Lockscreen access denied (AD auth via sssd)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
sssd (Ubuntu) | Fix Released | Medium | Unassigned |
Xenial | Fix Released | Medium | Unassigned |
Bug Description
It is not possible to unlock the screen or gain elevated privileges from the GUI using an Active Directory account through SSSD. Authentication and sudo work as expected from the console and LightDM.
How to reproduce:
- Xenial clean install
- Join to AD using sssd (domain_join.sh)
=======
#!/bin/bash
DOMAIN='INET'
REALM='
DOMAIN_
aptitude -y install krb5-user samba sssd ntp
cat > /etc/ntp.conf <<EOF
server ntp.inet.
server ntp_bak.
EOF
sed -i "s&workgroup = WORKGROUP&\t workgroup = $DOMAIN \n\t client signing = yes \n\t client use spnego = yes \n\t kerberos method = secrets and keytab \n\t realm = $REALM \n\t security = ads&g" /etc/samba/smb.conf
cat > /etc/sssd/sssd.conf <<EOF
[sssd]
services = nss, pam
config_file_version = 2
domains = $REALM
[nss]
default_shell = /bin/bash
[domain/$REALM]
id_provider = ad
access_provider = ad
override_homedir = /home/%u
cache_credentials = true
EOF
chmod 600 /etc/sssd/sssd.conf
fqdn=$(
echo "127.0.0.1 $fqdn $(hostname) localhost" > /etc/hosts
systemctl restart systemd-hostnamed
cat > /usr/share/
Name: Create home directory on login
Default: no
Priority: 0
Session-Type: Additional
Session-
Session:
optional pam_mkhomedir.so umask=077 skel=/etc/skel
EOF
pam-auth-update
echo "[SeatDefaults]
greeter-
greeter-
greeter-
systemctl restart ntp.service
systemctl restart smbd.service nmbd.service
kinit $DOMAIN_ADMIN
klist
net ads join -k
systemctl start sssd.service
sed -i '26i%domain^admins ALL=(ALL) ALL' /etc/sudoers
reboot
=======
- Login with an AD account
- Lock screen
- Try to unlock screen --> Authentication error
- Top right corner -> Switch user
- Login with the same account --> Screen unlocks as expected
sudo cat /var/log/auth.log
=======
May 4 17:06:06 uatlantico sssd_be: GSSAPI client step 1
May 4 17:06:06 uatlantico sssd_be: GSSAPI client step 1
May 4 17:06:08 uatlantico sssd_be: GSSAPI client step 1
May 4 17:06:08 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:06:08 uatlantico sssd_be: GSSAPI client step 2
May 4 17:06:22 uatlantico sudo: cvargasc : problem with defaults entries ; TTY=pts/2 ; PWD=/home/cvargasc ;
May 4 17:06:28 uatlantico sudo: pam_unix(
May 4 17:06:54 uatlantico sudo: pam_sss(sudo:auth): authentication success; logname= uid=643401116 euid=0 tty=/dev/pts/2 ruser=cvargasc rhost= user=cvargasc
May 4 17:06:54 uatlantico sudo: cvargasc : TTY=pts/2 ; PWD=/home/cvargasc ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
May 4 17:06:54 uatlantico sudo: pam_unix(
May 4 17:06:54 uatlantico sudo: pam_unix(
May 4 17:07:17 uatlantico sssd_be: GSSAPI client step 1
May 4 17:07:17 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:07:17 uatlantico sssd_be: GSSAPI client step 2
May 4 17:07:19 uatlantico sssd_be: GSSAPI client step 1
May 4 17:07:19 uatlantico sssd_be: message repeated 4 times: [ GSSAPI client step 1]
May 4 17:07:19 uatlantico sssd_be: GSSAPI client step 2
May 4 17:07:19 uatlantico sssd_be: GSSAPI client step 1
May 4 17:07:19 uatlantico sssd_be: GSSAPI client step 2
May 4 17:07:42 uatlantico compiz: pam_unix(
May 4 17:07:43 uatlantico sssd_be: GSSAPI client step 1
May 4 17:07:43 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:14 uatlantico compiz: pam_sss(
May 4 17:08:14 uatlantico compiz: gkr-pam: unlocked login keyring
May 4 17:08:14 uatlantico compiz: pam_sss(
May 4 17:08:31 uatlantico lightdm: PAM unable to dlopen(
May 4 17:08:31 uatlantico lightdm: PAM adding faulty module: pam_kwallet.so
May 4 17:08:31 uatlantico lightdm: PAM unable to dlopen(
May 4 17:08:31 uatlantico lightdm: PAM adding faulty module: pam_kwallet5.so
May 4 17:08:31 uatlantico lightdm: pam_unix(
May 4 17:08:31 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:31 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:08:31 uatlantico sssd_be: GSSAPI client step 2
May 4 17:08:31 uatlantico systemd-
May 4 17:08:32 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:32 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:08:32 uatlantico sssd_be: GSSAPI client step 2
May 4 17:08:32 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:32 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:08:32 uatlantico sssd_be: GSSAPI client step 2
May 4 17:08:32 uatlantico lightdm: PAM unable to dlopen(
May 4 17:08:32 uatlantico lightdm: PAM adding faulty module: pam_kwallet.so
May 4 17:08:32 uatlantico lightdm: PAM unable to dlopen(
May 4 17:08:32 uatlantico lightdm: PAM adding faulty module: pam_kwallet5.so
May 4 17:08:33 uatlantico sssd_be: GSSAPI client step 1
May 4 17:08:33 uatlantico sssd_be: message repeated 2 times: [ GSSAPI client step 1]
May 4 17:08:33 uatlantico sssd_be: GSSAPI client step 2
May 4 17:08:35 uatlantico lightdm: pam_succeed_
May 4 17:08:39 uatlantico lightdm: pam_unix(
May 4 17:08:40 uatlantico lightdm: pam_sss(
May 4 17:08:40 uatlantico lightdm: pam_unix(
May 4 17:08:42 uatlantico sudo: cvargasc : problem with defaults entries ; TTY=pts/2 ; PWD=/home/cvargasc ;
May 4 17:08:42 uatlantico sudo: cvargasc : TTY=pts/2 ; PWD=/home/cvargasc ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
May 4 17:08:42 uatlantico sudo: pam_unix(
=======
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: sssd 1.13.4-1ubuntu1
ProcVersionSign
Uname: Linux 4.4.0-21-generic x86_64
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Wed May 4 16:45:01 2016
InstallationDate: Installed on 2016-04-28 (6 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
JournalErrors:
Error: command ['journalctl', '-b', '--priority=
Users in the 'systemd-journal' group can see all messages. Pass -q to
turn off this notice.
No journal files were opened due to insufficient permissions.
ProcEnviron:
LANGUAGE=es_CO:es
PATH=(custom, no user)
XDG_RUNTIME_
LANG=es_CO.UTF-8
SHELL=/bin/bash
SourcePackage: sssd
UpgradeStatus: No upgrade log present (probably fresh install)
Changed in sssd (Ubuntu): importance: Undecided → Medium
Changed in sssd (Ubuntu Xenial): importance: Undecided → Medium
tags: added: verification-done; removed: verification-needed
AskUbuntu thread:
http://askubuntu.com/questions/767079/lockscreen-access-denied-ad-auth-via-sssd
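As an added triage aid (not from the bug report or the sssd project), a small Python parser that groups the pam_* lines of auth.log by PAM service, module and effective uid, so that the stack which fails for the same AD account (the lock screen prompting under the user's own uid, versus lightdm and sudo) stands out from the sssd_be GSSAPI noise. The log lines embedded in it are constructed to match the truncated ones quoted above; the service names and uids are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines modelled on the report above (not the
# reporter's actual log): one AD user succeeds via sudo and lightdm but fails
# through the Unity lock screen (compiz). All values are made up.
SAMPLE_LOG = """\
May  4 17:06:54 uatlantico sudo: pam_sss(sudo:auth): authentication success; logname= uid=643401116 euid=0 tty=/dev/pts/2 ruser=cvargasc rhost= user=cvargasc
May  4 17:07:17 uatlantico sssd_be: GSSAPI client step 1
May  4 17:07:42 uatlantico compiz: pam_unix(unity:auth): authentication failure; logname= uid=643401116 euid=643401116 tty= ruser= rhost=  user=cvargasc
May  4 17:08:14 uatlantico compiz: pam_sss(unity:auth): authentication failure; logname= uid=643401116 euid=643401116 tty= ruser= rhost= user=cvargasc
May  4 17:08:40 uatlantico lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=cvargasc
""".splitlines()

# "<timestamp> <host> <program>[pid]: <pam module>(<service>:<type>): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[\d+\])?: "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<type>\w+)\): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")  # "uid=643401116 euid=0 ..." key/value pairs

def parse_pam_line(line):
    """Return a dict for a pam_* auth line, or None for anything else (e.g. sssd_be lines)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(KV_RE.findall(rec["msg"]))
    if "authentication success" in rec["msg"]:
        rec["result"] = "success"
    elif "authentication failure" in rec["msg"]:
        rec["result"] = "failure"
    else:
        rec["result"] = None  # informational pam line, e.g. "received for user ..."
    return rec

def summarize(lines):
    """Count auth outcomes per (PAM service, module, euid) so the failing stack stands out."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0})
    for line in lines:
        rec = parse_pam_line(line)
        if rec is None or rec["result"] is None:
            continue
        key = (rec["service"], rec["module"], rec["fields"].get("euid", "?"))
        summary[key][rec["result"]] += 1
    return dict(summary)

if __name__ == "__main__":
    for (service, module, euid), c in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{service:8} {module:9} euid={euid:10} ok={c['success']} fail={c['failure']}")
```

Run it against a real /var/log/auth.log by replacing SAMPLE_LOG with the file's lines; services whose pam_sss entries fail only under a non-root euid are the ones to inspect first.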