[Desktop-packages] [Bug 1917362] Re: PAM: smartcard owner isn't associated to user by default
** Also affects: sssd (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: gdm3 (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: gdm3 (Ubuntu Focal) Status: New => In Progress ** Changed in: sssd (Ubuntu Focal) Status: New => In Progress ** Changed in: sssd (Ubuntu Focal) Assignee: (unassigned) => Marco Trevisan (Treviño) (3v1n0) ** Changed in: sssd (Ubuntu Focal) Importance: Undecided => Medium ** Changed in: gdm3 (Ubuntu Focal) Importance: Undecided => Medium ** Changed in: gdm3 (Ubuntu Focal) Assignee: (unassigned) => Marco Trevisan (Treviño) (3v1n0) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gdm3 in Ubuntu. https://bugs.launchpad.net/bugs/1917362 Title: PAM: smartcard owner isn't associated to user by default Status in sssd: Fix Released Status in gdm3 package in Ubuntu: Fix Released Status in sssd package in Ubuntu: Fix Released Status in gdm3 source package in Focal: In Progress Status in sssd source package in Focal: In Progress Status in gdm3 source package in Hirsute: Won't Fix Status in sssd source package in Hirsute: Won't Fix Bug description: [ Impact ] Smartcard user is not selected automatically when inserting a smartcard [ Test case ] Insert a smartcard that has an user associated to it: -> gdm is expected to select the user associated to it and start the authentication requesting the card PIN, without having to explicitly write the username. [ Regression potential ] PAM configuration for smartcard changed the order [1] we check the services, so: - if a /var/run/nologin the user will be denied for accessing the system only after that the PIN has been inserted. - root may be an allowed user, if associated to a smartcard (even though we trust SSSD PAM module and configuration explicitly disallows it). [1] https://salsa.debian.org/gnome- team/gdm/-/compare/90e71bd4...d32be2e5 --- There's a SSSD side of this fix (for the carts with multiple certificates) that is part of 2.4.1 and should be handled by https://github.com/SSSD/sssd/pull/5401/ (+ commit https://github.com/SSSD/sssd/commit/4ea1739d09b) GDM should instead handle empty users properly both in the PAM config and sending the info back to gnome-shell. To manage notifications about this bug go to: https://bugs.launchpad.net/sssd/+bug/1917362/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1917362] Re: PAM: smartcard owner isn't associated to user by default
The Hirsute Hippo has reached End of Life, so this bug will not be fixed for that release. ** Changed in: gdm3 (Ubuntu Hirsute) Status: Fix Committed => Won't Fix -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gdm3 in Ubuntu. https://bugs.launchpad.net/bugs/1917362 Title: PAM: smartcard owner isn't associated to user by default Status in sssd: Fix Released Status in gdm3 package in Ubuntu: Fix Released Status in sssd package in Ubuntu: Fix Released Status in gdm3 source package in Hirsute: Won't Fix Status in sssd source package in Hirsute: Won't Fix Bug description: [ Impact ] Smartcard user is not selected automatically when inserting a smartcard [ Test case ] Insert a smartcard that has an user associated to it: -> gdm is expected to select the user associated to it and start the authentication requesting the card PIN, without having to explicitly write the username. [ Regression potential ] PAM configuration for smartcard changed the order [1] we check the services, so: - if a /var/run/nologin the user will be denied for accessing the system only after that the PIN has been inserted. - root may be an allowed user, if associated to a smartcard (even though we trust SSSD PAM module and configuration explicitly disallows it). [1] https://salsa.debian.org/gnome- team/gdm/-/compare/90e71bd4...d32be2e5 --- There's a SSSD side of this fix (for the carts with multiple certificates) that is part of 2.4.1 and should be handled by https://github.com/SSSD/sssd/pull/5401/ (+ commit https://github.com/SSSD/sssd/commit/4ea1739d09b) GDM should instead handle empty users properly both in the PAM config and sending the info back to gnome-shell. To manage notifications about this bug go to: https://bugs.launchpad.net/sssd/+bug/1917362/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1917362] Re: PAM: smartcard owner isn't associated to user by default
