ubuntu / aad-auth Goto Github PK
View Code? Open in Web Editor NEWAzure AD authentication module for Ubuntu
License: GNU Lesser General Public License v3.0
aad-auth's People
Contributors
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
Stargazers
Watchers
Forkers
specialized806 rs-credentive maartenor peat-psuwit la5942 iq-scm lmaotrigine noorahsmith pierregode kaminagiwawon mikelrad johne8 sassyn sanoxy jafferli l878waw akhildas-github stremovsky marcusmt jot85 ebarrereaad-auth's Issues
Scopes seem to be required by the AzureAD public client
Introdutory notes
Be careful with sensitive information and security vulnerabities
In order to report bugs that could contain sensitive information, use Launchpad instead.
On Ubuntu machines, you can useubuntu-bug libpam-aadto collect relevant information.
Thank you for helping improve aad-auth!
Please take a look at the template bellow and answer all relevant questions. Your additional work here
is greatly appreciated and will help us respond as soon as possible. For general support or usage questions, please refer to the Ubuntu Discourse instead.
Finally, to avoid duplicates, please search the existing issues (even the closed ones) before submitting another one.
By submitting an Issue to this repository, you agree to the terms within the Ubuntu Code of Conduct.
Template
Description
After installing the library and enabling the homedir pam module, I expected a first-time login using Azure AD credentials to succeed. Instead, I see the following lines in the journal after enabling debug info for PAM:
Connecting to "[https://login.microsoftonline.com/tenant-id"](https://login.microsoftonline.com/tenant-id), with clientID "client-id" for user "[email protected]"
:auth): acquiring token failed: token request had an empty authority.AuthParams.Scopes, which is invalid
Unfortunately my journal seems to be clear of that log now since I've incorporated a "fix" (see below), but I think that's the operative part of the log.
Reproduction
- Install
aad-auth, this installs all three debs. Set up the tenant and app ID for Azure AD - Login using Azure AD credentials for the first time
Login fails because PAM rejects the authentication attempt.
Environment
Please provide the following:
For Ubuntu users, please follow these steps:
- Run
ubuntu-bug libpam-aad --save=/tmp/report - Remember to redact any sensitive information contained in the file.
- Copy paste below
/tmp/reportcontent:
ProblemType: Bug
.etc.adduser.conf:
# /etc/adduser.conf: `adduser' configuration.
# See adduser(8) and adduser.conf(5) for full documentation.
# A commented out setting indicates that this is the default in the
# code. If you need to change those settings, remove the comment and
# make your intended change.
# The DSHELL variable specifies the default login shell on your
# system.
# Default: DSHELL=/bin/bash
#DSHELL=/bin/bash
# The DHOME variable specifies the directory containing users' home
# directories.
# Default: DHOME=/home
#DHOME=/home
# If GROUPHOMES is "yes", then the home directories will be created as
# /home/groupname/user.
# Default: GROUPHOMES=no
#GROUPHOMES=no
# If LETTERHOMES is "yes", then the created home directories will have
# an extra directory - the first letter of the user name. For example:
# /home/u/user.
# Default: LETTERHOMES=no
#LETTERHOMES=no
# The SKEL variable specifies the directory containing "skeletal" user
# files; in other words, files such as a sample .profile that will be
# copied to the new user's home directory when it is created.
# Default: SKEL=/etc/skel
#SKEL=/etc/skel
# FIRST_SYSTEM_[GU]ID to LAST_SYSTEM_[GU]ID inclusive is the range for UIDs
# for dynamically allocated administrative and system accounts/groups.
# Please note that system software, such as the users allocated by the
# base-passwd package, may assume that UIDs less than 100 are unallocated.
# Default: FIRST_SYSTEM_UID=100, LAST_SYSTEM_UID=999
#FIRST_SYSTEM_UID=100
#LAST_SYSTEM_UID=999
# Default: FIRST_SYSTEM_GID=100, LAST_SYSTEM_GID=999
#FIRST_SYSTEM_GID=100
#LAST_SYSTEM_GID=999
# FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically
# allocated user accounts/groups.
# Default: FIRST_UID=1000, LAST_UID=59999
#FIRST_UID=1000
#LAST_UID=59999
# Default: FIRST_GID=1000, LAST_GID=59999
#FIRST_GID=1000
#LAST_GID=59999
# The USERGROUPS variable can be either "yes" or "no". If "yes" each
# created user will be given their own group to use as a default. If
# "no", each created user get the primary group defined below as
# USERS_GROUP or USERS_GID.
# Default: USERGROUPS=yes
#USERGROUPS=yes
# Newly created users get this group as primary group if USERGROUPS
# "no", and as a supplemental group if USERGROUPS is "yes".
# Set one of the variables to reference the group. Don't set both.
# Default: USERS_GID=undefined, USERS_GROUP=undefined
#USERS_GID=100
#USERS_GROUP=users
# If DIR_MODE is set, directories will be created with the specified
# mode. Otherwise the default mode 0750 will be used.
# Default: DIR_MODE=0750
#DIR_MODE=0750
# When creating system accounts: if SYS_DIR_MODE is set (and a home
# location is specified), the directories will be created with the
# specified mode. Otherwise the default mode 0750 will be used.
# Default: SYS_DIR_MODE=0750
#SYS_DIR_MODE=0750
# If SETGID_HOME is "yes" home directories for users with their own
# group the setgid bit will be set. This was the default for
# versions << 3.13 of adduser. Because it has some bad side effects we
# no longer do this per default. If you want it nevertheless you can
# still set it here. Note: this feature is DEPRECATED and will be
# removed in a future version of adduser; please use the DIR_MODE
# settings above instead.
# Default: SETGID_HOME=no
#SETGID_HOME=no
# If QUOTAUSER is set, a default quota will be set from that user with
# `edquota -p QUOTAUSER newuser'
# Default: QUOTAUSER=""
#QUOTAUSER=""
# If SKEL_IGNORE_REGEX is set, adduser will ignore files matching this
# regular expression when creating a new home directory
# Default: SKEL_IGNORE_REGEX="(dpkg|ucf)-(old|new|dist|save)"
#SKEL_IGNORE_REGEX="(dpkg|ucf)-(old|new|dist|save)"
# Set this if you want the --add-extra-groups option to adduser to add
# new users to other groups.
# This is the list of groups that new non-system users will be added to
# Default: EXTRA_GROUPS="users"
#EXTRA_GROUPS="users"
# If ADD_EXTRA_GROUPS is set to something non-zero, the EXTRA_GROUPS
# option above will be default behavior for adding new, non-system users
# Default: ADD_EXTRA_GROUPS=0
#ADD_EXTRA_GROUPS=0
# check user and group names also against this regular expression.
# Default: NAME_REGEX="^[a-z][-a-z0-9_]*\$?$"
#NAME_REGEX="^[a-z][-a-z0-9_]*\$?$"
# check system user and group names also against this regular expression.
# Default: SYS_NAME_REGEX="^[A-Za-z_][-A-Za-z0-9_]*\$?$"
#SYS_NAME_REGEX="^[A-Za-z_][-A-Za-z0-9_]*\$?$"
# use extrausers by default
#USE_EXTRAUSERS=1
.etc.pam.d.common-auth:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_aad.so
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
ApportVersion: 2.26.1-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
Date: Wed Jun 14 09:06:01 2023
Dependencies:
aad-common 0.4
apt 2.6.0
apt-utils 2.6.0
base-passwd 3.6.1
ca-certificates 20230311ubuntu0.23.04.1
debconf 1.5.82
debconf-i18n 1.5.82
dpkg 1.21.21ubuntu1
gcc-13-base 13-20230320-1ubuntu1
gpgv 2.2.40-1.1ubuntu1
krb5-locales 1.20.1-1build1
libacl1 2.3.1-3
libapt-pkg6.0 2.6.0
libaudit-common 1:3.0.9-1
libaudit1 1:3.0.9-1
libbz2-1.0 1.0.8-5build1
libc6 2.37-0ubuntu2
libcap-ng0 0.8.3-1build2
libcap2 1:2.66-3ubuntu2
libcom-err2 1.47.0-1ubuntu1
libcrypt1 1:4.4.33-2
libdb5.3 5.3.28+dfsg2-1
libdebconfclient0 0.267ubuntu1
libffi8 3.4.4-1
libgcc-s1 13-20230320-1ubuntu1
libgcrypt20 1.10.1-3ubuntu1
libgmp10 2:6.2.1+dfsg1-1.1ubuntu1
libgnutls30 3.7.8-5ubuntu1
libgpg-error-l10n 1.46-1
libgpg-error0 1.46-1
libgssapi-krb5-2 1.20.1-1build1
libhogweed6 3.8.1-2
libidn2-0 2.3.3-1build1
libk5crypto3 1.20.1-1build1
libkeyutils1 1.6.3-2
libkrb5-3 1.20.1-1build1
libkrb5support0 1.20.1-1build1
liblocale-gettext-perl 1.07-5
liblz4-1 1.9.4-1
liblzma5 5.4.1-0.2
libmd0 1.0.4-2
libnettle8 3.8.1-2
libnsl2 1.3.0-2build2
libnss-nis 3.1-0ubuntu6
libnss-nisplus 1.3-0ubuntu6
libp11-kit0 0.24.1-2ubuntu1
libpam0g 1.5.2-5ubuntu1
libpcre2-8-0 10.42-1
libseccomp2 2.5.4-1ubuntu3
libselinux1 3.4-1build4
libssl3 3.0.8-1ubuntu1.2
libstdc++6 13-20230320-1ubuntu1
libsystemd0 252.5-2ubuntu3
libtasn1-6 4.19.0-2
libtext-charwidth-perl 0.04-11
libtext-iconv-perl 1.7-8
libtext-wrapi18n-perl 0.06-10
libtirpc-common 1.3.3+ds-1
libtirpc3 1.3.3+ds-1
libudev1 252.5-2ubuntu3
libunistring2 1.0-2
libxxhash0 0.8.1-1
libzstd1 1.5.4+dfsg2-4
openssl 3.0.8-1ubuntu1.2
perl-base 5.36.0-7ubuntu0.23.04.1
tar 1.34+dfsg-1.2ubuntu0.1
ubuntu-keyring 2021.03.26
zlib1g 1:1.2.13.dfsg-1ubuntu4
DistroRelease: Ubuntu 23.04
InstallationDate: Installed on 2023-06-13 (0 days ago)
InstallationMedia: Ubuntu-Server 23.04 "Lunar Lobster" - Release amd64 (20230415)
Package: libpam-aad 0.4
PackageArchitecture: amd64
ProcCpuinfoMinimal:
processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 142
model name : Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz
stepping : 12
cpu MHz : 2112.004
cache size : 6144 KB
physical id : 0
siblings : 2
core id : 1
cpu cores : 2
apicid : 1
initial apicid : 1
fpu : yes
fpu_exception : yes
cpuid level : 22
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single pti fsgsbase bmi1 avx2 bmi2 invpcid rdseed clflushopt md_clear flush_l1d arch_capabilities
bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit srbds mmio_stale_data retbleed
bogomips : 4224.00
clflush size : 64
cache_alignment : 64
address sizes : 39 bits physical, 48 bits virtual
power management:
ProcEnviron:
LANG=en_GB.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-256color
XDG_RUNTIME_DIR=<set>
ProcVersionSignature: Ubuntu 6.2.0-20.20-generic 6.2.6
RelatedPackageVersions:
libpam-runtime 1.5.2-5ubuntu1
libpam0g 1.5.2-5ubuntu1
SourcePackage: aad-auth
Tags: lunar
Uname: Linux 6.2.0-20-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
_MarkForUpload: True
Relevant information
Logging is done through the standard journal facility of the system which can be monitored and queried with journalctl.
