This is on RHEL8.0.
Logging into GNOME with a smartcard results in the username environment variables containing the domain:
$ env
....
USER=a001329@ad.example.com
USERNAME=a001329@ad.example.com
LOGNAME=a001329@ad.example.com
...
GDM debug log shows:
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: state AUTHENTICATED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: trying to get updated username
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: username is 'a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: old-username='a001329@ad.example.com' new-username='a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: Found object path of user 'a001329@ad.example.com': /org/freedesktop/Accounts/User60483
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: finding user 'a001329@ad.example.com' state 3
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: user 'a001329@ad.example.com' fetched
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: user a001329 is now loaded
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: user a001329 was not yet known, adding it
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: tracking user 'a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: not yet loaded, so not emitting user-added signal
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: no pending users, trying to set loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: already loaded, so not setting loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: finished handling request for user 'a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: unrefing manager owned by fetch user request
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: attempting to change state to AUTHORIZED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: determining if authenticated user (password required:0) is authorized to session
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: state AUTHORIZED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: attempting to change state to ACCREDITED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM environment variable: 'LOGNAME=a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM environment variable: 'USER=a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM environment variable: 'USERNAME=a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM environment variable: 'HOME=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM environment variable: 'PWD=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM environment variable: 'SHELL=/bin/bash'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM environment variable: 'PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin'
So it seems GDM gets the username with the domain part from the PAM stack, i.e. pam_sss.
So, I don't understand why sssd seems to pass the username with the domain part to the PAM stack? Some bad config on my part or a bug?
sssd_pam debug log:
https://pastebin.com/raw/dQeLCNsF
Adam Winberg
ITpc
SMHI
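
An added example, not part of the original post and not GDM or SSSD code: a small triage script for a GDM debug log like the one above. It reports the name PAM handed back, the short name AccountsService loaded, and which of USER/USERNAME/LOGNAME carry a domain part. The sample lines are constructed in the format of that log, and the function and regex names are this example's own.

```python
import re

# Constructed sample in the format of the GDM debug log quoted in the post.
PREFIX = "Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: "
SAMPLE_LOG = "\n".join(PREFIX + msg for msg in [
    "GdmSessionWorker: username is 'a001329@ad.example.com'",
    "AccountsService: ActUserManager: user a001329 is now loaded",
    "GdmSessionWorker: Set PAM environment variable: 'LOGNAME=a001329@ad.example.com'",
    "GdmSessionWorker: Set PAM environment variable: 'USER=a001329@ad.example.com'",
    "GdmSessionWorker: Set PAM environment variable: 'USERNAME=a001329@ad.example.com'",
    "GdmSessionWorker: Set PAM environment variable: 'HOME=/home/a001329'",
])

ENV_RE = re.compile(r"GdmSessionWorker: Set PAM environment variable: '([A-Z_]+)=(.*)'$")
PAM_USER_RE = re.compile(r"GdmSessionWorker: username is '(.*)'$")
LOADED_RE = re.compile(r"ActUserManager: user (\S+) is now loaded$")
NAME_VARS = ("USER", "USERNAME", "LOGNAME")


def analyse(log_text):
    """Summarise which identity each component saw during one login."""
    result = {"pam_user": None, "account_name": None, "env": {}}
    for line in log_text.splitlines():
        # Some mail archives render '@' as '(a)'; normalise before matching.
        line = line.strip().replace("(a)", "@")
        if m := ENV_RE.search(line):
            result["env"][m.group(1)] = m.group(2)
        elif m := PAM_USER_RE.search(line):
            result["pam_user"] = m.group(1)       # name returned by the PAM stack
        elif m := LOADED_RE.search(line):
            result["account_name"] = m.group(1)   # name AccountsService resolved
    # Name variables whose value still contains a domain part.
    result["qualified_vars"] = sorted(
        k for k in NAME_VARS if "@" in result["env"].get(k, ""))
    return result


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print("PAM username:          ", r["pam_user"])
    print("AccountsService name:  ", r["account_name"])
    print("Domain-qualified vars: ", ", ".join(r["qualified_vars"]) or "none")
```
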