** Also affects: sssd (Ubuntu Xenial)
   Importance: Undecided
       Status: New

--
https://bugs.launchpad.net/bugs/1578415

Title:
  Lockscreen access denied (AD auth via sssd)

Status in sssd package in Ubuntu:
  Fix Released
Status in sssd source package in Xenial:
  New

Bug description:

It is not possible to unlock the screen or gain elevated privileges from the GUI using an Active Directory account through SSSD. Authentication and sudo work as expected from console and LightDM.

How to reproduce:

- Xenial clean install
- Join to AD using sssd (domain_join.sh)

===============================
#!/bin/bash
DOMAIN='INET'
REALM='INET.EXAMPLE.COM'
DOMAIN_ADMIN='administrator'

aptitude -y install krb5-user samba sssd ntp

# Time sync against the domain's NTP servers (Kerberos needs closely matching clocks)
cat > /etc/ntp.conf <<EOF
server ntp.inet.activarsas.com
server ntp_bak.inet.activarsas.com
EOF

# Samba settings used by "net ads join"
sed -i "s&workgroup = WORKGROUP&\t workgroup = $DOMAIN \n\t client signing = yes \n\t client use spnego = yes \n\t kerberos method = secrets and keytab \n\t realm = $REALM \n\t security = ads&g" /etc/samba/smb.conf

# SSSD: AD as both identity and access provider
cat > /etc/sssd/sssd.conf <<EOF
[sssd]
services = nss, pam
config_file_version = 2
domains = $REALM

[nss]
default_shell = /bin/bash

[domain/$REALM]
id_provider = ad
access_provider = ad
override_homedir = /home/%u
cache_credentials = true
EOF
chmod 600 /etc/sssd/sssd.conf

# Give the host a fully qualified name inside the realm
fqdn=$(hostname).$REALM
echo "127.0.0.1 $fqdn $(hostname) localhost" > /etc/hosts
systemctl restart systemd-hostnamed

# PAM profile that creates the home directory on first login
cat > /usr/share/pam-configs/mkhomedir <<EOF
Name: Create home directory on login
Default: no
Priority: 0
Session-Type: Additional
Session-Interactive-Only: yes
Session:
	optional pam_mkhomedir.so umask=077 skel=/etc/skel
EOF
pam-auth-update

# LightDM greeter: manual login only, no user list
echo "[SeatDefaults]
greeter-hide-users=true
greeter-show-remote-login=false
greeter-show-manual-login=true" > /usr/share/lightdm/lightdm.conf.d/50-domain.conf

systemctl restart ntp.service
systemctl restart smbd.service nmbd.service

# Get a ticket as the domain admin and join the machine to AD
kinit $DOMAIN_ADMIN
klist
net ads join -k
systemctl start sssd.service

# Allow members of "domain admins" to use sudo
sed -i '26i%domain^admins ALL=(ALL) ALL' /etc/sudoers
reboot
===============================

- Login with an AD account
- Lock screen
- Try to unlock screen --> Authentication error
- Top right corner -> Switch user
- Login with the same account --> Screen unlocks as expected

sudo cat /var/log/auth.log
===============================
May 4 17:06:06 uatlantico sssd_be: GSSAPI client step 1
May 4 17:06:06 uatlantico sssd_be: GSSAPI client step 1
May 4 17:06:08 uatlantico sssd_be: GSSAPI client step 1
May 4 17:06:08 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:06:08 uatlantico sssd_be: GSSAPI client step 2
May 4 17:06:22 uatlantico sudo: cvargasc : problem with defaults entries ; TTY=pts/2 ; PWD=/home/cvargasc ;
May 4 17:06:28 uatlantico sudo: pam_unix(sudo:auth): authentication failure; logname= uid=643401116 euid=0 tty=/dev/pts/2 ruser=cvargasc rhost= user=cvargasc
May 4 17:06:54 uatlantico sudo: pam_sss(sudo:auth): authentication success; logname= uid=643401116 euid=0 tty=/dev/pts/2 ruser=cvargasc rhost= user=cvargasc
May 4 17:06:54 uatlantico sudo: cvargasc : TTY=pts/2 ; PWD=/home/cvargasc ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
May 4 17:06:54 uatlantico sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
May 4 17:06:54 uatlantico sudo: pam_unix(sudo:session): session closed for user root
May 4 17:07:17 uatlantico sssd_be: GSSAPI client step 1
May 4 17:07:17 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:07:17 uatlantico sssd_be: GSSAPI client step 2
May 4 17:07:19 uatlantico sssd_be: GSSAPI client step 1
May 4 17:07:19 uatlantico sssd_be: message repeated 4 times: [ GSSAPI client step 1]
May 4 17:07:19 uatlantico sssd_be: GSSAPI client step 2
May 4 17:07:19 uatlantico sssd_be: GSSAPI client step 1
May 4 17:07:19 uatlantico sssd_be: GSSAPI client step 2
May 4 17:07:42 uatlantico compiz: pam_unix(unity:auth): authentication failure; logname= uid=643401116 euid=643401116 tty= ruser= rhost= user=cvargasc
May 4 17:07:43 uatlantico sssd_be: GSSAPI client step 1
May 4 17:07:43 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:14 uatlantico compiz: pam_sss(unity:auth): authentication success; logname= uid=643401116 euid=643401116 tty= ruser= rhost= user=cvargasc
May 4 17:08:14 uatlantico compiz: gkr-pam: unlocked login keyring
May 4 17:08:14 uatlantico compiz: pam_sss(unity:account): Access denied for user cvargasc: 6 (Permiso denegado)
May 4 17:08:31 uatlantico lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
May 4 17:08:31 uatlantico lightdm: PAM adding faulty module: pam_kwallet.so
May 4 17:08:31 uatlantico lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
May 4 17:08:31 uatlantico lightdm: PAM adding faulty module: pam_kwallet5.so
May 4 17:08:31 uatlantico lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
May 4 17:08:31 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:31 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:08:31 uatlantico sssd_be: GSSAPI client step 2
May 4 17:08:31 uatlantico systemd-logind[963]: New session c8 of user lightdm.
May 4 17:08:32 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:32 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:08:32 uatlantico sssd_be: GSSAPI client step 2
May 4 17:08:32 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:32 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:08:32 uatlantico sssd_be: GSSAPI client step 2
May 4 17:08:32 uatlantico lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
May 4 17:08:32 uatlantico lightdm: PAM adding faulty module: pam_kwallet.so
May 4 17:08:32 uatlantico lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
May 4 17:08:32 uatlantico lightdm: PAM adding faulty module: pam_kwallet5.so
May 4 17:08:33 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:33 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:08:33 uatlantico sssd_be: GSSAPI client step 2
May 4 17:08:35 uatlantico lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "cvargasc"
May 4 17:08:39 uatlantico lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=cvargasc
May 4 17:08:40 uatlantico lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=cvargasc
May 4 17:08:40 uatlantico lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
May 4 17:08:42 uatlantico sudo: cvargasc : problem with defaults entries ; TTY=pts/2 ; PWD=/home/cvargasc ;
May 4 17:08:42 uatlantico sudo: cvargasc : TTY=pts/2 ; PWD=/home/cvargasc ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
May 4 17:08:42 uatlantico sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
===============================

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: sssd 1.13.4-1ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-21.37-generic 4.4.6
Uname: Linux 4.4.0-21-generic x86_64
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Wed May 4 16:45:01 2016
InstallationDate: Installed on 2016-04-28 (6 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
JournalErrors:
 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
       Users in the 'systemd-journal' group can see all messages. Pass -q to
       turn off this notice.
 No journal files were opened due to insufficient permissions.
ProcEnviron:
 LANGUAGE=es_CO:es
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=es_CO.UTF-8
 SHELL=/bin/bash
SourcePackage: sssd
UpgradeStatus: No upgrade log present (probably fresh install)
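
Added example, not part of the original report or of sssd: a small triage helper that groups pam_sss results in auth.log by PAM service and phase. It makes visible what the log above shows, that the password is accepted for the "unity" service but the account phase then refuses access. The function names are assumptions of this example; the sample lines are taken from the excerpt above.

```python
import re
from collections import defaultdict

# Sample input: lines taken from the auth.log excerpt in the report.
SAMPLE_LOG = """\
May 4 17:06:28 uatlantico sudo: pam_unix(sudo:auth): authentication failure; logname= uid=643401116 euid=0 tty=/dev/pts/2 ruser=cvargasc rhost= user=cvargasc
May 4 17:06:54 uatlantico sudo: pam_sss(sudo:auth): authentication success; logname= uid=643401116 euid=0 tty=/dev/pts/2 ruser=cvargasc rhost= user=cvargasc
May 4 17:07:42 uatlantico compiz: pam_unix(unity:auth): authentication failure; logname= uid=643401116 euid=643401116 tty= ruser= rhost= user=cvargasc
May 4 17:08:14 uatlantico compiz: pam_sss(unity:auth): authentication success; logname= uid=643401116 euid=643401116 tty= ruser= rhost= user=cvargasc
May 4 17:08:14 uatlantico compiz: pam_sss(unity:account): Access denied for user cvargasc: 6 (Permiso denegado)
May 4 17:08:40 uatlantico lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=cvargasc
"""

# module(service:phase): message
PAM_LINE = re.compile(r"\b(pam_\w+)\(([\w-]+):(\w+)\): (.*)$")
USER_FIELD = re.compile(r"\buser=(\S+)")  # \b skips the "ruser=" field
# The trailing number is the PAM return code (6 is PAM_PERM_DENIED in Linux-PAM).
DENIED = re.compile(r"Access denied for user (\S+): (\d+)")

def pam_outcomes(log_text, module="pam_sss"):
    """Map (service, user) -> {phase: outcome} for one PAM module."""
    outcomes = defaultdict(dict)
    for line in log_text.splitlines():
        m = PAM_LINE.search(line)
        if not m or m.group(1) != module:
            continue
        _, service, phase, msg = m.groups()
        denied = DENIED.match(msg)
        if denied:
            outcomes[(service, denied.group(1))][phase] = "denied:" + denied.group(2)
        elif msg.startswith("authentication "):
            user = USER_FIELD.search(msg)
            if user:
                # "authentication success; ..." -> "success"
                outcomes[(service, user.group(1))][phase] = msg.split(";")[0].split()[1]
    return dict(outcomes)

def auth_ok_but_account_denied(log_text):
    """Services where pam_sss accepted the password but refused the account phase."""
    return sorted(
        (service, user, phases["account"])
        for (service, user), phases in pam_outcomes(log_text).items()
        if phases.get("auth") == "success"
        and phases.get("account", "").startswith("denied")
    )

if __name__ == "__main__":
    for service, user, result in auth_ok_but_account_denied(SAMPLE_LOG):
        print(f"{service}: auth ok for {user}, account phase {result}")
```

On the sample, only the unity service is reported; sudo and lightdm show a successful auth phase with no account-phase denial.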