This is on RHEL8.0.

Logging into GNOME with a smartcard results in username environment variables 
containing the domain:

$ env
....
[email protected]
[email protected]
[email protected]
...

GDM debug log shows:

Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: 
state AUTHENTICATED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: 
trying to get updated username
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: 
username is '[email protected]'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: 
old-username='[email protected]' new-username='[email protected]'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
ActUserManager: Found object path of user '[email protected]': 
/org/freedesktop/Accounts/User60483
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
ActUserManager: finding user '[email protected]' state 3
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
ActUserManager: user '[email protected]' fetched
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
ActUserManager: user a001329 is now loaded
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
ActUserManager: user a001329 was not yet known, adding it
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
ActUserManager: tracking user 'a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
ActUserManager: not yet loaded, so not emitting user-added signal
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
ActUserManager: no pending users, trying to set loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
ActUserManager: already loaded, so not setting loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
ActUserManager: finished handling request for user '[email protected]'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
ActUserManager: unrefing manager owned by fetch user request
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: 
attempting to change state to AUTHORIZED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: 
determining if authenticated user (password required:0) is authorized to session
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: 
state AUTHORIZED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: 
attempting to change state to ACCREDITED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: 
Set PAM environment variable: '[email protected]'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: 
Set PAM environment variable: '[email protected]'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: 
Set PAM environment variable: '[email protected]'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: 
Set PAM environment variable: 'HOME=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: 
Set PAM environment variable: 'PWD=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: 
Set PAM environment variable: 'SHELL=/bin/bash'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: 
Set PAM environment variable: 
'PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin'

So it seems GDM gets the username with the domain part from the PAM stack - 
i.e. pam_sss.

So, I don't understand why sssd seems to pass the username with the domain part 
to the PAM stack. Some bad config on my part, or a bug?

sssd_pam debug log:

https://pastebin.com/raw/dQeLCNsF

Adam Winberg
ITpc

SMHI
Phone 011-4958058 Fax 011-4958350
Email [email protected]
601 76 Norrköping Visiting address Folkborgsvägen 1
www.smhi.se
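
A quick way to confirm the symptom described above, as an added example that is not part of the original post: compare the login-name variables in a session's environment with the short account name that NSS returns for the uid. The variable names LOGNAME, USER and USERNAME are an assumption (the names are obscured in the post), the function names are hypothetical, and the sample user `jdoe` is constructed.

```bash
#!/usr/bin/env bash
# Added example: flag login-name variables that differ from the short account name.
# Assumption: the affected variables are LOGNAME, USER and USERNAME.

# find_qualified_names SHORT_NAME
# Reads NAME=value lines on stdin, prints each login-name variable whose value
# is not exactly SHORT_NAME, and returns 1 if any was printed.
find_qualified_names() {
    local short="$1" line name value rc=0
    while IFS= read -r line; do
        case "$line" in
            *=*) ;;            # only NAME=value lines are considered
            *) continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        case "$name" in
            LOGNAME|USER|USERNAME)
                if [ "$value" != "$short" ]; then
                    printf '%s=%s\n' "$name" "$value"
                    rc=1
                fi
                ;;
        esac
    done
    return "$rc"
}

# Constructed sample of an affected session environment (not taken from the post).
sample_env() {
    cat <<'EOF'
LOGNAME=jdoe@ad.example.com
USER=jdoe@ad.example.com
USERNAME=jdoe@ad.example.com
HOME=/home/jdoe
SHELL=/bin/bash
EOF
}

# Live check: compare the current environment with the passwd name for this uid.
check_current_session() {
    env | find_qualified_names "$(id -un)"
}

sample_env | find_qualified_names jdoe || echo "login variables differ from the short name"
```

Run `check_current_session` inside the graphical session and again over SSH or on a console login to see whether only the GDM smartcard path is affected.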