Enterprise user can't unlock any Chromebook |
||||||||||
Issue descriptionChromeOS version: 64.0.3282.167 Sample of ChromeOS device model: ThinkPad 11e Chromebook 3rd Gen Case#: 14983993 User account info: https://drive.google.com/open?id=1_faU_guX-uyzi09S91iBBBT1fSwAt-EOwRHhmscC0yI Description: A user cannot log into any Chromeobook after it falls asleep with the user account. -Steps to reproduce: 1.Log into a device without issue.(they are using SSO with Active Directory) 2.Log out and log in as many times as you want. 3.Wait for the device to go to sleep or close the lid to force it. 4.Try to log in again by the same user account and an error message comes up “Sorry, your password still could not be verified..” (Screenshot: https://drive.google.com/open?id=158n0w6ZOr6g4oytej25G3adTYvnFJXYn) 5.Restart the device and the issue goes away until the device falls asleep again. -Current Behavior / Reproduction: Can't log in after waking up the device. -Expected Behavior: To be able to log in after waking up the device -Timeframe when issue started: the customer is not sure about the exact date, but it started in December. - Does it affect all devices? : Yes, Any device the user tries. - Does it affect all users?: No, only this use. -Troubleshooting steps taken: *Reset password from AD. *Changed sign-in screen policy and to removed existing users from Chromebook. *The customer has own Chromebook at home and could reproduce the same login issue from the user’s home network. *Tried different OU . *Checked if proxy settings haven't changed. *Checked extensions and remove unnecessary ones. *Reset Chrome settings and Chrome sync. - Existing Workaround: Restart the device. -Drive link to logs 1: (-Sign-in screen policy changed to 'Show username and photos' ) -Time stamps: 20180306 around 1442 14:36 logged into device. (Device info: 14:37 restarted device 14:37 logged out of device 14:38 removed user 14:38 logged into device 14:39 put device to sleep 14:40 typed password to wake up x2 14:41 clicked "Add Person" in order to be able to log in. 14:42 ran report Captured debug log: https://drive.google.com/open?id=1KqkhMJwiudHNiLmzYtu7jphOnH8m1Awo Plicy: JSON:https://drive.google.com/open?id=1hpC5rF4N2hRb1j4KiaUyiFTmXN07xUkO PDF:https://drive.google.com/open?id=1GGKbEZGX-TBu4LZJaqPt0NlAGyhWcWBM —— Drive link to logs 2: -Time stamps: 20180221 around 12:53. 12:51 logged into device 12:53 tried to wake up device from sleep typed password twice restarted. Captured debug log: https://drive.google.com/open?id=1yN_2BTXigCxzhwNbxcPJeP0MG64egGFr similar errors: crbug.com/792800 debug-logs_20180306-144249 Messages 2018-03-06T14:33:29.782960-07:00 INFO kernel: [ 1.527507] device-mapper: init: dm-0 is ready 2018-03-06T14:33:29.782963-07:00 ERR kernel: [ 1.533641] EXT4-fs (dm-0): couldn't mount as ext3 due to feature incompatibilities 2018-03-06T14:33:29.782966-07:00 INFO kernel: [ 1.534115] EXT4-fs (dm-0): mounting ext2 file system using the ext4 subsystem 2018-03-06T14:33:29.782976-07:00 INFO kernel: [ 1.537262] EXT4-fs (dm-0): mounted filesystem without journal. Opts: (null) 2018-03-06T14:33:29.782982-07:00 INFO kernel: [ 1.537307] VFS: Mounted root (ext2 filesystem) readonly on device 253:0. --- chrome_20180306-143331 [1356:1356:0306/143358.886116:VERBOSE1:webui_login_display.cc(109)] Show error, error_id: 6127, attempts:1, help_topic_id: 188036 [1356:1356:0306/143358.886178:ERROR:core_oobe_handler.cc(195)] CoreOobeHandler::ShowSignInError: error_text=Sorry, your password could not be verified. Please try again. Hit Control-Shift-Space to switch keyboard layout. [1356:1356:0306/143358.901530:ERROR:base_screen_handler_utils.cc(71)] Failed to deserialize, parse as email, valid=1 Please let us know if you need additional info from the customer.
,
Mar 8 2018
,
Mar 8 2018
Is suspend/resume required to trigger the issue, or does it also occur if the user just locks the screen using Search+L?
,
Mar 8 2018
With adfs saml so at play, I suspect the offline password is not getting set properly and thus unlock is failing. Are they using two factor adfs authentication? Can we get a cider if the initial login and then unlock? Test credentials would of course be ideal.
,
Mar 8 2018
Actually if it's only the one user then the issue may be specific to that user's password. Do they have any special non-ASCII characters in their password?
,
Mar 8 2018
Roman is taking a look. To prevent confusion, this is not Chromad related; the Chromebook is not Active Directory managed. This is a regular cloud managed Chromebook with SAML logon and ADFS as IDP. If the offline password hadn't been set, I'd assume that online logon would ask for the cryptohome password. Is that the case? Can they try to reset their password to a simple ASCII password and see if that reproduces the issue? If not, can they provide a password that DOES reproduce their issue (of course not theirs, but with similar special characters)?
