#4070 pam_sss should reset PAM_USER based on use_fully_qualified_names option in sssd.conf
Opened 6 months ago by sbose. Modified 6 months ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1718156

Description of problem:
Logging in with smartcard, there is no file for my user in
/var/lib/AccountsService/users/ after login.

pam_sss gets my username from my smart card and puts it on the PAM stack in
fully qualified format:
a001329@ad.example.com

GDM debug log:
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: Enabling debugging
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
connecting to address: unix:abstract=/tmp/dbus-aSrXobDV
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: system OS is 'rhel'
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: system OS version is '8.0'
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
Failed to identify the current session: No data available
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: seat unloaded, so trying to set loaded property
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: Seat wouldn't load, so giving up on it and setting loaded
property
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: already loaded, so not setting loaded property
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
attempting to change state to SETUP_COMPLETE
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
initializing PAM; service=gdm-smartcard username=(null) seat=seat0
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'XDG_SEAT=seat0'
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
state SETUP_COMPLETE
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
attempting to change state to AUTHENTICATED
Jun 05 14:06:21 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
authenticating user (null)
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
1 new messages received from PAM
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
username is 'a001329@ad.example.com'
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
old-username='<unset>' new-username='a001329@ad.example.com'
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
setting username to 'a001329@ad.example.com'
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
attempting to load user settings
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: trying to track new user with username a001329@ad.example.com
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finding user 'a001329@ad.example.com' state 1
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finding user 'a001329@ad.example.com' state 2
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: Looking for user 'a001329@ad.example.com' in accounts service
Jun 05 14:06:22 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
received pam message of type 1 with payload 'PIN for Instant EID IP9'
Jun 05 14:06:23 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
trying to get updated username
Jun 05 14:06:23 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
PAM conversation returning 0: Success
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]:
pam_sss(gdm-smartcard:auth): authentication success; logname= uid=0 euid=0
tty=/dev/tty1 ruser= rhost= user=a001329@ad.example.com
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
state AUTHENTICATED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
trying to get updated username
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
username is 'a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
old-username='a001329@ad.example.com' new-username='a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: Found object path of user 'a001329@ad.example.com':
/org/freedesktop/Accounts/User60483
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finding user 'a001329@ad.example.com' state 3
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user 'a001329@ad.example.com' fetched
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user a001329 is now loaded
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user a001329 was not yet known, adding it
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: tracking user 'a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: not yet loaded, so not emitting user-added signal
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: no pending users, trying to set loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: already loaded, so not setting loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finished handling request for user 'a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: unrefing manager owned by fetch user request
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
attempting to change state to AUTHORIZED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
determining if authenticated user (password required:0) is authorized to
session
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
state AUTHORIZED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
attempting to change state to ACCREDITED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'LOGNAME=a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'USER=a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'USERNAME=a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'HOME=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'PWD=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'SHELL=/bin/bash'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable:
'PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
state ACCREDITED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
session display mode set to new-vt
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'XDG_SESSION_TYPE=x11'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'GDK_BACKEND=x11'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
attempting to change state to ACCOUNT_DETAILS_SAVED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
saving account details for user a001329@ad.example.com
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: trying to track new user with username a001329@ad.example.com
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finding user 'a001329@ad.example.com' state 1
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finding user 'a001329@ad.example.com' state 2
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: Looking for user 'a001329@ad.example.com' in accounts service
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: could not save
session and language settings
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
attempting to change state to SESSION_OPENED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'XDG_VTNR=7'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]:
pam_unix(gdm-smartcard:session): session opened for user a001329@ad.example.com
by (uid=0)
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
1 new messages received from PAM
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
username is 'a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
old-username='a001329@ad.example.com' new-username='a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
received pam message of type 4 with payload 'Last login: Wed Jun  5 13:59:23
CEST 2019 on tty7'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
PAM conversation returning 0: Success
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
state SESSION_OPENED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: Found object path of user 'a001329@ad.example.com':
/org/freedesktop/Accounts/User60483
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finding user 'a001329@ad.example.com' state 3
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user 'a001329@ad.example.com' fetched
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user a001329 is now loaded
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sessions changed (user a001329) num=0
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: no pending users, trying to set loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: already loaded, so not setting loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finished handling request for user 'a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GLib-GObject:
invalid uninstantiatable type '(null)' in cast to 'GObject'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GLib-GObject:
g_object_set_data: assertion 'G_IS_OBJECT (object)' failed
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: unrefing manager owned by fetch user request
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'LANG=en_GB.UTF-8'
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'GDMSESSION=gnome'
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'XDG_SESSION_DESKTOP=gnome'
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'DESKTOP_SESSION=gnome'
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'XDG_CURRENT_DESKTOP=GNOME'
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'GDM_LANG=en_GB.UTF-8'
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
start program: /usr/libexec/gdm-x-session  "gnome-session"
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
attempting to change state to SESSION_STARTED
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
opening user session with program '/usr/libexec/gdm-x-session'
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
jumping to VT 7
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
first setting graphics mode to prevent flicker
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
VT mode did not need to be fixed
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Trying script
/etc/gdm/PostLogin
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: script
/etc/gdm/PostLogin not found; skipping
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Trying script
/etc/gdm/PostLogin/Default
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: script
/etc/gdm/PostLogin/Default not found; skipping
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: no script found
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Trying script
/etc/gdm/PreSession
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: script
/etc/gdm/PreSession not found; skipping
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Trying script
/etc/gdm/PreSession/Default
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Running process:
/etc/gdm/PreSession/Default
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: HOME=/home/a001329
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: GROUP=id
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: RUNNING_UNDER_GDM=true
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: LOGNAME=a001329@ad.example.com
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: USERNAME=a001329@ad.example.com
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: PWD=/home/a001329
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: USER=a001329@ad.example.com
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: SHELL=/bin/bash
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Gdm: script
environment: PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: Process exit
status: 0
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
session opened creating reply...
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
state SESSION_STARTED
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30108]: GdmSession worker:
watching pid 30414
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30414]: Loading env vars
from /usr/share/gdm/env.d/flatpak.env
Jun 05 14:06:29 c21637.ad.example.com gdm-smartcard][30414]: GdmSessionWorker:
Set PAM environment variable: 'XDG_DATA_DIRS=/home/a001329/.local/share/flatpak
/exports/share/:/var/lib/flatpak/exports/share/:/usr/local/share/:/usr/share/'
Jun 05 14:07:28 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sending user-changed signal for user a001329
Jun 05 14:07:28 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sent user-changed signal for user a001329
Jun 05 14:07:28 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: updating user a001329
Jun 05 14:07:28 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sending user-changed signal for user a001329
Jun 05 14:07:28 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sent user-changed signal for user a001329
Jun 05 14:07:28 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: updating user a001329
Jun 05 14:07:51 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sending user-changed signal for user a001329
Jun 05 14:07:51 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sent user-changed signal for user a001329
Jun 05 14:07:51 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: updating user a001329
Jun 05 14:07:51 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sending user-changed signal for user a001329
Jun 05 14:07:51 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: sent user-changed signal for user a001329
Jun 05 14:07:51 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: updating user a001329


It looks like AccountsService converts the FQ name to the short name in some
places and not in others. The line:

could not save session and language settings

indicates to me that AccountsService failed to create the user session file,
but there is no information about why.

Version-Release number of selected component (if applicable):
gdm-3.28.3-20.el8.x86_64
accountsservice-0.6.50-6.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Log in with smartcard using pam_sss

Actual results:
No user session file in /var/lib/AccountsService/users/

Expected results:


Additional info:
Also, GDM uses the fully qualified name format when setting the environment
variables '$USER', '$USERNAME' and '$LOGNAME'. To me this seems wrong; it
should be the short version of the name.

Metadata Update from @sbose:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1718156

6 months ago
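
Added example, not part of the original ticket and not code from GDM, AccountsService or SSSD: a small triage script that rejoins the hard-wrapped records of a GDM debug log like the one above and reports, per component, whether it logged the fully qualified name, the short name, or both, and whether the settings save failed. The function names and the "(untagged)" label are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Excerpt of the log in this ticket, hard-wrapped as it appears there.
SAMPLE_LOG = """\
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]:
pam_sss(gdm-smartcard:auth): authentication success; logname= uid=0 euid=0
tty=/dev/tty1 ruser= rhost= user=a001329@ad.example.com
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user 'a001329@ad.example.com' fetched
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user a001329 is now loaded
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
Set PAM environment variable: 'HOME=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
saving account details for user a001329@ad.example.com
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: could not save
session and language settings
"""

HEADER = re.compile(r"^\w{3} \d{2} \d{2}:\d{2}:\d{2} \S+ \S+\[\d+\]: ?(.*)$")
COMPONENT = re.compile(r"^([\w-]+)(?:\([^)]*\))?:")  # e.g. "pam_sss(svc:auth):"
FQ_NAME = re.compile(r"[\w.-]+@[\w.-]+")
SAVE_FAILED = "could not save session and language settings"

def unwrap(text):
    """Join hard-wrapped continuation lines back onto their syslog record."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append(m.group(1))
        elif records and line.strip():
            records[-1] = (records[-1] + " " + line.strip()).strip()
    return records

def name_forms(text):
    """Return ({component: {"fq", "short"}}, save_failed) for a GDM debug log."""
    records = unwrap(text)
    shorts = {n.split("@", 1)[0] for r in records for n in FQ_NAME.findall(r)}
    alt = "|".join(re.escape(s) for s in sorted(shorts)) or r"(?!)"
    # Bare login name only: not inside a path and not the user part of user@domain.
    short_re = re.compile(r"(?<![\w/.-])(?:%s)(?![\w@.-])" % alt)
    seen, save_failed = defaultdict(set), False
    for rec in records:
        m = COMPONENT.match(rec)
        comp = m.group(1) if m else "(untagged)"
        if FQ_NAME.search(rec):
            seen[comp].add("fq")
        if short_re.search(rec):
            seen[comp].add("short")
        save_failed = save_failed or SAVE_FAILED in rec
    return dict(seen), save_failed

if __name__ == "__main__":
    print(name_forms(SAMPLE_LOG))
```

On this excerpt only AccountsService reports both forms, which matches the observation in the description that the name is converted in some places and not in others.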
