
Unable to start user session when logged in as active directory user on systemd 245 #15149



@dtwood

Unable to start user session when logged in as active directory user

$ systemctl --version
systemd 245 (v245~rc1-4.fc32)
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified

Used distribution:

$ head -n 7 /etc/os-release
NAME=Fedora
VERSION="32 (Thirty Two)"
ID=fedora
VERSION_ID=32
VERSION_CODENAME=""
PLATFORM_ID="platform:f32"
PRETTY_NAME="Fedora 32 (Thirty Two)"

Expected (Fedora 31)

$ loginctl show-user $(id -u)
UID=14017
GID=100
Name=$USER@$AD_DOMAIN
Timestamp=Tue 2020-03-17 19:24:11 GMT
TimestampMonotonic=83671999059
RuntimePath=/run/user/14017
Service=user@14017.service
Slice=user-14017.slice
Display=16
State=active
Sessions=16
IdleHint=no
IdleSinceHint=1584473648404559
IdleSinceHintMonotonic=84269064636
Linger=yes
$ loginctl show-session 16
Id=16
User=14017
Name=$USER@$AD_DOMAIN
Timestamp=Tue 2020-03-17 19:27:15 GMT
TimestampMonotonic=83855967683
VTNr=0
TTY=pts/4
Remote=yes
RemoteHost=172.18.18.113
Service=sshd
Scope=session-16.scope
Leader=42799
Audit=16
Type=tty
Class=user
Active=yes
State=active
IdleHint=no
IdleSinceHint=1584473656404559
IdleSinceHintMonotonic=84277064636
LockedHint=no
$ loginctl --version
systemd 243 (v243.7-1.fc31)
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified

Log output:

Mar 17 19:27:15 $MACHINE sshd[42799]: Accepted publickey for $EMAIL from 172.18.18.113 port 10659 ssh2: ED25519 SHA256:XeuQh0yMEWO8fHFI+ru9O+nNf/3iiopIjPnZncIkjFs
[...]
Mar 17 19:27:15 $MACHINE systemd-logind[745]: New session 16 of user $USER@$AD_DOMAIN.
Mar 17 19:27:15 $MACHINE systemd[1]: Started Session 16 of user $USER@$AD_DOMAIN.
Mar 17 19:27:15 $MACHINE sshd[42799]: pam_unix(sshd:session): session opened for user $EMAIL by (uid=0)
Mar 17 19:27:15 $MACHINE sshd[42799]: pam_lastlog(sshd:session): username too long, output might be inaccurate
[...]
Mar 17 19:36:09 $MACHINE systemd[1]: session-16.scope: Succeeded.
Mar 17 19:36:09 $MACHINE sshd[42801]: Disconnected from user $EMAIL 172.18.18.113 port 10659
Mar 17 19:36:09 $MACHINE systemd-logind[745]: Session 16 logged out. Waiting for processes to exit.
Mar 17 19:36:09 $MACHINE sshd[42799]: pam_unix(sshd:session): session closed for user $EMAIL
Mar 17 19:36:09 $MACHINE systemd-logind[745]: Removed session 16.

Actual:

$ loginctl show-user 14017
Failed to get user: User ID 14017 is not logged in or lingering
$ loginctl list-users
No users.
$ loginctl --version
systemd 245 (v245~rc1-4.fc32)
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified

Log output:

Mar 17 19:46:38 $MACHINE sshd[52687]: Accepted publickey for $EMAIL from 172.18.18.113 port 11101 ssh2: ED25519 SHA256:XeuQh0yMEWO8fHFI+ru9O+nNf/3iiopIjPnZncIkjFs
[...]
Mar 17 19:46:38 $MACHINE sshd[52687]: pam_systemd(sshd:session): Failed to get user record: Invalid argument
Mar 17 19:46:38 $MACHINE sshd[52687]: pam_unix(sshd:session): session opened for user $EMAIL by (uid=0)
Mar 17 19:46:38 $MACHINE sshd[52687]: pam_lastlog(sshd:session): username too long, output might be inaccurate
[...]
Mar 17 19:47:27 $MACHINE sshd[52689]: Received disconnect from 172.18.18.113 port 11101:11: disconnected by user
[...]
Mar 17 19:47:27 $MACHINE sshd[52689]: Disconnected from user $EMAIL 172.18.18.113 port 11101
Mar 17 19:47:27 $MACHINE sshd[52687]: pam_unix(sshd:session): session closed for user $EMAIL

This also leads to some more critical things being missing, for example /run/user/14017 does not get created.

It looks like the EINVAL is coming from acquire_user_record → userdb_by_name → valid_user_group_name_compat → valid_user_group_name_full, although I'm not sure what validation that path is meant to perform there.
POSIX's portable username character set disallows `@`, but with `use_fully_qualified_names = True` that is how every AD username is represented, so all of them are rejected.

A few other bits of output:

$ sudo userdbctl user 14017
   User name: $USER@$AD_DOMAIN
 Disposition: regular
    Login OK: yes
 Password OK: yes
         UID: 14017
         GID: 100 (users)
 Aux. Groups: (can't acquire: Invalid argument)
   Real Name: David Wood
   Directory: /home/$USER
     Storage: classic
       Shell: /bin/csh
   Passwords: none

$ sudo userdbctl user $EMAIL
Failed to find user $EMAIL: Invalid argument

$ sudo userdbctl user $USER@$AD_DOMAIN
Failed to find user $USER@$AD_DOMAIN: Invalid argument

$ sudo userdbctl user $NB_DOMAIN\\$USER
Failed to find user $NB_DOMAIN\$USER: Invalid argument

$ sudo cat /etc/sssd/sssd.conf
sudo cat /etc/sssd/sssd.conf
[sssd]
domains = $AD_DOMAIN
config_file_version = 2
services = nss, pam

[domain/$AD_DOMAIN]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = $AD_DOMAIN
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = $AD_DOMAIN
use_fully_qualified_names = True
ldap_id_mapping = False
access_provider = simple
simple_allow_users = $USER
simple_allow_groups = Linux-Admins
krb5_renew_interval = 3600
auth_provider = ad

[pam]
