2022-12-16 11:59:46 |
Neil Webster |
bug |
|
|
added bug |
2022-12-16 14:02:06 |
Neil Webster |
attachment added |
|
krb5_child.log https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1999884/+attachment/5635943/+files/krb5_child.log |
|
2022-12-16 14:02:23 |
Neil Webster |
attachment added |
|
syslog https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1999884/+attachment/5635944/+files/syslog |
|
2023-01-26 18:54:50 |
Marco Trevisan (Treviño) |
bug |
|
|
added subscriber Marco Trevisan (Treviño) |
2023-01-26 18:56:11 |
Marco Trevisan (Treviño) |
bug task added |
|
sssd (Ubuntu) |
|
2023-01-26 18:56:19 |
Marco Trevisan (Treviño) |
gdm3 (Ubuntu): importance |
Undecided |
High |
|
2023-01-26 18:56:21 |
Marco Trevisan (Treviño) |
sssd (Ubuntu): importance |
Undecided |
High |
|
2023-01-26 18:56:27 |
Marco Trevisan (Treviño) |
sssd (Ubuntu): status |
New |
Triaged |
|
2023-01-26 18:56:29 |
Marco Trevisan (Treviño) |
gdm3 (Ubuntu): status |
New |
Triaged |
|
2023-01-28 03:50:41 |
Marco Trevisan (Treviño) |
sssd (Ubuntu): status |
Triaged |
Incomplete |
|
2023-01-28 03:50:47 |
Marco Trevisan (Treviño) |
gdm3 (Ubuntu): assignee |
|
Marco Trevisan (Treviño) (3v1n0) |
|
2023-01-28 03:50:50 |
Marco Trevisan (Treviño) |
gdm3 (Ubuntu): status |
Triaged |
In Progress |
|
2023-01-28 03:51:06 |
Marco Trevisan (Treviño) |
nominated for series |
|
Ubuntu Jammy |
|
2023-01-28 03:51:06 |
Marco Trevisan (Treviño) |
bug task added |
|
sssd (Ubuntu Jammy) |
|
2023-01-28 03:51:06 |
Marco Trevisan (Treviño) |
bug task added |
|
gdm3 (Ubuntu Jammy) |
|
2023-01-28 03:51:06 |
Marco Trevisan (Treviño) |
nominated for series |
|
Ubuntu Kinetic |
|
2023-01-28 03:51:06 |
Marco Trevisan (Treviño) |
bug task added |
|
sssd (Ubuntu Kinetic) |
|
2023-01-28 03:51:06 |
Marco Trevisan (Treviño) |
bug task added |
|
gdm3 (Ubuntu Kinetic) |
|
2023-01-28 03:51:51 |
Marco Trevisan (Treviño) |
bug task deleted |
sssd (Ubuntu Jammy) |
|
|
2023-01-28 03:51:57 |
Marco Trevisan (Treviño) |
bug task deleted |
sssd (Ubuntu Kinetic) |
|
|
2023-01-28 04:06:55 |
Marco Trevisan (Treviño) |
description |
For information I've repeated this entire process on RHEL8 and it works there, it also was working upon last test on Ubuntu 20.04
Releases: 22.04 LTS and 22.10
Package Version (for reporting purposes): 43.0-1ubuntu1
Background:
System has been configured with sssd, krb5 and pkinit. All of these packages confirm a successful connection to the Active Directory Domain Controller. I have a YubiKey which has a CA generated certificate on it (with all required uses/capabilities including sign) and this is working fine on other systems.
Expected Behavior:
Insert YubiKey before boot. At the logon window press enter on the Username field. Select the certificate, enter PIN when prompted. Authenticate to desktop.
What is happening:
Insert YubiKey before boot. At the logon window press enter on the Username field. Select the certificate, enter PIN when prompted. Returns to Username field and does not log in.