Debugging can be enabled:
- For PAM: by adding
debugto the line containing the modulepam_aadin/etc/pam.d/common-auth.
auth [success=1 default=ignore] pam_aad.so debug- For NSS: by adding the line
NSS_AAD_DEBUG=1to/etc/environment. Then reboot the machine to make it effective to the entire system.
Additional context
I needed the fix from #215 so I decided to build this package from scratch. The steps I followed were:
sudo apt update
sudo apt install build-essential jq git curl
sudo apt build-dep aad-auth
git clone https://github.com/ubuntu/aad-auth
cd aad-auth
dpkg-buildpackage -us -uc -B
sudo apt install ../*.debThe issue persisted even then.
I figured that this is likely a message from MSAL, so I incorporated this patch:
From 2e6c7a810025c70302beba4a799e6e262327e500 Mon Sep 17 00:00:00 2001
From: Isis Ebsen <[email protected]>
Date: Wed, 14 Jun 2023 12:05:06 +0000
Subject: [PATCH] make it work
---
internal/aad/aad.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/aad/aad.go b/internal/aad/aad.go
index c1a2385..a9fe77c 100644
--- a/internal/aad/aad.go
+++ b/internal/aad/aad.go
@@ -61,7 +61,7 @@ func (auth AAD) Authenticate(ctx context.Context, cfg config.AAD, username, pass
}
// Authentify the user
- _, errAcquireToken = app.AcquireTokenByUsernamePassword(ctx, nil, username, password)
+ _, errAcquireToken = app.AcquireTokenByUsernamePassword(ctx, []string{"offline_access"}, username, password)
var callErr msalErrors.CallErr
if errors.As(errAcquireToken, &callErr) {
--
2.41.0Which fixed this issue for me finally.
However, I'm not sure if this is the correct fix, because I might be missing the root cause of the problem, and also I'm not sure if the scopes should now be a configuration parameter that it seems required.
Please advise if I'm on the right track here, and if this actually is a bug and my fix is correct, I will gladly open a PR.
I apologize in advance if I am off base, and will provide any additional information on request.
Dump cache DB to CSV
To generate golden files for PAM integration tests the cache DB must be dumped to a flat format like CSV.
SSH won't allow login or create a user if they haven't been logged in locally first
I have the PAM module mkhomedir enabled and it works if I login from console using 'sudo login' with a user who has not logged in before but it doesn't work from SSH.
journalctl just comes back with:
pam_aad(sshd:auth): Connecting to "https://login.microsoftonline.com/8c46abc7-960b>
pam_aad(sshd:auth): Got response: Invalid credentials
However if I login locally journalct shows:
pam_aad(login:auth): Connecting to "https://login.microsoftonline.com/8c46abc7-960b>
pam_aad(login:auth): Authentication successful with user/password
The Connecting to string in both logs is the exact same but the sshd one doesn't work. I have confirmed it's the same password and not a typo by copy/pasting it.
System info:
ubuntu 23.04
openssh 1:9.0p1-1ubuntu8
libpam-aad 0.4
libpam-runtime 1.5.2-5ubuntu1
libnss-aad 0.4
Ubuntu logon fails but Azure AD says successful
Hi,
Getting the error "Sorry, password authentication didn't work. Please try again." when I logon with valid Azure AD credentials.
Screenshot: https://imgur.com/DxNAHEA
The Enterprise App sign-in log says the user was successfully authenticated as per this screenshot: https://imgur.com/3DmRBmz
Are you able to deduce anything from the log below?
Apr 26 16:22:01 Ubuntu gdm-password][6306]: pam_unix(gdm-password:auth): check pass; user unknown
Apr 26 16:22:01 Ubuntu gdm-password][6306]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Apr 26 16:22:01 Ubuntu gdm-password][6306]: pam_aad(gdm-password:auth): aad auth debug enabled
Apr 26 16:22:01 Ubuntu gdm-password][6306]: pam_aad(gdm-password:auth): PAM AAD DEBUG enabled
Apr 26 16:22:01 Ubuntu gdm-password][6306]: pam_aad(gdm-password:auth): Loading configuration from /etc/aad.conf
Apr 26 16:22:01 Ubuntu gdm-password][6306]: pam_aad(gdm-password:auth): Connecting to "https://login.microsoftonline.com/c33f12c3-[xxxx]-[xxxx]-[xxxxxxxxxxx]__;!!HUqgN_M!t1cV7xJo6StWoMrqM2v0Cxt7AakkGylgPpOjh4NQTDWCtAKhwiR14stt7glsaEdU8xzRTNd5KIIJWQOn9Fb3ovo174syK8Vrc2nnsL-E$ ", with clientID "4613665f-[xxxx]-[xxxx]-[xxxxxxxxxxx]" for user "adelev@[redacted].onmicrosoft.com"
Apr 26 16:22:01 Ubuntu gdm-password][6306]: pam_aad(gdm-password:auth): Authentication successful with user/password
Apr 26 16:22:01 Ubuntu gdm-password][6306]: pam_aad(gdm-password:auth): Cache initialization
Apr 26 16:22:01 Ubuntu gdm-password][6306]: pam_aad(gdm-password:auth): Opening cache in /var/lib/aad/cache
Apr 26 16:22:01 Ubuntu gdm-password][6306]: pam_aad(gdm-password:auth): check file permissions on /var/lib/aad/cache/passwd.db
Apr 26 16:22:01 Ubuntu gdm-password][6306]: pam_aad(gdm-password:auth): check file permissions on /var/lib/aad/cache/shadow.db
Apr 26 16:22:01 Ubuntu gdm-password][6306]: pam_aad(gdm-password:auth): Shadow db mode: 2
Apr 26 16:22:01 Ubuntu gdm-password][6306]: pam_aad(gdm-password:auth): Cleaning up db. Removing entries that last authenticated online more than 180 days ago
Apr 26 16:22:01 Ubuntu gdm-password][6306]: pam_aad(gdm-password:auth): getting user information from cache for "adelev@[redacted].onmicrosoft.com"
Apr 26 16:22:01 Ubuntu gdm-password][6306]: pam_aad(gdm-password:auth): encrypt password for user "adelev@[redacted].onmicrosoft.com"
Apr 26 16:22:02 Ubuntu gdm-password][6306]: pam_aad(gdm-password:auth): updating from last online login information for user "adelev@[redacted].onmicrosoft.com"
Apr 26 16:22:02 Ubuntu gdm-password][6306]: pam_aad(gdm-password:auth): Close database request
Apr 26 16:22:02 Ubuntu gdm-password][6306]: gkr-pam: error looking up user information
Apr 26 16:22:02 Ubuntu gdm-password][6306]: pam_unix(gdm-password:account): could not identify user (from getpwnam(adelev@[redacted].onmicrosoft.com))
Apr 26 16:22:02 Ubuntu gdm-password][6325]: accountsservice: ActUserManager: user (null) has no username (uid: -1)
Apr 26 16:22:05 Ubuntu geoclue[4387]: Service not used for 60 seconds. Shutting down..
Apr 26 16:22:05 Ubuntu systemd[1]: geoclue.service: Deactivated successfully.
no success logon in my Azure AD app
Hello,
After several tests:
- login sucess/failure on console
- login sucess/failure with ssh
I can see only failures from mysignins.microsoft.com or from sign-in logs. I can see all failure or interrupted processes but never a success. Maybe, the problem come from the MFA which is not requested.
Regards
group membership management
With this new feature, I can login on workstation with my O365 account , the user account is created automatically, but there is no group membership management.
Idealy, aad-auth should request group membership from Azure AD, and on /etc/aad.conf file we should manage groups mapping.
Ex: if my user is member of "ubuntu_root" group in Azure AD, an automatic process should add the user is sudo group in all ubuntu workstation when the user open a session.
The process should refresh all groups membership (add and remove) at each logon.
Group management (creating and removing group) should be managed by another process
Regards
Changed password in Azure AD does not work locally
After changing the password through the https://account.activedirectory.windowsazure.com/r/#/profile portal I am unable to login to the Ubuntu machine with the new password. The computer is on internet access via Ethernet cable 1Gbps.
aad-auth segfault when in debug mode
Description
We have a test server running Ubuntu 23.0.4, running CUPS (in Basic authentication mode) which uses aad-auth to authenticate users. During our testing of this setup, I was noticing that periodically the CUPS service would crash and restart itself.
It looks like this behavior is the result of the AAD PAM module segfaulting when in debug mode. Removing 'debug' from the /etc/pam.d/common-auth file for the AAD module appears to resolve the issue.
Reproduction
Set up CUPS on an Ubuntu machine, with DefaultAuthType set to Basic in cupsd.conf. Install aad-auth and set the module to 'debug' mode in /etc/pam.d/common-auth. Install print queues on a client machine that are hosted on the Ubuntu server. Send a number of print jobs. CUPS will crash with a core-dump.
This issue does seem to be somewhat intermittent - CUPS does not crash after every print job. But it does crash regularly enough that it should not be too difficult to reproduce.
