
Bug#1052480: bookworm-pu: package libpam-mklocaluser/0.18+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libpam-mklocaluser@packages.debian.org, debian-edu@lists.debian.org
Control: affects -1 + src:libpam-mklocaluser

[ Reason ]

In Debian Edu, we provide roaming workstations. The mechanism of
persistent user creation is handled by libpam-mklocaluser (users in
LDAP get created as local users on such machines when logging in
on the school's network; from then on, the user exists locally on
that machine).

It was observed that with LightDM it would always take two logins
to complete this process. The first login would create the user
but bump back into the login manager.

With GDM3 this is not the case.

While investigating this deeper, it was discovered that it is
important to place libpam-mklocaluser at the very top of the
PAM session type stack. This is provided with the changeset of
this package. Furthermore, we cherry-picked a change that fixes
various (awful) grammar mistakes and typos in the README.

[ Impact ]
Users will continue to log in twice on Debian Edu roaming workstations.

There will also be a fix to LightDM that we plan to propose as a
bookworm-pu. If that finds its way into bookworm, having this change
is mandatory, otherwise the successful initial login will have
broken systemd user services.

[ Tests ]
Manual tests on Debian Edu 12 (preview installations).

[ Risks ]
Not much; libpam-mklocaluser seems to be used by Debian Edu only.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

+  [ Mihai Moldovan ]
+  * README: Typo and grammar fixes.

-> the mentioned language fixes...

+  [ Guido Berhoerster ]
+  * debian/pam-auth-update/mklocaluser:
+    + Ensure this PAM module is ordered before other session type modules.
+      Since this potentially changes the home directory, the module should be
+      ordered before others which require the correct location of the home
+      directory and/or start executables, particularly pam_systemd. (Closes:
+      #1052475).

-> the priority bump for pam-auth-update.

[ Other info ]
None.
diff -Nru libpam-mklocaluser-0.18/debian/changelog libpam-mklocaluser-0.18+deb12u1/debian/changelog
--- libpam-mklocaluser-0.18/debian/changelog	2020-05-22 18:01:47.000000000 +0200
+++ libpam-mklocaluser-0.18+deb12u1/debian/changelog	2023-09-22 18:50:27.000000000 +0200
@@ -1,3 +1,18 @@
+libpam-mklocaluser (0.18+deb12u1) bookworm; urgency=medium
+
+  [ Mihai Moldovan ]
+  * README: Typo and grammar fixes.
+
+  [ Guido Berhoerster ]
+  * debian/pam-auth-update/mklocaluser:
+    + Ensure this PAM module is ordered before other session type modules.
+      Since this potentially changes the home directory, the module should be
+      ordered before others which require the correct location of the home
+      directory and/or start executables, particularly pam_systemd. (Closes:
+      #1052475).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Fri, 22 Sep 2023 18:50:27 +0200
+
 libpam-mklocaluser (0.18) unstable; urgency=medium
 
   * Team upload.
diff -Nru libpam-mklocaluser-0.18/debian/control libpam-mklocaluser-0.18+deb12u1/debian/control
--- libpam-mklocaluser-0.18/debian/control	2020-05-22 17:58:46.000000000 +0200
+++ libpam-mklocaluser-0.18+deb12u1/debian/control	2023-09-22 18:49:18.000000000 +0200
@@ -18,13 +18,13 @@
          ${python3:Depends},
          libpam-python
 Suggests: libpam-ccreds | libpam-sss,
-Description: Configure PAM to create a local user if it do not exist already
+Description: Configure PAM to create a local user if it does not exist already
  When the user logs in for the first time, a local POSIX user account is
- created in /etc/passwd and primary group created in /etc/group, and a
+ created in /etc/passwd, a primary group is created in /etc/group, and a
  local home directory is created in /home.
  .
  This is useful on roaming computers when the password is set up to be
- cached by for example libpam-ccreds or sssd to allow login without
+ cached by, for example, libpam-ccreds or sssd to allow login without
  network connectivity using the password provided by a network
  authentication service like Kerberos or LDAP.
  .
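Review bot: The Description rewording in this debian/control hunk is not listed in the new debian/changelog entry, which records only the README fixes and the pam-auth-update priority change, while the request's checklist states that all changes are documented there. Add a changelog line for it, for example "* debian/control: Grammar fixes in the package description."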
diff -Nru libpam-mklocaluser-0.18/debian/pam-auth-update/mklocaluser libpam-mklocaluser-0.18+deb12u1/debian/pam-auth-update/mklocaluser
--- libpam-mklocaluser-0.18/debian/pam-auth-update/mklocaluser	2020-05-22 07:52:53.000000000 +0200
+++ libpam-mklocaluser-0.18+deb12u1/debian/pam-auth-update/mklocaluser	2023-09-22 18:47:33.000000000 +0200
@@ -1,6 +1,6 @@
 Name: Create local accounts and home directory on first time login
 Default: yes
-Priority: 0
+Priority: 1024
 Session-Interactive-Only: yes
 Session-Type: Additional
 Session-Final:
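Review bot: The new "Priority: 1024" carries no explanation of why that value was chosen, and the ordering goal stated in the changelog only holds while no other profile with "Session-Type: Additional" declares an equal or higher priority. Consider documenting the intent in the README. Priority is a per-profile field, so it also moves any Auth, Account or Password entries this profile defines; the hunk shows only the session fields, so please confirm there are none. Since the debdiff touches no maintainer script, also confirm that the existing postinst runs pam-auth-update --package, so that upgraded systems regenerate the session stack with the new order.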
diff -Nru libpam-mklocaluser-0.18/debian/README libpam-mklocaluser-0.18+deb12u1/debian/README
--- libpam-mklocaluser-0.18/debian/README	2020-05-22 07:52:53.000000000 +0200
+++ libpam-mklocaluser-0.18+deb12u1/debian/README	2023-09-22 18:49:18.000000000 +0200
@@ -1,11 +1,12 @@
-libpam-mklocalusre
+libpam-mklocaluser
 ===================
 
-PAM configuration to enable add users able to log in, presumably using
-some network directory information like NIS or LDAP, and when they log
-in a local users with the uid and gid information from the networked
-directory is created, and their password is cached on the local disk
-to allow them to log in also when disconnected from the net.
+PAM configuration to enable locally unknown users to log in, presumably using
+some network directory information like NIS or LDAP. When they log
+in and the user name is locally unknown, a new local user with the UID and
+GID information from the networked directory is created, and their password
+is cached on the local disk to allow them to log in also when disconnected
+from the network.
 
 For sites using a path to home directories on the form
 /site/hostname/partition/username/, it would be confusing if the local
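Review bot: The rewritten first paragraph still says "their password is cached on the local disk" without naming what does the caching, and debian/control only Suggests libpam-ccreds or libpam-sss for that, so this package alone does not provide it. Suggest naming those components in this paragraph so administrators know which credential cache they need to install and protect.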
@@ -14,7 +15,7 @@
 with /home/username/ as the home directory, allowing the remote file system
 to be automounted on /site/hostname/partition/.
 
-This package depend on pam_python from
+This package depends on pam_python from
 http://www.stuart.id.au/russell/files/pam_python
 
 Submit patches to debian-edu@lists.debian.org.
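Review bot: The context line after the corrected "This package depends on pam_python from" sentence still sends readers to an upstream download over plain http://, while debian/control already depends on the packaged libpam-python. Suggest referring to the Debian package in the README and keeping the upstream link as a reference only, so nobody installs the PAM module from an unauthenticated download.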