,
Mar 9 2018
We have recived the answers from the the customer. Q1:Is suspend/resume required to trigger the issue, or does it also occur if the user just locks the screen using Search+L? A1:I was still unable to wake the device up after using search+L to lock the screen. Q2:Do they have any special non-ASCII characters in their password? (If possible let us know without sharing the user's passwords how many letters numbers and special characters the password has) A2:No. The special characters in my password are !&. All other characters are letters or numbers. 4 numbers, 4 letters, 2 special characters. Q3:Are you using two factor adfs (Active Directory Federation Services) authentication? A3:I do not know. (the end user is not tech engineer so they do not know) Please let us know if you need addtinal infomaton from the csutomer.
,
Mar 9 2018
Thanks, sounds unrelated to power.
,
Jun 6 2018
Does login from the user pod work? I mean login/logout and then login back from the user pod.
,
Jun 6 2018
Hey, Andrey. I guess the cryptohomed messages mean that password is wrong? 2018-03-06T14:33:58.883492-07:00 ERR cryptohomed[1592]: TPM error 0x21 (Decryption error): Error calling Tspi_Data_Unbind 2018-03-06T14:33:58.883709-07:00 ERR cryptohomed[1592]: The TPM failed to unwrap the intermediate key with the supplied credentials 2018-03-06T14:33:58.883859-07:00 ERR cryptohomed[1592]: Failed to decrypt any keysets for 2c089bf5ed4b5523208a22e15543244506ace22a
,
Jun 7 2018
Yes, those lines are printed if the user password was wrong. Do you know if they are for unlock attempt? (I haven't looked at the logs yet.) There can be other reasons for those lines (like corrupted disk, failure to properly load cryptohome key after sleep etc), but given that it happens to a specific user on several devices, but not to other users on the same device, those other reasons don't seem to apply here. Note that screen unlock (after sleep) and sign-in may use different mechanisms for checking the user password. SSO with AD mentioned in description for sign-in, while unlock seems to rely on direct password. In fact, when a user signs in with a password, Chrome OS memorizes a secret derived from that password. So, when later a password is given to unlock, the OS first doesn't even attempt to use TPM and just checks if the provided password leads to the same secret. If that was the case, those lines from #10 wouldn't have appeared in the log for unlock. But if some alternative mechanism was used for sign-in, when a direct password is actually used for unlock, it needs to go the full sign-in route through the TPM. And it might be the first time the password is tried that way. So, can it be some unsync between the password in AD and the password set on the device, e.g. local passwords not updated from AD after being changed there?
,
Jun 12 2018
Hey Andrey, thanks for the answer! I looked closely at logs according to the 1st scenario (from original desc) // First login: [4223:4223:0306/143855.398166:ERROR:device_event_log_impl.cc(156)] [14:38:55.398] Login: homedir_methods.cc:274 HomedirMethods MountEx error (CryptohomeErrorCode): 1 [4223:4223:0306/143855.398283:ERROR:device_event_log_impl.cc(156)] [14:38:55.398] Login: cryptohome_authenticator.cc:932 Cryptohome failure: state(AuthState)=1, code(cryptohome::MountError)=32 2018-03-06T14:38:56.465003-07:00 INFO session_manager[4201]: [INFO:session_manager_impl.cc(632)] Starting user session 2018-03-06T14:38:56.500393-07:00 INFO chapsd[1272]: Importing opencryptoki objects. 2018-03-06T14:38:56.500508-07:00 WARNING chapsd[1272]: Did not find any opencryptoki objects to import. 2018-03-06T14:38:56.502348-07:00 INFO chapsd[1272]: Slot 1 ready for token at /home/root/2c089bf5ed4b5523208a22e15543244506ace22a/chaps 2018-03-06T14:38:56.504251-07:00 INFO cryptohomed[1635]: A Pkcs11_Init event got finished. 2018-03-06T14:38:56.504451-07:00 INFO cryptohomed[1635]: PKCS#11 initialization succeeded. 2018-03-06T14:38:56.504511-07:00 INFO chapsd[1272]: Initializing key hierarchy for token at /home/root/2c089bf5ed4b5523208a22e15543244506ace22a/chaps 2018-03-06T14:38:57.268690-07:00 INFO session_manager[4201]: [INFO:policy_service.cc(104)] Attempting to install new policy key. 2018-03-06T14:38:57.275873-07:00 INFO session_manager[4201]: [INFO:policy_service.cc(139)] Persisted policy key to disk. 2018-03-06T14:38:57.280354-07:00 INFO session_manager[4201]: [INFO:policy_store.cc(69)] Persisted policy to disk. // Problems with android container (probably not related) 2018-03-06T14:38:57.984814-07:00 ERR session_manager[4201]: [ERROR:libcontainer.cc(476)] Failed to unmount /run/containers/android_0OZciW/root/data: Device or resource busy 2018-03-06T14:38:57.985018-07:00 ERR session_manager[4201]: [ERROR:libcontainer.cc(476)] Failed to unmount /run/containers/android_0OZciW/root/data: Device or resource busy 2018-03-06T14:38:57.999609-07:00 ERR session_manager[4201]: [ERROR:container_manager_impl.cc(205)] Failed to clean up container android: No child processes 2018-03-06T14:38:58.699720-07:00 WARNING cryptohomed[1635]: RemoveKeyset: key to remove not found // Lock screen shown 2018-03-06T14:39:48.667439-07:00 INFO session_manager[4201]: [INFO:session_manager_impl.cc(861)] LockScreen() method called. 2018-03-06T14:39:48.748518-07:00 INFO session_manager[4201]: [INFO:session_manager_impl.cc(866)] HandleLockScreenShown() method called. // First attempt to unlock [4223:4223:0306/144010.148914:ERROR:views_screen_locker.cc(112)] Not implemented reached in virtual void chromeos::ViewsScreenLocker::SetPasswordInputEnabled(bool) 2018-03-06T14:40:10.155495-07:00 ERR cryptohomed[1635]: DecryptFinal Error: 101077092: digital envelope routines, EVP_DecryptFinal_ex, bad decrypt 2018-03-06T14:40:10.867109-07:00 ERR cryptohomed[1635]: TPM error 0x21 (Decryption error): Error calling Tspi_Data_Unbind 2018-03-06T14:40:10.867241-07:00 ERR cryptohomed[1635]: The TPM failed to unwrap the intermediate key with the supplied credentials [4223:4223:0306/144010.868402:ERROR:extended_authenticator_impl.cc(317)] Supervised user cryptohome error, code: 2 [4223:4223:0306/144010.868683:ERROR:views_screen_locker.cc(112)] Not implemented reached in virtual void chromeos::ViewsScreenLocker::SetPasswordInputEnabled(bool) [4223:4223:0306/144010.868901:ERROR:login_screen_controller.cc(69)] Not implemented reached in virtual void ash::LoginScreenController::ShowErrorMessage(int32_t, const std::string &, const std::string &, int32_t) // Second attempt to unlock [4223:4223:0306/144015.086708:ERROR:views_screen_locker.cc(112)] Not implemented reached in virtual void chromeos::ViewsScreenLocker::SetPasswordInputEnabled(bool) 2018-03-06T14:40:15.090266-07:00 ERR cryptohomed[1635]: DecryptFinal Error: 101077092: digital envelope routines, EVP_DecryptFinal_ex, bad decrypt 2018-03-06T14:40:15.796101-07:00 ERR cryptohomed[1635]: TPM error 0x21 (Decryption error): Error calling Tspi_Data_Unbind 2018-03-06T14:40:15.796224-07:00 ERR cryptohomed[1635]: The TPM failed to unwrap the intermediate key with the supplied credentials [4223:4223:0306/144015.796957:ERROR:extended_authenticator_impl.cc(317)] Supervised user cryptohome error, code: 2 [4223:4223:0306/144015.797153:ERROR:views_screen_locker.cc(112)] Not implemented reached in virtual void chromeos::ViewsScreenLocker::SetPasswordInputEnabled(bool) [4223:4223:0306/144015.797328:ERROR:login_screen_controller.cc(69)] Not implemented reached in virtual void ash::LoginScreenController::ShowErrorMessage(int32_t, const std::string &, const std::string &, int32_t)
,
Jun 12 2018
2018-03-06T14:40:15.090266-07:00 ERR cryptohomed[1635]: DecryptFinal Error: 101077092: digital envelope routines, EVP_DecryptFinal_ex, bad decrypt I wonder if this was fixed by https://chromium-review.googlesource.com/c/chromium/src/+/1052381
,
Jun 12 2018
Yes, given comment #10 the CL in #13 may indeed fix this issue - it'd be good to have a local repo to verify, but that CL changes the way we submit the password to cryptohome to be more compatible with what we did in the past.
,
Aug 3
This bug has an owner, thus, it's been triaged. Changing status to "assigned".
,
Sep 10
Hi Team, Do we have an update on this? I have a customer that seems to be affected by this issue: Debug logs: https://drive.google.com/open?id=1jyI7wRR0TXv9rq28XkeKylaxBFzvbtDG Time reproduced: approx. 8:40am Central on 9/10/18 Issue continues to happen after updating to version 68
,
Sep 11
Is this affecting both pods screen and lock screen? I see the same errors in logs as it was before. apronin@, jdufault@, anything user could do to help us debug? Maybe verbose logs?
,
Sep 13
This happens when the device goes to sleep or when user manually locks the device. Please let me know if more information is needed.
,
Oct 12
,
Dec 12
Are user still having problems with this? |
||||||||||
►
Sign in to add a comment |
||||||||||
Comment 1 by ka...@chromium.org
, Mar 8 2018Components: -Internals>Logging Services>SignIn OS>Kernel>Power Enterprise