9:01 a.m.
This is on RHEL8.0.
Logging into gnome with smartcard results in username environment variables containing
domain:
$ env
....
USER=a001329(a)ad.example.com
USERNAME=a001329(a)ad.example.com
LOGNAME=a001329(a)ad.example.com
...
GDM debug log shows:
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: state
AUTHENTICATED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: trying to
get updated username
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: username is
'a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
old-username='a001329(a)ad.example.com'
new-username='a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: Found object path of user 'a001329(a)ad.example.com':
/org/freedesktop/ Accounts/User60483
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finding user 'a001329(a)ad.example.com' state 3
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user 'a001329(a)ad.example.com' fetched
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user a001329 is now loaded
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user a001329 was not yet known, adding it
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: tracking user 'a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: not yet loaded, so not emitting user-added signal
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: no pending users, trying to set loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: already loaded, so not setting loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finished handling request for user 'a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: unrefing manager owned by fetch user request
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: attempting
to change state to AUTHORIZED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: determining
if authenticated user (password required:0) is authorized to session
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: state
AUTHORIZED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: attempting
to change state to ACCREDITED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'LOGNAME=a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'USER=a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'USERNAME=a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'HOME=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'PWD=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'SHELL=/bin/bash'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin'
So it seems GDM gets the username with the domain part from the pam stack - i.e. pam_sss.
So, I don't understand why sssd seems to pass username with domain part to the pam
stack? Some bad config on my part or a bug?
sssd_pam debug log:
https://pastebin.com/raw/dQeLCNsF
Adam Winberg
ITpc
SMHI
Telefon 011-4958058 Fax 011-4958350
Epost Adam.Winberg@smhi.se<mailto:Adam.Winberg@smhi.se>
601 76 Norrköping Besöksadress Folkborgsvägen 1
www.smhi.se<http://www.smhi.se>
9:31 a.m.
New subject: gdm login with smartcard set wrong username environment variables on RHEL8.0
On Wed, Jun 05, 2019 at 02:01:23PM +0000, Winberg Adam wrote:
This is on RHEL8.0.
Logging into gnome with smartcard results in username environment variables containing
domain:
$ env
....
USER=a001329(a)ad.example.com
USERNAME=a001329(a)ad.example.com
LOGNAME=a001329(a)ad.example.com
...
GDM debug log shows:
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: state
AUTHENTICATED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: trying to
get updated username
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: username
is 'a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
old-username='a001329(a)ad.example.com'
new-username='a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: Found object path of user 'a001329(a)ad.example.com':
/org/freedesktop/ Accounts/User60483
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finding user 'a001329(a)ad.example.com' state 3
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user 'a001329(a)ad.example.com' fetched
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user a001329 is now loaded
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user a001329 was not yet known, adding it
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: tracking user 'a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: not yet loaded, so not emitting user-added signal
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: no pending users, trying to set loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: already loaded, so not setting loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finished handling request for user 'a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: unrefing manager owned by fetch user request
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: attempting
to change state to AUTHORIZED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
determining if authenticated user (password required:0) is authorized to session
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: state
AUTHORIZED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: attempting
to change state to ACCREDITED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'LOGNAME=a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'USER=a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'USERNAME=a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'HOME=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'PWD=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'SHELL=/bin/bash'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin'
So it seems GDM gets the username with the domain part from the pam stack - i.e. pam_sss.
Yes, pam_sss currently uses fully-qualified user name to avoid confusion
if the Smartcard contains certificates for users from different domains,
think of e.g. Administrator users from different AD domains in a forest.
After a successful authentication the name is currently not replaced and
stays on the PAM stack.
Please open a bugzilla or pagure ticket to use the name returned e.g. by
'getent passwd'.
bye,
Sumit
So, I don't understand why sssd seems to pass username with domain part to the pam
stack? Some bad config on my part or a bug?
sssd_pam debug log:
https://pastebin.com/raw/dQeLCNsF
Adam Winberg
ITpc
SMHI
Telefon 011-4958058 Fax 011-4958350
Epost Adam.Winberg@smhi.se<mailto:Adam.Winberg@smhi.se>
601 76 Norrköping Besöksadress Folkborgsvägen 1
www.smhi.se<http://www.smhi.se>
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
1:40 p.m.
New subject: gdm login with smartcard set wrong username environment variables on RHEL8.0
Any workaround to just set the short name? Not sure what problems using fully qualified
usernames might cause but one seems to be that gdm/accountservice does not accept that
name format and therefore does not create a file for the user in
/var/lib/AccountsService/users/.
On 5 Jun 2019 16:32, Sumit Bose <sbose(a)redhat.com> wrote:
On Wed, Jun 05, 2019 at 02:01:23PM +0000, Winberg Adam wrote:
This is on RHEL8.0.
Logging into gnome with smartcard results in username environment variables containing
domain:
$ env
....
USER=a001329(a)ad.example.com
USERNAME=a001329(a)ad.example.com
LOGNAME=a001329(a)ad.example.com
...
GDM debug log shows:
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: state
AUTHENTICATED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: trying to
get updated username
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: username
is 'a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
old-username='a001329(a)ad.example.com'
new-username='a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: Found object path of user 'a001329(a)ad.example.com':
/org/freedesktop/ Accounts/User60483
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finding user 'a001329(a)ad.example.com' state 3
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user 'a001329(a)ad.example.com' fetched
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user a001329 is now loaded
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: user a001329 was not yet known, adding it
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: tracking user 'a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: not yet loaded, so not emitting user-added signal
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: no pending users, trying to set loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: already loaded, so not setting loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: finished handling request for user 'a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService:
ActUserManager: unrefing manager owned by fetch user request
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: attempting
to change state to AUTHORIZED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker:
determining if authenticated user (password required:0) is authorized to session
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: state
AUTHORIZED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: attempting
to change state to ACCREDITED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'LOGNAME=a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'USER=a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'USERNAME=a001329(a)ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'HOME=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'PWD=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'SHELL=/bin/bash'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM
environment variable: 'PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin'
So it seems GDM gets the username with the domain part from the pam stack - i.e. pam_sss.
Yes, pam_sss currently uses fully-qualified user name to avoid confusion
if the Smartcard contains certificates for users from different domains,
think of e.g. Administrator users from different AD domains in a forest.
After a successful authentication the name is currently not replaced and
stays on the PAM stack.
Please open a bugzilla or pagure ticket to use the name returned e.g. by
'getent passwd'.
bye,
Sumit
So, I don't understand why sssd seems to pass username with domain part to the pam
stack? Some bad config on my part or a bug?
sssd_pam debug log:
https://pastebin.com/raw/dQeLCNsF
Adam Winberg
ITpc
SMHI
Telefon 011-4958058 Fax 011-4958350
Epost Adam.Winberg@smhi.se<mailto:Adam.Winberg@smhi.se>
601 76 Norrköping Besöksadress Folkborgsvägen 1
www.smhi.se<http://www.smhi.se>
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
1787
days inactive
1787
days old
sssd-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Sumit Bose -
Winberg Adam