Environment
Ubuntu 23.0.4
CUPS 2.4.2
Ubuntu-Bug Report output
ProblemType: Bug
.etc.adduser.conf:
# /etc/adduser.conf: `adduser' configuration.
# See adduser(8) and adduser.conf(5) for full documentation.
# A commented out setting indicates that this is the default in the
# code. If you need to change those settings, remove the comment and
# make your intended change.
# The DSHELL variable specifies the default login shell on your
# system.
# Default: DSHELL=/bin/bash
#DSHELL=/bin/bash
# The DHOME variable specifies the directory containing users' home
# directories.
# Default: DHOME=/home
#DHOME=/home
# If GROUPHOMES is "yes", then the home directories will be created as
# /home/groupname/user.
# Default: GROUPHOMES=no
#GROUPHOMES=no
# If LETTERHOMES is "yes", then the created home directories will have
# an extra directory - the first letter of the user name. For example:
# /home/u/user.
# Default: LETTERHOMES=no
#LETTERHOMES=no
# The SKEL variable specifies the directory containing "skeletal" user
# files; in other words, files such as a sample .profile that will be
# copied to the new user's home directory when it is created.
# Default: SKEL=/etc/skel
#SKEL=/etc/skel
# FIRST_SYSTEM_[GU]ID to LAST_SYSTEM_[GU]ID inclusive is the range for UIDs
# for dynamically allocated administrative and system accounts/groups.
# Please note that system software, such as the users allocated by the
# base-passwd package, may assume that UIDs less than 100 are unallocated.
# Default: FIRST_SYSTEM_UID=100, LAST_SYSTEM_UID=999
#FIRST_SYSTEM_UID=100
#LAST_SYSTEM_UID=999
# Default: FIRST_SYSTEM_GID=100, LAST_SYSTEM_GID=999
#FIRST_SYSTEM_GID=100
#LAST_SYSTEM_GID=999
# FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically
# allocated user accounts/groups.
# Default: FIRST_UID=1000, LAST_UID=59999
#FIRST_UID=1000
#LAST_UID=59999
# Default: FIRST_GID=1000, LAST_GID=59999
#FIRST_GID=1000
#LAST_GID=59999
# The USERGROUPS variable can be either "yes" or "no". If "yes" each
# created user will be given their own group to use as a default. If
# "no", each created user get the primary group defined below as
# USERS_GROUP or USERS_GID.
# Default: USERGROUPS=yes
#USERGROUPS=yes
# Newly created users get this group as primary group if USERGROUPS
# "no", and as a supplemental group if USERGROUPS is "yes".
# Set one of the variables to reference the group. Don't set both.
# Default: USERS_GID=undefined, USERS_GROUP=undefined
#USERS_GID=100
#USERS_GROUP=users
# If DIR_MODE is set, directories will be created with the specified
# mode. Otherwise the default mode 0750 will be used.
# Default: DIR_MODE=0750
#DIR_MODE=0750
# When creating system accounts: if SYS_DIR_MODE is set (and a home
# location is specified), the directories will be created with the
# specified mode. Otherwise the default mode 0750 will be used.
# Default: SYS_DIR_MODE=0750
#SYS_DIR_MODE=0750
# If SETGID_HOME is "yes" home directories for users with their own
# group the setgid bit will be set. This was the default for
# versions << 3.13 of adduser. Because it has some bad side effects we
# no longer do this per default. If you want it nevertheless you can
# still set it here. Note: this feature is DEPRECATED and will be
# removed in a future version of adduser; please use the DIR_MODE
# settings above instead.
# Default: SETGID_HOME=no
#SETGID_HOME=no
# If QUOTAUSER is set, a default quota will be set from that user with
# `edquota -p QUOTAUSER newuser'
# Default: QUOTAUSER=""
#QUOTAUSER=""
# If SKEL_IGNORE_REGEX is set, adduser will ignore files matching this
# regular expression when creating a new home directory
# Default: SKEL_IGNORE_REGEX="(dpkg|ucf)-(old|new|dist|save)"
#SKEL_IGNORE_REGEX="(dpkg|ucf)-(old|new|dist|save)"
# Set this if you want the --add-extra-groups option to adduser to add
# new users to other groups.
# This is the list of groups that new non-system users will be added to
# Default: EXTRA_GROUPS="users"
#EXTRA_GROUPS="users"
# If ADD_EXTRA_GROUPS is set to something non-zero, the EXTRA_GROUPS
# option above will be default behavior for adding new, non-system users
# Default: ADD_EXTRA_GROUPS=0
#ADD_EXTRA_GROUPS=0
# check user and group names also against this regular expression.
# Default: NAME_REGEX="^[a-z][-a-z0-9_]*\$?$"
#NAME_REGEX="^[a-z][-a-z0-9_]*\$?$"
# check system user and group names also against this regular expression.
# Default: SYS_NAME_REGEX="^[A-Za-z_][-A-Za-z0-9_]*\$?$"
#SYS_NAME_REGEX="^[A-Za-z_][-A-Za-z0-9_]*\$?$"
# use extrausers by default
#USE_EXTRAUSERS=1
.etc.pam.d.common-auth:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_aad.so debug
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
ApportVersion: 2.26.1-0ubuntu2
Architecture: amd64
AzureImageoffer: 0001-com-ubuntu-server-jammy
AzureImagepublisher: canonical
AzureImagesku: 22_04-lts-gen2
AzureImageversion: 22.04.202306160
AzureVmsize: Standard_D2s_v3
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudBuildName: server
CloudID: azure
CloudName: azure
CloudPlatform: azure
CloudRegion: northcentralus
CloudSerial: 20230616
CloudSubPlatform: seed-dir (/var/lib/waagent)
Date: Tue Jun 27 12:19:15 2023
Dependencies:
aad-common 0.4
apt 2.6.0
apt-utils 2.6.0
base-passwd 3.6.1
ca-certificates 20230311ubuntu0.23.04.1
debconf 1.5.82
debconf-i18n 1.5.82
dpkg 1.21.21ubuntu1
gcc-13-base 13-20230320-1ubuntu1
gpgv 2.2.40-1.1ubuntu1
libacl1 2.3.1-3
libapt-pkg6.0 2.6.0
libaudit-common 1:3.0.9-1
libaudit1 1:3.0.9-1
libbz2-1.0 1.0.8-5build1
libc6 2.37-0ubuntu2
libcap-ng0 0.8.3-1build2
libcap2 1:2.66-3ubuntu2.1
libcrypt1 1:4.4.33-2
libdb5.3 5.3.28+dfsg2-1
libdebconfclient0 0.267ubuntu1
libffi8 3.4.4-1
libgcc-s1 13-20230320-1ubuntu1
libgcrypt20 1.10.1-3ubuntu1
libgmp10 2:6.2.1+dfsg1-1.1ubuntu1
libgnutls30 3.7.8-5ubuntu1
libgpg-error0 1.46-1
libhogweed6 3.8.1-2
libidn2-0 2.3.3-1build1
liblocale-gettext-perl 1.07-5
liblz4-1 1.9.4-1
liblzma5 5.4.1-0.2
libmd0 1.0.4-2
libnettle8 3.8.1-2
libp11-kit0 0.24.1-2ubuntu1
libpam0g 1.5.2-5ubuntu1
libpcre2-8-0 10.42-1
libseccomp2 2.5.4-1ubuntu3
libselinux1 3.4-1build4
libssl3 3.0.8-1ubuntu1.2
libstdc++6 13-20230320-1ubuntu1
libsystemd0 252.5-2ubuntu3
libtasn1-6 4.19.0-2
libtext-charwidth-perl 0.04-11
libtext-iconv-perl 1.7-8
libtext-wrapi18n-perl 0.06-10
libudev1 252.5-2ubuntu3
libunistring2 1.0-2
libxxhash0 0.8.1-1
libzstd1 1.5.4+dfsg2-4
openssl 3.0.8-1ubuntu1.2
perl-base 5.36.0-7ubuntu0.23.04.1
tar 1.34+dfsg-1.2ubuntu0.1
ubuntu-keyring 2021.03.26
zlib1g 1:1.2.13.dfsg-1ubuntu4
DistroRelease: Ubuntu 23.04
Package: libpam-aad 0.4
PackageArchitecture: amd64
ProcCpuinfoMinimal:
processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 79
model name : Intel(R) Xeon(R) CPU E5-2673 v4 @ 2.30GHz
stepping : 1
microcode : 0xffffffff
cpu MHz : 2294.686
cache size : 51200 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 1
apicid : 1
initial apicid : 1
fpu : yes
fpu_exception : yes
cpuid level : 20
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single pti fsgsbase bmi1 hle avx2 smep bmi2 erms invpcid rtm rdseed adx smap xsaveopt arch_capabilities
bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa mmio_stale_data
bogomips : 4589.37
clflush size : 64
cache_alignment : 64
address sizes : 46 bits physical, 48 bits virtual
power management:
ProcEnviron:
LANG=C.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-256color
XDG_RUNTIME_DIR=<set>
ProcVersionSignature: User Name 6.2.0-1003.3-azure 6.2.6
RebootRequiredPkgs: Error: path contained symlinks.
