This is on RHEL8.0.
Logging into gnome with smartcard results in username environment variables containing domain:
$ env
....
USER=a001329@ad.example.com
USERNAME=a001329@ad.example.com
LOGNAME=a001329@ad.example.com
...
GDM debug log shows:
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: state AUTHENTICATED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: trying to get updated username
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: username is 'a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: old-username='a001329@ad.example.com' new-username='a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: Found object path of user 'a001329@ad.example.com': /org/freedesktop/Accounts/User60483
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: finding user 'a001329@ad.example.com' state 3
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: user 'a001329@ad.example.com' fetched
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: user a001329 is now loaded
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: user a001329 was not yet known, adding it
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: tracking user 'a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: not yet loaded, so not emitting user-added signal
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: no pending users, trying to set loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: already loaded, so not setting loaded property
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: finished handling request for user 'a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: AccountsService: ActUserManager: unrefing manager owned by fetch user request
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: attempting to change state to AUTHORIZED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: determining if authenticated user (password required:0) is authorized to session
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: state AUTHORIZED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: attempting to change state to ACCREDITED
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM environment variable: 'LOGNAME=a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM environment variable: 'USER=a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM environment variable: 'USERNAME=a001329@ad.example.com'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM environment variable: 'HOME=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM environment variable: 'PWD=/home/a001329'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM environment variable: 'SHELL=/bin/bash'
Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: Set PAM environment variable: 'PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin'
So it seems GDM gets the username with the domain part from the pam stack - i.e. pam_sss.
So, I don't understand why sssd seems to pass the username with the domain part to the PAM stack? Some bad config on my part, or a bug?
sssd_pam debug log:
https://pastebin.com/raw/dQeLCNsF
Adam Winberg ITpc
SMHI
Phone 011-4958058
Fax 011-4958350
E-mail Adam.Winberg@smhi.se
601 76 Norrköping
Visiting address Folkborgsvägen 1
www.smhi.se
On Wed, Jun 05, 2019 at 02:01:23PM +0000, Winberg Adam wrote:
So it seems GDM gets the username with the domain part from the pam stack - i.e. pam_sss.
Yes, pam_sss currently uses the fully-qualified user name to avoid confusion if the smartcard contains certificates for users from different domains; think of e.g. Administrator users from different AD domains in a forest.
After a successful authentication the name is currently not replaced and stays on the PAM stack.
Please open a bugzilla or pagure ticket to use the name returned e.g. by 'getent passwd'.
bye, Sumit
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Any workaround to just set the short name? Not sure what problems using fully-qualified usernames might cause, but one seems to be that gdm/AccountsService does not accept that name format and therefore does not create a file for the user in /var/lib/AccountsService/users/.
On 5 Jun 2019 16:32, Sumit Bose sbose@redhat.com wrote:
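Sumit's explanation (pam_sss leaves the fully-qualified name in PAM_USER, and a fix should use the name 'getent passwd' returns) and Adam's question about a workaround for the short name are worth a worked example. The Python below is added here for this thread; it is not SSSD, GDM or either poster's code. It does two things a practitioner would want: scan GDM debug output for sessions whose USER/USERNAME/LOGNAME came from a domain-qualified PAM_USER, and normalise such a name by resolving it through NSS (pwd.getpwnam, the same lookup 'getent passwd' does) rather than cutting the string at '@', because in a forest the short name can belong to another domain's account, which is exactly the ambiguity Sumit describes. The PwEntry type, the table_lookup helper, the copied journal lines and the 'administrator' collision entries (with made-up uids) are assumptions for the example; uid 60483 is taken from the AccountsService object path in the log.

```python
"""Added example for the sssd-users thread on domain-qualified PAM_USER.
Not SSSD, GDM or the posters' code; names marked below are constructed."""
import pwd
import re
from typing import Callable, Dict, Iterable, List, NamedTuple, Tuple


class PwEntry(NamedTuple):
    """The struct passwd fields this example uses (assumed helper type)."""
    pw_name: str
    pw_uid: int
    pw_dir: str


def nss_lookup(name: str) -> PwEntry:
    """Resolve name through NSS, i.e. what 'getent passwd NAME' does.
    With nss_sss this accepts 'a001329' and 'a001329@ad.example.com' alike and
    returns pw_name in the form sssd is configured to use. Raises KeyError."""
    e = pwd.getpwnam(name)
    return PwEntry(e.pw_name, e.pw_uid, e.pw_dir)


def table_lookup(table: Dict[str, PwEntry]) -> Callable[[str], PwEntry]:
    """Lookup backed by a constructed dict so the example runs offline."""
    def lookup(name: str) -> PwEntry:
        return table[name]  # KeyError, like an unknown user in NSS
    return lookup


def canonical_login_name(pam_user: str,
                         lookup: Callable[[str], PwEntry] = nss_lookup) -> str:
    """Return the login name NSS reports for the authenticated PAM_USER.

    If sssd shortens the name (use_fully_qualified_names = False), the short
    form is looked up again and must map to the same uid. If it maps to a
    different account (e.g. 'administrator' in two domains of a forest),
    ValueError is raised so the caller keeps the qualified name. If the short
    form does not resolve at all, the qualified name is returned unchanged.
    """
    entry = lookup(pam_user)  # KeyError for an unknown user propagates
    if entry.pw_name == pam_user or "@" not in pam_user:
        return entry.pw_name
    try:
        short = lookup(entry.pw_name)
    except KeyError:
        return pam_user
    if short.pw_uid != entry.pw_uid:
        raise ValueError(
            f"{entry.pw_name!r} resolves to uid {short.pw_uid}, not uid "
            f"{entry.pw_uid} of {pam_user!r}; keep the qualified name")
    return entry.pw_name


# Matches the 'Set PAM environment variable' lines in GDM's debug output.
_PAM_ENV = re.compile(
    r"\[(?P<pid>\d+)\]: GdmSessionWorker: Set PAM environment variable: "
    r"'(?P<var>[A-Z_]+)=(?P<value>[^']*)'")


def qualified_logins(journal_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (pid, variable, value) for every USER/USERNAME/LOGNAME that GDM
    populated from a domain-qualified PAM_USER."""
    hits = []
    for line in journal_lines:
        m = _PAM_ENV.search(line)
        if m and m["var"] in ("USER", "USERNAME", "LOGNAME") and "@" in m["value"]:
            hits.append((m["pid"], m["var"], m["value"]))
    return hits


# Sample input: journal lines copied from the GDM debug log quoted in the thread.
_PREFIX = "Jun 05 14:06:27 c21637.ad.example.com gdm-smartcard][30108]: GdmSessionWorker: "
SAMPLE_JOURNAL = [
    _PREFIX + "state ACCREDITED",
    _PREFIX + "Set PAM environment variable: 'LOGNAME=a001329@ad.example.com'",
    _PREFIX + "Set PAM environment variable: 'USER=a001329@ad.example.com'",
    _PREFIX + "Set PAM environment variable: 'USERNAME=a001329@ad.example.com'",
    _PREFIX + "Set PAM environment variable: 'HOME=/home/a001329'",
    _PREFIX + "Set PAM environment variable: 'PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin'",
]

# Constructed NSS view: a001329 with the uid seen in the AccountsService object
# path; the two 'administrator' entries are hypothetical and model the
# cross-domain name collision pam_sss qualifies names to avoid.
SAMPLE_NSS = {
    "a001329@ad.example.com": PwEntry("a001329", 60483, "/home/a001329"),
    "a001329": PwEntry("a001329", 60483, "/home/a001329"),
    "administrator@child.ad.example.com": PwEntry("administrator", 1106, "/home/administrator"),
    "administrator": PwEntry("administrator", 500, "/home/administrator"),
}

if __name__ == "__main__":
    resolve = table_lookup(SAMPLE_NSS)
    for pid, var, value in qualified_logins(SAMPLE_JOURNAL):
        print(f"pid {pid}: {var}={value} -> {canonical_login_name(value, resolve)}")
    try:
        canonical_login_name("administrator@child.ad.example.com", resolve)
    except ValueError as err:
        print("refused:", err)
```

On a real host call canonical_login_name(os.environ["USER"]) with the default nss_lookup, and feed qualified_logins the GDM debug log from the journal. This normalises the name on the consumer side only; it does not change what pam_sss puts on the PAM stack, so the proper fix remains the pam_sss change Sumit asks to be filed.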