Using pam_group results in: pam_group(lightdm:setcred): unable to set the group membership for user: operation not permitted

Bug #880104 reported by david.barbion
Affects                Status        Importance  Assigned to  Milestone
Light Display Manager  Fix Released  Medium      Unassigned
lightdm (Ubuntu)       Fix Released  Medium      Unassigned

Bug Description

I have configured many computers to authenticate through an openldap server. To be able to be admin on each computer, I use the pam_group feature to select additional groups for the user (/etc/security/group.conf).
Logging in directly on the console gives me good group membership (the one defined in group.conf), but logging in from lightdm results in an error message in auth.log:
pam_group(lightdm:setcred): unable to set the group membership for user: operation not permitted.

Of course, the group membership is not set as it should.

Revision history for this message
Julian Clark (julian.clark) wrote :

I am using Oneiric (11.10). I am setting up desktop computers to use MIT Kerberos for authentication, and OpenLDAP to provide the system with user account information. Like the original poster, I have been experiencing group membership problems when logging in via LightDM, but not from the console. I tested the same against a local machine user account. In /etc/group.conf, I set up group membership for the local account's local group to another local group (I used irc -- GID 39). The pam_group module works properly when logging into a console (irc shows up as a group when executing groups and id), but it does not work when logging in via LightDM.

Just to make sure I had covered all of my bases, I installed GDM and tried to duplicate the problem with group membership. The problem did not exist in GDM like it does in LightDM. I even tried KDM, XDM, and WDM, with each working properly. It would appear that LightDM needs to be updated to work properly with pam_group. For now, I will use GDM.

Stefan Draheim (s-draheim) wrote :

I can commit the behavior posted by Julian Clark absolutely.
Working fine on Kubuntu, not working with LightDM but on the same machine with console login.

Chadarius (csutton-chadarius) wrote :

I have exactly the same issue. LightDM does not add users to local groups based on the rules in /etc/security/group.conf. You only get groups from the LDAP directory. However, if you log in with ssh to the same workstation you get all the local groups from the group.conf file just fine.

I guess I'll just switch to KDM or GDM until this gets fixed. It works fine to use KDM for the login and still select Unity for the desktop. All my groups appear properly when I do that.

tags: added: css-sponsored-p rls-mgr-p-tracking
Changed in lightdm:
status: New → Confirmed
Etienne Goyer (etienne-goyer-outlands) wrote :

Marking confirmed. It is actually pretty trivial to reproduce, no need for a network directory (such as LDAP) for that.

Steps to reproduce:

1. Create a dummy group to test:

$ sudo addgroup test

2. Configure pam_group:

$ echo "*; *; *; Al0000-2400" | sudo tee -a /etc/security/group.con
$ echo "auth optional pam_group.so" | sudo tee -a /etc/pam.d/common-auth

3. Log in through LightDM, and run the "id" command from a terminal. Notice you are not a member of group "test".

4. Switch to a VT using Ctrl-Alt-F1 and log in (or, alternatively, log in through ssh). Run the "id" command, and notice you *are* a member of group "test".

Tested on precise, amd64, lightdm 1.1.1-0ubuntu4.

Changed in lightdm (Ubuntu):
status: New → Confirmed
Thomas Bushnell, BSG (tbushnell) wrote :

Has any progress happened on this bug? It turns out it's even more important to us than we initially realized; we rely on it to add users to the "fuse" and "cdrom" groups; being absent from those groups causes real inconvenience.

Steve Langasek (vorlon)
Changed in lightdm (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Medium
Robert Ancell (robert-ancell) wrote :

Could you please test this in lightdm 1.1.6 (precise)? There has been a change to the way PAM is handled that should resolve this issue.

Changed in lightdm:
status: Confirmed → Incomplete
Changed in lightdm (Ubuntu):
status: Triaged → Incomplete
Changed in lightdm:
importance: Undecided → Medium
Thomas Bushnell, BSG (tbushnell) wrote :

We no longer see the error message, but pam_group is still not setting the groups we need it to set.

Changed in lightdm:
status: Incomplete → Confirmed
Changed in lightdm (Ubuntu):
status: Incomplete → Confirmed
david.barbion (david-barbion) wrote :

Just installed a 12.04 test VM and I still get the error message in /var/log/auth.log:
Mar 8 23:50:00 lightdm-test lightdm: pam_group(lightdm:setcred): unable to set the group membership for user: Operation not permitted

I also get an error message about the ldap server not being available:
Mar 8 23:50:01 lightdm-test dbus[736]: nss_ldap: could not search LDAP server - Server is unavailable
However, I managed to connect via ssh to the VM and I get all my additional groups...

I suspect a change in pam handling as "su - " does not get the group anymore... quite strange...
lightdm and su can't fetch my groups whereas ssh can...

I can post my pam files if needed.

tags: added: rls-p-tracking
Michael Terry (mterry) wrote :

Etienne, thanks for the great reproduction steps. One correction on them though:

$ echo "*; *; *; Al0000-2400" | sudo tee -a /etc/security/group.con

should be:

$ echo "*; *; *; Al0000-2400;test" | sudo tee -a /etc/security/group.conf
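A small check that follows from the reproduction steps and the corrected group.conf line above: it parses group.conf rules and reports which granted groups the current session lacks. This is an added example, not lightdm's or Linux-PAM's code; the sample rules, the user "alice" and the simplifications (only '*' or exact names in the services/users fields, the time field assumed to match) are assumptions of the example.

```python
"""Check which pam_group-granted groups a session is missing (constructed
example, not lightdm's or Linux-PAM's code). It parses the
'services; ttys; users; times; groups' lines of /etc/security/group.conf and
compares the groups a rule grants with the session's groups from `id -nG`.
Assumptions: services/users fields hold '*' or exact comma-separated names,
the time field (e.g. Al0000-2400) always matches, '!', '|', '&' are unhandled."""
import subprocess

# Constructed group.conf content: the corrected line from the thread plus a
# lightdm-only rule for the "fuse" and "cdrom" groups mentioned above.
SAMPLE_GROUP_CONF = """
# services; ttys; users; times; groups
*; *; *; Al0000-2400; test
lightdm; *; alice; Al0000-2400; fuse,cdrom
"""

def parse_group_conf(text):
    """Return one dict per well-formed rule; malformed lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:  # e.g. the original line that lacked the groups field
            continue
        services, _ttys, users, _times, groups = fields
        rules.append({"services": services.split(","), "users": users.split(","),
                      "groups": [g for g in groups.split(",") if g]})
    return rules

def field_matches(patterns, value):
    return any(p == "*" or p == value for p in patterns)

def expected_groups(rules, service, user):
    """Groups pam_group would add for this PAM service name and user."""
    wanted = set()
    for rule in rules:
        if field_matches(rule["services"], service) and field_matches(rule["users"], user):
            wanted.update(rule["groups"])
    return wanted

def missing_groups(rules, service, user, current_groups):
    """Sorted list of granted groups absent from the session's group list."""
    return sorted(expected_groups(rules, service, user) - set(current_groups))

def session_groups():
    """Supplementary groups of the running session, as printed by `id -nG`."""
    out = subprocess.run(["id", "-nG"], capture_output=True, text=True, check=True)
    return out.stdout.split()
```

In a LightDM session, `missing_groups(parse_group_conf(open("/etc/security/group.conf").read()), "lightdm", username, session_groups())` returns the groups that pam_group should have added but the session does not hold; an empty list means the fix is in effect.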

Michael Terry (mterry) wrote :

In my testing with those reproduction steps, PAM's debug output says the module is running and adding the test group to the list of groups. So I'm guessing something lightdm is doing resets the group list at some point past that.

Robert Ancell (robert-ancell) wrote :

The issue was that lightdm was calling initgroups after pam_setcred had been called - thus any group changes in pam_setcred were not retained. This is fixed in lightdm 1.1.9.

Changed in lightdm (Ubuntu):
status: Confirmed → Fix Committed
Changed in lightdm:
status: Confirmed → Fix Committed
tags: removed: rls-p-tracking
Changed in lightdm:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.1.9-0ubuntu1

---------------
lightdm (1.1.9-0ubuntu1) precise; urgency=low

  [ Gunnar Hjalmarsson ]
  * debian/guest-account: Add trailing '/' to the line
    "gs_skel=/etc/guest-session/skel" (LP: #956152).

  [ Robert Ancell ]
  * New upstream release:
    * Add --show-users/--hide-users to lightdm-set-defaults
    * Call initgroups before pam_setcred - this allows pam_setcred to change
      group membership correctly (LP: #880104)
 -- Robert Ancell <email address hidden> Thu, 22 Mar 2012 16:48:59 +1100

Changed in lightdm (Ubuntu):
status: Fix Committed → Fix Released
Thomas Bushnell, BSG (tbushnell) wrote :

Fix works for us.