RelatedPackageVersions:
libpam-runtime 1.5.2-5ubuntu1
libpam0g 1.5.2-5ubuntu1
SourcePackage: aad-auth
Tags: cloud-image lunar
Uname: Linux 6.2.0-1003-azure x86_64
UpgradeStatus: Upgraded to lunar on 2023-06-20 (7 days ago)
_MarkForUpload: True
Relevant Information
Here is a snippet from journalctl showing a successful AAD authentication, followed by the segfault and crash. You'll note mentions of the debug logger in the runtime stack:
Jun 27 11:32:55 print-ipp-everywhere-test cupsd[42221]: pam_aad(cups:auth): PAM AAD DEBUG enabled
Jun 27 11:32:55 print-ipp-everywhere-test cupsd[42221]: pam_aad(cups:auth): Loading configuration from /etc/aad.conf
Jun 27 11:32:55 print-ipp-everywhere-test cupsd[42221]: pam_aad(cups:auth): Connecting to "https://login.microsoftonline.com/<TENET ID REMOVED>", with clientID "<CLIENT ID REMOVED>"
Jun 27 11:32:55 print-ipp-everywhere-test cupsd[42221]: pam_aad(cups:auth): Authentication successful with user/password
Jun 27 11:32:55 print-ipp-everywhere-test cupsd[42221]: pam_aad(cups:auth): Reusing existing opened cache
Jun 27 11:32:55 print-ipp-everywhere-test cupsd[42221]: pam_aad(cups:auth): getting user information from cache for "[email protected]"
Jun 27 11:32:55 print-ipp-everywhere-test cupsd[42221]: pam_aad(cups:auth): encrypt password for user "[email protected]"
Jun 27 11:32:55 print-ipp-everywhere-test cupsd[42221]: pam_aad(cups:auth): updating from last online login information for user "[email protected]"
Jun 27 11:32:55 print-ipp-everywhere-test cupsd[42221]: pam_aad(cups:auth): Close database request
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: fatal error: unexpected signal during runtime execution
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x5580b4ce5c0d pc=0x7f6e2797c5dd]
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime stack:
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.throw({0x7f6e24fb2070?, 0x0?})
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/panic.go:1047 +0x5f fp=0x7f6df37fd168 sp=0x7f6df37fd138 pc=0x7f6e24b13a1f
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.sigpanic()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/signal_unix.go:821 +0x3e9 fp=0x7f6df37fd1c8 sp=0x7f6df37fd168 pc=0x7f6e24b29ae9
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: goroutine 15 [syscall]:
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.cgocall(0x7f6e24ec0f30, 0xc0000425f0)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/cgocall.go:157 +0x5c fp=0xc0000425c8 sp=0xc000042590 pc=0x7f6e24ae29dc
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: github.com/ubuntu/aad-auth/internal/pam._Cfunc_pam_syslog_no_variadic(0x5585ec9ad1e0, 0x7, 0x7f6de8000b70)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: _cgo_gotypes.go:114 +0x48 fp=0xc0000425f0 sp=0xc0000425c8 pc=0x7f6e24ebdfa8
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: github.com/ubuntu/aad-auth/internal/pam.pamSyslog.func2(0x5585ec9ad1e0, 0x28?, 0x0?)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /build/aad-auth-9e7ezC/aad-auth-0.4/internal/pam/logger_c.go:110 +0x5a fp=0xc000042630 sp=0xc0000425f0 pc=0x7f6e24ebe75a
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: github.com/ubuntu/aad-auth/internal/pam.pamSyslog(0xc0000426c0?, 0x7, {0xc0004a8a20?, 0x7f6e250f71a0?}, {0x0?, 0x1?, 0xc000012018?})
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /build/aad-auth-9e7ezC/aad-auth-0.4/internal/pam/logger_c.go:110 +0x85 fp=0xc000042688 sp=0xc000042630 pc=0x7f6e24ebe685
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: github.com/ubuntu/aad-auth/internal/pam.Logger.Debug(...)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /build/aad-auth-9e7ezC/aad-auth-0.4/internal/pam/logger_c.go:74
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: github.com/ubuntu/aad-auth/internal/pam.(*Logger).Debug(0xc00007e060?, {0xc0004a8a20?, 0xc000012018?}, {0x0?, 0x0?, 0xc000042720?})
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: <autogenerated>:1 +0x63 fp=0xc0000426d0 sp=0xc000042688 pc=0x7f6e24ebee03
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: github.com/ubuntu/aad-auth/internal/logger.Debug({0x7f6e2514c738, 0xc00007e060}, {0x7f6e24faff16?, 0x0?}, {0x0?, 0x0?, 0x0?})
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /build/aad-auth-9e7ezC/aad-auth-0.4/internal/logger/logger.go:58 +0xaa fp=0xc000042730 sp=0xc0000426d0 pc=0x7f6e24e78c6a
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: github.com/ubuntu/aad-auth/internal/cache.(*Cache).Close.func1()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /build/aad-auth-9e7ezC/aad-auth-0.4/internal/cache/cache.go:276 +0x1bc fp=0xc0000427e0 sp=0xc000042730 pc=0x7f6e24eb76dc
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.goexit()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc0000427e8 sp=0xc0000427e0 pc=0x7f6e24b459e1
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: created by github.com/ubuntu/aad-auth/internal/cache.(*Cache).Close
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /build/aad-auth-9e7ezC/aad-auth-0.4/internal/cache/cache.go:259 +0x15e
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: goroutine 2 [force gc (idle)]:
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/proc.go:381 +0xd6 fp=0xc000044fb0 sp=0xc000044f90 pc=0x7f6e24b16756
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.goparkunlock(...)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/proc.go:387
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.forcegchelper()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/proc.go:305 +0xb0 fp=0xc000044fe0 sp=0xc000044fb0 pc=0x7f6e24b16590
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.goexit()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc000044fe8 sp=0xc000044fe0 pc=0x7f6e24b459e1
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: created by runtime.init.6
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/proc.go:293 +0x25
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: goroutine 18 [GC sweep wait]:
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.gopark(0x1?, 0x0?, 0x0?, 0x0?, 0x0?)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/proc.go:381 +0xd6 fp=0xc000040780 sp=0xc000040760 pc=0x7f6e24b16756
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.goparkunlock(...)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/proc.go:387
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.bgsweep(0x0?)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/mgcsweep.go:319 +0xde fp=0xc0000407c8 sp=0xc000040780 pc=0x7f6e24b0285e
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.gcenable.func1()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/mgc.go:178 +0x26 fp=0xc0000407e0 sp=0xc0000407c8 pc=0x7f6e24af7ae6
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.goexit()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc0000407e8 sp=0xc0000407e0 pc=0x7f6e24b459e1
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: created by runtime.gcenable
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/mgc.go:178 +0x6b
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: goroutine 19 [GC scavenge wait]:
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.gopark(0xc000080000?, 0x7f6e25045140?, 0x0?, 0x0?, 0x0?)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/proc.go:381 +0xd6 fp=0xc000040f70 sp=0xc000040f50 pc=0x7f6e24b16756
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.goparkunlock(...)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/proc.go:387
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.(*scavengerState).park(0x7f6e253e4340)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/mgcscavenge.go:400 +0x53 fp=0xc000040fa0 sp=0xc000040f70 pc=0x7f6e24b00753
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.bgscavenge(0x0?)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/mgcscavenge.go:633 +0x65 fp=0xc000040fc8 sp=0xc000040fa0 pc=0x7f6e24b00d45
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.gcenable.func2()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/mgc.go:179 +0x26 fp=0xc000040fe0 sp=0xc000040fc8 pc=0x7f6e24af7a86
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.goexit()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc000040fe8 sp=0xc000040fe0 pc=0x7f6e24b459e1
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: created by runtime.gcenable
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/mgc.go:179 +0xaa
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: goroutine 20 [finalizer wait]:
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.gopark(0x1a0?, 0x7f6e253e4aa0?, 0x20?, 0x48?, 0xc000044770?)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/proc.go:381 +0xd6 fp=0xc000044628 sp=0xc000044608 pc=0x7f6e24b16756
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.runfinq()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/mfinal.go:193 +0x107 fp=0xc0000447e0 sp=0xc000044628 pc=0x7f6e24af6b07
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.goexit()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc0000447e8 sp=0xc0000447e0 pc=0x7f6e24b459e1
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: created by runtime.createfing
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/mfinal.go:163 +0x45
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: goroutine 12 [select]:
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.gopark(0xc000058f88?, 0x2?, 0x28?, 0xc1?, 0xc000058f84?)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/proc.go:381 +0xd6 fp=0xc000058e10 sp=0xc000058df0 pc=0x7f6e24b16756
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.selectgo(0xc000058f88, 0xc000058f80, 0x0?, 0x0, 0x0?, 0x1)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/select.go:327 +0x7be fp=0xc000058f50 sp=0xc000058e10 pc=0x7f6e24b25f3e
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: database/sql.(*DB).connectionOpener(0xc00019be10, {0x7f6e2514c690, 0xc0001765a0})
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/database/sql/sql.go:1218 +0x8d fp=0xc000058fb8 sp=0xc000058f50 pc=0x7f6e24e8360d
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: database/sql.OpenDB.func1()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/database/sql/sql.go:791 +0x2e fp=0xc000058fe0 sp=0xc000058fb8 pc=0x7f6e24e8198e
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.goexit()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc000058fe8 sp=0xc000058fe0 pc=0x7f6e24b459e1
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: created by database/sql.OpenDB
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/database/sql/sql.go:791 +0x18d
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: goroutine 10 [IO wait]:
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.gopark(0xc42260610d6bb1ec?, 0xb?, 0x0?, 0x0?, 0x26?)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/proc.go:381 +0xd6 fp=0xc000054600 sp=0xc0000545e0 pc=0x7f6e24b16756
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.netpollblock(0x7f6e24b59465?, 0x24ae206f?, 0x6e?)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/netpoll.go:527 +0xf7 fp=0xc000054638 sp=0xc000054600 pc=0x7f6e24b0ef77
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: internal/poll.runtime_pollWait(0x7f6e2542df08, 0x72)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/netpoll.go:306 +0x89 fp=0xc000054658 sp=0xc000054638 pc=0x7f6e24b40109
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: internal/poll.(*pollDesc).wait(0xc0001d4b00?, 0xc0004b6000?, 0x0)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/internal/poll/fd_poll_runtime.go:84 +0x32 fp=0xc000054680 sp=0xc000054658 pc=0x7f6e24bb6112
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: internal/poll.(*pollDesc).waitRead(...)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/internal/poll/fd_poll_runtime.go:89
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: internal/poll.(*FD).Read(0xc0001d4b00, {0xc0004b6000, 0x2600, 0x2600})
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/internal/poll/fd_unix.go:167 +0x299 fp=0xc000054718 sp=0xc000054680 pc=0x7f6e24bb74f9
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: net.(*netFD).Read(0xc0001d4b00, {0xc0004b6000?, 0xc0004b600d?, 0x1484?})
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/net/fd_posix.go:55 +0x29 fp=0xc000054760 sp=0xc000054718 pc=0x7f6e24ca5149
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: net.(*conn).Read(0xc0000b2070, {0xc0004b6000?, 0x25f3?, 0xc0004b6005?})
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/net/net.go:183 +0x45 fp=0xc0000547a8 sp=0xc000054760 pc=0x7f6e24cb34e5
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: net.(*TCPConn).Read(0xc000054840?, {0xc0004b6000?, 0xc000202d98?, 0x18?})
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: <autogenerated>:1 +0x29 fp=0xc0000547d8 sp=0xc0000547a8 pc=0x7f6e24cc5809
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: crypto/tls.(*atLeastReader).Read(0xc000202d98, {0xc0004b6000?, 0xc000202d98?, 0x0?})
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/crypto/tls/conn.go:788 +0x3d fp=0xc000054820 sp=0xc0000547d8 pc=0x7f6e24d0319d
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: bytes.(*Buffer).ReadFrom(0xc0000fa610, {0x7f6e25148f28, 0xc000202d98})
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/bytes/buffer.go:202 +0x98 fp=0xc000054878 sp=0xc000054820 pc=0x7f6e24be1b18
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: crypto/tls.(*Conn).readFromUntil(0xc0000fa380, {0x7f6e251494a8?, 0xc0000b2070}, 0x7f6e24af3c30?)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/crypto/tls/conn.go:810 +0xe5 fp=0xc0000548b8 sp=0xc000054878 pc=0x7f6e24d03385
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: crypto/tls.(*Conn).readRecordOrCCS(0xc0000fa380, 0x0)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/crypto/tls/conn.go:617 +0x116 fp=0xc000054c18 sp=0xc0000548b8 pc=0x7f6e24d00876
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: crypto/tls.(*Conn).readRecord(...)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/crypto/tls/conn.go:583