Other:
This is a clean install of 22.10 updated to 16 Dec 2022. I also tried the same thing with 22.04 LTS just in case.
I have enabled level 6 logging on SSSD and can confirm that side of the entire process is fine. I can also log on with a password and do a kinit <username> and get a valid kerberos ticket.
With some systematic tests, I managed to pinpoint the login is failing after gdm-smartcard reports a successful login:
Dec 16 10:25:43 ubu-vm-2022 gdm-smartcard]: gkr-pam: stashed password to try later in open session
Dec 16 10:26:22 ubu-vm-2022 gdm-smartcard]: pam_sss(gdm-smartcard:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=bob@authenticate.me.uk
I did not have this problem on 20.04.
ProblemType: Bug
DistroRelease: Ubuntu 22.10
Package: gdm3 43.0-1ubuntu1
ProcVersionSignature: Ubuntu 5.19.0-26.27-generic 5.19.7
Uname: Linux 5.19.0-26-generic x86_64
ApportVersion: 2.23.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Fri Dec 16 11:43:25 2022
InstallationDate: Installed on 2022-12-16 (0 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020)
SourcePackage: gdm3
UpgradeStatus: No upgrade log present (probably fresh install) |
[ Impact ]
gdm-smartcard returns a Permission denied when logging in with an user name:
+ pamtester -v gdm-smartcard ubuntu authenticate
pamtester: invoking pam_start(gdm-smartcard, ubuntu, ...)
pamtester: performing operation - authenticate
PIN for Test Organization Root Tr Token:
pamtester: Permission denied
[ Test case ]
1. Use a smartcard to login in gdm
This can also be simulated via:
# Must be ran as user
sudo apt install pamtester
pamtester -v gdm-smartcard $USER authenticate
Expected output is
+ pamtester -v gdm-smartcard ubuntu authenticate
pamtester: invoking pam_start(gdm-smartcard, ubuntu, ...)
pamtester: performing operation - authenticate
PIN for Test Organization Sub Int Token:
pamtester: successfully authenticated
---
Alternatively, if no smartcard or hardware is available, this can be tested and simulated using these scripts (they will reset the system setup at each run, but it's suggested to run them in a VM, lxd container or in a test installation):
https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a
- sudo apt install gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin && \
sudo apt-mark auto gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin
- wget https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/sssd-gdm-smartcard-pam-auth-tester.sh
- sudo sssd-gdm-smartcard-pam-auth-tester.sh
The script will generate some fake CA authority, issue some certificates, will install them in some software-based smartcards (using softhsm2) and test that they work properly to login with gdm-smartcard.
Using `WAIT` environment variable set (to any value) will make it to restart gdm at each iteration so that an user can try to access, using the username that launched the script and the pin of 123456.
[ Regression Potential ]
A root user could access to pam_sss, however it's the responsibility of such module to block such access.
---
For information I've repeated this entire process on RHEL8 and it works there, it also was working upon last test on Ubuntu 20.04
Releases: 22.04 LTS and 22.10
Package Version (for reporting purposes): 43.0-1ubuntu1
Background:
System has been configured with sssd, krb5 and pkinit. All of these packages confirm a successful connection to the Active Directory Domain Controller. I have a YubiKey which has a CA generated certificate on it (with all required uses/capabilities including sign) and this is working fine on other systems.
Expected Behavior:
Insert YubiKey before boot. At the logon window press enter on the Username field. Select the certificate, enter PIN when prompted. Authenticate to desktop.
What is happening:
Insert YubiKey before boot. At the logon window press enter on the Username field. Select the certificate, enter PIN when prompted. Returns to Username field and does not log in.
Other:
This is a clean install of 22.10 updated to 16 Dec 2022. I also tried the same thing with 22.04 LTS just in case.
I have enabled level 6 logging on SSSD and can confirm that side of the entire process is fine. I can also log on with a password and do a kinit <username> and get a valid kerberos ticket.
