Public bug reported:
Starting with GNOME 49, GNOME is using dynamic `gdm-greeter-X` users, see
[1][2]. These dynamic accounts are not supported by `pam_localuser.so`
[3] while arguably being local. There is a question about whether this
should be fixed on the sssd side or the pam side.
`/usr/share/pam-configs/sss`
```
Name: SSS authentication
Default: yes
Priority: 128
[...]
Account:
sufficient pam_localuser.so
[default=bad success=ok user_unknown=ignore] pam_sss.so
```
As far as I understand, the `pam_localuser` line should authorize the
`gdm-greeter` user and not continue to `pam_sss`. This issue is however
generally non-blocking since there is `user_unknown=ignore`.
Here is what I can see in the logs on 26.04 (sssd 2.12.0-1ubuntu5):
```
gdm-launch-environment][3324]: pam_sss(gdm-launch-environment:account): Access
denied for user gdm-greeter: 10 (User not known to the underlying
authentication module)
```
[1] https://gitlab.gnome.org/GNOME/gdm/-/merge_requests/289
[2] https://blogs.gnome.org/adrianvovk/2025/06/10/gnome-systemd-dependencies/
[3] https://github.com/linux-pam/linux-pam/blob/032fea2c978dfd00cf8b5778ae5441950b16357c/modules/pam_localuser/pam_localuser.c#L93
** Affects: sssd (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2151186
Title:
pam-configs/sss (pam_localuser.so) does not allow systemd dynamic
users like gdm-greeter
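
Added example (not part of the bug report, and not sssd or Linux-PAM code): a small Python model of the two Account lines quoted above, tracing which modules run for a name that has a passwd entry, a dynamic name such as `gdm-greeter` that has none, and a directory-backed name. The module return values, the sample passwd text and the account names `alice` and `bob` are assumptions of the model; `sufficient` is expanded to its documented bracket form.

```python
# Added illustration: models only the two Account lines quoted in the report.
# "sufficient" is shorthand for this bracketed control (see pam.conf(5)).
SUFFICIENT = {"success": "done", "new_authtok_reqd": "done", "default": "ignore"}
SSS_CONTROL = {"default": "bad", "success": "ok", "user_unknown": "ignore"}

# Constructed sample data, not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SSSD_USERS = {"bob"}  # hypothetical directory-backed account


def pam_localuser(user, passwd_text):
    """Model (assumption): success only if the name has a passwd file entry."""
    names = {line.split(":", 1)[0] for line in passwd_text.splitlines() if line}
    return "success" if user in names else "perm_denied"


def pam_sss(user, sssd_users):
    """Model (assumption): names outside the SSSD domain give user_unknown (10)."""
    return "success" if user in sssd_users else "user_unknown"


def trace_account_stack(user, passwd_text=SAMPLE_PASSWD,
                        sssd_users=SAMPLE_SSSD_USERS):
    """Return [(module, result, action)] for each module that actually runs."""
    stack = [
        ("pam_localuser.so", SUFFICIENT, lambda: pam_localuser(user, passwd_text)),
        ("pam_sss.so", SSS_CONTROL, lambda: pam_sss(user, sssd_users)),
    ]
    trace = []
    for name, control, run in stack:
        result = run()
        # Look up the action for this return value, else fall back to default.
        action = control.get(result, control["default"])
        trace.append((name, result, action))
        if action == "done":  # a successful "sufficient" module ends the chain
            break
    return trace


if __name__ == "__main__":
    for user in ("alice", "gdm-greeter", "bob"):
        print(user, trace_account_stack(user))
```

In the trace for `gdm-greeter`, `pam_sss.so` is reached (which is where the logged "Access denied ... 10" message comes from) and its result is then ignored by `user_unknown=ignore`.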