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: crypto/tls.(*Conn).Read(0xc0000fa380, {0xc0001f6000, 0x1000, 0x1d?})
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/crypto/tls/conn.go:1316 +0x16f fp=0xc000054c88 sp=0xc000054c18 pc=0x7f6e24d0676f
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: net/http.(*persistConn).Read(0xc00018c6c0, {0xc0001f6000?, 0xc0000980c0?, 0xc000054d30?})
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/net/http/transport.go:1943 +0x4e fp=0xc000054ce8 sp=0xc000054c88 pc=0x7f6e24dc7d6e
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: bufio.(*Reader).fill(0xc000131c20)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/bufio/bufio.go:106 +0xff fp=0xc000054d20 sp=0xc000054ce8 pc=0x7f6e24d3d99f
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: bufio.(*Reader).Peek(0xc000131c20, 0x1)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/bufio/bufio.go:144 +0x5d fp=0xc000054d40 sp=0xc000054d20 pc=0x7f6e24d3dafd
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: net/http.(*persistConn).readLoop(0xc00018c6c0)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/net/http/transport.go:2107 +0x1ac fp=0xc000054fc8 sp=0xc000054d40 pc=0x7f6e24dc8b8c
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: net/http.(*Transport).dialConn.func5()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/net/http/transport.go:1765 +0x26 fp=0xc000054fe0 sp=0xc000054fc8 pc=0x7f6e24dc7326
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.goexit()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc000054fe8 sp=0xc000054fe0 pc=0x7f6e24b459e1
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: created by net/http.(*Transport).dialConn
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/net/http/transport.go:1765 +0x16ea
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: goroutine 23 [GC worker (idle)]:
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.gopark(0x4a27d972613d?, 0xc000098120?, 0xa0?, 0x82?, 0xc000045720?)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/proc.go:381 +0xd6 fp=0xc000045750 sp=0xc000045730 pc=0x7f6e24b16756
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.gcBgMarkWorker()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/mgc.go:1275 +0xf1 fp=0xc0000457e0 sp=0xc000045750 pc=0x7f6e24af9851
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.goexit()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc0000457e8 sp=0xc0000457e0 pc=0x7f6e24b459e1
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: created by runtime.gcBgMarkStartWorkers
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/mgc.go:1199 +0x25
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: goroutine 11 [select]:
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.gopark(0xc000055f90?, 0x2?, 0xf8?, 0x5d?, 0xc000055f34?)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/proc.go:381 +0xd6 fp=0xc000055db0 sp=0xc000055d90 pc=0x7f6e24b16756
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.selectgo(0xc000055f90, 0xc000055f30, 0xc00007a680?, 0x0, 0x0?, 0x1)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/select.go:327 +0x7be fp=0xc000055ef0 sp=0xc000055db0 pc=0x7f6e24b25f3e
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: net/http.(*persistConn).writeLoop(0xc00018c6c0)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/net/http/transport.go:2410 +0xf2 fp=0xc000055fc8 sp=0xc000055ef0 pc=0x7f6e24dca852
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: net/http.(*Transport).dialConn.func6()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/net/http/transport.go:1766 +0x26 fp=0xc000055fe0 sp=0xc000055fc8 pc=0x7f6e24dc72c6
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.goexit()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc000055fe8 sp=0xc000055fe0 pc=0x7f6e24b459e1
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: created by net/http.(*Transport).dialConn
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/net/http/transport.go:1766 +0x173d
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: goroutine 9 [GC worker (idle)]:
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.gopark(0x4a27d9748b26?, 0x0?, 0x0?, 0x0?, 0x0?)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/proc.go:381 +0xd6 fp=0xc000046750 sp=0xc000046730 pc=0x7f6e24b16756
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.gcBgMarkWorker()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/mgc.go:1275 +0xf1 fp=0xc0000467e0 sp=0xc000046750 pc=0x7f6e24af9851
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.goexit()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc0000467e8 sp=0xc0000467e0 pc=0x7f6e24b459e1
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: created by runtime.gcBgMarkStartWorkers
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/mgc.go:1199 +0x25
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: goroutine 25 [chan receive]:
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.gopark(0xc000084ea0?, 0xc000056ec8?, 0xef?, 0x2a?, 0xc000032000?)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/proc.go:381 +0xd6 fp=0xc000056e78 sp=0xc000056e58 pc=0x7f6e24b16756
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.chanrecv(0xc000282180, 0x0, 0x1)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/chan.go:583 +0x49d fp=0xc000056f08 sp=0xc000056e78 pc=0x7f6e24ae57dd
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.chanrecv1(0x7f6e24d074a0?, 0xc0000fa4f0?)
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/chan.go:442 +0x18 fp=0xc000056f30 sp=0xc000056f08 pc=0x7f6e24ae52d8
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: github.com/ubuntu/aad-auth/internal/cache.(*Cache).Close.func1()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /build/aad-auth-9e7ezC/aad-auth-0.4/internal/cache/cache.go:260 +0x65 fp=0xc000056fe0 sp=0xc000056f30 pc=0x7f6e24eb7585
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: runtime.goexit()
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /usr/lib/go-1.20/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc000056fe8 sp=0xc000056fe0 pc=0x7f6e24b459e1
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: created by github.com/ubuntu/aad-auth/internal/cache.(*Cache).Close
Jun 27 11:33:24 print-ipp-everywhere-test cupsd[42221]: /build/aad-auth-9e7ezC/aad-auth-0.4/internal/cache/cache.go:259 +0x15e
Jun 27 11:33:24 print-ipp-everywhere-test systemd[1]: cups.service: Main process exited, code=dumped, status=6/ABRT
CUPS Configuration
LogLevel info
Port 631
ServerName print-ipp-everywhere-test
Listen /run/cups/cups.sock
Listen /var/run/cups/cups.sock
ServerAlias *
Browsing On
WebInterface yes
KeepAlive On
KeepAliveTimeout 60
MaxClients 600
MaxClientsPerHost 0
MaxLogSize 25165824
MaxRequestSize 0
Timeout 300
PreserveJobHistory No
MaxJobs 1500
JobRetryInterval 60
JobRetryLimit 240
# we can use Basic auth here because the server uses AAD for auth
DefaultAuthType Basic
<Location />
Order allow,deny
Allow all
AuthType Default
Require valid-user
</Location>
<Location /admin>
Order allow,deny
AuthType Default
Allow all
Require user print-admin
</Location>
<Location /admin/conf>
Order allow,deny
AuthType Default
Allow all
Require user print-admin
</Location>
<Policy default>
JobPrivateAccess @OWNER @SYSTEM print-admin
JobPrivateValues default
SubscriptionPrivateAccess @OWNER @SYSTEM print-admin
SubscriptionPrivateValues default
<Limit CUPS-Get-Printers Create-Job Print-Job Print-URI Validate-Job>
Order deny,allow
AuthType Default
Require valid-user
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
Require user @OWNER @SYSTEM print-admin
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM print-admin
Require group lp
Satisfy any
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM print-admin
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM print-admin
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
Investigate CI tests failing for NSS Group queries
CI tests are failing with Expected no error but got one: signal: aborted (core dumped) for Group queries on NSS. The debug message shows thread '<unnamed>' panicked at 'misaligned pointer dereference: address must be a multiple of 0x8 but is 0x55bc0ac5fca7', /home/runner/.cargo/git/checkouts/libnss-rs-4e6320ade2d0483d/02e0fa4/libnss/src/interop.rs:161:13.
This seems to be a problem with the pointers of Group, since it has a Vec in its field.
Able to login to using Azure AD account but cannot run any applications previous installed
Issue Description:
I can log in using my Azure AD credentials after following the README and tweaking the setup per the details in the other issue raised on the documentation (thanks, @peat-psuwit)
I get to the desktop but can't find an application that will start; I've tried Firefox and Ubuntu Software.
I get the usual spinning wheel, but it stops after a few seconds, and the application fails to start. It feels like a rights issue, but it's a guess, I'm investing more deeply, and I'll report back to this issue if I resolve the problem.
Remove global variable testopts
In internal/nss/{passwd,group,shadow}/ testopts is a global variable and set in SetCacheOptions(). This prevents tests to be executed in parallel.
This variable must be removed and added as an optional parameter to any function that requires cache options.
Ensure that:
- testopts is not used anymore.
- SetCacheOptions() and setCacheOptions() are removed.
- Tests for each package must use the new optional parameter.
- Integration tests for NSS must use the new optional parameter.
- Tests must run in parallel.
userdel/deluser aad user
We must have the option to remove AAD users from the system...
Support translations
Add support for translations:
- Generate PO files
- Integrate to CI with auto updates (cf adsys)
- Bind to text domain
- Verify that user messages are translated.
Azure AD Password Change from Linux
Hello,
I have made test with a new user, with a clean password, but I can't login with pam-aad. I had the result "login incorrect"
From Azure AD, audit log, the problem was "The user's password is expired, and therefore their login or session was ended." because my test user have to reset his password.
Can we have a more explicit message instead of "login incorrect"
The best should be to detect the password change and give an option to reset it directly from a linux prompt (this feature will need more rights on microsoft.graph)
Regards
journalctl?
The documentation mentions journalctl but it doesn't say what module name to use in the -u parameter for better readibility.
Rust NSS: Investigate error when building package for armhf
When building for armhf, tests that query multiple entries on the Shadow database are failing with segfault. Since this is not possible to happen with pure Rust code, this is likely due to some error / bug in the external libnss crate.
Improve consistency of cache offline expiration
Right now, the cache considers the value 0 as a signal to not be cleaned. However, this is also the value that is used to block offline authentication. This means that users can not authenticate offline, despite being the cache.
This could be solved by dividing those functionalities in two different sets of values (e.g. 0 to prevent offline authentication and negative numbers to prevent the cache from being cleaned, or vice-versa).
connection to azuread from an http proxy
Unable to authenticate to azuread from the internal network (Internet access is through a proxy). I also set the classical environment variables http_proxy and https_proxy in /etc/environment but from tcpdump I see that calls to microsoft services do not go through the proxy. What are the other configurations to do?
Make the linter duplicate rule more explicit.
As we discussed on meet, the previous duplication rule was too broad.
The one introduced in https://github.com/ubuntu/aad-auth/pull/39/files is still too broad, it ignores everything under nss/ and internal/. As discussed, this is the least desired option (even the 3rd was to blacklist + ignoring all tests files).
This currently makes the linter useless. I suggest that we cherry-pick and escape this linter on the known false positive stenza with a comment.
New test: cover the nss log writer forced by env variable to write to stderr
in internal/nss/logger.go cover:
if os.Getenv(nssLogEnv) == "stderr" {
return ctx
}
Configurable username AAD attribute
In
Lines 75 to 80 in 01c88d4
Can the username itself be configurable as well? IIRC currently the UPN is taken. In our company the UPN is changing in certain scenarios, therefore it's not ideal. This doesn't happen daily, but often enough to bug quite a lot of people. For example name changes due to marriage/divorce usually trigger this.
If we can configure, which user object attribute is being taken as user name, this would suit our needs better to provide a stable AAD wide unique username.
As a compromise, I think it's okay to identify the user by UPN during initial login. It just would be nice if the attribute (instead of the UPN) could be configurable determining the value to be taken when the users home dir is created and $USER is defined.
Fix Linter tests
Fix all the gci-lint errors and warning.
MFA is not enforced
Our Azure AD is configured to enforce MFA on all cloud applications. When logging in Ubuntu, there is no prompt for a MFA code, but the login is accepted anyway, even though there is a MFA policy error on Azure side.
Is MFA supposed to be implemented in this plugin?
Ship a default configuration file as part of the package.
Shipping a conffile in the package allow to have it managed by apt, giving default example and being purged by apt. I suggest shipping thus a default /etc/aad.conf which:
- contains all values in the default section, with a comment explaining what it does and a comment in front on the value. Something like:
# Your Azure AD tenant ID (required)
# tenant_id = abcd1234-123-1234-5678-efgh012345678
- Have some commented example of override per domain.
