Public bug reported:

It is not possible to unlock the screen or gain elevated privileges from
the GUI using an Active Directory account through SSSD. Authentication
and sudo work as expected from the console and LightDM.

How to reproduce:
- Xenial clean install
- Join AD using sssd (domain_join.sh)

===============================
#!/bin/bash
# Joins a clean Xenial install to the AD domain with samba + sssd (attached as domain_join.sh).
DOMAIN='INET'
REALM='INET.EXAMPLE.COM'
DOMAIN_ADMIN='administrator'

aptitude -y install krb5-user samba sssd ntp

# Kerberos needs a synced clock: point ntp at the domain time sources
cat > /etc/ntp.conf <<EOF
server ntp.inet.activarsas.com
server ntp_bak.inet.activarsas.com
EOF

# Replace the default workgroup line in smb.conf with the ADS member settings
sed -i "s&workgroup = WORKGROUP&\t workgroup = $DOMAIN \n\t client signing = yes \n\t client use spnego = yes \n\t kerberos method = secrets and keytab \n\t realm = $REALM \n\t security = ads&g" /etc/samba/smb.conf

# sssd: AD backend for both identity and access control
cat > /etc/sssd/sssd.conf <<EOF
[sssd]
services = nss, pam
config_file_version = 2
domains = $REALM

[nss]
default_shell = /bin/bash

[domain/$REALM]
id_provider = ad
access_provider = ad
override_homedir = /home/%u
cache_credentials = true
EOF
chmod 600 /etc/sssd/sssd.conf

# The host must resolve its own FQDN in the realm before joining
fqdn=$(hostname).$REALM
echo "127.0.0.1 $fqdn $(hostname) localhost" > /etc/hosts
systemctl restart systemd-hostnamed

# PAM profile: create the home directory on first interactive login
cat > /usr/share/pam-configs/mkhomedir <<EOF
Name: Create home directory on login
Default: no
Priority: 0
Session-Type: Additional
Session-Interactive-Only: yes
Session:
        optional                        pam_mkhomedir.so umask=077 skel=/etc/skel
EOF
pam-auth-update

# LightDM: hide the local user list and offer a manual login box for domain accounts
echo "[SeatDefaults]
greeter-hide-users=true
greeter-show-remote-login=false
greeter-show-manual-login=true" > /usr/share/lightdm/lightdm.conf.d/50-domain.conf

systemctl restart ntp.service
systemctl restart smbd.service nmbd.service

# Obtain a domain admin ticket and join using it (-k = use the Kerberos credential)
kinit $DOMAIN_ADMIN
klist
net ads join -k

systemctl start sssd.service

# Grant sudo to the AD "domain admins" group (space written as ^ for sudoers);
# the hard-coded line number assumes the stock Xenial /etc/sudoers
sed -i '26i%domain^admins ALL=(ALL) ALL' /etc/sudoers

reboot
===============================

- Login with an AD account
- Lock screen
- Try to unlock screen --> Authentication error
- Top right corner -> Switch user
- Login with the same account --> Screen unlocks as expected

sudo cat /var/log/auth.log
===============================
May  4 17:06:06 uatlantico sssd_be: GSSAPI client step 1
May  4 17:06:06 uatlantico sssd_be: GSSAPI client step 1
May  4 17:06:08 uatlantico sssd_be: GSSAPI client step 1
May  4 17:06:08 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May  4 17:06:08 uatlantico sssd_be: GSSAPI client step 2
May  4 17:06:22 uatlantico sudo: cvargasc : problem with defaults entries ; TTY=pts/2 ; PWD=/home/cvargasc ;
May  4 17:06:28 uatlantico sudo: pam_unix(sudo:auth): authentication failure; logname= uid=643401116 euid=0 tty=/dev/pts/2 ruser=cvargasc rhost=  user=cvargasc
May  4 17:06:54 uatlantico sudo: pam_sss(sudo:auth): authentication success; logname= uid=643401116 euid=0 tty=/dev/pts/2 ruser=cvargasc rhost= user=cvargasc
May  4 17:06:54 uatlantico sudo: cvargasc : TTY=pts/2 ; PWD=/home/cvargasc ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
May  4 17:06:54 uatlantico sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
May  4 17:06:54 uatlantico sudo: pam_unix(sudo:session): session closed for user root
May  4 17:07:17 uatlantico sssd_be: GSSAPI client step 1
May  4 17:07:17 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May  4 17:07:17 uatlantico sssd_be: GSSAPI client step 2
May  4 17:07:19 uatlantico sssd_be: GSSAPI client step 1
May  4 17:07:19 uatlantico sssd_be: message repeated 4 times: [ GSSAPI client step 1]
May  4 17:07:19 uatlantico sssd_be: GSSAPI client step 2
May  4 17:07:19 uatlantico sssd_be: GSSAPI client step 1
May  4 17:07:19 uatlantico sssd_be: GSSAPI client step 2
May  4 17:07:42 uatlantico compiz: pam_unix(unity:auth): authentication failure; logname= uid=643401116 euid=643401116 tty= ruser= rhost=  user=cvargasc
May  4 17:07:43 uatlantico sssd_be: GSSAPI client step 1
May  4 17:07:43 uatlantico sssd_be: GSSAPI client step 1
May  4 17:08:14 uatlantico compiz: pam_sss(unity:auth): authentication success; logname= uid=643401116 euid=643401116 tty= ruser= rhost= user=cvargasc
May  4 17:08:14 uatlantico compiz: gkr-pam: unlocked login keyring
May  4 17:08:14 uatlantico compiz: pam_sss(unity:account): Access denied for user cvargasc: 6 (Permiso denegado)
May  4 17:08:31 uatlantico lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
May  4 17:08:31 uatlantico lightdm: PAM adding faulty module: pam_kwallet.so
May  4 17:08:31 uatlantico lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
May  4 17:08:31 uatlantico lightdm: PAM adding faulty module: pam_kwallet5.so
May  4 17:08:31 uatlantico lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
May  4 17:08:31 uatlantico sssd_be: GSSAPI client step 1
May  4 17:08:31 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May  4 17:08:31 uatlantico sssd_be: GSSAPI client step 2
May  4 17:08:31 uatlantico systemd-logind[963]: New session c8 of user lightdm.
May  4 17:08:32 uatlantico sssd_be: GSSAPI client step 1
May  4 17:08:32 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May  4 17:08:32 uatlantico sssd_be: GSSAPI client step 2
May  4 17:08:32 uatlantico sssd_be: GSSAPI client step 1
May  4 17:08:32 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May  4 17:08:32 uatlantico sssd_be: GSSAPI client step 2
May  4 17:08:32 uatlantico lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
May  4 17:08:32 uatlantico lightdm: PAM adding faulty module: pam_kwallet.so
May  4 17:08:32 uatlantico lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
May  4 17:08:32 uatlantico lightdm: PAM adding faulty module: pam_kwallet5.so
May  4 17:08:33 uatlantico sssd_be: GSSAPI client step 1
May  4 17:08:33 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May  4 17:08:33 uatlantico sssd_be: GSSAPI client step 2
May  4 17:08:35 uatlantico lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "cvargasc"
May  4 17:08:39 uatlantico lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost=  user=cvargasc
May  4 17:08:40 uatlantico lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=cvargasc
May  4 17:08:40 uatlantico lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
May  4 17:08:42 uatlantico sudo: cvargasc : problem with defaults entries ; TTY=pts/2 ; PWD=/home/cvargasc ;
May  4 17:08:42 uatlantico sudo: cvargasc : TTY=pts/2 ; PWD=/home/cvargasc ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
May  4 17:08:42 uatlantico sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
===============================

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: sssd 1.13.4-1ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-21.37-generic 4.4.6
Uname: Linux 4.4.0-21-generic x86_64
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Wed May  4 16:45:01 2016
InstallationDate: Installed on 2016-04-28 (6 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
JournalErrors:
 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
       Users in the 'systemd-journal' group can see all messages. Pass -q to
       turn off this notice.
 No journal files were opened due to insufficient permissions.
ProcEnviron:
 LANGUAGE=es_CO:es
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=es_CO.UTF-8
 SHELL=/bin/bash
SourcePackage: sssd
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: sssd (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug xenial

** Attachment added: "domain_join.sh"
   https://bugs.launchpad.net/bugs/1578415/+attachment/4655965/+files/domain_join.sh
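Added triage helper, not part of the report or of sssd: it parses the PAM verdict lines from the auth.log excerpt above and flags services where the password was accepted but the account phase then denied access, which is how the lock-screen failure shows up for `unity` while `lightdm` and `sudo` pass. The sample lines are constructed by copying from the excerpt; the "last module's verdict wins" rule per phase is a simplifying assumption about the PAM stack.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the auth.log excerpt in the report above.
SAMPLE_LOG = """\
May  4 17:06:28 uatlantico sudo: pam_unix(sudo:auth): authentication failure; logname= uid=643401116 euid=0 tty=/dev/pts/2 ruser=cvargasc rhost=  user=cvargasc
May  4 17:06:54 uatlantico sudo: pam_sss(sudo:auth): authentication success; logname= uid=643401116 euid=0 tty=/dev/pts/2 ruser=cvargasc rhost= user=cvargasc
May  4 17:07:42 uatlantico compiz: pam_unix(unity:auth): authentication failure; logname= uid=643401116 euid=643401116 tty= ruser= rhost=  user=cvargasc
May  4 17:08:14 uatlantico compiz: pam_sss(unity:auth): authentication success; logname= uid=643401116 euid=643401116 tty= ruser= rhost= user=cvargasc
May  4 17:08:14 uatlantico compiz: pam_sss(unity:account): Access denied for user cvargasc: 6 (Permiso denegado)
May  4 17:08:40 uatlantico lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=cvargasc
"""

# PAM result lines look like "<module>(<service>:<phase>): <message>"
PAM_RE = re.compile(r"(?P<module>pam_\w+)\((?P<service>[\w-]+):(?P<phase>\w+)\): (?P<msg>.*)")
USER_RE = re.compile(r"(?:\buser=|for user )(?P<user>[^\s:]+)")  # \b skips "ruser="
OUTCOMES = {"authentication success": "success", "authentication failure": "failure", "Access denied": "denied"}

def parse_pam_events(text):
    """One dict per PAM result line; GSSAPI chatter and non-PAM lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PAM_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        outcome = next((v for k, v in OUTCOMES.items() if msg.startswith(k)), "other")
        u = USER_RE.search(msg)
        events.append({"service": m.group("service"), "module": m.group("module"),
                       "phase": m.group("phase"), "outcome": outcome,
                       "user": u.group("user") if u else None})
    return events

def phase_verdicts(events):
    """Final verdict per service and phase. Assumption: a later module's verdict
    replaces an earlier one, so pam_sss succeeding after pam_unix failed is a success."""
    verdicts = defaultdict(dict)
    for e in events:
        if e["outcome"] != "other":  # session open/close and notices carry no verdict
            verdicts[e["service"]][e["phase"]] = e["outcome"]
    return dict(verdicts)

def account_denials_after_auth(events):
    """Services whose auth phase passed but whose account phase denied access."""
    v = phase_verdicts(events)
    return sorted(s for s, p in v.items()
                  if p.get("auth") == "success" and p.get("account") == "denied")
```

Run it over a full auth.log to see which PAM service (and which access_provider decision) is rejecting a user that the same backend just authenticated.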

https://bugs.launchpad.net/bugs/1578415

Title:
  Lockscreen access denied (AD auth via sssd)