The Hirsute Hippo has reached End of Life, so this bug will not be fixed for that release. ** Changed in: sssd (Ubuntu Hirsute) Status: Triaged => Won't Fix -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gdm3 in Ubuntu. https://bugs.launchpad.net/bugs/1917362 Title: PAM: smartcard owner isn't associated to user by default Status in sssd: Fix Released Status in gdm3 package in Ubuntu: Fix Released Status in sssd package in Ubuntu: Fix Released Status in gdm3 source package in Hirsute: Won't Fix Status in sssd source package in Hirsute: Won't Fix Bug description: [ Impact ] Smartcard user is not selected automatically when inserting a smartcard [ Test case ] Insert a smartcard that has an user associated to it: -> gdm is expected to select the user associated to it and start the authentication requesting the card PIN, without having to explicitly write the username. [ Regression potential ] PAM configuration for smartcard changed the order [1] we check the services, so: - if a /var/run/nologin the user will be denied for accessing the system only after that the PIN has been inserted. - root may be an allowed user, if associated to a smartcard (even though we trust SSSD PAM module and configuration explicitly disallows it). [1] https://salsa.debian.org/gnome- team/gdm/-/compare/90e71bd4...d32be2e5 --- There's a SSSD side of this fix (for the carts with multiple certificates) that is part of 2.4.1 and should be handled by https://github.com/SSSD/sssd/pull/5401/ (+ commit https://github.com/SSSD/sssd/commit/4ea1739d09b) GDM should instead handle empty users properly both in the PAM config and sending the info back to gnome-shell. To manage notifications about this bug go to: https://bugs.launchpad.net/sssd/+bug/1917362/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1917362] Re: PAM: smartcard owner isn't associated to user by default
** Changed in: sssd (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gdm3 in Ubuntu. https://bugs.launchpad.net/bugs/1917362 Title: PAM: smartcard owner isn't associated to user by default Status in sssd: Fix Released Status in gdm3 package in Ubuntu: Fix Released Status in sssd package in Ubuntu: Fix Released Status in gdm3 source package in Hirsute: Fix Committed Status in sssd source package in Hirsute: Triaged Bug description: [ Impact ] Smartcard user is not selected automatically when inserting a smartcard [ Test case ] Insert a smartcard that has an user associated to it: -> gdm is expected to select the user associated to it and start the authentication requesting the card PIN, without having to explicitly write the username. [ Regression potential ] PAM configuration for smartcard changed the order [1] we check the services, so: - if a /var/run/nologin the user will be denied for accessing the system only after that the PIN has been inserted. - root may be an allowed user, if associated to a smartcard (even though we trust SSSD PAM module and configuration explicitly disallows it). [1] https://salsa.debian.org/gnome- team/gdm/-/compare/90e71bd4...d32be2e5 --- There's a SSSD side of this fix (for the carts with multiple certificates) that is part of 2.4.1 and should be handled by https://github.com/SSSD/sssd/pull/5401/ (+ commit https://github.com/SSSD/sssd/commit/4ea1739d09b) GDM should instead handle empty users properly both in the PAM config and sending the info back to gnome-shell. To manage notifications about this bug go to: https://bugs.launchpad.net/sssd/+bug/1917362/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1917362] Re: PAM: smartcard owner isn't associated to user by default
This bug was fixed in the package gdm3 - 3.38.2.1-3ubuntu2
---
gdm3 (3.38.2.1-3ubuntu2) impish; urgency=medium
* Merge with debian
* debian/gdm3.gdm-smartcard-*: Keep using user_readenv=1 in pam_env.so
* Remaining changes with debian:
+ readme.debian: update for correct paths in ubuntu
+ control.in:
- don't recommend desktop-base
- build depend on libgudev-1.0-dev
- depend on bash for config_error_dialog.patch
- update vcs field
+ rules:
- don't override default user/group
- -dgdm-xsession=true to install upstream xsession script
- override dh_installinit with --no-start to avoid session being killed
+ rules, readme.debian, gdm3.8.pod:
use upstream custom.conf instead of daemon.conf
+ gdm3.{postinst,postrm}: rename user and group back to gdm
+ gdm3.*.pam: make pam_env read ~/.pam_environment, as we use in g-c-c
settings
+ gdm3.install:
- stop installing default.desktop. it adds unnecessary clutter
("system default") to the session chooser.
- don't install debian/xsession
+ add run_xsession.d.patch
+ add xresources_is_a_dir.patch
- fix loading from /etc/x11/xresources/*
+ add nvidia_prime.patch:
- add hook to run prime-offload (as root) and prime-switch if
nvidia-prime is installed
+ add revert_override_lang_with_accountservices.patch:
- on ubuntu accountservices only stores the language and not the
full locale as needed by lang.
+ add dont_set_language_env.patch:
- don't run the set_up_session_language() function, since it
overrides variable values set by ~/.pam_environment
+ add config_error_dialog.patch:
- show warning dialog in case of error in ~/.profile etc. and
don't let a syntax error make the login fail
+ add debian/patches/revert_nvidia_wayland_blacklist.patch:
- don't blacklist nvidia for wayland
+ add gdm3.service-wait-for-drm-device-before-trying-to-start-i.patch:
- wait for the first valid gdm device on pre-start
+ add debian/default.pa
- disable bluetooth audio devices in pulseaudio from gdm3.