I suggest that we repurpose conf/aad.conf.template as something like aad.conf.example, and install it as /etcaad.conf
New PAM integration tests
3 new tests to add to existing table tests for PAM:
- Use a config that is not the default values for home and shell settings, log as a new user (no existing database) and compare the golden for home and shell.
- Use a config that is not the default values for domain options, log as a new user (no existing database) and compare the golden.
- With an existing cache database, change the home and shell settings, login with an existing user and verify that the existing settings of home and shell have not been updated.
Screen sharing problem with aad user
Hello all,
For tests, I have deployed a new ubuntu 23.04 with AAD and Firefox.
During my tests, I have tried to create a meeting to share a screen with firefox.
On the test machine, if I use an aad user, I can't share the screen (feature seems to be blocked). The windows which allow what I want to share never appear.
On the same machine, if I create a local user and do the same things, I can share the screen, all features are OK.
If I check the difference between the 2 accounts, the local account is member of users group but not the aad user.
I have added aad user to users group but it the same result. It don't work.
Do you have an idear about this problem ?
Regards
Issue: No successful logon with uppercase letters contained UPN
Is there an existing issue for this?
- I have searched the existing issues and found none that matched mine
Describe the issue
Logon will not success if the UPN contains uppercase letters.
- "Password does not correct" even if the password corrects.
- Silently go back to the logon screen after entering the password.
UPN examples:
- U[email protected]
- user@Contoso.onmicrosoft.com
- User@Contoso.onmicrosoft.com
Enter the UPN in lowercase on the logon screen, the logon will be successful.
Steps to reproduce it
- Create an Azure AD user with uppercase letters.
- Logon to Ubuntu Desktop in a normal manner.
Ubuntu users: System information and logs
No response
Non Ubuntu users: System information and logs
Environment
- aad-auth version: aad-cli 0.4, libpam-aad 0.4, libnss-aad 0.4
- Distribution: Ubuntu
- Distribution version: 23.04
Log files
Please redact/remove sensitive information:
7月 08 01:55:16 ulxja gdm-password][3278]: pam_aad(gdm-password:auth): user id for "[email protected]" is 937526944
7月 08 01:55:24 ulxja aad_auth[3985]: nss_aad: query error: database is locked
7月 08 01:55:27 ulxja aad_auth[791]: nss_aad: database error: database is locked
7月 08 01:55:27 ulxja aad_auth[4020]: nss_aad: query error: database is locked
7月 08 01:55:28 ulxja aad_auth[3860]: nss_aad: query error: database is locked
7月 08 01:56:05 ulxja aad_auth[1030]: nss_aad: database error: unable to open database file: /var/lib/aad/cache/passwd.db
7月 08 02:04:01 ulxja gdm-password][7984]: pam_aad(gdm-password:auth): user id for "[email protected]" is 3586229920
7月 08 02:04:51 ulxja aad_auth[791]: nss_aad: database error: database is locked
7月 08 02:04:57 ulxja aad_auth[8079]: nss_aad: query error: database is locked
7月 08 02:04:57 ulxja aad_auth[8038]: nss_aad: database error: database is locked
7月 08 02:04:57 ulxja aad_auth[8075]: nss_aad: query error: database is locked
7月 08 02:04:57 ulxja aad_auth[8068]: nss_aad: query error: database is locked
7月 08 02:33:39 ulxja aad_auth[1030]: nss_aad: database error: unable to open database file: /var/lib/aad/cache/passwd.db
Application settings
Please redact/remove sensitive information:
### required values
## See https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
## for more information on how to set up an Azure AD app.
tenant_id = ZZZZZZZZ-ZZZZ-ZZZZ-ZZZZ-ZZZZZZZZZZZZ
app_id = VVVVVVVV-VVVV-VVVV-VVVV-VVVVVVVVVVVV
### optional values (defaults)
# offline_credentials_expiration = 90 ; duration in days a user can log in without online verification
; set to 0 to prevent old users from being cleaned and allow offline authentication for an undetermined amount of time
; set to a negative value to prevent offline authentication
# homedir = /home/%f ; home directory pattern for the user, the following mapping applies:
# ; %f - full username
# ; %U - UID
# ; %l - first char of username
# ; %u - username without domain
# ; %d - domain
# shell = /bin/bash ; default shell for the user
### overriding values for a specific domain, every value inside a section is optional
# [domain.com]
# tenant_id = aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
# app_id = bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb
# offline_credentials_expiration = 30
# homedir = /home/domain.com/%u
# shell = /bin/zsh
Relevant information
No response
Double check your logs
- I have redacted any sensitive information from the logs
Default home dir must be /home/%f
On a fresh installation default homedir is /home/%u and it must be /home/%f
root@aad:~# login [email protected]
Password:
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-43-generic x86_64)
[...]
Last login: mar. août 9 11:54:10 CEST 2022 on pts/6
Creating directory '/home/u6'.
[email protected]@aad:~$ pwd
/home/u6
Add dependabot
Add support for dependabot in github.
Login succeeds but dbus crashes on openSUSE
I've built aad-auth on openSUSE, and I'm encountering an issue (posting here to see if you guys have any ideas).
The authentication is successful and nss is working fine, but I'm seeing the following error from dbus:
May 04 13:22:03 localhost.localdomain /usr/libexec/gdm/gdm-wayland-session[8186]: dbus[8186]: Could not get password database information for UID of current process: User "???" unknown or no memory to allocate password entry
After which I'm dumped back to the login shell.
The message is coming from dbus: dbus-1.14.6/dbus/dbus-sysdeps-unix.c:fill_user_info which has apparently been passed a NULL username.
Any thoughts?
Got Response: "Invalid Credentials"
Trying to setup for login on a brand new ubuntu machine running 23.04 release.
- Installed the packages as specified in the documentation.
- Created an app registration in Azure AD
- Ensured that the "Allow public client flows" was set to "Yes" (not in the documentation but mentioned in other issues)
- Ensured that Microsoft Graph -> User.Read is granted for the application (again not in the documentation but mentioned in other issues)
- Ensured that the /etc/aad.conf file was updated with tenant_id and app_id
- Restarted the OS to ensure that the configuration is picked up
Attempts to login fail with "Invalid Credentials" when using legitimate credentials. Invalid users are flagged as non existing users and Attempts to login without a domain suffix are also flagged as missing the suffix.
Sign in logs in Azure against the app registration show that the credential is invalid.
Worth noting that our organisation uses our verified domain and not a *.onmicrosoft.com for the UPN.
Unable to login on Ubuntu server using AAD-auth "The request body must contain the following parameter: 'client_assertion' or 'client_secret'."
Config
- Ubuntu 23.04 LTS server
- aad-cli == 0.4
- libpam-aad == 0.4
- libnss-aad == 0.4
Error msg summary
App Sign-in logs "Failure reason The request body must contain the following parameter: 'client_assertion' or 'client_secret'."
Improvement ability
- Add instructions how to point aad.conf to 'client_assertion' or 'client_secret'.
- If needed, ensure encoded step in a configuration script and/or
aad-clito be able to place 'client_secret' on the target machine (where AAD login is required).
Details: Azure > Subscription > Ent. App. > Activity Details: Sign-ins
Failure reason
The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Additional Details
Developer error - the app is attempting to sign in without the necessary or correct authentication parameters.
User
**------------------------------------------**
Username
**------------------------------------------**
User ID
**------------------------------------------**
Sign-in identifier
**------------------------------------------**
User type
Member
Cross tenant access type
None
Application
ubuntu_aad
Application ID
**------------------------------------------**
Resource
Microsoft Graph
Resource ID
**------------------------------------------**
Resource tenant ID
**------------------------------------------**
Home tenant ID
**------------------------------------------**
Home tenant name
Client app
Browser
Client credential type
None
Service principal ID
Service principal name
Resource service principal ID
**------------------------------------------**
Unique token identifier
**------------------------------------------**
Token issuer type
Azure AD
Token issuer name
Incoming token type
None
Authentication Protocol
ROPC
Latency
91ms
Flagged for review
No
User agent
Go-http-client/1.1
Thanks in advanced !
Unable to `sudo` anything while logged in as AAD user
Description / Steps to Re-produce:
- Login in using an AAD account (I'm a global admin)
- Open Terminal Windows
- Try to use
sudo, for examplesudo pro attach [key] - Type in account password when requested
Always returns: Sorry, try again
My password is correct (it does have Upper, Lower and Symbols in it)
My local account (which has the same password), works if I switch users etc.
Unable to login using username.
Unable to login using username. Have to use [email protected]. Is there any parameters that can be used in aad.conf file like that available in sssd.conf?
Also when setting homedir to home/%u doesn’t seem to create homedir. Had to use home/%f and it created fine.
Question: Is home folder synchronised to cloud?
It is on Windows by default. Would be nice to have it also do that on Linux (dotfolders, dotfiles, Documents etc)
Replace testutils.Setenv with t.SetEnv
Go has a t.SetEnv() from 1.17, remove our testutils function.
Refactor existing DB setup in tests
Currently tests are using binary database files for existing datasets. This is a bit limiting and relatively difficult to manage.
The idea is to use database dumps for passwd and shadow in text format as input and create the databases required by the tests in the setup of the tests. Also login timestamps must be updated to the time of the test run.
There are 2 types of databases:
- DB with old users
- DB with existing users matching internal/cache/helper_test.go usersForTest
WithOfflineCredentialsExpiration is set to 0 in multiple test to not clean the cache, this will not be needed anymore for tests that do not test cache expiration .
shell setting in /etc/aad.conf does not work
Introdutory notes
Description
The setting shell = /bin/zsh has no effect.
