Darren S.
2016-Mar-21 07:36 UTC
[LightDM] Configuration to support login restrictions with pam_time(8)
Greetings, Debian GNU/Linux 8.3 (jessie) lightdm 1.10.3-3 lightdm-gtk-greeter 1.8.5-2 I currently have a configuration in place using pam_time(8) to enforce user login times at the Linux console (i.e. against the PAM login(1) service). This entry works in this case: # /etc/pam.d/login account requisite pam_time.so I've fiddled with various ways of trying to get a similar configuration working with LightDM but either of these results occur: 1. Attempted configuration does nothing, users can still log in to desktop sessions via LightDM even though prohibited at text console 2. Attempted configuration breaks PAM stack (or something), causing errors such as the following when attempting to log in: Mar 17 18:56:34 finn lightdm: PAM unable to resolve symbol: pam_ms_open_session Mar 17 18:56:34 finn lightdm: PAM unable to resolve symbol: pam_sm_close_session Mar 17 19:02:40 finn lightdm: PAM unable to resolve symbol: pam_sm_authenticate Mar 17 19:02:40 finn lightdm: PAM unable to resolve symbol: pam_sm_setcred When a user successfully authenticates with LightDM, the following is logged: Mar 20 16:23:52 finn lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm Mar 20 16:23:52 finn lightdm: pam_unix(lightdm:session): session opened for user testuser by (uid=0) Mar 20 16:23:52 finn systemd-logind[14701]: New session 3781 of user testuser. Does this indicate that the pam_time configuration for lightdm needs to use the 'session' management group rather than the 'account' group, as login did? Can anyone suggest the correct configuration for /etc/pam.d/lightdm (including ordering) to set this up? Thanks - -- Darren Spruell phatbuckett at gmail.com