Performing verification for gnome-shell in Bionic.

During this verification I will explain how VMware Horizon SSO works,
and will prove that the gnome-shell in -proposed is equivalent to the
custom gnome-shell package distributed by VMware.

I will begin by walking through the SSO workflow, based around the
custom gnome-shell package distributed by VMware.

Firstly, start with a fresh Focal Desktop VM, all up to date.

Visit the VMware website, specifically this link:

https://my.vmware.com/en/web/vmware/evalcenter?p=horizon-eval-8

Sign up for a VMware account and reach the VMware Horizon 8 evaluation
download page. The next step is to locate the "Linux Agent x86_64". The
file is named

VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz

If you have difficulty in obtaining this file and want to reproduce,
please message me.

Download and copy to the Focal VM.

$ scp VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz ubuntu@target:~/
$ ssh ubuntu@target
$ tar -xf VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz
$ cd VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770

Next, install the VMware Horizon Linux Agent by following the
instructions at:

https://docs.vmware.com/en/VMware-Horizon-7/7.13/linux-desktops-setup/GUID-B4111821-34F2-465B-B290-FC2070EFCB5A.html

$ sudo apt install libpam-pkcs11
$ sudo apt install libnss3-tools
$ sudo apt install open-vm-tools
$ sudo apt install python python-dbus python-gobject
$ sudo ./install_viewagent.sh -T yes

Now, this will install a custom patched gnome-shell library, which
contains the following patches:

https://paste.ubuntu.com/p/q4fkNrqHQT/

You can find this, and more, in the
VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770/sso directory.

Reboot the VM.

When it comes back up, run "ps aux". You will see:

root      1406  0.0  0.0   4904  2020 ?        S    15:53   0:00 /bin/sh /usr/lib/vmware/viewagent/bin/GetMachineId.sh
root      1447  0.0  0.2 404328 10968 ?        Sl   15:53   0:00 /usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon
root      1449  2.2  0.2 102060  9060 ?        Sl   15:53   0:02 /usr/lib/vmware/viewagent/VMwareBlastServer/BlastServer
root      1479  0.0  0.1 139968  6528 ?        Sl   15:53   0:00 desktopWorker -x /usr/lib/vmware/viewagent/bin/StartXServer.sh -d :100 -s 1 -p 13
root      1488  0.2  1.4 611572 56464 ?        Sl   15:53   0:00 /usr/lib/xorg/Xorg :100 -auth /var/vmware/viewagent/xauth/.xauth:100 -once -query 127.0.0.1 -config /usr/lib/vmware/viewagent/resource
root      1532  0.0  0.2 258560  8088 ?        Sl   15:53   0:00 gdm-session-worker [pam/gdm-launch-environment]
gdm       1535  0.0  0.0  25464  1528 ?        Ss   15:53   0:00 dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart
gdm       1536  0.0  0.1  50244  4528 ?        S    15:53   0:00 dbus-daemon --nofork --print-address 4 --session
gdm       1537  0.0  0.3 551880 13892 ?        Sl   15:53   0:00 /usr/lib/gnome-session/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart

Now, the SSO desktop for the VDI is on xorg display :100, and all of
this is launched by
/usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon.

The dbus-run-session runs a bunch of autostart scripts in
/usr/share/gdm/greeter/autostart, one of which starts up
SsoDBusNotify.py.

Now, when /usr/lib/vmware/viewagent/bin/SsoDBusNotify.py runs, it reads
in an SSO token generated by desktopDaemon from stdin, makes sure the
display matches what xorg is running on, and then sends a
UserAuthenticated signal to DBUS on '/org/vmware/viewagent/Credentials'
and 'org.vmware.viewagent.Credentials'.

Let's do this manually, since we are in KVM and not on an actual VMware
Horizon cluster.

Execute:

$ sudo /usr/lib/vmware/viewagent/bin/SsoDBusNotify.py -t sso -d :100

When asked, input the token: "12345DISPLAY:100".

The custom gnome-shell distributed by VMware listens on
org.vmware.viewagent.Credentials.D100 (yes, that is a per-display dbus
address) which then checks to see if the token is any good, and passes
it to PAM for processing.

PAM then calls the module gdm-vmwcred, which then talks to the SSSD and
krb5 PAM modules to authenticate against an AD server. But in our repro
environment, this won't work.

But the main thing is, if you check:

/var/log/auth.log:
Mar 22 15:55:51 ubuntu gdm-vmwcred]: pam_vmw_cred(gdm-vmwcred:auth): Failed to acquire user's credentials

and

/var/log/vmware/pam_vmw_log:
2021:03:22 15:55:51 : Authentication begins
2021:03:22 15:55:51 : SSOChannel_AcquireUserCredentials called.
2021:03:22 15:55:51 : VMWARE Token is invaild.
2021:03:22 15:55:51 : Failed to acquire user's credentials
2021:03:22 15:55:51 : Authentication ends

We see gnome-shell does in fact call PAM.

On vanilla installs of gnome-shell, i.e. gnome-shell
3.28.4-0ubuntu18.04.3 and earlier, if you attempted to do this,
gnome-shell would not talk to PAM, as it does not understand the
per-display dbus logic.

Now, on the customer environment, SSO works fine with the custom
gnome-shell library, as they are correctly configured for SSSD / krb5 to
their AD server.

Now, let's repeat the process, but this time, we are going to use the
new gnome-shell package in -proposed.

Start with a clean Focal Desktop VM.

Copy the VMware Horizon Linux agent over.

$ scp VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz ubuntu@target:~/
$ ssh ubuntu@target
$ tar -xf VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz
$ cd VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770

Next, install the VMware Horizon Linux Agent by following the
instructions at:

https://docs.vmware.com/en/VMware-Horizon-7/7.13/linux-desktops-setup/GUID-B4111821-34F2-465B-B290-FC2070EFCB5A.html

$ sudo apt install libpam-pkcs11
$ sudo apt install libnss3-tools
$ sudo apt install open-vm-tools
$ sudo apt install python python-dbus python-gobject

Now, this step is VERY VERY VERY important.

Install the viewagent with the additional flag "-G yes":

$ sudo ./install_viewagent.sh -G yes -T yes

The "-G yes" flag tells the installer to not overwrite gnome-shell, and
to instead switch to upstream SSO patch support mode.

Then enable -proposed, and install gnome-shell version

$ cat << EOF | sudo tee /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed main universe
EOF
$ sudo apt update
$ sudo apt install gnome-shell gnome-shell-common
$ sudo apt-cache policy gnome-shell | grep Installed
Installed: 3.28.4-0ubuntu18.04.7

Reboot.

$ sudo reboot

Now, when the system comes up, again verify the following processes:

root      1412  0.0  0.0   4904  2004 ?        S    16:06   0:00 /bin/sh /usr/lib/vmware/viewagent/bin/GetMachineId.sh
root      1448  0.0  0.2 404380 10792 ?        Sl   16:06   0:00 /usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon
root      1449  2.1  0.2 102060  8556 ?        Sl   16:06   0:00 /usr/lib/vmware/viewagent/VMwareBlastServer/BlastServer
root      1473  0.0  0.1 139968  6628 ?        Sl   16:06   0:00 desktopWorker -x /usr/lib/vmware/viewagent/bin/StartXServer.sh -d :100 -s 1 -p 13
root      1488  0.8  1.4 611808 57228 ?        Sl   16:06   0:00 /usr/lib/xorg/Xorg :100 -auth /var/vmware/viewagent/xauth/.xauth:100 -once -query 127.0.0.1 -config /usr/lib/vmware/viewagent/resource
root      1534  0.0  0.2 258560  8212 ?        Sl   16:06   0:00 gdm-session-worker [pam/gdm-launch-environment]
gdm       1537  0.0  0.0  25464  1528 ?        Ss   16:06   0:00 dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart
gdm       1538  0.2  0.1  50212  4364 ?        S    16:06   0:00 dbus-daemon --nofork --print-address 4 --session
gdm       1539  0.2  0.3 625616 13916 ?        Sl   16:06   0:00 /usr/lib/gnome-session/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart

This time, since we used the special "-G yes" flag when installing the
Horizon Agent, we get an additional process, SsoDispatcher.py:

gdm       1712  0.1  0.3  72856 12992 ?        S    16:06   0:00 /usr/bin/python /usr/lib/vmware/viewagent/sso/SsoDispatcher.py

This is executed from the
/usr/share/gdm/greeter/autostart/vmware-sso-dispatcher.desktop file
called by dbus-run-session.

Now, what SsoDispatcher.py does is listen on the per-display dbus
credentials interface org.vmware.viewagent.Credentials.D100; if it sees
a UserAuthenticated signal, it forwards it to the new dbus interface
that the upstream gnome-shell patches listen on, which is
org.vmware.viewagent.Credentials.

So SsoDispatcher.py acts as a bridge between old VMware implementation,
and what is implemented in the gnome-shell packages in -proposed.

Now, if we issue the call to SsoDBusNotify.py:

$ sudo /usr/lib/vmware/viewagent/bin/SsoDBusNotify.py -t sso -d :100

When asked, input the token: "12345DISPLAY:100".

SsoDBusNotify.py sends the token to SsoDispatcher.py, which sends the
token to gnome-shell, which then forwards the token to PAM for
processing.

Again, if we check the logs:

/var/log/auth.log
Mar 22 16:07:07 ubuntu gdm-vmwcred]: pam_vmw_cred(gdm-vmwcred:auth): Failed to acquire user's credentials

and also in

/var/log/vmware/pam_vmw_log
2021:03:22 16:07:07 : Authentication begins
2021:03:22 16:07:07 : SSOChannel_AcquireUserCredentials called.
2021:03:22 16:07:07 : VMWARE Token is invaild.
2021:03:22 16:07:07 : Failed to acquire user's credentials
2021:03:22 16:07:07 : Authentication ends

Thus, gnome-shell correctly received the token and passed it to PAM for
processing.

We have tested this pretty in depth on the customer's actual VMware
Horizon environment, and it took us a lot of time, but we can see that
the gnome-shell package in -proposed works, and properly authenticates
with PAM, and SSO functions as intended.

I can't share any logs from the customer's environment showing PAM
working, sorry. But it does.

We have tested against the following VMware Horizon Linux Agents:

VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz
VMware-horizonagent-linux-x86_64-7.13.0-17123958.tar.gz
VMware-horizonagent-linux-x86_64-7.13.0-16944161.tar.gz

All work. The customer is finally ready and happy to sign off on the
packages in -proposed.

I am happy to sign off and mark the gnome-shell version
3.28.4-0ubuntu18.04.7 as verified.

If you have any questions on the above verification, please contact me,
or Marco.

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-shell in Ubuntu.
https://bugs.launchpad.net/bugs/1886592

Title:
  Add support for VMware Horizon SSO to gnome-shell

Status in GNOME Shell:
  Unknown
Status in gnome-shell package in Ubuntu:
  Fix Released
Status in gnome-shell source package in Bionic:
  Fix Committed
Status in gnome-shell source package in Eoan:
  Won't Fix
Status in gnome-shell source package in Focal:
  Fix Committed
Status in gnome-shell source package in Groovy:
  Fix Released

Bug description:
  [Impact]

  VMware Horizon is a VDI product that runs atop of VMware's normal
  virtualisation stack, and it supports SSO authentication for login.

  In the past, the VMware Horizon agent has been pretty buggy, and
  requires SSO patches to be present to function, otherwise it breaks
  and causes entire outages for anyone trying to use the VDI.

  To solve this, VMware had been custom compiling their own
  libgnome-shell.so libraries with their SSO patches, which are based on
  oVirt's SSO implementation. When you install VMware Horizon agent to
  the instance, it overwrites Ubuntu's libgnome-shell.so with their
  custom compiled one.

  VMware don't keep their custom compiled libgnome-shell.so library up
  to date, so bugs that have already been fixed still live on in their
  library. Also, when Ubuntu updates our gnome-shell packages, it
  overwrites the custom libgnome-shell.so library, which then causes the
  Horizon agent to break, and causes outages for anyone using the VDI,
  which have to be solved by manually copying the custom library back.

  This situation is untenable for VMware Horizon users, so I have asked
  VMware to upstream their SSO patches. After a long painful process,
  they have landed in gnome-shell master.

  This SRU will significantly improve the quality of life for VMware
  Horizon users, and will remove the need for VMware to distribute
  custom libraries.

  [Testcase]

  You need an instance that runs on VMware Horizon, and the Horizon
  agent needs to be installed and running. Ideally, SSO authentication
  should be enabled to test all features, but it is not necessary to
  partially test.

  Test packages are available in this ppa:
  https://launchpad.net/~mruffell/+archive/ubuntu/sf247978-test

  If you install the test package in a VMware Horizon VDI, the instance
  should come up cleanly after reboot and function properly, especially
  with SSO login.

  The instance should be able to function without custom
  libgnome-shell.so libraries provided by VMware.

  [Regression Potential]

  The code refactors the oVirt SSO implementation into a more
  generalised interface, which other virtualisation platforms can use.
  oVirt has been transitioned to this interface as part of the
  refactoring, which means that if the new oVirt SSO implementation is
  broken, it could break users running in oVirt.

  VMware's patches also use the new generalised interface, which is much
  simpler than before, and it has been tested internally by VMware.
  There was a very long review process with upstream GNOME, which ironed
  out all of their concerns.

  I have been reviewing the code along the way, and I am confident that
  it will not cause any regressions. If a regression did occur, then it
  would break SSO functionality only.

  [Other Information]

  Upstream Issue: https://gitlab.gnome.org/GNOME/gnome-shell/issues/1983
  Upstream merge-request: https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/915

  Commits:

  commit 809f820cd4a4eebb120ab5dde3f1985d35bcb540
  Author: yun341 <[email protected]>
  Date: Sat, 4 Jan 2020 00:31:15 +0800
  Subject: gdm: Refactor oVirt to a generic CredentialManager interface
  Link: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/809f820cd4a4eebb120ab5dde3f1985d35bcb540

  commit 4ea0fca4fc09ffd6e0b6994ee1354f07f7d5d2b5
  Author: yun341 <[email protected]>
  Date: Thu, 2 Jul 2020 06:54:55 +0800
  Subject: gdm: Introduce vmware credential manager for pre-authenticated logins
  Link: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/4ea0fca4fc09ffd6e0b6994ee1354f07f7d5d2b5

  commit 00437750ed9c7e0982854e20be8c36c6bda7b254
  Author: Andre Moreira Magalhaes <[email protected]>
  Date:   Mon Aug 17 18:41:04 2020 -0300
  Subject: authPrompt: Properly get oVirt service name
  Link: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/00437750ed9c7e0982854e20be8c36c6bda7b254

  commit 3fb321fd214469130539e1e31461257a749bff21
  Author: yun341 <[email protected]>
  Date:   Mon Sep 21 22:11:41 2020 +0800
  Subject: authPrompt: set value of beginRequestType to 'DONT_PROVIDE_USERNAME'
  Link: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/3fb321fd214469130539e1e31461257a749bff21

To manage notifications about this bug go to:
https://bugs.launchpad.net/gnome-shell/+bug/1886592/+subscriptions
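The hand-off the verification above walks through (SsoDBusNotify.py emitting UserAuthenticated on the per-display name org.vmware.viewagent.Credentials.D100, SsoDispatcher.py re-emitting it on org.vmware.viewagent.Credentials for the upstream gnome-shell patches) can be modelled as a small bridge. The following is an added example written for this page; it is not VMware's SsoDispatcher.py, nor code from the gnome-shell patches. It assumes three things the page does not spell out: that the token carries its display as a "DISPLAY:<n>" suffix (as in the "12345DISPLAY:100" token used above), that the per-display name is the base interface plus ".D<n>", and that UserAuthenticated carries a single string argument (the token). The bridge logic is separated from the bus so it can be exercised without a session bus; the run_on_session_bus() wiring uses dbus-python and only runs where a session bus exists.

```python
"""Model of the Horizon SSO D-Bus bridge (added illustration, not VMware code).

Assumptions (not stated on the page): token ends in "DISPLAY:<n>", the
per-display name is BASE_IFACE + ".D<n>", UserAuthenticated has one string arg.
"""
import re

# Interface/path the upstream gnome-shell patches listen on (from the page).
BASE_IFACE = "org.vmware.viewagent.Credentials"
OBJECT_PATH = "/org/vmware/viewagent/Credentials"

_DISPLAY_RE = re.compile(r"^:(\d+)(?:\.\d+)?$")  # ":100" or ":100.0"


def display_number(display):
    """':100' or ':100.0' -> 100; ValueError for anything else."""
    m = _DISPLAY_RE.match(display)
    if not m:
        raise ValueError("bad X display %r" % (display,))
    return int(m.group(1))


def per_display_bus_name(display):
    """Name the legacy agent signals on, e.g. ':100' -> '...Credentials.D100' (assumed)."""
    return "%s.D%d" % (BASE_IFACE, display_number(display))


def token_display(token):
    """Pull the display out of a token: '12345DISPLAY:100' -> ':100' (assumed format)."""
    idx = token.rfind("DISPLAY")
    if idx < 0:
        return None
    return token[idx + len("DISPLAY"):]


def token_matches_display(token, display):
    """True only when the token names the display this bridge serves."""
    d = token_display(token)
    if d is None:
        return False
    try:
        return display_number(d) == display_number(display)
    except ValueError:
        return False


class Dispatcher(object):
    """Receive UserAuthenticated on the per-display name, re-emit on the generic one.

    `emit(iface, path, signal, token)` is injected so the logic runs without a bus.
    The token itself is NOT validated here: as the logs on the page show, that is
    pam_vmw_cred's job ("VMWARE Token is invaild"); the bridge only checks the display.
    """

    def __init__(self, display, emit):
        self.display = display
        self.source_iface = per_display_bus_name(display)
        self.emit = emit
        self.forwarded = []
        self.dropped = []

    def on_user_authenticated(self, token):
        token = str(token)
        if not token_matches_display(token, self.display):
            self.dropped.append(token)  # wrong display: do not hand it to gnome-shell
            return False
        self.forwarded.append(token)
        self.emit(BASE_IFACE, OBJECT_PATH, "UserAuthenticated", token)
        return True


def run_on_session_bus(display):
    """Real wiring with dbus-python; requires a session bus (e.g. the gdm greeter's)."""
    import dbus
    import dbus.service
    from dbus.mainloop.glib import DBusGMainLoop
    from gi.repository import GLib

    DBusGMainLoop(set_as_default=True)
    bus = dbus.SessionBus()

    class Credentials(dbus.service.Object):
        @dbus.service.signal(BASE_IFACE, signature="s")
        def UserAuthenticated(self, token):
            pass  # body unused: dbus-python emits the signal with `token`

    creds = Credentials(dbus.service.BusName(BASE_IFACE, bus), OBJECT_PATH)
    bridge = Dispatcher(display, lambda _i, _p, _s, tok: creds.UserAuthenticated(tok))
    bus.add_signal_receiver(bridge.on_user_authenticated,
                            signal_name="UserAuthenticated",
                            dbus_interface=bridge.source_iface,
                            path=OBJECT_PATH)
    GLib.MainLoop().run()


if __name__ == "__main__":
    import sys
    run_on_session_bus(sys.argv[1] if len(sys.argv) > 1 else ":100")
```

Two points worth keeping in mind when reading the real components: the bridge, like SsoDispatcher.py, runs as the gdm user on the greeter's session bus, so anything else on that bus can emit the same signal, and the page shows gnome-shell passing whatever it receives straight to PAM; the only check that rejects a bad token is the one in pam_vmw_cred, which is exactly the "VMWARE Token is invaild" line the verification relies on.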

-- 
Mailing list: https://launchpad.net/~desktop-packages