Reproduction
Add the following line to /etc/aad.conf
shell = /bin/zsh
Restart (or logout). Check shell with
ps -p $$
For me it is:
$ ps -p $$
PID TTY TIME CMD
3589 pts/1 00:00:00 bash
Environment
ProblemType: Bug
.etc.adduser.conf:
# /etc/adduser.conf: `adduser' configuration.
# See adduser(8) and adduser.conf(5) for full documentation.
# A commented out setting indicates that this is the default in the
# code. If you need to change those settings, remove the comment and
# make your intended change.
# The DSHELL variable specifies the default login shell on your
# system.
# Default: DSHELL=/bin/bash
#DSHELL=/bin/bash
# The DHOME variable specifies the directory containing users' home
# directories.
# Default: DHOME=/home
#DHOME=/home
# If GROUPHOMES is "yes", then the home directories will be created as
# /home/groupname/user.
# Default: GROUPHOMES=no
#GROUPHOMES=no
# If LETTERHOMES is "yes", then the created home directories will have
# an extra directory - the first letter of the user name. For example:
# /home/u/user.
# Default: LETTERHOMES=no
#LETTERHOMES=no
# The SKEL variable specifies the directory containing "skeletal" user
# files; in other words, files such as a sample .profile that will be
# copied to the new user's home directory when it is created.
# Default: SKEL=/etc/skel
#SKEL=/etc/skel
# FIRST_SYSTEM_[GU]ID to LAST_SYSTEM_[GU]ID inclusive is the range for UIDs
# for dynamically allocated administrative and system accounts/groups.
# Please note that system software, such as the users allocated by the
# base-passwd package, may assume that UIDs less than 100 are unallocated.
# Default: FIRST_SYSTEM_UID=100, LAST_SYSTEM_UID=999
#FIRST_SYSTEM_UID=100
#LAST_SYSTEM_UID=999
# Default: FIRST_SYSTEM_GID=100, LAST_SYSTEM_GID=999
#FIRST_SYSTEM_GID=100
#LAST_SYSTEM_GID=999
# FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically
# allocated user accounts/groups.
# Default: FIRST_UID=1000, LAST_UID=59999
#FIRST_UID=1000
#LAST_UID=59999
# Default: FIRST_GID=1000, LAST_GID=59999
#FIRST_GID=1000
#LAST_GID=59999
# The USERGROUPS variable can be either "yes" or "no". If "yes" each
# created user will be given their own group to use as a default. If
# "no", each created user get the primary group defined below as
# USERS_GROUP or USERS_GID.
# Default: USERGROUPS=yes
#USERGROUPS=yes
# Newly created users get this group as primary group if USERGROUPS
# "no", and as a supplemental group if USERGROUPS is "yes".
# Set one of the variables to reference the group. Don't set both.
# Default: USERS_GID=undefined, USERS_GROUP=undefined
#USERS_GID=100
#USERS_GROUP=users
# If DIR_MODE is set, directories will be created with the specified
# mode. Otherwise the default mode 0750 will be used.
# Default: DIR_MODE=0750
#DIR_MODE=0750
# When creating system accounts: if SYS_DIR_MODE is set (and a home
# location is specified), the directories will be created with the
# specified mode. Otherwise the default mode 0750 will be used.
# Default: SYS_DIR_MODE=0750
#SYS_DIR_MODE=0750
# If SETGID_HOME is "yes" home directories for users with their own
# group the setgid bit will be set. This was the default for
# versions << 3.13 of adduser. Because it has some bad side effects we
# no longer do this per default. If you want it nevertheless you can
# still set it here. Note: this feature is DEPRECATED and will be
# removed in a future version of adduser; please use the DIR_MODE
# settings above instead.
# Default: SETGID_HOME=no
#SETGID_HOME=no
# If QUOTAUSER is set, a default quota will be set from that user with
# `edquota -p QUOTAUSER newuser'
# Default: QUOTAUSER=""
#QUOTAUSER=""
# If SKEL_IGNORE_REGEX is set, adduser will ignore files matching this
# regular expression when creating a new home directory
# Default: SKEL_IGNORE_REGEX="(dpkg|ucf)-(old|new|dist|save)"
#SKEL_IGNORE_REGEX="(dpkg|ucf)-(old|new|dist|save)"
# Set this if you want the --add-extra-groups option to adduser to add
# new users to other groups.
# This is the list of groups that new non-system users will be added to
# Default: EXTRA_GROUPS="users"
#EXTRA_GROUPS="users"
# If ADD_EXTRA_GROUPS is set to something non-zero, the EXTRA_GROUPS
# option above will be default behavior for adding new, non-system users
# Default: ADD_EXTRA_GROUPS=0
#ADD_EXTRA_GROUPS=0
# check user and group names also against this regular expression.
# Default: NAME_REGEX="^[a-z][-a-z0-9_]*\$?$"
#NAME_REGEX="^[a-z][-a-z0-9_]*\$?$"
# check system user and group names also against this regular expression.
# Default: SYS_NAME_REGEX="^[A-Za-z_][-A-Za-z0-9_]*\$?$"
#SYS_NAME_REGEX="^[A-Za-z_][-A-Za-z0-9_]*\$?$"
# use extrausers by default
#USE_EXTRAUSERS=1
.etc.pam.d.common-auth:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_unix.so nullok
auth [success=2 default=ignore] pam_sss.so use_first_pass
auth [success=1 default=ignore] pam_aad.so
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
ApportVersion: 2.26.1-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Tue Jun 20 10:44:24 2023
Dependencies:
aad-common 0.4
apt 2.6.0
apt-utils 2.6.0
base-passwd 3.6.1
ca-certificates 20230311ubuntu0.23.04.1
debconf 1.5.82
debconf-i18n 1.5.82
dpkg 1.21.21ubuntu1
gcc-13-base 13-20230320-1ubuntu1
gpgv 2.2.40-1.1ubuntu1
krb5-locales 1.20.1-1build1
libacl1 2.3.1-3
libapt-pkg6.0 2.6.0
libaudit-common 1:3.0.9-1
libaudit1 1:3.0.9-1
libbz2-1.0 1.0.8-5build1
libc6 2.37-0ubuntu2
libcap-ng0 0.8.3-1build2
libcap2 1:2.66-3ubuntu2
libcom-err2 1.47.0-1ubuntu1
libcrypt1 1:4.4.33-2
libdb5.3 5.3.28+dfsg2-1
libdebconfclient0 0.267ubuntu1
libffi8 3.4.4-1
libgcc-s1 13-20230320-1ubuntu1
libgcrypt20 1.10.1-3ubuntu1
libgmp10 2:6.2.1+dfsg1-1.1ubuntu1
libgnutls30 3.7.8-5ubuntu1
libgpg-error-l10n 1.46-1
libgpg-error0 1.46-1
libgssapi-krb5-2 1.20.1-1build1
libhogweed6 3.8.1-2
libidn2-0 2.3.3-1build1
libk5crypto3 1.20.1-1build1
libkeyutils1 1.6.3-2
libkrb5-3 1.20.1-1build1
libkrb5support0 1.20.1-1build1
liblocale-gettext-perl 1.07-5
liblz4-1 1.9.4-1
liblzma5 5.4.1-0.2
libmd0 1.0.4-2
libnettle8 3.8.1-2
libnsl2 1.3.0-2build2
libnss-nis 3.1-0ubuntu6
libnss-nisplus 1.3-0ubuntu6
libp11-kit0 0.24.1-2ubuntu1
libpam0g 1.5.2-5ubuntu1
libpcre2-8-0 10.42-1
libseccomp2 2.5.4-1ubuntu3
libselinux1 3.4-1build4
libssl3 3.0.8-1ubuntu1.2
libstdc++6 13-20230320-1ubuntu1
libsystemd0 252.5-2ubuntu3
libtasn1-6 4.19.0-2
libtext-charwidth-perl 0.04-11
libtext-iconv-perl 1.7-8
libtext-wrapi18n-perl 0.06-10
libtirpc-common 1.3.3+ds-1
libtirpc3 1.3.3+ds-1
libudev1 252.5-2ubuntu3
libunistring2 1.0-2
libxxhash0 0.8.1-1
libzstd1 1.5.4+dfsg2-4
openssl 3.0.8-1ubuntu1.2
perl-base 5.36.0-7ubuntu0.23.04.1
tar 1.34+dfsg-1.2ubuntu0.1
ubuntu-keyring 2021.03.26
zlib1g 1:1.2.13.dfsg-1ubuntu4
DistroRelease: Ubuntu 23.04
InstallationDate: Installed on 2023-06-08 (11 days ago)
InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Release amd64 (20230417)
NonfreeKernelModules: nvidia_modeset nvidia
Package: libpam-aad 0.4
PackageArchitecture: amd64
ProcCpuinfoMinimal:
processor : 3
vendor_id : GenuineIntel
cpu family : 6
model : 158
model name : Intel(R) Xeon(R) CPU E3-1225 v6 @ 3.30GHz
stepping : 9
microcode : 0xf0
cpu MHz : 3584.598
cache size : 8192 KB
physical id : 0
siblings : 4
core id : 3
cpu cores : 4
apicid : 6
initial apicid : 6
fpu : yes
fpu_exception : yes
cpuid level : 22
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d arch_capabilities
vmx flags : vnmi preemption_timer invvpid ept_x_only ept_ad ept_1gb flexpriority tsc_offset vtpr mtf vapic ept vpid unrestricted_guest ple shadow_vmcs pml ept_mode_based_exec
bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed
bogomips : 6599.98
clflush size : 64
cache_alignment : 64
address sizes : 39 bits physical, 48 bits virtual
power management:
ProcEnviron:
LANG=en_US.UTF-8
LC_ADDRESS=de_DE.UTF-8
LC_IDENTIFICATION=de_DE.UTF-8
LC_MEASUREMENT=de_DE.UTF-8
LC_MONETARY=de_DE.UTF-8
LC_NAME=de_DE.UTF-8
LC_NUMERIC=de_DE.UTF-8
LC_PAPER=de_DE.UTF-8
LC_TELEPHONE=de_DE.UTF-8
LC_TIME=de_DE.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-256color
XDG_RUNTIME_DIR=<set>
ProcVersionSignature: Ubuntu 6.2.0-20.20-generic 6.2.6
RelatedPackageVersions:
libpam-runtime 1.5.2-5ubuntu1
libpam0g 1.5.2-5ubuntu1
SourcePackage: aad-auth
Tags: lunar
Uname: Linux 6.2.0-20-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
_MarkForUpload: True
Improve documentation around how to set up Azure AD application
In README.md, it mentions the need to create an Azure AD application, and links to Azure's documentation for application registration in general. However,
- It doesn't mention that "Allow public client flows" has to be enabled [1].
- It doesn't mention that a consent has to be given to the application, either tenant-wide, or from user itself.
- For tenant-wide admin consent, see [2].
- For per-user consent, well... let's say that aad-auth isn't really designed to be used this way. However, if one isn't a tenant's administrator (as I'm not) and want to try this out, I can report that following this tutorial [3] (intended for a completely different purpose) does grant the necessary consent.
- Off topic, but it would be nice if GDM could have the browser shown for the interactive authorization flow.
- The linked document [4] mentions "assign(ing) a role to the application". However, since we're essentially a client-facing application, it's not required. This makes debugging more confusing.
The first 2 points is partially addressed as an error message improvement in #193, but it would be nice if Ubuntu documents how to configure the Azure AD application correctly in the first place (either here or in a documentation somewhere).
[1] https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris
[2] https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal
[3] https://s4erka.wordpress.com/2021/03/26/azure-ad-application-to-test-oauth2-0/
[4] https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
Check device login in Intune
Where to check the device logged in using the AAD credentials in Azure AAD portal? I am trying to find it in enterprise applications but couldn’t find it.
Can not add aad user to sudoers
Description
I'm unable to give sudoers rights to a aad account.
Reproduction
I have sucessfully added a aad account that is authenticating against my aad.
Now I would like to give sudoers rights to this account, to give him local admin privileges when needed.
