Configuration to support login restrictions in LightDM with pam_time(8)
Greetings,
Debian GNU/Linux 8.3 (jessie)
lightdm 1.10.3-3
lightdm-gtk-greeter 1.8.5-2
I currently have a configuration in place using pam_time(8) to enforce
user login times at the Linux console (i.e. against the PAM login(1)
service). This entry works in this case:
# /etc/pam.d/login
account requisite pam_time.so
I've fiddled with various ways of trying to get a similar
configuration working with LightDM but either of these results occur:
1. Attempted configuration does nothing, users can still log in to
desktop sessions via LightDM even though prohibited at text console
2. Attempted configuration breaks PAM stack (or something), causing
errors such as the following when attempting to log in:
Mar 17 18:56:34 finn lightdm: PAM unable to resolve symbol: pam_ms_open_session
Mar 17 18:56:34 finn lightdm: PAM unable to resolve symbol: pam_sm_close_session
Mar 17 19:02:40 finn lightdm: PAM unable to resolve symbol: pam_sm_authenticate
Mar 17 19:02:40 finn lightdm: PAM unable to resolve symbol: pam_sm_setcred
When a user successfully authenticates with LightDM, the following is logged:
Mar 20 16:23:52 finn lightdm: pam_unix(lightdm-greeter:session):
session closed for user lightdm
Mar 20 16:23:52 finn lightdm: pam_unix(lightdm:session): session
opened for user testuser by (uid=0)
Mar 20 16:23:52 finn systemd-logind[14701]: New session 3781 of user testuser.
Does this indicate that the pam_time configuration for lightdm needs
to use the 'session' management group rather than the 'account' group,
as login did?
Can anyone suggest the correct configuration for /etc/pam.d/lightdm
(including ordering) to set this up?
Thanks -
--
Darren Spruell
phatbuckett@gmail.com
Reply to: