#4069 pam_sss should reset PAM_USER based on use_fully_qualified_names option in sssd.conf
Closed: Fixed 4 years ago by sbose. Opened 4 years ago by sbose.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1718156

Description of problem:
Logging in with smartcard, there is no file for my user in
/var/lib/AccountsService/users/ after login.

pam_sss gets my username from my smart card and puts it on the pam stack in
fully qualified format:
a001329@ad.example.com

GDM debug log:
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: Enabling debugging
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
connecting to address: unix:abstract=/tmp/dbus-aSrXobDV
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: system OS is 'rhel'
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: system OS version is '8.0'
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
Failed to identify the current session: No data available
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: seat unloaded, so trying to set loaded property
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: Seat wouldn't load, so giving up on it and setting loaded
property
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: already loaded, so not setting loaded property
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
attempting to change state to SETUP_COMPLETE
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
initializing PAM; service=gdm-smartcard username=(null) seat=seat0
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'XDG_SEAT=seat0'
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
state SETUP_COMPLETE
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
attempting to change state to AUTHENTICATED
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
authenticating user (null)
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
1 new messages received from PAM
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
username is 'a001329@ad.example.com'
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
old-username='<unset>' new-username='a001329@ad.example.com'
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
setting username to 'a001329@ad.example.com'
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
attempting to load user settings
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: trying to track new user with username a001329@ad.example.com
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finding user 'a001329@ad.example.com' state 1
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finding user 'a001329@ad.example.com' state 2
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: Looking for user 'a001329@ad.example.com' in accounts service
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
received pam message of type 1 with payload 'PIN for Instant EID IP9'
Jun 05 14:06:23 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
trying to get updated username
Jun 05 14:06:23 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
PAM conversation returning 0: Success
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]:
pam_sss(gdm-smartcard:auth): authentication success; logname= uid=0 euid=0
tty=/dev/tty1 ruser= rhost= user=a001329@ad.example.com
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
state AUTHENTICATED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
trying to get updated username
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
username is 'a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
old-username='a001329@ad.example.com' new-username='a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: Found object path of user 'a001329@ad.example.com':
/org/freedesktop/Accounts/User60483
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finding user 'a001329@ad.example.com' state 3
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user 'a001329@ad.example.com' fetched
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user a001329 is now loaded
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user a001329 was not yet known, adding it
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: tracking user 'a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: not yet loaded, so not emitting user-added signal
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: no pending users, trying to set loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: already loaded, so not setting loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finished handling request for user 'a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: unrefing manager owned by fetch user request
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
attempting to change state to AUTHORIZED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
determining if authenticated user (password required:0) is authorized to
session
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
state AUTHORIZED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
attempting to change state to ACCREDITED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'LOGNAME=a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'USER=a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'USERNAME=a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'HOME=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'PWD=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'SHELL=/bin/bash'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable:
'PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
state ACCREDITED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
session display mode set to new-vt
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'XDG_SESSION_TYPE=x11'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'GDK_BACKEND=x11'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
attempting to change state to ACCOUNT_DETAILS_SAVED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
saving account details for user a001329@ad.example.com
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: trying to track new user with username a001329@ad.example.com
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finding user 'a001329@ad.example.com' state 1
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finding user 'a001329@ad.example.com' state 2
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: Looking for user 'a001329@ad.example.com' in accounts service
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: could not save
session and language settings
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
attempting to change state to SESSION_OPENED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'XDG_VTNR=7'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]:
pam_unix(gdm-smartcard:session): session opened for user a001329@ad.example.com
by (uid=0)
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
1 new messages received from PAM
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
username is 'a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
old-username='a001329@ad.example.com' new-username='a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
received pam message of type 4 with payload 'Last login: Wed Jun  5 13:59:23
CEST 2019 on tty7'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
PAM conversation returning 0: Success
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
state SESSION_OPENED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: Found object path of user 'a001329@ad.example.com':
/org/freedesktop/Accounts/User60483
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finding user 'a001329@ad.example.com' state 3
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user 'a001329@ad.example.com' fetched
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user a001329 is now loaded
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sessions changed (user a001329) num=0
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: no pending users, trying to set loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: already loaded, so not setting loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finished handling request for user 'a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GLib-GObject:
invalid uninstantiatable type '(null)' in cast to 'GObject'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GLib-GObject:
g_object_set_data: assertion 'G_IS_OBJECT (object)' failed
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: unrefing manager owned by fetch user request
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'LANG=en_GB.UTF-8'
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'GDMSESSION=gnome'
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'XDG_SESSION_DESKTOP=gnome'
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'DESKTOP_SESSION=gnome'
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'XDG_CURRENT_DESKTOP=GNOME'
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'GDM_LANG=en_GB.UTF-8'
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
start program: /usr/libexec/gdm-x-session  "gnome-session"
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
attempting to change state to SESSION_STARTED
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
opening user session with program '/usr/libexec/gdm-x-session'
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
jumping to VT 7
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
first setting graphics mode to prevent flicker
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
VT mode did not need to be fixed
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Trying script
/etc/gdm/PostLogin
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: script
/etc/gdm/PostLogin not found; skipping
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Trying script
/etc/gdm/PostLogin/Default
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: script
/etc/gdm/PostLogin/Default not found; skipping
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: no script found
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Trying script
/etc/gdm/PreSession
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: script
/etc/gdm/PreSession not found; skipping
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Trying script
/etc/gdm/PreSession/Default
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Running process:
/etc/gdm/PreSession/Default
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: HOME=/home/a001329
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: GROUP=id
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: RUNNING_UNDER_GDM=true
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: LOGNAME=a001329@ad.example.com
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: USERNAME=a001329@ad.example.com
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: PWD=/home/a001329
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: USER=a001329@ad.example.com
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: SHELL=/bin/bash
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Process exit
status: 0
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
session opened creating reply...
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
state SESSION_STARTED
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSession worker:
watching pid 30414
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30414]: Loading env vars
from /usr/share/gdm/env.d/flatpak.env
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30414]: GdmSessionWorker:
Set PAM environment variable: 'XDG_DATA_DIRS=/home/a001329/.local/share/flatpak
/exports/share/:/var/lib/flatpak/exports/share/:/usr/local/share/:/usr/share/'
Jun 05 14:07:28 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sending user-changed signal for user a001329
Jun 05 14:07:28 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sent user-changed signal for user a001329
Jun 05 14:07:28 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: updating user a001329
Jun 05 14:07:28 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sending user-changed signal for user a001329
Jun 05 14:07:28 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sent user-changed signal for user a001329
Jun 05 14:07:28 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: updating user a001329
Jun 05 14:07:51 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sending user-changed signal for user a001329
Jun 05 14:07:51 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sent user-changed signal for user a001329
Jun 05 14:07:51 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: updating user a001329
Jun 05 14:07:51 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sending user-changed signal for user a001329
Jun 05 14:07:51 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sent user-changed signal for user a001329
Jun 05 14:07:51 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: updating user a001329


Looks like AccountsService is converting the fq name to short name in some
places and in some places does not. The line:

could not save session and language settings

indicates to me that AccountsService failed to create the user session file,
but there is no information about why.

Version-Release number of selected component (if applicable):
gdm-3.28.3-20.el8.x86_64
accountsservice-0.6.50-6.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Log in with smartcard using pam_sss
2.
3.

Actual results:
No user session file in /var/lib/AccountsService/users/

Expected results:


Additional info:
Also, GDM uses the fully qualified name format when setting the environment
variables '$USER', '$USERNAME' and '$LOGNAME'. For me this seems wrong; it
should be the short version of the name.
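
The comparison the description makes by eye can be scripted. This is an added example, not part of the ticket and not SSSD, GDM or AccountsService code: it re-joins the hard-wrapped log lines, counts per component how often an account appears in fully qualified versus short form, and lists identity variables exported in fully qualified form. The sample lines are constructed in the shape of the log above, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the GDM debug log above (wrapping included).
SAMPLE_LOG = """\
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
username is 'a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finding user 'a001329@ad.example.com' state 3
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user a001329 is now loaded
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'LOGNAME=a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'HOME=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: could not save
session and language settings
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]:
pam_unix(gdm-smartcard:session): session opened for user a001329@ad.example.com
by (uid=0)
"""

ENTRY = re.compile(r"^[A-Z][a-z]{2} \d{2} [\d:]{8} \S+ \S+\[\d+\]: ?(.*)$")
FQ_NAME = re.compile(r"(?<![\w.@/-])([\w.-]+)@([\w-]+(?:\.[\w-]+)+)")
ID_ENV = re.compile(r"\b(LOGNAME|USER|USERNAME)=([^\s']+)")

def join_entries(text):
    """Re-join hard-wrapped journal lines into one message per log entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(m.group(1))
        elif entries and line.strip():
            entries[-1] = (entries[-1] + " " + line.strip()).strip()
    return entries

def component(msg):
    """Leading 'Name:' tag of a message, e.g. GdmSessionWorker or pam_unix(...)."""
    m = re.match(r"(\S+?):(?: |$)", msg)
    return m.group(1) if m else "(none)"

def name_forms(entries):
    """Per component: count fully qualified vs. short spellings of each account."""
    shorts = {m.group(1) for e in entries for m in FQ_NAME.finditer(e)}
    counts = defaultdict(lambda: {"fq": 0, "short": 0})
    for e in entries:
        c = counts[component(e)]
        c["fq"] += len(FQ_NAME.findall(e))
        for s in shorts:  # bare short name; path components like /home/<name> are skipped
            c["short"] += len(re.findall(r"(?<![\w.@/-])" + re.escape(s) + r"(?![\w@-])", e))
    return dict(counts)

def mixed_components(entries):
    """Components that refer to the same account in both forms."""
    return sorted(c for c, n in name_forms(entries).items() if n["fq"] and n["short"])

def fq_identity_env(entries):
    """LOGNAME/USER/USERNAME assignments whose value is fully qualified."""
    return sorted({(k, v) for e in entries for k, v in ID_ENV.findall(e) if FQ_NAME.fullmatch(v)})

if __name__ == "__main__":
    log = join_entries(SAMPLE_LOG)
    print(mixed_components(log), fq_identity_env(log))
```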

Metadata Update from @sbose:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1718156

4 years ago

Metadata Update from @sbose:
- Issue assigned to sbose

4 years ago

Metadata Update from @sbose:
- Custom field patch adjusted to on

4 years ago

Commit 5dccf76 relates to this ticket

Metadata Update from @sbose:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/5037

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
