group.of.nepali.translators team mailing list archive
Message #06131
[Bug 1578415] Re: Lockscreen access denied (AD auth via sssd)
** Also affects: sssd (Ubuntu Xenial)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1578415
Title:
Lockscreen access denied (AD auth via sssd)
Status in sssd package in Ubuntu:
Fix Released
Status in sssd source package in Xenial:
New
Bug description:
It is not possible to unlock the screen or gain elevated privileges
from the GUI using an Active Directory account through SSSD.
Authentication and sudo work as expected from the console and LightDM.
How to reproduce:
- Xenial clean install
- Join AD using sssd (domain_join.sh)
===============================
#!/bin/bash
# domain_join.sh as posted by the reporter. Comments added; the sed command that
# the mail wrapped across several lines is rejoined into one line.
DOMAIN='INET'
REALM='INET.EXAMPLE.COM'
DOMAIN_ADMIN='administrator'

aptitude -y install krb5-user samba sssd ntp

# Point ntp at the domain's time sources (Kerberos rejects clients whose clock skew is too large).
cat > /etc/ntp.conf <<EOF
server ntp.inet.activarsas.com
server ntp_bak.inet.activarsas.com
EOF

# Rewrite the stock "workgroup = WORKGROUP" line of smb.conf into an ADS member configuration.
# '&' is the sed delimiter here so the replacement can contain '/' and '='.
sed -i "s&workgroup = WORKGROUP&\t workgroup = $DOMAIN \n\t client signing = yes \n\t client use spnego = yes \n\t kerberos method = secrets and keytab \n\t realm = $REALM \n\t security = ads&g" /etc/samba/smb.conf

# Minimal sssd configuration: the AD provider supplies identities (nss) and the access decision (pam).
cat > /etc/sssd/sssd.conf <<EOF
[sssd]
services = nss, pam
config_file_version = 2
domains = $REALM

[nss]
default_shell = /bin/bash

[domain/$REALM]
id_provider = ad
access_provider = ad
override_homedir = /home/%u
cache_credentials = true
EOF
# sssd refuses to start unless sssd.conf is root-owned and mode 0600.
chmod 600 /etc/sssd/sssd.conf

# Make the host resolve its own FQDN inside the realm. Note: this replaces /etc/hosts entirely.
fqdn="$(hostname).$REALM"
echo "127.0.0.1 $fqdn $(hostname) localhost" > /etc/hosts
systemctl restart systemd-hostnamed

# pam-auth-update profile: create the home directory on first interactive login.
# Continuation lines of a pam-configs field are tab-indented.
cat > /usr/share/pam-configs/mkhomedir <<EOF
Name: Create home directory on login
Default: no
Priority: 0
Session-Type: Additional
Session-Interactive-Only: yes
Session:
	optional pam_mkhomedir.so umask=077 skel=/etc/skel
EOF
pam-auth-update

# Greeter: hide the local user list and offer a manual login box for domain accounts.
cat > /usr/share/lightdm/lightdm.conf.d/50-domain.conf <<EOF
[SeatDefaults]
greeter-hide-users=true
greeter-show-remote-login=false
greeter-show-manual-login=true
EOF

systemctl restart ntp.service
systemctl restart smbd.service nmbd.service

# Obtain a TGT for the domain admin, then join the machine account using that ticket (-k).
kinit "$DOMAIN_ADMIN"
klist
net ads join -k
systemctl start sssd.service

# Grant sudo to an AD group; inserted at a fixed line number of /etc/sudoers, as posted.
sed -i '26i%domain^admins ALL=(ALL) ALL' /etc/sudoers
reboot
===============================
- Login with an AD account
- Lock screen
- Try to unlock screen --> Authentication error
- Top right corner -> Switch user
- Login with the same account --> Screen unlocks as expected
sudo cat /var/log/auth.log
===============================
May 4 17:06:06 uatlantico sssd_be: GSSAPI client step 1
May 4 17:06:06 uatlantico sssd_be: GSSAPI client step 1
May 4 17:06:08 uatlantico sssd_be: GSSAPI client step 1
May 4 17:06:08 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:06:08 uatlantico sssd_be: GSSAPI client step 2
May 4 17:06:22 uatlantico sudo: cvargasc : problem with defaults entries ; TTY=pts/2 ; PWD=/home/cvargasc ;
May 4 17:06:28 uatlantico sudo: pam_unix(sudo:auth): authentication failure; logname= uid=643401116 euid=0 tty=/dev/pts/2 ruser=cvargasc rhost= user=cvargasc
May 4 17:06:54 uatlantico sudo: pam_sss(sudo:auth): authentication success; logname= uid=643401116 euid=0 tty=/dev/pts/2 ruser=cvargasc rhost= user=cvargasc
May 4 17:06:54 uatlantico sudo: cvargasc : TTY=pts/2 ; PWD=/home/cvargasc ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
May 4 17:06:54 uatlantico sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
May 4 17:06:54 uatlantico sudo: pam_unix(sudo:session): session closed for user root
May 4 17:07:17 uatlantico sssd_be: GSSAPI client step 1
May 4 17:07:17 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:07:17 uatlantico sssd_be: GSSAPI client step 2
May 4 17:07:19 uatlantico sssd_be: GSSAPI client step 1
May 4 17:07:19 uatlantico sssd_be: message repeated 4 times: [ GSSAPI client step 1]
May 4 17:07:19 uatlantico sssd_be: GSSAPI client step 2
May 4 17:07:19 uatlantico sssd_be: GSSAPI client step 1
May 4 17:07:19 uatlantico sssd_be: GSSAPI client step 2
May 4 17:07:42 uatlantico compiz: pam_unix(unity:auth): authentication failure; logname= uid=643401116 euid=643401116 tty= ruser= rhost= user=cvargasc
May 4 17:07:43 uatlantico sssd_be: GSSAPI client step 1
May 4 17:07:43 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:14 uatlantico compiz: pam_sss(unity:auth): authentication success; logname= uid=643401116 euid=643401116 tty= ruser= rhost= user=cvargasc
May 4 17:08:14 uatlantico compiz: gkr-pam: unlocked login keyring
May 4 17:08:14 uatlantico compiz: pam_sss(unity:account): Access denied for user cvargasc: 6 (Permiso denegado)
May 4 17:08:31 uatlantico lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
May 4 17:08:31 uatlantico lightdm: PAM adding faulty module: pam_kwallet.so
May 4 17:08:31 uatlantico lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
May 4 17:08:31 uatlantico lightdm: PAM adding faulty module: pam_kwallet5.so
May 4 17:08:31 uatlantico lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
May 4 17:08:31 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:31 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:08:31 uatlantico sssd_be: GSSAPI client step 2
May 4 17:08:31 uatlantico systemd-logind[963]: New session c8 of user lightdm.
May 4 17:08:32 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:32 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:08:32 uatlantico sssd_be: GSSAPI client step 2
May 4 17:08:32 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:32 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:08:32 uatlantico sssd_be: GSSAPI client step 2
May 4 17:08:32 uatlantico lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
May 4 17:08:32 uatlantico lightdm: PAM adding faulty module: pam_kwallet.so
May 4 17:08:32 uatlantico lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
May 4 17:08:32 uatlantico lightdm: PAM adding faulty module: pam_kwallet5.so
May 4 17:08:33 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:33 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:08:33 uatlantico sssd_be: GSSAPI client step 2
May 4 17:08:35 uatlantico lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "cvargasc"
May 4 17:08:39 uatlantico lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=cvargasc
May 4 17:08:40 uatlantico lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=cvargasc
May 4 17:08:40 uatlantico lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
May 4 17:08:42 uatlantico sudo: cvargasc : problem with defaults entries ; TTY=pts/2 ; PWD=/home/cvargasc ;
May 4 17:08:42 uatlantico sudo: cvargasc : TTY=pts/2 ; PWD=/home/cvargasc ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
May 4 17:08:42 uatlantico sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
===============================
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: sssd 1.13.4-1ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-21.37-generic 4.4.6
Uname: Linux 4.4.0-21-generic x86_64
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Wed May 4 16:45:01 2016
InstallationDate: Installed on 2016-04-28 (6 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
JournalErrors:
Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system. Users in the 'systemd-journal' group can see all messages. Pass -q to turn off this notice.
No journal files were opened due to insufficient permissions.
ProcEnviron:
LANGUAGE=es_CO:es
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=es_CO.UTF-8
SHELL=/bin/bash
SourcePackage: sssd
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1578415/+subscriptions
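Added example (not part of the bug report or of the sssd package): a small parser for the auth.log excerpt above that separates the PAM phases per service. The point it makes visible is that for the same user the "unity" service (the lockscreen, logged by compiz) passes pam_sss in the auth phase and is then rejected in the account phase, while "lightdm" and "sudo" pass the auth phase and are never denied. The pam_unix "authentication failure" lines are expected for an account that has no local password and are not the problem. With access_provider = ad in sssd.conf, the account phase is where sssd applies its access decision, so the denial is an access-control result, not a credential failure; the code 6 in "Access denied for user cvargasc: 6" is PAM_PERM_DENIED, and "Permiso denegado" is "Permission denied" in the reporter's es_CO locale. The log lines are copied from the report; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# PAM lines copied from the auth.log excerpt in the report. The sssd_be "GSSAPI client
# step" lines are left out: they name no PAM service or phase, so there is nothing to
# correlate them with.
AUTH_LOG = """\
May 4 17:06:28 uatlantico sudo: pam_unix(sudo:auth): authentication failure; logname= uid=643401116 euid=0 tty=/dev/pts/2 ruser=cvargasc rhost= user=cvargasc
May 4 17:06:54 uatlantico sudo: pam_sss(sudo:auth): authentication success; logname= uid=643401116 euid=0 tty=/dev/pts/2 ruser=cvargasc rhost= user=cvargasc
May 4 17:06:54 uatlantico sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
May 4 17:07:42 uatlantico compiz: pam_unix(unity:auth): authentication failure; logname= uid=643401116 euid=643401116 tty= ruser= rhost= user=cvargasc
May 4 17:08:14 uatlantico compiz: pam_sss(unity:auth): authentication success; logname= uid=643401116 euid=643401116 tty= ruser= rhost= user=cvargasc
May 4 17:08:14 uatlantico compiz: pam_sss(unity:account): Access denied for user cvargasc: 6 (Permiso denegado)
May 4 17:08:35 uatlantico lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "cvargasc"
May 4 17:08:39 uatlantico lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=cvargasc
May 4 17:08:40 uatlantico lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=cvargasc
"""

# syslog prefix (timestamp, host, process), then Linux-PAM's "module(service:phase): message".
PAM_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<phase>\w+)\): (?P<msg>.*)$"
)
# 'user=NAME', 'user NAME' or 'user "NAME"'; \b keeps 'ruser=' from matching.
USER_RE = re.compile(r'\buser[= ]"?([^\s":]+)')


def classify(msg):
    """Map the free-text part of a PAM line to a coarse outcome."""
    for prefix, outcome in (("authentication success", "success"),
                            ("authentication failure", "failure"),
                            ("Access denied", "denied"),
                            ("session opened", "opened"),
                            ("session closed", "closed")):
        if msg.startswith(prefix):
            return outcome
    return "info"


def extract_user(msg):
    """The last user name mentioned in the message, or None (pam_succeed_if
    mentions 'user ingroup ...' first and the real name last)."""
    found = USER_RE.findall(msg)
    return found[-1] if found else None


def parse_pam_events(log_text):
    """One dict per PAM line: ts, host, proc, module, service, phase, msg, outcome, user."""
    events = []
    for line in log_text.splitlines():
        m = PAM_RE.match(line)
        if not m:
            continue  # not a PAM module line (sssd_be chatter, dlopen warnings, ...)
        ev = m.groupdict()
        ev["outcome"] = classify(ev["msg"])
        ev["user"] = extract_user(ev["msg"])
        events.append(ev)
    return events


def summarize_by_service(events, user):
    """For one user, the outcome pam_sss reported in each phase of each PAM service.
    pam_unix failing and pam_succeed_if complaining are normal for an AD account
    with no local password, so only pam_sss is kept in this view."""
    summary = defaultdict(dict)
    for ev in events:
        if ev["user"] == user and ev["module"] == "pam_sss":
            summary[ev["service"]][ev["phase"]] = ev["outcome"]
    return dict(summary)


def account_denied_after_auth(events, user):
    """Services where pam_sss accepted the password (auth phase) and the account
    phase then returned a denial for the same user. A hit is an access-control
    decision by sssd, not a wrong credential."""
    auth_ok = set()
    hits = {}
    for ev in events:
        if ev["user"] != user or ev["module"] != "pam_sss":
            continue
        if ev["phase"] == "auth" and ev["outcome"] == "success":
            auth_ok.add(ev["service"])
        elif (ev["phase"] == "account" and ev["outcome"] == "denied"
              and ev["service"] in auth_ok):
            hits[ev["service"]] = ev["msg"]
    return hits


if __name__ == "__main__":
    evs = parse_pam_events(AUTH_LOG)
    for service, phases in sorted(summarize_by_service(evs, "cvargasc").items()):
        print(f"{service:8s} {phases}")
    for service, msg in account_denied_after_auth(evs, "cvargasc").items():
        print(f"{service}: credentials accepted, account phase denied -> {msg}")
```

Run against the excerpt, the summary shows sudo and lightdm with only an auth success, and unity with auth success followed by account denied; account_denied_after_auth returns just the "unity" service. The same functions work on a full /var/log/auth.log read from disk, and the service name they single out is the variable to compare against what sssd's access provider is configured to allow.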