PAM: smartcard owner isn't associated to user by default

Just as a reminder, I create a PPA with the proposed fix here:

https://launchpad.net/~sergiodj/+archive/ubuntu/sssd-bug1917362/+packages

Let me know when you can test it, and how the testing goes. Thanks!

Sergio, so thanks for this...

From a further check I've seen that the main case (card with single certificate) can be handled also without such commits, and I can't test the multiple-certificates case locally.

So we can avoid picking this of if needed SRU it, there's a unit test covering the case, so we can rely on it.

Thanks for the reply, Marco. Does this mean that we can close this bug for SSSD, then?

This bug will need to be SRUified if we want to fix it in hirsute. Otherwise, I could reject the pending upload and we leave hirsute as is and fix for II onwards?

Hi Iain,

AFAIK there is no pending upload to fix this bug on Hirsute -- is there? The only work I've done was to backport the patches mentioned in the Description and upload the package to a PPA. Unless Marco has made an upload, of course.

> Does this mean that we can close this bug for SSSD, then?

I think no, as still the problem stands with multi-certificates cards.
But I think we can fix it in II.

> Does this mean that we can close this bug for SSSD, then?

Yeah, I'm doing it now, I prefer to have at least the GDM side to be in Hirsute.

What work is being done to fix this in the development release of Ubuntu?

As expained in IRC:

23:42 <Trevinho> bdmurray: on https://bugs.launchpad.net/bugs/1917362 I did upload ages ago in hirsute (at the time, as impish wasn't open yet). But it has never been copied to impish (I feel)
23:42 <ubot3> Launchpad bug 1917362 in sssd (Ubuntu) "PAM: smartcard owner isn't associated to user by default" [Medium, Triaged]
23:43 <Trevinho> bdmurray: so ideally it should be copied the one that is in hirsute queue... I've no such powers on that pkg though

Ok, fix has been reuploaded to impish, with https://launchpad.net/ubuntu/+source/gdm3/3.38.2.1-3ubuntu2

Hello Marco, or anyone else affected,

Accepted gdm3 into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gdm3/3.38.2.1-3ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted gdm3 (3.38.2.1-3ubuntu1) for hirsute have finished running.
The following regressions have been reported in tests triggered by the package:

systemd/247.3-3ubuntu3 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/hirsute/update_excuses.html#gdm3

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

This bug was fixed in the package gdm3 - 3.38.2.1-3ubuntu2

---------------
gdm3 (3.38.2.1-3ubuntu2) impish; urgency=medium

  * Merge with debian
  * debian/gdm3.gdm-smartcard-*: Keep using user_readenv=1 in pam_env.so
  * Remaining changes with debian:
    + readme.debian: update for correct paths in ubuntu
    + control.in:
      - don't recommend desktop-base
      - build depend on libgudev-1.0-dev
      - depend on bash for config_error_dialog.patch
      - update vcs field
    + rules:
      - don't override default user/group
      - -dgdm-xsession=true to install upstream xsession script
      - override dh_installinit with --no-start to avoid session being killed
    + rules, readme.debian, gdm3.8.pod:
      use upstream custom.conf instead of daemon.conf
    + gdm3.{postinst,postrm}: rename user and group back to gdm
    + gdm3.*.pam: make pam_env read ~/.pam_environment, as we use in g-c-c
      settings
    + gdm3.install:
      - stop installing default.desktop. it adds unnecessary clutter
        ("system default") to the session chooser.
      - don't install debian/xsession
    + add run_xsession.d.patch
    + add xresources_is_a_dir.patch
      - fix loading from /etc/x11/xresources/*
    + add nvidia_prime.patch:
      - add hook to run prime-offload (as root) and prime-switch if
        nvidia-prime is installed
    + add revert_override_lang_with_accountservices.patch:
      - on ubuntu accountservices only stores the language and not the
        full locale as needed by lang.
    + add dont_set_language_env.patch:
      - don't run the set_up_session_language() function, since it
        overrides variable values set by ~/.pam_environment
    + add config_error_dialog.patch:
      - show warning dialog in case of error in ~/.profile etc. and
        don't let a syntax error make the login fail
    + add debian/patches/revert_nvidia_wayland_blacklist.patch:
      - don't blacklist nvidia for wayland
    + add gdm3.service-wait-for-drm-device-before-trying-to-start-i.patch:
      - wait for the first valid gdm device on pre-start
    + add debian/default.pa
      - disable bluetooth audio devices in pulseaudio from gdm3.
    + debian/gdm3.install
      - added details of the default.pa file
    + debian/gdm3.postinst
      - added installation of default.pa and creation of dir if it doesn't
        exist.
    + debian/greeter.dconf-defaults: don't set debian settings in the
      greeter's dconf db

 -- Marco Trevisan (Treviño) <email address hidden> Thu, 15 Apr 2021 18:14:18 +0100

The Hirsute Hippo has reached End of Life, so this bug will not be fixed for that release.