XFCE screen locker fails to unlock for YP/NIS users on Ubuntu 24 despite correct password

Question

I'm running a NIS/YP setup for login credentials using a Debian 12 server. I have a few dozen clients running Ubuntu 24.04. Most users are using either the default GNOME although a few are running XFCE. Since a few days the XFCE users are having problems unlocking the screen after the screensaver (lock screen) switched on. When typing the password, it is consistently rejected as being the wrong password (but it's not). That is, users are locked out once the screen locker has been switched on. Choosing switch user and trying to login again as the same user also fails.

The problem is reproducible across multiple clients, multiple users (including a newly created account on the NIS server) and is not due to the wrong password. Indeed, when switching to another TTY, the user can still login. Similarly, logging in on the client using SSH works just fine. Additionally, when these users login using the default Ubuntu GNOME, unlocking the screen works like usual. It seems to be confined to xfce. The hosts are not running lightdm and not using light-locker. It's the default xfce4 screensaver.

To further probe this I tried the same thing using a newly created local account. In this case unlocking the screen works just fine. My conclusion therefore is that it is related to the combination of XFCE4, Ubuntu 24, and NIS/YP.

When running journalctl -f in a parallel SSH session while trying to unlock the screen I get the following

Sep 25 17:04:17 <hostname> unix_chkpwd[3564]: check pass; user unknown
Sep 25 17:04:17 <hostname> unix_chkpwd[3564]: password check failed for user (<username>)
Sep 25 17:04:17 <hostname> xfce4-screensaver-dialog[3454]: pam_unix(xfce4-screensaver:auth): authentication failure; logname=<username> uid=1071 euid=1071 tty=:1.0 ruser= rhost=  user=<username>

where I've replaced the host and user names by <hostname> and <username>, respectively. I've tried googling this but get fairly old results and nothing that seems relevant to my setup.

Any suggestions how to pursue?

Edit: I tried to trace this down further and checked automatic package upgrades. The Ubuntu machines are running unattended-upgrades and when I try to narrow it down the following updates seem to have occurred before this problem started occurring:

Start-Date: 2025-09-24  06:13:30
Commandline: /usr/bin/unattended-upgrade
Upgrade: linux-tools-common:amd64 (6.8.0-83.83, 6.8.0-84.84), linux-libc-dev:amd64 (6.8.0-83.83, 6.8.0-84.84)
End-Date: 2025-09-24  06:13:32

Start-Date: 2025-09-24  06:13:34
Commandline: /usr/bin/unattended-upgrade
Upgrade: libpam-runtime:amd64 (1.5.3-5ubuntu5.4, 1.5.3-5ubuntu5.5), libpam-modules:amd64 (1.5.3-5ubuntu5.4, 1.5.3-5ubuntu5.5), libpam-modules-bin:amd64 (1.5.3-5ubuntu5.4, 1.5.3-5ubuntu5.5), libpam0g:amd64 (1.5.3-5ubuntu5.4, 1.5.3-5ubuntu5.5)
End-Date: 2025-09-24  06:13:36
Start-Date: 2025-09-24  06:13:38
Commandline: /usr/bin/unattended-upgrade
Upgrade: libc6:amd64 (2.39-0ubuntu8.5, 2.39-0ubuntu8.6), locales:amd64 (2.39-0ubuntu8.5, 2.39-0ubuntu8.6), libc-dev-bin:amd64 (2.39-0ubuntu8.5, 2.39-0ubuntu8.6), libc-bin:amd64 (2.39-0ubuntu8.5, 2.39-0ubuntu8.6), libc-devtools:amd64 (2.39-0ubuntu8.5, 2.39-0ubuntu8.6), libc6-dbg:amd64 (2.39-0ubuntu8.5, 2.39-0ubuntu8.6), libc6-dev:amd64 (2.39-0ubuntu8.5, 2.39-0ubuntu8.6), nscd:amd64 (2.39-0ubuntu8.5, 2.39-0ubuntu8.6)
End-Date: 2025-09-24  06:13:54
Start-Date: 2025-09-24  06:13:56
Commandline: /usr/bin/unattended-upgrade
Upgrade: python3-pip-whl:amd64 (24.0+dfsg-1ubuntu1.2, 24.0+dfsg-1ubuntu1.3), python3-pip:amd64 (24.0+dfsg-1ubuntu1.2, 24.0+dfsg-1ubuntu1.3)
End-Date: 2025-09-24  06:13:58

My best guess is that it's related to the libpam-updates, but I still don't know how to proceed here. Any suggestions would be appreciated.

I don't have much to offer except to note that the jammy libpam-modules package lists libnsl2 as a dependency, whereas noble libpam-modules doesn't - possibly as a result of Factor out NIS support from pam_unix to a separate module. — steeldriver, Sep 26 '25 at 21:01
Thanks for the suggestion. I have libnsl2 installed as well, doesn't seem to make a difference. — deedcee, Sep 29 '25 at 15:20

score 0 · Answer 1 · answered Sep 29 '25 at 15:57

I came across this discussion on PAM authentication problems on the unix stackexchange:

https://unix.stackexchange.com/questions/422411/pam-authentication-failure-with-valid-password

The intricacies of PAM are beyond me, but adding a privilege bit to the user permission on /sbin/unix_chkpwd seems to solve it. That is, running the following (as root) fixed the problem:

chmod u+s /sbin/unix_chkpwd

I also checked on yet another Ubuntu workstation that got Ubuntu installed from scratch on Friday (2025-09-26) and here the privilege bit was set correctly and the problem does not occur. The previous workstations, where this problem has manifested, had Ubuntu 24.04 installed (from scratch) during July 2025. So, presumably, as a consequence of package upgrades, the privilege bit has changed on those workstations installed in July.

I'm still quite perplexed by what's going on so if anyone can contribute an explanation that would be appreciated. Some outstanding questions:

What's the role of the privilege bit?
Why is this problem only occurring for NIS users and not for local users?
Why is this problem not occurring when using GNOME and the GNOME screensaver?

XFCE screen locker fails to unlock for YP/NIS users on Ubuntu 24 despite correct password

1 Answers1