With some systematic tests, I managed to pinpoint the login is failing after gdm-smartcard reports a successful login:
Dec 16 10:25:43 ubu-vm-2022 gdm-smartcard]: gkr-pam: stashed password to try later in open session
Dec 16 10:26:22 ubu-vm-2022 gdm-smartcard]: pam_sss(gdm-smartcard:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=bob@authenticate.me.uk
I did not have this problem on 20.04.
ProblemType: BugDistroRelease: Ubuntu 22.10
Package: gdm3 43.0-1ubuntu1
ProcVersionSignature: Ubuntu 5.19.0-26.27-generic 5.19.7
Uname: Linux 5.19.0-26-generic x86_64
ApportVersion: 2.23.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Fri Dec 16 11:43:25 2022
InstallationDate: Installed on 2022-12-16 (0 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020)SourcePackage: gdm3
UpgradeStatus: No upgrade log present (probably fresh install) |
|
2023-01-28 04:07:06 |
Marco Trevisan (Treviño) |
gdm3 (Ubuntu Jammy): assignee |
|
Marco Trevisan (Treviño) (3v1n0) |
|
2023-01-28 04:07:08 |
Marco Trevisan (Treviño) |
gdm3 (Ubuntu Kinetic): assignee |
|
Marco Trevisan (Treviño) (3v1n0) |
|
2023-01-28 04:07:12 |
Marco Trevisan (Treviño) |
gdm3 (Ubuntu Kinetic): status |
New |
In Progress |
|
2023-01-28 04:07:17 |
Marco Trevisan (Treviño) |
gdm3 (Ubuntu Jammy): status |
New |
In Progress |
|
2023-01-28 04:07:45 |
Marco Trevisan (Treviño) |
description |
[ Impact ]
gdm-smartcard returns a Permission denied when logging in with an user name:
+ pamtester -v gdm-smartcard ubuntu authenticate
pamtester: invoking pam_start(gdm-smartcard, ubuntu, ...)
pamtester: performing operation - authenticate
PIN for Test Organization Root Tr Token:
pamtester: Permission denied
[ Test case ]
1. Use a smartcard to login in gdm
This can also be simulated via:
# Must be ran as user
sudo apt install pamtester
pamtester -v gdm-smartcard $USER authenticate
Expected output is
+ pamtester -v gdm-smartcard ubuntu authenticate
pamtester: invoking pam_start(gdm-smartcard, ubuntu, ...)
pamtester: performing operation - authenticate
PIN for Test Organization Sub Int Token:
pamtester: successfully authenticated
---
Alternatively, if no smartcard or hardware is available, this can be tested and simulated using these scripts (they will reset the system setup at each run, but it's suggested to run them in a VM, lxd container or in a test installation):
https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a
- sudo apt install gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin && \
sudo apt-mark auto gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin
- wget https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/sssd-gdm-smartcard-pam-auth-tester.sh
- sudo sssd-gdm-smartcard-pam-auth-tester.sh
The script will generate some fake CA authority, issue some certificates, will install them in some software-based smartcards (using softhsm2) and test that they work properly to login with gdm-smartcard.
Using `WAIT` environment variable set (to any value) will make it to restart gdm at each iteration so that an user can try to access, using the username that launched the script and the pin of 123456.
[ Regression Potential ]
A root user could access to pam_sss, however it's the responsibility of such module to block such access.
---
For information I've repeated this entire process on RHEL8 and it works there, it also was working upon last test on Ubuntu 20.04
Releases: 22.04 LTS and 22.10
Package Version (for reporting purposes): 43.0-1ubuntu1
Background:
System has been configured with sssd, krb5 and pkinit. All of these packages confirm a successful connection to the Active Directory Domain Controller. I have a YubiKey which has a CA generated certificate on it (with all required uses/capabilities including sign) and this is working fine on other systems.
Expected Behavior:
Insert YubiKey before boot. At the logon window press enter on the Username field. Select the certificate, enter PIN when prompted. Authenticate to desktop.
