On Wed, Jun 05, 2019 at 02:01:23PM +0000, Winberg Adam wrote:
> This is on RHEL8.0.
> 
> Logging into gnome with a smartcard results in username environment variables 
> containing the domain:
> 
> $ env
> ....
> [email protected]
> [email protected]
> [email protected]
> ...
> 
> GDM debug log shows:
> 
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: 
> GdmSessionWorker: state AUTHENTICATED
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: 
> GdmSessionWorker: trying to get updated username
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: 
> GdmSessionWorker: username is '[email protected]'
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: 
> GdmSessionWorker: old-username='[email protected]' 
> new-username='[email protected]'
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
> ActUserManager: Found object path of user '[email protected]': 
> /org/freedesktop/Accounts/User60483
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
> ActUserManager: finding user '[email protected]' state 3
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
> ActUserManager: user '[email protected]' fetched
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
> ActUserManager: user a001329 is now loaded
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
> ActUserManager: user a001329 was not yet known, adding it
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
> ActUserManager: tracking user 'a001329'
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
> ActUserManager: not yet loaded, so not emitting user-added signal
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
> ActUserManager: no pending users, trying to set loaded property
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
> ActUserManager: already loaded, so not setting loaded property
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
> ActUserManager: finished handling request for user '[email protected]'
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: 
> ActUserManager: unrefing manager owned by fetch user request
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: 
> GdmSessionWorker: attempting to change state to AUTHORIZED
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: 
> GdmSessionWorker: determining if authenticated user (password required:0) is 
> authorized to session
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: 
> GdmSessionWorker: state AUTHORIZED
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: 
> GdmSessionWorker: attempting to change state to ACCREDITED
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: 
> GdmSessionWorker: Set PAM environment variable: 
> '[email protected]'
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: 
> GdmSessionWorker: Set PAM environment variable: '[email protected]'
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: 
> GdmSessionWorker: Set PAM environment variable: 
> '[email protected]'
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: 
> GdmSessionWorker: Set PAM environment variable: 'HOME=/home/a001329'
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: 
> GdmSessionWorker: Set PAM environment variable: 'PWD=/home/a001329'
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: 
> GdmSessionWorker: Set PAM environment variable: 'SHELL=/bin/bash'
> Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: 
> GdmSessionWorker: Set PAM environment variable: 
> 'PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin'
> 
> So it seems GDM gets the username with the domain part from the pam stack - 
> i.e. pam_sss.

Yes, pam_sss currently uses the fully-qualified user name to avoid confusion
if the smartcard contains certificates for users from different domains;
think of e.g. Administrator users from different AD domains in a forest.

After a successful authentication the name is currently not replaced and
stays on the PAM stack.

Please open a bugzilla or pagure ticket to use the name returned e.g. by
'getent passwd'.

bye,
Sumit

> 
> So, I don't understand why sssd seems to pass the username with the domain part to 
> the pam stack? Some bad config on my part or a bug?
> 
> sssd_pam debug log:
> 
> https://pastebin.com/raw/dQeLCNsF
> 
> Adam Winberg
> ITpc
> 
> SMHI
> Phone 011-4958058 Fax 011-4958350
> Email [email protected]
> 601 76 Norrköping Visiting address Folkborgsvägen 1
> www.smhi.se

> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
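The check Sumit points at (take the canonical name from 'getent passwd' rather than from the PAM stack) as a small script, added here as an example and not taken from the thread or from sssd/GDM. It assumes getent is on the host, that the three session variables GDM sets from PAM are USER, LOGNAME and USERNAME (the names in the quoted log are masked, so that is an assumption), and that the sssd-backed account resolves through NSS the same way it did in the log above.

```shell
#!/bin/sh
# Added example (not from the thread): compare the login names PAM placed in a
# GDM session's environment with the canonical pw_name that `getent passwd`
# returns for the same account.

# Print the canonical account name for NAME exactly as the NSS/sssd lookup
# returns it. Empty output means the name does not resolve at all.
canonical_name() {
    getent passwd "$1" | cut -d: -f1
}

# Classify one PAM-supplied name. Prints a one-line verdict and returns:
#   0 - the name matches the canonical pw_name
#   1 - the name resolves, but to a differently spelled pw_name
#       (the fully-qualified vs. short-name situation from the thread)
#   2 - the name does not resolve
check_name() {
    name=$1
    canon=$(canonical_name "$name")
    if [ -z "$canon" ]; then
        printf 'UNKNOWN  %s does not resolve via getent passwd\n' "$name"
        return 2
    fi
    if [ "$name" != "$canon" ]; then
        printf 'MISMATCH %s resolves to pw_name %s\n' "$name" "$canon"
        return 1
    fi
    printf 'OK       %s\n' "$name"
    return 0
}

# Check the session variables assumed to carry the PAM-supplied user name.
# Returns the last non-zero verdict, 0 if every set variable is canonical.
check_session_env() {
    rc=0
    for var in USER LOGNAME USERNAME; do
        eval "val=\${$var:-}"
        [ -n "$val" ] || continue
        check_name "$val" || rc=$?
    done
    return $rc
}

# Run it inside the affected desktop session: `sh ./check_session_env.sh`
check_session_env
```

Note that the verdict depends on how sssd is configured: with `use_fully_qualified_names = True` getent itself returns the qualified form, so a qualified USER is reported as OK, which is the intended behaviour in that setup. The MISMATCH case is the one Sumit describes, where getent returns the short name but PAM left the qualified one in place.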