I have added an entry in /etc/sudoers.d/aad_admins with correct permissions :
[email protected] ALL=(ALL:ALL) ALL
The command visudo -c tells me the sudo configuration is ok :
/etc/sudoers: parsed OK
/etc/sudoers.d/README: parsed OK
/etc/sudoers.d/aad_admins: parsed OK
But when trying to get sudo rights, I'm receiving password error : Sorry, try again.
In /var/log/auth.log :
sudo; pam_unix(sudo:auth): authentication failure; logname= uid=XXXXX euid=0 tty=/dev/pts/4 [email protected] rhost= [email protected]
sudo: pam_aad(sudo:auth): can not create/open cache for nss database: failed to update user "[email protected]" in local cache:shadow database is not accessible for writing: 0. Denying access.
Environment
Ubuntu latest
packages not found
When running sudo apt install libpam-aad libnss-aad I get package not found for both of them.
When I run apt update and check the apt cache it's definitely not got the two packages listed. I see that the Ubunto Pro subscription is required for the overall solution to work. Is it required for me to even see the packages in the universe repository?
Sudo execution
Hello,
From side, with aad-auth module installed:
- I can login localy (console) with my O365 account
- MFA is not requested (a bug is already open)
- I can login with ssh (after adding "auth [success=1 default=ignore] pam_aad.so" in /etc/pam.d/sshd file)
- BUT I can't execute sudo command. It's like the password is always wrong. password Cache is disabled. I have added "auth [success=1 default=ignore] pam_aad.so" in /etc/pam.d/sudo and sudo-i files. The problem can come from misconfiguration. User in member of sudo group
Do you have an explain for this issue ?
Regards
20230529:
I have re-enabled cache by changing in aad.conf file offline_credentials_expiration from -1 to 2. Computer rebooted.
Here are my logfiles
May 29 09:44:38 ubuntu sudo[1030]: pam_aad(sudo:auth): aad auth debug enabled
May 29 09:44:38 ubuntu sudo[1030]: pam_aad(sudo:auth): PAM AAD DEBUG enabled
May 29 09:44:38 ubuntu sudo[1030]: pam_aad(sudo:auth): Loading configuration from /etc/aad.conf
May 29 09:44:38 ubuntu sudo[1030]: pam_aad(sudo:auth): Connecting to "https://login.microsoftonline.com/XXXXXXXXXXXX", with clientID "XXXX>
May 29 09:44:39 ubuntu sudo[1030]: pam_aad(sudo:auth): Authentication successful even if requiring MFA
May 29 09:44:39 ubuntu sudo[1030]: pam_aad(sudo:auth): Reusing existing opened cache
May 29 09:44:39 ubuntu sudo[1030]: pam_aad(sudo:auth): getting user information from cache for "myuser@mydomain"
May 29 09:44:39 ubuntu sudo[1030]: pam_aad(sudo:auth): encrypt password for user "myuser@mydomain"
May 29 09:44:39 ubuntu sudo[1030]: pam_aad(sudo:auth): updating from last online login information for user "myuser@mydomain"
May 29 09:44:39 ubuntu sudo[1030]: pam_aad(sudo:auth): can not create/open cache for nss database: failed to update user "myuser@mydomain" in local cache: shadow database>
May 29 09:44:39 ubuntu sudo[1030]: pam_aad(sudo:auth): Close database request
May 29 09:44:41 ubuntu aad_auth[1030]: nss_aad: get_entry_by_name for passwd for name: myuser@mydomain
May 29 09:44:41 ubuntu aad_auth[1030]: nss_aad: opening database connection from /var/lib/aad/cache
May 29 09:44:41 ubuntu aad_auth[1030]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
May 29 09:44:41 ubuntu aad_auth[1030]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
May 29 09:44:41 ubuntu aad_auth[1030]: nss_aad: found record: Passwd { name: "myuser@mydomain", passwd: "x", uid: 3901916832, gid: 3901916832, gecos: "", home: "/home/myu>
May 29 09:44:41 ubuntu aad_auth[1030]: nss_aad: get_entry_by_name for shadow for name: myuser@mydomain
May 29 09:44:41 ubuntu aad_auth[1030]: nss_aad: opening database connection from /var/lib/aad/cache
May 29 09:44:41 ubuntu aad_auth[1030]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
May 29 09:44:41 ubuntu aad_auth[1030]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
May 29 09:44:41 ubuntu aad_auth[1030]: nss_aad: found record: Shadow { name: "myuser@mydomain", passwd: "REDACTED", last_pwd_change: -1, min_pwd_age: -1, max_pwd_age: -1,>
May 29 09:44:41 ubuntu aad_auth[1030]: nss_aad: get_entry_by_name for passwd for name: pam_unix_non_existent:
May 29 09:44:41 ubuntu aad_auth[1030]: nss_aad: opening database connection from /var/lib/aad/cache
May 29 09:44:41 ubuntu aad_auth[1030]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
May 29 09:44:41 ubuntu aad_auth[1030]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
May 29 09:44:41 ubuntu aad_auth[1030]: nss_aad: no record found
May 29 09:44:42 ubuntu sudo[1030]: pam_unix(sudo:auth): conversation failed
May 29 09:44:42 ubuntu sudo[1030]: pam_unix(sudo:auth): auth could not identify password for [myuser@mydomain]
May 29 09:44:42 ubuntu sudo[1030]: pam_aad(sudo:auth): aad auth debug enabled
May 29 09:44:42 ubuntu sudo[1030]: pam_aad(sudo:auth): PAM AAD DEBUG enabled
May 29 09:44:42 ubuntu sudo[1030]: pam_aad(sudo:auth): no password found
May 29 09:44:42 ubuntu sudo[1030]: myuser@mydomain : 2 incorrect password attempts ; TTY=pts/0 ; PWD=/home/myuser@mydomain ; USER=root ; COMMAND=/usr/bin/whoami
NSS database seems to be unable to be updated
Support for other Azure Clouds
I work for a company that is required to use Azure GCC High and it appears that the endpoint is currently hardcoded to the Azure Public Cloud. This means we are unable to evaluate aad-auth for our users.
It would be nice if the endpoint were configurable alongside the existing configuration.
In cache tests, replace SetShadowMode() by WithShadowMode()
SetShadowMode() is now deprecated and replaced by WithShadowMode(). Replace it in internal cache tests.
Configurable UID/GID AAD attribute and mapping
The UID (also used as GID) seems to be device locally generated based on the username and some heuristics to avoid local collisions.
As already stated in #207 in our company the UPN can change. Therefore this highly likely yields also new UID/GID values. If the username would be configurable to a more stable user object attribute like proposed in #207 this would also result in more stable UID/GID values.
Can the attribute to be taken as base for that computation/generation be configurable as well? For example the AAD object ID is guarantied to be unique and stable throughout the AAD and therefore way better suited IMHO.
It would be even better if the mapping computation would be a bi-directional one to one mapping. Then aad-auth can guaranty not have UID collisions with all AAD users on all (AAD) devices. This would enable scenarios like one NFS share for all AAD users. And audits would be way easier because there is an actual connection back from the UID towards the AAD user object.
Best case would probably be, if the AAD would actually provide an user object integer attribute for UID guarantied to be unique in the scope of the AAD. AFAIK there is no such thing, but it can probably already be added with extension attributes. Therefore a configurable option to disable a mapping (or the current heuristics) and just taking a configurable attribute value as UID would be an ideal option.
Add aad-auth during OS provisioning
The new Ubuntu installer looks sharp!
However, adding aad-auth DURING the installation of the OS will make the process much more streamlined.
gnome-control-center takes excessively long to open
When logged in as an AAD user account, opening the gnome-control-center app takes much longer than expected to open.
For an AAD user, it is taking roughly 25 seconds to open every time.
For a local user on the same machine, it is taking ~1 second.
Following the systemd journal, while attempting to open the app, I can't see any obvious issues, but I'm including the relevant output here:
Apr 25 08:17:35 test3 dbus-daemon[4716]: [session uid=3300935328 pid=4716] Activating via systemd: service name='org.freedesktop.impl.portal.desktop.gtk' unit='xdg-desktop-portal-gtk.service' requested by ':1.59' (uid=3300935328 pid=5131 comm="/usr/libexec/xdg-desktop-portal" label="unconfined")
Apr 25 08:17:35 test3 systemd[4693]: Starting xdg-desktop-portal-gtk.service - Portal service (GTK/GNOME implementation)...
Apr 25 08:17:35 test3 xdg-desktop-por[5467]: g_dbus_connection_signal_subscribe: assertion 'object_path == NULL || g_variant_is_object_path (object_path)' failed
Apr 25 08:17:35 test3 xdg-desktop-por[5467]: g_dbus_connection_signal_subscribe: assertion 'object_path == NULL || g_variant_is_object_path (object_path)' failed
Apr 25 08:17:35 test3 xdg-desktop-por[5467]: g_dbus_connection_call_internal: assertion 'object_path != NULL && g_variant_is_object_path (object_path)' failed
Apr 25 08:17:41 test3 gnome-character[5374]: JS LOG: Characters Application started
Apr 25 08:17:41 test3 gnome-character[5374]: JS LOG: Characters Application exiting
Apr 25 08:17:46 test3 systemd[4693]: Started app-gnome-ubuntu\x2dadvantage\x2dnotification-5495.scope - Application launched by gnome-session-binary.
Apr 25 08:17:46 test3 systemd[4693]: Started app-gnome-update\x2dnotifier-5497.scope - Application launched by gnome-session-binary.
Apr 25 08:17:55 test3 dbus-daemon[710]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.261' (uid=3300935328 pid=5460 comm="gnome-control-center" label="unconfined")
Apr 25 08:17:55 test3 systemd[1]: Starting systemd-hostnamed.service - Hostname Service...
Apr 25 08:17:55 test3 dbus-daemon[710]: [system] Successfully activated service 'org.freedesktop.hostname1'
Apr 25 08:17:55 test3 systemd[1]: Started systemd-hostnamed.service - Hostname Service.
Apr 25 08:17:55 test3 NetworkManager[796]: ((src/core/nm-dbus-manager.c:1630)): assertion '<dropped>' failed
Apr 25 08:17:55 test3 NetworkManager[796]: ((src/core/nm-dbus-manager.c:1630)): assertion '<dropped>' failed
Apr 25 08:17:55 test3 NetworkManager[796]: ((src/core/nm-dbus-manager.c:1630)): assertion '<dropped>' failed
A wild guess, but I assume this could be related to policy-kit in some way since trying to add network connections via the gnome-control-center also is not possible. The buttons are all greyed-out.
Again, I don't have this problem with a local user account (also non-privileged).
Question: Is Ubuntu Pro subscription required to use the login feature?
Managing Ubuntu machines (servers esp.) is very useful. Do we have to pay for the Pro license to be able to do it?
Passwordless login with FIDO key in AAD
Hello, I work in a federal public company in Brazil, and I would like to know if it is possible to authenticate in the AAD in the ubuntu login using the passwordles method with FIDO key
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.