdm displays: "You are required to change your password immediately."
3. Type in your new password
4. It is changed without confirmation, and you can now type in the new password to log in
Behaviour in lightdm-1.8.7-1.mga4: As reported in comment 3.
I think the behaviour with lightdm-1.8.6-1.mga4 was better (though not optimal either), so I'm not sure we should go on with this update candidate. Better wait for upstream to *really* fix this.
IIUC the point is that without this new version user can change passwd to one which doesn't pass checks, like length and simplicity, because UNIX__IAMROOT pam flag is mistakenly set and being root by-passes checks. See also: https://bugs.launchpad.net/lightdm/+bug/869501
That's what I understood too, and the update candidate does fix it. But IMO it introduces a regression which isn't particularly better than the bug it fixes. Well security-wise, it might be better, but if you're not too astute, you can just end up not being able to log in again :) We can assume people having set up a password expiration time can find their way through a counter-intuitive DM. BTW I don't know much about lightdm's upstream, but is it normal that https://bugs.launchpad.net/lightdm/+bug/869501 is tagged as released for Debian but not for the whole project?
Whiteboard: MGA3TOO mga4-64-ok has_procedure feedback => MGA3TOO mga4-32-ok mga4-64-ok has_procedure feedback
(In reply to Rémi Verschelde from comment #7)
> That's what I understood too, and the update candidate does fix it. But IMO
> it introduces a regression which isn't particularly better than the bug it
> fixes.
Then you should consider reporting it directly to upstream.
https://bugs.launchpad.net/lightdm/+bug/869501/comments/9
According to comment #6, this seems to fix a security issue (admin sets password checks and users don't need to respect them), so while I agree that there's a regression regarding users, I think we could want to push it. But my real position is: let's wait for a few days if upstream answers Rémi's bug report with a comment and/or a fix. It would be even better to have a version that fixes both the PAM issue and user experience. Could be interesting to test with an English locale, too, maybe it's just a bad misleading translation.
CC: (none) => stormi
Let's proceed with this update, since upstream does not react to my comment. Testing needed on Mageia 3.
Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok has_procedure feedback => MGA3TOO mga4-32-ok mga4-64-ok has_procedure
CC: (none) => davidwhodgins
Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok has_procedure => MGA3TOO mga4-32-ok mga4-64-ok has_procedure mga3too
In VirtualBox, M3, KDE, 32-bit
Package(s) under test: lightdm
The test procedure reads as follows:
1) install lightdm ( OK done )
2) create a new test user (call it "giulio", set password "giulio")
   # adduser giulio
   ( OK done )
3) login with giulio and try to change the account password
   giulio$ passwd
   ( and how do you "login with giulio" in lightdm)
There is no choice for lightdm in the login menu and there is no choice for lightdm in MCC -> System -> Manage users on system
How do you login to giulio using the lightdm GUI?
CC: (none) => wilcal.int
I've never used lightdm, but I would have expected that if you set lightdm as the DM in MCC/Boot/Set up display manager, then you should be able to login as any user.
(In reply to James Kerr from comment #13)
> I've never used lightdm, but I would have expected that if you set lightdm
> as the DM in MCC/Boot/Set up display manager, then you should be able to
> login as any user.
I agree and that does not appear to be the case. Or I do not understand something.
Just checked. While it seems to default to the last logged in user, the user selection button is a drop down menu (note the down arrow at the end of the user name), so if you click on that button, it does present the list of available users (including "other", where you can type in the user, such as root). Also note the icons at the top right, where you can select which desktop manager to use, etc.
I should also add, that to use lightdm, run mcc, select boot, then "Set up the display manager", and select lightdm. Note that lightdm must be installed before it will show up as a selectable option.
In VirtualBox, M3, KDE, 32-bit
Package(s) under test: lightdm
The test procedure reads as follows:
1) install lightdm ( OK done )
2) create a new test user (call it "giulio", set password "giulio")
3) reboot system
Repeated tries: there is no choice for lightdm in the login menu and there is no choice for lightdm in MCC -> System -> Manage users on system.
(In reply to William Kenney from comment #17)
> Repeated tries: there is no choice for lightdm in the login menu and there
> is no choice for lightdm in MCC -> System -> Manage users on system.
LightDM is a display manager, i.e. it _is_ the login menu. You are currently using another display manager, probably KDM since you installed the KDE version of Mageia. To change the display manager, you need to go to: MCC > Boot > Set up display manager. There you should be able to select LightDM.
(In reply to Rémi Verschelde from comment #18)
> To change the display manager, you need to go to: MCC > Boot > Set up
> display manager. There you should be able to select LightDM.
I agree that is the way it should work but for me on Vbox M3 it does not.
In comment 17 you wrote about "MCC > System > Manage users on system", but the DM has to be configured in "MCC > Boot > Set up display manager". Are you sure you checked the latter? If so, could you give the output of "rpm -qa | grep lightdm"?
All is working for me. i586 with KDE. Should we first push the update to 4/core/updates instead of waiting for tests on Mageia 3?
CC: (none) => filorin.mageia
Confirm bug fixed for Mga3 32-bit using real hw. Unable to test Mga3 64-bit. Carolyn
CC: (none) => cmrisolde
Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok has_procedure mga3too => MGA3TOO mga4-32-ok mga4-64-ok has_procedure mga3too MGA3-32-OK
Well, I've now got Mga3 64-bit installed again, but on testing this update it doesn't appear to have fixed the bug for this arch, lightdm is still allowing me to choose a very short password for my test user such as "g" or "h". Carolyn
Thanks Carolyn, adding 'feedback' whiteboard marker
Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok has_procedure mga3too MGA3-32-OK => MGA3TOO has_procedure feedback MGA3-32-OK mga4-32-ok mga4-64-ok
Confirming comment 23, the issue is not fixed by the update candidate on mga3 64bit, unless I'm missing something. I could set a one-letter password without any issue.
For the record I did install both lightdm and lib64lightdm-gobject1_0 from core/updates_testing.
Assigning back to you for now Jani. Please reassign when you're ready. Thanks.
CC: (none) => qa-bugs
Assignee: qa-bugs => jani.valimaa
Whiteboard: MGA3TOO has_procedure feedback MGA3-32-OK mga4-32-ok mga4-64-ok => MGA3TOO has_procedure MGA3-32-OK mga4-32-ok mga4-64-ok
Closing as INVALID as lightdm pkgs were removed from mga4 core/updates_testing.
Status: NEW => RESOLVED
Resolution: (none) => INVALID