What is happening:
Insert YubiKey before boot. At the logon window press enter on the Username field. Select the certificate, enter PIN when prompted. Returns to Username field and does not log in.
Other:
This is a clean install of 22.10 updated to 16 Dec 2022. I also tried the same thing with 22.04 LTS just in case.
I have enabled level 6 logging on SSSD and can confirm that side of the entire process is fine. I can also log on with a password and do a kinit <username> and get a valid kerberos ticket.
With some systematic tests, I managed to pinpoint the login is failing after gdm-smartcard reports a successful login:
Dec 16 10:25:43 ubu-vm-2022 gdm-smartcard]: gkr-pam: stashed password to try later in open session
Dec 16 10:26:22 ubu-vm-2022 gdm-smartcard]: pam_sss(gdm-smartcard:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=bob@authenticate.me.uk
I did not have this problem on 20.04.
ProblemType: BugDistroRelease: Ubuntu 22.10
Package: gdm3 43.0-1ubuntu1
ProcVersionSignature: Ubuntu 5.19.0-26.27-generic 5.19.7
Uname: Linux 5.19.0-26-generic x86_64
ApportVersion: 2.23.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Fri Dec 16 11:43:25 2022
InstallationDate: Installed on 2022-12-16 (0 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020)SourcePackage: gdm3
UpgradeStatus: No upgrade log present (probably fresh install) |
[ Impact ]
gdm-smartcard returns a Permission denied when logging in with an user name:
+ pamtester -v gdm-smartcard ubuntu authenticate
pamtester: invoking pam_start(gdm-smartcard, ubuntu, ...)
pamtester: performing operation - authenticate
PIN for Test Organization Root Tr Token:
pamtester: Permission denied
Using an empty user name works instead.
[ Test case ]
1. Use a smartcard to login in gdm
This can also be simulated via:
# Must be ran as user
sudo apt install pamtester
pamtester -v gdm-smartcard $USER authenticate
Expected output is
+ pamtester -v gdm-smartcard ubuntu authenticate
pamtester: invoking pam_start(gdm-smartcard, ubuntu, ...)
pamtester: performing operation - authenticate
PIN for Test Organization Sub Int Token:
pamtester: successfully authenticated
---
Alternatively, if no smartcard or hardware is available, this can be tested and simulated using these scripts (they will reset the system setup at each run, but it's suggested to run them in a VM, lxd container or in a test installation):
https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a
- sudo apt install gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin && \
sudo apt-mark auto gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin
- wget https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/sssd-gdm-smartcard-pam-auth-tester.sh
- sudo sssd-gdm-smartcard-pam-auth-tester.sh
The script will generate some fake CA authority, issue some certificates, will install them in some software-based smartcards (using softhsm2) and test that they work properly to login with gdm-smartcard.
Using `WAIT` environment variable set (to any value) will make it to restart gdm at each iteration so that an user can try to access, using the username that launched the script and the pin of 123456.
[ Regression Potential ]
A root user could access to pam_sss, however it's the responsibility of such module to block such access.
---
For information I've repeated this entire process on RHEL8 and it works there, it also was working upon last test on Ubuntu 20.04
Releases: 22.04 LTS and 22.10
Package Version (for reporting purposes): 43.0-1ubuntu1
Background:
System has been configured with sssd, krb5 and pkinit. All of these packages confirm a successful connection to the Active Directory Domain Controller. I have a YubiKey which has a CA generated certificate on it (with all required uses/capabilities including sign) and this is working fine on other systems.
Expected Behavior:
Insert YubiKey before boot. At the logon window press enter on the Username field. Select the certificate, enter PIN when prompted. Authenticate to desktop.
What is happening:
Insert YubiKey before boot. At the logon window press enter on the Username field. Select the certificate, enter PIN when prompted. Returns to Username field and does not log in.
