Lockscreen access denied (AD auth via sssd)

Bug #1578415 reported by Camilo Vargas on 2016-05-04
This bug affects 5 people
Affects          Status   Importance   Assigned to   Milestone
sssd (Ubuntu)             Medium       Unassigned
Xenial                    Medium       Unassigned

Bug Description

It is not possible to unlock the screen or gain elevated privileges from the GUI using an Active Directory account through SSSD. Authentication and sudo work as expected from the console and LightDM.

How to reproduce:
- Xenial clean install
- Join to AD using sssd (domain_join.sh)

===============================
#!/bin/bash
# domain_join.sh: join a fresh Xenial install to Active Directory and
# configure SSSD. Run as root; the values below are site-specific.
set -euo pipefail

DOMAIN='INET'
REALM='INET.EXAMPLE.COM'
DOMAIN_ADMIN='administrator'

# krb5-user prompts for the default realm via debconf during installation.
apt-get -y install krb5-user samba sssd ntp

# Kerberos tolerates only a few minutes of clock skew, so sync to the
# domain's time sources before trying to join.
cat > /etc/ntp.conf <<EOF
server ntp.inet.activarsas.com
server ntp_bak.inet.activarsas.com
EOF

# Switch Samba from workgroup to ADS security so that "net ads join" can
# create the machine account and write the host keytab.
sed -i "s&workgroup = WORKGROUP&\t workgroup = $DOMAIN \n\t client signing = yes \n\t client use spnego = yes \n\t kerberos method = secrets and keytab \n\t realm = $REALM \n\t security = ads&g" /etc/samba/smb.conf

# access_provider = ad turns on GPO-based access control: every PAM service
# that authenticates AD users must be mapped via ad_gpo_map_* in this
# section, otherwise SSSD denies the account phase for that service.
cat > /etc/sssd/sssd.conf <<EOF
[sssd]
services = nss, pam
config_file_version = 2
domains = $REALM

[nss]
default_shell = /bin/bash

[domain/$REALM]
id_provider = ad
access_provider = ad
override_homedir = /home/%u
cache_credentials = true
EOF
# sssd refuses to start unless its config is root-owned and mode 0600.
chown root:root /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf

# The host needs a resolvable FQDN inside the realm for its Kerberos
# principal; DNS names are case-insensitive, so use the lowercase realm.
fqdn="$(hostname).${REALM,,}"
echo "127.0.0.1 $fqdn $(hostname) localhost" > /etc/hosts
systemctl restart systemd-hostnamed

cat > /usr/share/pam-configs/mkhomedir <<EOF
Name: Create home directory on login
Default: no
Priority: 0
Session-Type: Additional
Session-Interactive-Only: yes
Session:
        optional pam_mkhomedir.so umask=077 skel=/etc/skel
EOF
# "Default: no" leaves the profile off until it is enabled explicitly.
pam-auth-update --enable mkhomedir

echo "[SeatDefaults]
greeter-hide-users=true
greeter-show-remote-login=false
greeter-show-manual-login=true" > /usr/share/lightdm/lightdm.conf.d/50-domain.conf

systemctl restart ntp.service
systemctl restart smbd.service nmbd.service

# Obtain an admin TGT interactively, then join with that ticket (-k) so the
# admin password never appears on a command line or in shell history.
kinit "$DOMAIN_ADMIN@$REALM"
klist
net ads join -k

systemctl start sssd.service

# Grant sudo to the AD admins group through a sudoers.d drop-in rather than
# inserting at a hard-coded line of /etc/sudoers; visudo -c rejects syntax
# errors before they lock everyone out. The group name must match what
# "getent group" returns for the joined domain.
echo '%domain^admins ALL=(ALL) ALL' > /etc/sudoers.d/domain-admins
chmod 440 /etc/sudoers.d/domain-admins
visudo -c -f /etc/sudoers.d/domain-admins

reboot
===============================

- Login with an AD account
- Lock screen
- Try to unlock screen --> Authentication error
- Top right corner -> Switch user
- Login with the same account --> Screen unlocks as expected

sudo cat /var/log/auth.log
===============================
May 4 17:06:06 uatlantico sssd_be: GSSAPI client step 1
May 4 17:06:06 uatlantico sssd_be: GSSAPI client step 1
May 4 17:06:08 uatlantico sssd_be: GSSAPI client step 1
May 4 17:06:08 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:06:08 uatlantico sssd_be: GSSAPI client step 2
May 4 17:06:22 uatlantico sudo: cvargasc : problem with defaults entries ; TTY=pts/2 ; PWD=/home/cvargasc ;
May 4 17:06:28 uatlantico sudo: pam_unix(sudo:auth): authentication failure; logname= uid=643401116 euid=0 tty=/dev/pts/2 ruser=cvargasc rhost= user=cvargasc
May 4 17:06:54 uatlantico sudo: pam_sss(sudo:auth): authentication success; logname= uid=643401116 euid=0 tty=/dev/pts/2 ruser=cvargasc rhost= user=cvargasc
May 4 17:06:54 uatlantico sudo: cvargasc : TTY=pts/2 ; PWD=/home/cvargasc ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
May 4 17:06:54 uatlantico sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
May 4 17:06:54 uatlantico sudo: pam_unix(sudo:session): session closed for user root
May 4 17:07:17 uatlantico sssd_be: GSSAPI client step 1
May 4 17:07:17 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:07:17 uatlantico sssd_be: GSSAPI client step 2
May 4 17:07:19 uatlantico sssd_be: GSSAPI client step 1
May 4 17:07:19 uatlantico sssd_be: message repeated 4 times: [ GSSAPI client step 1]
May 4 17:07:19 uatlantico sssd_be: GSSAPI client step 2
May 4 17:07:19 uatlantico sssd_be: GSSAPI client step 1
May 4 17:07:19 uatlantico sssd_be: GSSAPI client step 2
May 4 17:07:42 uatlantico compiz: pam_unix(unity:auth): authentication failure; logname= uid=643401116 euid=643401116 tty= ruser= rhost= user=cvargasc
May 4 17:07:43 uatlantico sssd_be: GSSAPI client step 1
May 4 17:07:43 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:14 uatlantico compiz: pam_sss(unity:auth): authentication success; logname= uid=643401116 euid=643401116 tty= ruser= rhost= user=cvargasc
May 4 17:08:14 uatlantico compiz: gkr-pam: unlocked login keyring
May 4 17:08:14 uatlantico compiz: pam_sss(unity:account): Access denied for user cvargasc: 6 (Permiso denegado)
May 4 17:08:31 uatlantico lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
May 4 17:08:31 uatlantico lightdm: PAM adding faulty module: pam_kwallet.so
May 4 17:08:31 uatlantico lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
May 4 17:08:31 uatlantico lightdm: PAM adding faulty module: pam_kwallet5.so
May 4 17:08:31 uatlantico lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
May 4 17:08:31 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:31 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:08:31 uatlantico sssd_be: GSSAPI client step 2
May 4 17:08:31 uatlantico systemd-logind[963]: New session c8 of user lightdm.
May 4 17:08:32 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:32 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:08:32 uatlantico sssd_be: GSSAPI client step 2
May 4 17:08:32 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:32 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:08:32 uatlantico sssd_be: GSSAPI client step 2
May 4 17:08:32 uatlantico lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
May 4 17:08:32 uatlantico lightdm: PAM adding faulty module: pam_kwallet.so
May 4 17:08:32 uatlantico lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
May 4 17:08:32 uatlantico lightdm: PAM adding faulty module: pam_kwallet5.so
May 4 17:08:33 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:33 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:08:33 uatlantico sssd_be: GSSAPI client step 2
May 4 17:08:35 uatlantico lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "cvargasc"
May 4 17:08:39 uatlantico lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=cvargasc
May 4 17:08:40 uatlantico lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=cvargasc
May 4 17:08:40 uatlantico lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
May 4 17:08:42 uatlantico sudo: cvargasc : problem with defaults entries ; TTY=pts/2 ; PWD=/home/cvargasc ;
May 4 17:08:42 uatlantico sudo: cvargasc : TTY=pts/2 ; PWD=/home/cvargasc ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
May 4 17:08:42 uatlantico sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
===============================

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: sssd 1.13.4-1ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-21.37-generic 4.4.6
Uname: Linux 4.4.0-21-generic x86_64
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Wed May 4 16:45:01 2016
InstallationDate: Installed on 2016-04-28 (6 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
JournalErrors:
 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
       Users in the 'systemd-journal' group can see all messages. Pass -q to
       turn off this notice.
 No journal files were opened due to insufficient permissions.
ProcEnviron:
 LANGUAGE=es_CO:es
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=es_CO.UTF-8
 SHELL=/bin/bash
SourcePackage: sssd
UpgradeStatus: No upgrade log present (probably fresh install)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sssd (Ubuntu):
status: New → Confirmed
Michael Wilson (mrwboilers-6) wrote :

/var/log/auth.log seems to indicate that AD users are properly authenticated, they just aren't authorized:

  May 4 09:27:10 myhostname compiz: pam_sss(unity:auth): authentication success; logname= uid=12345 euid=12345 tty= ruser= rhost= user=myuser
  May 4 09:27:10 myhostname compiz: gkr-pam: unlocked login keyring
  May 4 09:27:10 myhostname compiz: pam_sss(unity:account): Access denied for user myuser: 6 (Permission denied)

Looks to me like it's because the PAM service "unity" (which runs the screensaver) isn't listed in the `ad_gpo_map_interactive` option in sssd.conf. This list should have distro-specific defaults (since different distributions use different PAM service names).

The fix should be to add unity to the default set (and the manpage), but anyone experiencing this issue right now should be able to add the following to their [domain/DOMAINNAME] section of sssd.conf to work around it:

```
ad_gpo_map_interactive = +unity
```

I suppose this might not be an unreasonable default to add upstream as well, so I just sent a patch there. I'd recommend that the maintainers of this package in Ubuntu and Debian should carefully examine which PAM services are available (including in variants like Kubuntu and Xubuntu) and add them to the defaults downstream.

Patch proposed upstream at:

https://<email address hidden>/thread/F5IRGD4DONMTRCR3EAATVTHVMZMYVSRA/
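
To make the mechanism described in the comment above concrete, here is an added Python model (written for this page, not sssd's own code) of how the AD access provider maps a PAM service name to a GPO logon right and what happens to a name that is on no list. The built-in lists are an assumption approximating the sssd 1.13-era `man sssd-ad` defaults, trimmed to entries the editor is sure of; the configuration fragments, group names and logon rights are constructed to mirror the report.

```python
"""Model of how sssd's AD provider (access_provider = ad) decides whether a
PAM service may open a session for an AD user. Added illustration for this
bug report, not sssd's own code."""
import configparser

# ASSUMPTION: an approximation of the built-in ad_gpo_map_* lists of the
# sssd 1.13 era, trimmed to entries the editor is sure of; consult
# `man sssd-ad` for the exact lists of your version. "unity" is absent,
# which is precisely the condition this bug describes.
DEFAULT_MAPS = {
    "permit": set(),
    "deny": set(),
    "interactive": {"login", "su", "su-l", "gdm-fingerprint", "gdm-password",
                    "gdm-smartcard", "kdm", "lightdm", "lxdm", "sddm", "xdm"},
    "remote_interactive": {"sshd"},
    "network": {"ftp", "samba"},
    "batch": {"crond"},
    "service": set(),
}
# Order in which the maps are consulted; the first match wins.
LOOKUP_ORDER = ["permit", "deny", "interactive", "remote_interactive",
                "network", "batch", "service"]


def effective_maps(sssd_conf: str, domain: str) -> dict:
    """Apply the "+name" / "-name" edits found in [domain/<domain>] to the
    defaults. sssd rejects entries without a prefix, and so does this."""
    cp = configparser.ConfigParser(interpolation=None)  # keep "%u" literal
    cp.read_string(sssd_conf)
    section = cp[f"domain/{domain}"]
    maps = {k: set(v) for k, v in DEFAULT_MAPS.items()}
    for key in DEFAULT_MAPS:
        raw = section.get(f"ad_gpo_map_{key}", "")
        for entry in (e.strip() for e in raw.split(",") if e.strip()):
            if entry.startswith("+"):
                maps[key].add(entry[1:])
            elif entry.startswith("-"):
                maps[key].discard(entry[1:])
            else:
                raise ValueError(f"ad_gpo_map_{key}: '{entry}' has no +/- prefix")
    return maps


def classify(maps: dict, pam_service: str):
    """Return the map a PAM service name falls into, or None if unmapped."""
    for category in LOOKUP_ORDER:
        if pam_service in maps[category]:
            return category
    return None


def access_decision(maps, pam_service, user_groups, logon_rights,
                    default_right="deny"):
    """logon_rights maps a category to (allowed_groups, denied_groups): the
    resolved 'Allow/Deny log on ...' GPO settings (constructed here; real
    sssd resolves them from AD by SID). Returns (decision, reason)."""
    category = classify(maps, pam_service)
    if category is None:
        return default_right, (f"{pam_service} is in no ad_gpo_map_* list; "
                               f"ad_gpo_default_right={default_right} applies")
    if category in ("permit", "deny"):
        return category, f"{pam_service} is listed in ad_gpo_map_{category}"
    allowed, denied = logon_rights.get(category, (set(), set()))
    groups = set(user_groups)
    if groups & denied:                      # a Deny right always wins
        return "deny", f"user is in a group denied the {category} logon right"
    if groups & allowed:
        return "permit", f"user holds the {category} logon right"
    return "deny", f"user lacks the {category} logon right"


# Constructed inputs modelled on the report: the reporter's access_provider
# setting, the workaround, and a GPO that lets Domain Users log on locally.
REPORTER_CONF = """
[domain/INET.EXAMPLE.COM]
id_provider = ad
access_provider = ad
override_homedir = /home/%u
"""
WORKAROUND_CONF = REPORTER_CONF + "ad_gpo_map_interactive = +unity\n"
RIGHTS = {"interactive": ({"Domain Users"}, set())}

if __name__ == "__main__":
    for label, conf in (("default", REPORTER_CONF), ("+unity", WORKAROUND_CONF)):
        maps = effective_maps(conf, "INET.EXAMPLE.COM")
        for svc in ("lightdm", "unity", "polkit-1"):
            print(label, svc, access_decision(maps, svc, {"Domain Users"}, RIGHTS))
```

With the reporter's configuration `lightdm` is permitted and `unity` is denied before any GPO is even consulted, which matches the log: `pam_sss(unity:auth)` succeeds, `pam_sss(unity:account)` denies. Adding `+unity` moves the lock screen into the interactive category, where the user's "Allow log on locally" right then decides.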

Camilo Vargas (vargax) wrote :

I can confirm that adding

ad_gpo_map_interactive = +unity

to the [domain/DOMAINNAME] section of sssd.conf solves the lock screen issue.

The "elevated privileges" issue is still there:

May 5 11:55:50 uatlantico polkitd(authority=local): Operator of unix-session:c2 FAILED to authenticate to gain authorization for action com.ubuntu.pkexec.synaptic for unix-process:16804:21803174 [/bin/sh /usr/bin/synaptic-pkexec] (owned by unix-user:cvargasc)
May 5 11:55:50 uatlantico pkexec[16805]: cvargasc: Error executing command as another user: Request dismissed [USER=root] [TTY=unknown] [CWD=/home/cvargasc] [COMMAND=/usr/sbin/synaptic]

===============================

May 5 11:54:22 uatlantico compiz: pam_unix(unity:auth): authentication failure; logname= uid=643401116 euid=643401116 tty= ruser= rhost= user=cvargasc
May 5 11:54:23 uatlantico compiz: pam_sss(unity:auth): authentication success; logname= uid=643401116 euid=643401116 tty= ruser= rhost= user=cvargasc
May 5 11:54:23 uatlantico compiz: gkr-pam: unlocked login keyring
May 5 11:55:19 uatlantico polkit-agent-helper-1[16813]: pam_unix(polkit-1:auth): authentication failure; logname= uid=643401116 euid=0 tty= ruser=cvargasc rhost= user=cvargasc
May 5 11:55:20 uatlantico polkit-agent-helper-1[16813]: pam_sss(polkit-1:auth): authentication failure; logname= uid=643401116 euid=0 tty= ruser=cvargasc rhost= user=cvargasc
May 5 11:55:20 uatlantico polkit-agent-helper-1[16813]: pam_sss(polkit-1:auth): received for user cvargasc: 17 (Failure setting user credentials)
May 5 11:55:50 uatlantico polkitd(authority=local): Operator of unix-session:c2 FAILED to authenticate to gain authorization for action com.ubuntu.pkexec.synaptic for unix-process:16804:21803174 [/bin/sh /usr/bin/synaptic-pkexec] (owned by unix-user:cvargasc)
May 5 11:55:50 uatlantico pkexec[16805]: cvargasc: Error executing command as another user: Request dismissed [USER=root] [TTY=unknown] [CWD=/home/cvargasc] [COMMAND=/usr/sbin/synaptic]

===============================

Michael Wilson (mrwboilers-6) wrote :

I can also confirm that adding

ad_gpo_map_interactive = +unity

has fixed the lock screen issue. As vargax mentions above, elevated privileges in the GUI are still an issue.

Those are two separate bugs. The lock-screen one was SSSD legitimately denying access because its configuration said it should (the PAM service wasn't on the list, so it defaults to denial).

However, the error you're seeing with polkit is different:
May 5 11:55:20 uatlantico polkit-agent-helper-1[16813]: pam_sss(polkit-1:auth): received for user cvargasc: 17 (Failure setting user credentials)

That is a different bug and should be split off elsewhere. Also, please provide SSSD debug logs following the guidelines at https://fedorahosted.org/sssd/wiki/Troubleshooting
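
The distinction drawn in the comment above (authenticated but not authorized, versus not authenticated at all) is easy to read off `pam_sss` lines once you look at the PAM phase in parentheses. The following added Python script (written for this page, not an sssd or Ubuntu tool) does that triage over lines copied from this report's logs; the verdict wording and the `triage`/`parse` helpers are the editor's, and the parenthesised error text is locale-dependent, which is why the script keys on sssd's English "Access denied" prefix and the numeric code rather than on that text.

```python
"""Triage pam_sss lines from auth.log: was the user rejected in the auth
phase (password, Kerberos or credential failure) or in the account phase
(authenticated, then denied by access control)? Added example for this
report, not an sssd or Ubuntu tool."""
import re
from collections import defaultdict

PAM_SSS = re.compile(r"pam_sss\((?P<service>[^:()]+):(?P<phase>auth|account|setcred|session)\): (?P<msg>.*)$")
USER = re.compile(r"(?:\buser=|for user )(?P<user>[^\s:]+)")   # \b skips "ruser="
CODE = re.compile(r": (?P<code>\d+) \((?P<text>[^)]*)\)")       # "... : 6 (Permiso denegado)"


def parse(line: str):
    """Extract service, phase, user and PAM error code from one log line,
    or None for lines that did not come from pam_sss."""
    m = PAM_SSS.search(line)
    if not m:
        return None
    u = USER.search(m["msg"])
    c = CODE.search(m["msg"])
    return {"service": m["service"], "phase": m["phase"], "msg": m["msg"],
            "user": u["user"] if u else None,
            "code": int(c["code"]) if c else None,
            "text": c["text"] if c else None}


def triage(lines):
    """Return {(service, user): (kind, explanation)} based on the last event
    seen for each (service, user, phase) triple."""
    last = defaultdict(dict)
    for line in lines:
        ev = parse(line)
        if ev and ev["user"]:
            last[(ev["service"], ev["user"])][ev["phase"]] = ev
    verdicts = {}
    for key, phases in last.items():
        auth, acct = phases.get("auth"), phases.get("account")
        if auth is None:
            continue
        if "success" in auth["msg"]:
            if acct and acct["msg"].startswith("Access denied"):
                verdicts[key] = ("authorization",
                                 f"authenticated, then denied in the account phase "
                                 f"(PAM code {acct['code']}: {acct['text']}); check "
                                 f"access_provider and the ad_gpo_map_* entry for PAM service '{key[0]}'")
            else:
                verdicts[key] = ("ok", "authenticated" + (", account phase passed" if acct else ""))
        else:
            verdicts[key] = ("authentication",
                             f"auth phase failed (PAM code {auth['code']}: {auth['text']}); "
                             f"not an access-control problem")
    return verdicts


# Lines copied from the logs in this report; pam_unix lines are included to
# show that they are ignored.
SAMPLE = [
    "May 4 17:06:54 uatlantico sudo: pam_sss(sudo:auth): authentication success; logname= uid=643401116 euid=0 tty=/dev/pts/2 ruser=cvargasc rhost= user=cvargasc",
    "May 4 17:07:42 uatlantico compiz: pam_unix(unity:auth): authentication failure; logname= uid=643401116 euid=643401116 tty= ruser= rhost= user=cvargasc",
    "May 4 17:08:14 uatlantico compiz: pam_sss(unity:auth): authentication success; logname= uid=643401116 euid=643401116 tty= ruser= rhost= user=cvargasc",
    "May 4 17:08:14 uatlantico compiz: pam_sss(unity:account): Access denied for user cvargasc: 6 (Permiso denegado)",
    "May 4 17:08:40 uatlantico lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=cvargasc",
    "May 5 11:55:19 uatlantico polkit-agent-helper-1[16813]: pam_unix(polkit-1:auth): authentication failure; logname= uid=643401116 euid=0 tty= ruser=cvargasc rhost= user=cvargasc",
    "May 5 11:55:20 uatlantico polkit-agent-helper-1[16813]: pam_sss(polkit-1:auth): authentication failure; logname= uid=643401116 euid=0 tty= ruser=cvargasc rhost= user=cvargasc",
    "May 5 11:55:20 uatlantico polkit-agent-helper-1[16813]: pam_sss(polkit-1:auth): received for user cvargasc: 17 (Failure setting user credentials)",
]

if __name__ == "__main__":
    for (service, user), (kind, why) in sorted(triage(SAMPLE).items()):
        print(f"{service:10} {user:10} {kind:15} {why}")
```

Run against the report's lines it flags `unity` as an authorization problem (code 6 in the account phase) and `polkit-1` as an authentication problem (code 17 in the auth phase), which is the split the comment above asks for before opening a second bug.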

Camilo Vargas (vargax) wrote :

Attached are the sssd logs using debug_level=6

I will open another bug report for polkit.

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.13.4-3

---------------
sssd (1.13.4-3) unstable; urgency=medium

  * common: Add /var/lib/sss/gpo_cache. (LP: #1579092)
  * gpo-add-unity-to-ad-gpo-map-interactive.diff: Allow logging in from
    unity lockscreen. (LP: #1578415)

 -- Timo Aaltonen <email address hidden> Tue, 10 May 2016 10:39:46 +0300

Changed in sssd (Ubuntu):
status: Confirmed → Fix Released

Hello Camilo, or anyone else affected,

Accepted sssd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sssd (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed
Timo Aaltonen (tjaalton) wrote :

camilo, mind testing this so that the update can be released to xenial-updates

Camilo Vargas (vargax) wrote :

Hi Timo,

Sorry for the delay... I just made a clean install of Xenial in a virtual machine and this bug is already fixed in the 16.04.1 release.

sssd version is 1.13.4-1ubuntu1

However you still need to manually install adcli to fix the delay in AD authentication (see https://bugs.launchpad.net/bugs/1590472) and add +polkit-1 to gain elevated privileges from the GUI.

Should we mark this bug as fix-released?

Timo Aaltonen (tjaalton) wrote :

Huh, so the patch that got added in -1ubuntu1.1 is not needed?

Camilo Vargas (vargax) wrote :

Looks like it is not needed anymore.

Brian Murray (brian-murray) wrote :

The upload of sssd in xenial-proposed still contains a patch for this bug (and another) though, so it would be good to find out if the patch causes any regressions. Could someone please test the version of sssd from -proposed? Thanks in advance.

Changed in sssd (Ubuntu):
importance: Undecided → Medium
Changed in sssd (Ubuntu Xenial):
importance: Undecided → Medium
Camilo Vargas (vargax) wrote :

Hi Brian / Timo,

I just checked the package in xenial-proposed (sssd 1.13.4-1ubuntu1.1) and I didn't find any regressions in my environment. AD authentication works as expected.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.13.4-1ubuntu1.1

---------------
sssd (1.13.4-1ubuntu1.1) xenial; urgency=medium

  * Sync 1.13.4-3 changes from debian/yakkety.

sssd (1.13.4-3) unstable; urgency=medium

  * common: Add /var/lib/sss/gpo_cache. (LP: #1579092)
  * gpo-add-unity-to-ad-gpo-map-interactive.diff: Allow logging in from
    unity lockscreen. (LP: #1578415)

 -- Timo Aaltonen <email address hidden> Mon, 18 Jul 2016 05:55:56 +0300

Changed in sssd (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for sssd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