+ debian/gdm3.install
- added details of the default.pa file
+ debian/gdm3.postinst
- added installation of default.pa and creation of dir if it doesn't
exist.
+ debian/greeter.dconf-defaults: don't set debian settings in the
greeter's dconf db
-- Marco Trevisan (Treviño) Thu, 15 Apr 2021
18:14:18 +0100
** Changed in: gdm3 (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gdm3 in Ubuntu.
https://bugs.launchpad.net/bugs/1917362
Title:
PAM: smartcard owner isn't associated to user by default
Status in sssd:
Fix Released
Status in gdm3 package in Ubuntu:
Fix Released
Status in sssd package in Ubuntu:
Triaged
Status in gdm3 source package in Hirsute:
Fix Committed
Status in sssd source package in Hirsute:
Triaged
Bug description:
[ Impact ]
Smartcard user is not selected automatically when inserting a
smartcard
[ Test case ]
Insert a smartcard that has an user associated to it:
-> gdm is expected to select the user associated to it and start the
authentication
requesting the card PIN, without having to explicitly write the username.
[ Regression potential ]
PAM configuration for smartcard changed the order [1] we check the services,
so:
- if a /var/run/nologin the user will be denied for accessing the system only
after that the PIN has been inserted.
- root may be an allowed user, if associated to a smartcard (even though we
trust SSSD
PAM module and configuration explicitly disallows it).
[1] https://salsa.debian.org/gnome-
team/gdm/-/compare/90e71bd4...d32be2e5
---
There's a SSSD side of this fix (for the carts with multiple certificates)
that is part of 2.4.1 and should be handled by
https://github.com/SSSD/sssd/pull/5401/
(+ commit https://github.com/SSSD/sssd/commit/4ea1739d09b)
GDM should instead handle empty users properly both in the PAM config
and sending the info back to gnome-shell.
To manage notifications about this bug go to:
https://bugs.launchpad.net/sssd/+bug/1917362/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1917362] Re: PAM: smartcard owner isn't associated to user by default
Ok, fix has been reuploaded to impish, with https://launchpad.net/ubuntu/+source/gdm3/3.38.2.1-3ubuntu2 ** Changed in: gdm3 (Ubuntu) Status: Incomplete => Fix Committed ** Also affects: sssd (Ubuntu Hirsute) Importance: Undecided Status: New ** Also affects: gdm3 (Ubuntu Hirsute) Importance: Undecided Status: New ** Changed in: gdm3 (Ubuntu Hirsute) Importance: Undecided => Medium ** Changed in: gdm3 (Ubuntu Hirsute) Status: New => Fix Committed ** Changed in: gdm3 (Ubuntu Hirsute) Assignee: (unassigned) => Marco Trevisan (Treviño) (3v1n0) ** Changed in: sssd (Ubuntu Hirsute) Importance: Undecided => Medium ** Changed in: sssd (Ubuntu Hirsute) Status: New => Triaged ** Changed in: sssd (Ubuntu Hirsute) Assignee: (unassigned) => Sergio Durigan Junior (sergiodj) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gdm3 in Ubuntu. https://bugs.launchpad.net/bugs/1917362 Title: PAM: smartcard owner isn't associated to user by default Status in sssd: Fix Released Status in gdm3 package in Ubuntu: Fix Committed Status in sssd package in Ubuntu: Triaged Status in gdm3 source package in Hirsute: Fix Committed Status in sssd source package in Hirsute: Triaged Bug description: [ Impact ] Smartcard user is not selected automatically when inserting a smartcard [ Test case ] Insert a smartcard that has an user associated to it: -> gdm is expected to select the user associated to it and start the authentication requesting the card PIN, without having to explicitly write the username. [ Regression potential ] PAM configuration for smartcard changed the order [1] we check the services, so: - if a /var/run/nologin the user will be denied for accessing the system only after that the PIN has been inserted. - root may be an allowed user, if associated to a smartcard (even though we trust SSSD PAM module and configuration explicitly disallows it). [1] https://salsa.debian.org/gnome- team/gdm/-/compare/90e71bd4...d32be2e5 --- There's a SSSD side of this fix (for the carts with multiple certificates) that is part of 2.4.1 and should be handled by https://github.com/SSSD/sssd/pull/5401/ (+ commit https://github.com/SSSD/sssd/commit/4ea1739d09b) GDM should instead handle empty users properly both in the PAM config and sending the info back to gnome-shell. To manage notifications about this bug go to: https://bugs.launchpad.net/sssd/+bug/1917362/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
