Performing verification for gnome-shell in Bionic.

During this verification I will explain how VMware Horizon SSO works,
and will prove that the gnome-shell in -proposed is equivalent to the
custom gnome-shell package distributed by VMware.

I will begin by walking through the SSO workflow, based around the
custom gnome-shell package distributed by VMware.

Firstly, start with a fresh Focal Desktop VM, all up to date.

Visit the VMware website, specifically this link:

https://my.vmware.com/en/web/vmware/evalcenter?p=horizon-eval-8

Sign up for a VMware account and reach the VMware Horizon 8 evaluation
download page. The next step is to locate the "Linux Agent x86_64". The
file is named

VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz

If you have difficulty in obtaining this file and want to reproduce,
please message me.

Download and copy to the Focal VM.

$ scp VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz ubuntu@target:~/
$ ssh ubuntu@target
$ tar -xf VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz
$ cd VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770

Next, install the VMware Horizon Linux Agent by following the
instructions at:

https://docs.vmware.com/en/VMware-Horizon-7/7.13/linux-desktops-setup/GUID-B4111821-34F2-465B-B290-FC2070EFCB5A.html

$ sudo apt install libpam-pkcs11
$ sudo apt install libnss3-tools
$ sudo apt install open-vm-tools
$ sudo apt install python python-dbus python-gobject
$ sudo ./install_viewagent.sh -T yes

Now, this will install a custom patched gnome-shell library, which
contains the following patches:

https://paste.ubuntu.com/p/q4fkNrqHQT/

You can find this, and more, in the
VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770/sso directory.

Reboot the VM.

When it comes back up, run "ps aux". You will see:

root      1406  0.0  0.0   4904  2020 ?        S    15:53   0:00 /bin/sh /usr/lib/vmware/viewagent/bin/GetMachineId.sh
root      1447  0.0  0.2 404328 10968 ?        Sl   15:53   0:00 /usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon
root      1449  2.2  0.2 102060  9060 ?        Sl   15:53   0:02 /usr/lib/vmware/viewagent/VMwareBlastServer/BlastServer
root      1479  0.0  0.1 139968  6528 ?        Sl   15:53   0:00 desktopWorker -x /usr/lib/vmware/viewagent/bin/StartXServer.sh -d :100 -s 1 -p 13
root      1488  0.2  1.4 611572 56464 ?        Sl   15:53   0:00 /usr/lib/xorg/Xorg :100 -auth /var/vmware/viewagent/xauth/.xauth:100 -once -query 127.0.0.1 -config /usr/lib/vmware/viewagent/resource
root      1532  0.0  0.2 258560  8088 ?        Sl   15:53   0:00 gdm-session-worker [pam/gdm-launch-environment]
gdm       1535  0.0  0.0  25464  1528 ?        Ss   15:53   0:00 dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart
gdm       1536  0.0  0.1  50244  4528 ?        S    15:53   0:00 dbus-daemon --nofork --print-address 4 --session
gdm       1537  0.0  0.3 551880 13892 ?        Sl   15:53   0:00 /usr/lib/gnome-session/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart

Now, the SSO desktop for the VDI is on xorg display :100, and all of
this is launched by
/usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon.

The dbus-run-session runs a bunch of autostart scripts in
/usr/share/gdm/greeter/autostart, one of which starts up
SsoDBusNotify.py.

Now, when /usr/lib/vmware/viewagent/bin/SsoDBusNotify.py runs, it reads
in a SSO token generated by desktopDaemon from stdin, and then makes
sure the display matches what xorg is running on, and then sends a
UserAuthenticated signal to DBUS on '/org/vmware/viewagent/Credentials'
and 'org.vmware.viewagent.Credentials'.

Let's do this manually, since we are in KVM and not on an actual VMware
Horizon cluster.

Execute:

$ sudo /usr/lib/vmware/viewagent/bin/SsoDBusNotify.py -t sso -d :100

When asked, input the token: "12345DISPLAY:100".

The custom gnome-shell distributed by VMware listens on
org.vmware.viewagent.Credentials.D100 (yes, that is a per-display dbus
address) which then checks to see if the token is any good, and passes
it to PAM for processing.

PAM then calls the module gdm-vmwcred, which then talks to the SSSD and
krb5 PAM modules to authenticate against an AD server. But in our repro
environment, this won't work.

But the main thing is, if you check:

/var/log/auth.log:
Mar 22 15:55:51 ubuntu gdm-vmwcred]: pam_vmw_cred(gdm-vmwcred:auth): Failed to acquire user's credentials

and

/var/log/vmware/pam_vmw_log:
2021:03:22 15:55:51 : Authentication begins
2021:03:22 15:55:51 : SSOChannel_AcquireUserCredentials called.
2021:03:22 15:55:51 : VMWARE Token is invaild.
2021:03:22 15:55:51 : Failed to acquire user's credentials
2021:03:22 15:55:51 : Authentication ends

We see gnome-shell does in fact call PAM.

On vanilla installs of gnome-shell, i.e. gnome-shell
3.28.4-0ubuntu18.04.3 and earlier, if you attempted to do this, gnome-
shell would not talk to PAM as it does not understand the per-display
dbus logic.

Now, on the customer environment, SSO works fine with the custom gnome-
shell library, as they are correctly configured for SSSD / krb5 to their
AD server.

Now, let's repeat the process, but this time, we are going to use the
new gnome-shell package in -proposed.

Start with a clean Focal Desktop VM.

Copy the VMware Horizon Linux agent over.

$ scp VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz ubuntu@target:~/
$ ssh ubuntu@target
$ tar -xf VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz
$ cd VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770

Next, install the VMware Horizon Linux Agent by following the
instructions at:

https://docs.vmware.com/en/VMware-Horizon-7/7.13/linux-desktops-setup/GUID-B4111821-34F2-465B-B290-FC2070EFCB5A.html

$ sudo apt install libpam-pkcs11
$ sudo apt install libnss3-tools
$ sudo apt install open-vm-tools
$ sudo apt install python python-dbus python-gobject

Now, this step is VERY VERY VERY important.

Install the viewagent with the additional flag "-G yes":

$ sudo ./install_viewagent.sh -G yes -T yes

The "-G yes" flag tells the installer to not overwrite gnome-shell, and
to instead switch to upstream SSO patch support mode.

Then enable -proposed, and install gnome-shell version

$ cat << EOF | sudo tee /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed main universe
EOF
$ sudo apt update
$ sudo apt install gnome-shell gnome-shell-common 
$ sudo apt-cache policy gnome-shell | grep Installed
Installed: 3.28.4-0ubuntu18.04.7

Reboot.

$ sudo reboot

Now, when the system comes up, again verify the following processes:

root      1412  0.0  0.0   4904  2004 ?        S    16:06   0:00 /bin/sh /usr/lib/vmware/viewagent/bin/GetMachineId.sh
root      1448  0.0  0.2 404380 10792 ?        Sl   16:06   0:00 /usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon
root      1449  2.1  0.2 102060  8556 ?        Sl   16:06   0:00 /usr/lib/vmware/viewagent/VMwareBlastServer/BlastServer
root      1473  0.0  0.1 139968  6628 ?        Sl   16:06   0:00 desktopWorker -x /usr/lib/vmware/viewagent/bin/StartXServer.sh -d :100 -s 1 -p 13
root      1488  0.8  1.4 611808 57228 ?        Sl   16:06   0:00 /usr/lib/xorg/Xorg :100 -auth /var/vmware/viewagent/xauth/.xauth:100 -once -query 127.0.0.1 -config /usr/lib/vmware/viewagent/resource
root      1534  0.0  0.2 258560  8212 ?        Sl   16:06   0:00 gdm-session-worker [pam/gdm-launch-environment]
gdm       1537  0.0  0.0  25464  1528 ?        Ss   16:06   0:00 dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart
gdm       1538  0.2  0.1  50212  4364 ?        S    16:06   0:00 dbus-daemon --nofork --print-address 4 --session
gdm       1539  0.2  0.3 625616 13916 ?        Sl   16:06   0:00 /usr/lib/gnome-session/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart

This time, since we used the special "-G yes" flag when installing the
Horizon Agent, we get an additional process, SsoDispatcher.py:

gdm       1712  0.1  0.3  72856 12992 ?        S    16:06   0:00 /usr/bin/python /usr/lib/vmware/viewagent/sso/SsoDispatcher.py

This is executed from the
/usr/share/gdm/greeter/autostart/vmware-sso-dispatcher.desktop file
called by dbus-run-session.

Now, what SsoDispatcher.py does is listen on the per-display dbus
credentials interface org.vmware.viewagent.Credentials.D100, if it sees
a UserAuthenticated signal, it forwards it to the new dbus interface
that the upstream gnome-shell patches listen on, which is
org.vmware.viewagent.Credentials.

So SsoDispatcher.py acts as a bridge between old VMware implementation,
and what is implemented in the gnome-shell packages in -proposed.

Now, if we issue the call to SsoDBusNotify.py:

$ sudo /usr/lib/vmware/viewagent/bin/SsoDBusNotify.py -t sso -d :100

When asked, input the token: "12345DISPLAY:100".

SsoDBusNotify.py sends the token to SsoDispatcher.py which sends the
token to gnome-shell, which then forwards the token to PAM for
processing.

Again, if we check the logs:

/var/log/auth.log
Mar 22 16:07:07 ubuntu gdm-vmwcred]: pam_vmw_cred(gdm-vmwcred:auth): Failed to acquire user's credentials

and also in

/var/log/vmware/pam_vmw_log
2021:03:22 16:07:07 : Authentication begins
2021:03:22 16:07:07 : SSOChannel_AcquireUserCredentials called.
2021:03:22 16:07:07 : VMWARE Token is invaild.
2021:03:22 16:07:07 : Failed to acquire user's credentials
2021:03:22 16:07:07 : Authentication ends

Thus, gnome-shell correctly received the token and passed it to PAM for
processing.

We have tested this pretty in depth on the customer's actual VMware
Horizon environment, and it took us a lot of time, but we can see that
the gnome-shell package in -proposed works, and properly authenticates
with PAM and SSO functions as intended.

I can't share any logs from the customer's environment showing PAM
working, sorry. But it does.

We have tested against the following VMware Horizon Linux Agents:

VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz
VMware-horizonagent-linux-x86_64-7.13.0-17123958.tar.gz
VMware-horizonagent-linux-x86_64-7.13.0-16944161.tar.gz 

All work. The customer is finally ready and happy to sign off on the
packages in -proposed.

I am happy to sign off and mark the gnome-shell version
3.28.4-0ubuntu18.04.7 as verified.

If you have any questions on the above verification, please contact me,
or Marco.

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to gnome-shell in Ubuntu.
https://bugs.launchpad.net/bugs/1886592

Title:
  Add support for VMware Horizon SSO to gnome-shell

To manage notifications about this bug go to:
https://bugs.launchpad.net/gnome-shell/+bug/1886592/+subscriptions

-- 
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
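
Added example (not part of the original comment, and not VMware or Ubuntu code): a Python check that automates the log inspection described in the message, grouping pam_vmw_log lines into attempts and testing whether one began shortly after the token was sent. The sample log is constructed in the format quoted above; the function names and the 30-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the format of /var/log/vmware/pam_vmw_log quoted above.
SAMPLE_PAM_VMW_LOG = """\
2021:03:22 16:07:07 : Authentication begins
2021:03:22 16:07:07 : SSOChannel_AcquireUserCredentials called.
2021:03:22 16:07:07 : VMWARE Token is invaild.
2021:03:22 16:07:07 : Failed to acquire user's credentials
2021:03:22 16:07:07 : Authentication ends
"""

LINE_RE = re.compile(r"^(\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}) : (.*)$")


def pam_attempts(log_text):
    """Group log lines into attempts delimited by 'Authentication begins/ends'."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or unparseable lines
        ts = datetime.strptime(m.group(1), "%Y:%m:%d %H:%M:%S")
        msg = m.group(2)
        if msg == "Authentication begins":
            if current is not None:  # previous attempt never logged its end
                attempts.append(current)
            current = {"start": ts, "end": None, "messages": []}
        elif current is not None:
            if msg == "Authentication ends":
                current["end"] = ts
                attempts.append(current)
                current = None
            else:
                current["messages"].append(msg)
    if current is not None:  # log stops mid-attempt
        attempts.append(current)
    return attempts


def shell_reached_pam(log_text, token_sent_at, window_seconds=30):
    """True if a PAM attempt began within the window after the token was sent."""
    for attempt in pam_attempts(log_text):
        delta = (attempt["start"] - token_sent_at).total_seconds()
        if 0 <= delta <= window_seconds:
            return True
    return False
```

An empty result from pam_attempts() after sending a token corresponds to the vanilla gnome-shell case in the message, where PAM is never called.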