Other:
This is a clean install of 22.10 updated to 16 Dec 2022. I also tried the same thing with 22.04 LTS just in case.
I have enabled level 6 logging on SSSD and can confirm that side of the entire process is fine. I can also log on with a password and do a kinit <username> and get a valid kerberos ticket.
With some systematic tests, I managed to pinpoint the login is failing after gdm-smartcard reports a successful login:
Dec 16 10:25:43 ubu-vm-2022 gdm-smartcard]: gkr-pam: stashed password to try later in open session
Dec 16 10:26:22 ubu-vm-2022 gdm-smartcard]: pam_sss(gdm-smartcard:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=bob@authenticate.me.uk
I did not have this problem on 20.04.
ProblemType: BugDistroRelease: Ubuntu 22.10
Package: gdm3 43.0-1ubuntu1
ProcVersionSignature: Ubuntu 5.19.0-26.27-generic 5.19.7
Uname: Linux 5.19.0-26-generic x86_64
ApportVersion: 2.23.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Fri Dec 16 11:43:25 2022
InstallationDate: Installed on 2022-12-16 (0 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020)SourcePackage: gdm3
UpgradeStatus: No upgrade log present (probably fresh install) |
|
2023-01-31 14:40:33 |
Jeremy Bícha |
bug |
|
|
added subscriber Jeremy Bicha |
2023-01-31 22:25:36 |
Neil Webster |
attachment added |
|
auth.log https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1999884/+attachment/5644165/+files/auth.log |
|
2023-01-31 22:26:34 |
Neil Webster |
attachment added |
|
pamtester_result https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1999884/+attachment/5644166/+files/pamtester_result |
|
2023-02-01 16:47:49 |
Jeremy Bícha |
gdm3 (Ubuntu): status |
In Progress |
Fix Committed |
|
2023-02-01 18:22:23 |
Launchpad Janitor |
gdm3 (Ubuntu): status |
Fix Committed |
Fix Released |
|
2023-02-11 13:45:52 |
Andreas Hasenack |
gdm3 (Ubuntu Kinetic): status |
In Progress |
Fix Committed |
|
2023-02-11 13:45:53 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-02-11 13:45:55 |
Andreas Hasenack |
bug |
|
|
added subscriber SRU Verification |
2023-02-11 13:46:00 |
Andreas Hasenack |
tags |
amd64 apport-bug kinetic wayland-session |
amd64 apport-bug kinetic verification-needed verification-needed-kinetic wayland-session |
|
2023-02-11 13:46:46 |
Andreas Hasenack |
gdm3 (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2023-02-11 13:46:52 |
Andreas Hasenack |
tags |
amd64 apport-bug kinetic verification-needed verification-needed-kinetic wayland-session |
amd64 apport-bug kinetic verification-needed verification-needed-jammy verification-needed-kinetic wayland-session |
|
2023-02-15 14:07:28 |
Jimmy Graham |
bug |
|
|
added subscriber Jimmy Graham |
2023-03-21 23:37:51 |
Marco Trevisan (Treviño) |
tags |
amd64 apport-bug kinetic verification-needed verification-needed-jammy verification-needed-kinetic wayland-session |
amd64 apport-bug kinetic verification-done-jammy verification-needed verification-needed-kinetic wayland-session |
|
2023-04-06 18:22:33 |
Andreas Hasenack |
tags |
amd64 apport-bug kinetic verification-done-jammy verification-needed verification-needed-kinetic wayland-session |
amd64 apport-bug kinetic verification-done-jammy verification-done-kinetic verification-needed wayland-session |
|
2023-04-06 18:34:31 |
Launchpad Janitor |
gdm3 (Ubuntu Kinetic): status |
Fix Committed |
Fix Released |
|
2023-04-06 18:34:34 |
Andreas Hasenack |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-04-06 18:35:13 |
Launchpad Janitor |
gdm3 (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|