linuxmint / slick-greeter

A slick-looking LightDM greeter
GNU General Public License v3.0

Password field not entirely visible when password is expired and should be changed #184

Open schorschii opened 3 years ago

schorschii commented 3 years ago
 * slick-greeter version: slick-greeter 1.5.2
 * Distribution: Mint 20.1
 * Graphics hardware: Intel onboard graphics
 * 64 bit

Issue

I'm testing Mint with the Cinnamon desktop for use in our company and encountered the following problem.

If a domain account password is expired, you will be prompted to choose a new password. You have to enter the new password twice to eliminate typos. Unfortunately, the second text box for password confirmation is not visible. You can only use the tab key to focus it, enter your new password and press enter to finish the login process.

(screenshot: 2021-03-29_15-25)

After Tab is pressed, the second password box is focused: (screenshot: 2021-03-29_15-25_1)

Steps to reproduce

Configure domain logon via sssd and try to log in with a domain account with an expired password.

Expected behaviour

The second password text box should be visible for the user.

schorschii commented 3 years ago

For fast reproducing, here are my configs (using Samba for domain join and SSSD for authentication). We're using an Active Directory server.

```sh
apt install krb5-user libpam-krb5 samba sssd libnss-db nss-updatedb libpam-ccreds
```

/usr/share/lightdm/lightdm.conf.d/50-domainlogin.conf
```ini
[SeatDefaults]
allow-guest=false
greeter-show-remote-login=false
greeter-show-manual-login=true
greeter-hide-users=true
```

/usr/share/pam-configs/ad
```
Name: AD user home management
Default: yes
Priority: 127
Session-Type: Additional
Session-Interactive-Only: yes
Session: required pam_mkhomedir.so skel=/etc/skel umask=0077
```

/usr/share/pam-configs/ad-groups
```
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth: required pam_group.so
```

/etc/samba/smb.conf
```ini
[global]
lock directory = /var/cache/samba
security = ads
workgroup = YOURDOMAIN
realm = YOUR-DOMAIN.COM
kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config * : range = 2000-3000
idmap config YOURDOMAIN:backend = ad
idmap config YOURDOMAIN:default = yes
idmap config YOURDOMAIN:schema mode = rfc2307
idmap config YOURDOMAIN:range = 10000-20000
idmap config YOURDOMAIN:unix_nss_info = yes
client use spnego = yes
client ntlmv2 auth = yes
load printers = no
domain master = no
local master = no
preferred master = no
os level = 0
# server string is the equivalent of the NT Description field
server string = %h server (Samba, Ubuntu)
```

/etc/sssd/sssd.conf
```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = YOUR-DOMAIN.COM

[pam]
offline_credentials_expiration = 365

[domain/YOUR-DOMAIN.COM]
id_provider = ad
access_provider = simple
sudo_provider = none
cache_credentials = true
entry_cache_timeout = 5400
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
skel_dir = /etc/skel
```

/etc/sudoers.d/domainadmins (only for giving sudo privileges to domain admins)
```
%Domain-Admins ALL=(ALL:ALL) ALL
```

/etc/krb5.conf
```ini
[libdefaults]
default_realm = YOUR-DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true

[realms]
YOUR-DOMAIN.COM = {
    kdc = server1.your-domain.com
    #kdc = server2.your-domain.com
    #kdc = server3.your-domain.com
    admin_server = server3.your-domain.com
    default_domain = your-domain.com
}

[domain_realm]
.your-domain.com = YOUR-DOMAIN.COM
your-domain.com = YOUR-DOMAIN.COM
```

```sh
# join the domain using a domain admin account
net ads join -U <admin-username>

# Enable the PAM configs
pam-auth-update --package

# Reload the SSSD config
systemctl daemon-reload
systemctl enable sssd
systemctl start sssd
```

After everything is set up, you can set the checkbox "User must change password at next login" on the AD server to reproduce the issue (sorry, I only have a German screenshot). (screenshot: ad)

schorschii commented 3 years ago

In Ubuntu 20.04 with GDM, the password fields are displayed successively, which is a fine solution. After logging in with the old password, one password box is shown which says "Choose a new Password": (screenshot: Bildschirmfoto vom 2021-04-07 17-13-47)

After pressing Enter, the confirmation password box is shown: (screenshot: Bildschirmfoto vom 2021-04-07 17-14-05)

schorschii commented 2 years ago

Got new insights. The package libpam-krb5 was the issue. If it is installed, it handles the login and the "Repeat New Password" field is displayed below "New Password" (and therefore not entirely visible). It turns out that this package is not necessary for this setup, since we want SSSD to do the authentication and obtaining Kerberos tickets. So I simply uninstalled it and now SSSD handles the login. And SSSD displays the "New Password" and "Repeat New Password" fields successively, as seen on Ubuntu. (screenshot: change-password-lightdm-sssd)

I'm now closing the issue since SSSD is probably the better solution for authenticating against AD and the problem is gone, at least for my setup. But the issue is still present: the greeter should handle such situations with two text fields at the same time correctly in case somebody really wants to use libpam-krb5 for authentication.


Side note for users who may use my instructions for joining their Linux machines into their domains: meanwhile, I recommend using adcli for the domain join (instead of Samba as described before). This is the more modern and lightweight solution.

```sh
apt install krb5-user adcli sssd-ad libnss-sss libpam-sss
adcli join -U <admin-username> your-domain.com
```

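The root cause named in the comment above is two password-change handlers in the same PAM stack: with libpam-krb5 installed next to sssd, pam-auth-update puts both pam_krb5 and pam_sss into the managed stacks, and pam_krb5 ends up driving the expired-password dialogue. The following is an added example, not code from the issue thread or from the slick-greeter project: a small shell check that lists the modules of a PAM stack file in stack order and flags the pam_krb5 + pam_sss combination in the password stack, so the state can be confirmed before and after uninstalling libpam-krb5. The two sample stacks embedded in it are constructed to resemble Debian/Ubuntu /etc/pam.d/common-password files and are not taken from the reporter's machine; the live-file check assumes that path.

```shell
#!/usr/bin/env bash
# Added example (not from the issue thread or slick-greeter): inspect a PAM
# stack for the pam_krb5 + pam_sss combination that produced the two-field
# password-change prompt. Sample stacks below are constructed, not real.

# pam_modules [TYPE] < stackfile
#   Print the module names (pam_krb5, pam_sss, ...) of the active lines of a
#   PAM stack read on stdin, in stack order. With TYPE given (auth, account,
#   password, session) only lines of that type are considered. Comments,
#   blank lines and @include lines are skipped. The control field may be a
#   bracketed expression containing spaces ("[success=1 default=ignore]"),
#   so the module is found as the first field ending in ".so", not by column.
pam_modules() {
  sed -e 's/#.*//' | awk -v type="$1" '
    NF == 0 { next }
    type != "" && $1 != type { next }
    {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /\.so$/) {
          sub(/.*\//, "", $i)   # drop a directory prefix if a full path is used
          sub(/\.so$/, "", $i)
          print $i
          break
        }
      }
    }'
}

# has_conflicting_password_handlers < stackfile
#   Exit 0 when both pam_krb5 and pam_sss appear among the "password" lines,
#   i.e. the state the reporter had with libpam-krb5 installed beside sssd.
has_conflicting_password_handlers() {
  mods=$(pam_modules password)
  printf '%s\n' "$mods" | grep -qx pam_krb5 &&
    printf '%s\n' "$mods" | grep -qx pam_sss
}

# Constructed sample: libpam-krb5 and sssd both installed, pam_krb5 first.
SAMPLE_WITH_KRB5=$(cat <<'EOF'
# /etc/pam.d/common-password - constructed sample
password    requisite                   /lib/security/pam_krb5.so minimum_uid=1000
password    [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass yescrypt
password    sufficient                  pam_sss.so use_authtok
password    requisite                   pam_deny.so
password    required                    pam_permit.so
EOF
)

# Constructed sample: libpam-krb5 removed, only pam_sss handles domain users.
SAMPLE_SSS_ONLY=$(cat <<'EOF'
# /etc/pam.d/common-password - constructed sample
password    [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass yescrypt
password    sufficient                  pam_sss.so use_authtok
# here is the fallback if no module succeeds
password    requisite                   pam_deny.so
password    required                    pam_permit.so
password    optional                    pam_gnome_keyring.so
EOF
)

# check_stack LABEL < stackfile : human-readable verdict for one stack.
check_stack() {
  if has_conflicting_password_handlers; then
    echo "$1: pam_krb5 AND pam_sss in the password stack (libpam-krb5 still installed?)"
  else
    echo "$1: single domain password handler"
  fi
}

# Stand-alone run: the live stack if present, then the two constructed samples.
if [ -r /etc/pam.d/common-password ]; then
  check_stack "live" < /etc/pam.d/common-password
fi
printf '%s\n' "$SAMPLE_WITH_KRB5" | check_stack "sample with pam_krb5"
printf '%s\n' "$SAMPLE_SSS_ONLY"  | check_stack "sample with pam_sss only"
```

Run it as an unprivileged user; /etc/pam.d/common-password is world-readable on Debian-based systems, so no root is needed. After `apt remove libpam-krb5` and `pam-auth-update`, the live verdict should change from the first message to the second.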
schorschii commented 2 years ago

I think I should reopen this. Forget about the domain join things, you can break the greeter layout even with standard Linux tools: use chage to expire your local account password. Then log in on LightDM and you will be asked to change your password, but the text field is again not entirely visible since there are now 2 text lines above the password field: (screenshot: Bildschirmfoto vom 2021-11-06 01-18-10)