Open schorschii opened 3 years ago
For fast reproduction, here are my configs (using Samba for domain join and SSSD for authentication). We're using an Active Directory server.
apt install krb5-user libpam-krb5 samba sssd libnss-db nss-updatedb libpam-ccreds
# join the domain using a domain admin account
net ads join -U <admin-username>
# Enable the PAM configs
pam-auth-update --package
# Reload the SSSD config
systemctl daemon-reload
systemctl enable sssd
systemctl start sssd
After everything is set up, you can set the checkbox "User must change password at next login" on the AD server to reproduce the issue (sorry, I only have a German screenshot).
In Ubuntu 20.04 with GDM, the password fields are displayed successively, which is a fine solution. After logging in with the old password, one password box is shown which says "Choose a new Password":
After pressing enter, the confirmation password box is shown:
Got new insights. The package libpam-krb5 was the issue. If it is installed, it handles the login and the "Repeat New Password" field is displayed below "New Password" (and therefore not entirely visible). It turns out that this package is not necessary for this setup, since we want SSSD to do the authentication and obtaining Kerberos tickets. So I simply uninstalled it and now SSSD handles the login. And SSSD displays the "New Password" and "Repeat New Password" fields successively, as seen on Ubuntu.
I'm now closing the issue since SSSD is probably the better solution for authenticating against AD and the problem is gone, at least for my setup. But the issue is still present: the greeter should handle such situations with two text fields at the same time correctly in case somebody really wants to use libpam-krb5 for authentication.
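To check which of the two modules a machine's PAM stack will reach first, as in the libpam-krb5 versus SSSD situation described above, the stack order can be listed. This is an added example, not part of the original issue: the function names are hypothetical, the sample stack is constructed, and it assumes the Debian/Ubuntu layout where pam-auth-update writes /etc/pam.d/common-auth and /etc/pam.d/common-password.

```shell
#!/bin/sh
# Added example: list the modules of one PAM management group in stack order.

# pam_stack_modules FILE TYPE  -> one module name per line, in stack order
pam_stack_modules() {
    awk -v type="$2" '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        $1 == type || $1 == ("-" type) {          # "-auth" marks an optional module
            i = 2                                 # the control field starts here
            # a bracketed control such as [success=2 default=ignore] spans fields
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            print $(i + 1)
        }' "$1"
}

# first_krb_or_sss FILE TYPE -> whichever of pam_krb5.so / pam_sss.so comes first
first_krb_or_sss() {
    pam_stack_modules "$1" "$2" | awk '/^pam_(krb5|sss)\.so$/ { print; exit }'
}

# Constructed sample, shaped like a generated stack with both libpam-krb5 and
# libpam-sss enabled (assumption; not taken from the original issue).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample
auth     [success=3 default=ignore]  pam_krb5.so minimum_uid=1000
auth     [success=2 default=ignore]  pam_unix.so nullok try_first_pass
auth     [success=1 default=ignore]  pam_sss.so use_first_pass
auth     requisite                   pam_deny.so
auth     required                    pam_permit.so
password [success=3 default=ignore]  pam_krb5.so minimum_uid=1000
password [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass
password sufficient                  pam_sss.so use_authtok
password requisite                   pam_deny.so
password required                    pam_permit.so
EOF

for t in auth password; do
    echo "$t stack: $(pam_stack_modules "$SAMPLE" "$t" | tr '\n' ' ')"
    echo "first of krb5/sss in $t: $(first_krb_or_sss "$SAMPLE" "$t")"
done
```

On a real machine, pass /etc/pam.d/common-auth or /etc/pam.d/common-password instead of the sample file.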
Side note for users who may use my instructions for joining their Linux machines into their domains: meanwhile, I recommend using adcli for the domain join (instead of Samba as described before). This is the more modern and lightweight solution.
apt install krb5-user adcli sssd-ad libnss-sss libpam-sss
adcli join -U <admin-username> your-domain.com
I think I should reopen this. Forget about the domain join things, you can break the greeter layout even with standard Linux tools: use chage to expire your local account password. Then log in on LightDM and you will be asked to change your password, but the text field is again not entirely visible since there are now 2 text lines above the password field:
Issue
I'm testing Mint with the Cinnamon desktop for use in our company and encountered the following problem.
If a domain account password is expired, you will be prompted to choose a new password. You have to enter the new password twice to eliminate typos. Unfortunately, the second text box for password confirmation is not visible. You can only use the tab key to focus it, enter your new password and press enter to finish the login process.
After tab is pressed, the second password box is focused:
Steps to reproduce
Configure domain logon via sssd and try to log in with a domain account with an expired password.
Expected behaviour
Second password text box should be visible for the user.