Skip to content
This repository has been archived by the owner on May 2, 2024. It is now read-only.

Login fails #420

Open
2 tasks done
turowicz opened this issue Dec 19, 2023 · 5 comments
Open
2 tasks done

Login fails #420

turowicz opened this issue Dec 19, 2023 · 5 comments
Labels
bug Something isn't working

Comments

@turowicz
Copy link

turowicz commented Dec 19, 2023
edited
Loading

Is there an existing issue for this?

  • I have searched the existing issues and found none that matched mine

Describe the issue

I have installed libpam-aad and libnss-aad and configured the app_id and tenant_id in aad.conf, but the login doesn't work.

Steps to reproduce it

  1. Go to Ubuntu login
  2. Enter azure ad login (lowercase)
  3. Enter password
  4. Login failed

Ubuntu users: System information and logs

libnss_report.txt
libpam_report.txt

Non Ubuntu users: System information and logs

Environment

  • aad-auth version: 0.5.2
  • Distribution: Ubuntu
  • Distribution version: 23.10

Log files

Please redact/remove sensitive information:

Dec 19 16:18:30 surveily-wt-04 gdm-password][26054]: pam_aad(gdm-password:auth): aad auth debug enabled
Dec 19 16:18:30 surveily-wt-04 gdm-password][26054]: pam_aad(gdm-password:auth): PAM AAD DEBUG enabled
Dec 19 16:18:30 surveily-wt-04 gdm-password][26054]: pam_aad(gdm-password:auth): Loading configuration from /etc/aad.conf
Dec 19 16:18:30 surveily-wt-04 gdm-password][26054]: pam_aad(gdm-password:auth): Connecting to "https://login.microsoftonline.com/7dc146bd-2748-4f55-a91b-6959e70f2a90", with clientID "c7e4dc0f-9e0c-4b2d-9cc8-3c08b7fd2663" for user "wojciech.turowicz@surveily.com"
Dec 19 16:18:33 surveily-wt-04 gdm-password][26054]: pam_aad(gdm-password:auth): Authentication successful even if requiring MFA
Dec 19 16:18:33 surveily-wt-04 gdm-password][26054]: pam_aad(gdm-password:auth): Cache initialization
Dec 19 16:18:33 surveily-wt-04 gdm-password][26054]: pam_aad(gdm-password:auth): Opening cache in /var/lib/aad/cache
Dec 19 16:18:33 surveily-wt-04 gdm-password][26054]: pam_aad(gdm-password:auth): check file permissions on /var/lib/aad/cache/shadow.db
Dec 19 16:18:33 surveily-wt-04 gdm-password][26054]: pam_aad(gdm-password:auth): check file permissions on /var/lib/aad/cache/passwd.db
Dec 19 16:18:33 surveily-wt-04 gdm-password][26054]: pam_aad(gdm-password:auth): Shadow db mode: 2
Dec 19 16:18:33 surveily-wt-04 gdm-password][26054]: pam_aad(gdm-password:auth): Cleaning up db. Removing entries that last authenticated online more than 180 days ago
Dec 19 16:18:33 surveily-wt-04 gdm-password][26054]: pam_aad(gdm-password:auth): getting user information from cache for "wojciech.turowicz@surveily.com"
Dec 19 16:18:33 surveily-wt-04 gdm-password][26054]: pam_aad(gdm-password:auth): encrypt password for user "wojciech.turowicz@surveily.com"
Dec 19 16:18:33 surveily-wt-04 gdm-password][26054]: pam_aad(gdm-password:auth): updating from last online login information for user "wojciech.turowicz@surveily.com"
Dec 19 16:18:34 surveily-wt-04 gdm-password][26054]: pam_aad(gdm-password:auth): Close database request

Application settings

Please redact/remove sensitive information:

tenant_id = 7dc146bd-2748-4f55-a91b-6959e70f2a90
app_id = c7e4dc0f-9e0c-4b2d-9cc8-3c08b7fd2663

Relevant information

I install the pam and nss libraries from apt.

Double check your logs

  • I have redacted any sensitive information from the logs
@turowicz turowicz added the bug Something isn't working label Dec 19, 2023
@turowicz
Copy link
Author

cc @GabrielNagy @jibel

@turowicz
Copy link
Author 

2023-12-19T16:18:30.564395+01:00 surveily-wt-04 gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=wojciech.turowicz@surveily.com
2023-12-19T16:18:30.600908+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): Connecting to "https://login.microsoftonline.com/7dc146bd-2748-4f55-a91b-6959e70f2a90", with clientID "c7e4dc0f-9e0c-4b2d-9cc8-3c08b7fd2663" for user "wojciech.turowicz@surveily.com"
2023-12-19T16:18:33.481626+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): getting user information from cache for "wojciech.turowicz@surveily.com"
2023-12-19T16:18:33.481800+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): encrypt password for user "wojciech.turowicz@surveily.com"
2023-12-19T16:18:33.531897+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): updating from last online login information for user "wojciech.turowicz@surveily.com"
2023-12-20T09:10:40.228948+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): Connecting to "https://login.microsoftonline.com/7dc146bd-2748-4f55-a91b-6959e70f2a90", with clientID "c7e4dc0f-9e0c-4b2d-9cc8-3c08b7fd2663" for user "wojciech.turowicz@surveily.com"
2023-12-20T09:10:43.319456+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): Connecting to "https://login.microsoftonline.com/7dc146bd-2748-4f55-a91b-6959e70f2a90", with clientID "c7e4dc0f-9e0c-4b2d-9cc8-3c08b7fd2663" for user "wojciech.turowicz@surveily.com"
2023-12-20T09:11:09.685972+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): Connecting to "https://login.microsoftonline.com/7dc146bd-2748-4f55-a91b-6959e70f2a90", with clientID "c7e4dc0f-9e0c-4b2d-9cc8-3c08b7fd2663" for user "wojciech.turowicz@surveily.com"
2023-12-20T09:11:10.087521+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): getting user information from cache for "wojciech.turowicz@surveily.com"
2023-12-20T09:11:10.087642+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): generate user id for user "wojciech.turowicz@surveily.com"
2023-12-20T09:11:10.087745+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): user id for "wojciech.turowicz@surveily.com" is 2794555040
2023-12-20T09:11:10.087871+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): Getting home directory for wojciech.turowicz@surveily.com
2023-12-20T09:11:10.087954+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): inserting in cache user "wojciech.turowicz@surveily.com"
2023-12-20T09:11:10.094460+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): encrypt password for user "wojciech.turowicz@surveily.com"
2023-12-20T09:11:10.143655+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): updating from last online login information for user "wojciech.turowicz@surveily.com"
2023-12-20T09:36:34.956574+01:00 surveily-wt-04 gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=wojciech.turowicz@surveily.com
2023-12-20T09:36:34.957750+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): Connecting to "https://login.microsoftonline.com/7dc146bd-2748-4f55-a91b-6959e70f2a90", with clientID "c7e4dc0f-9e0c-4b2d-9cc8-3c08b7fd2663" for user "wojciech.turowicz@surveily.com"
2023-12-20T09:36:35.434113+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): getting user information from cache for "wojciech.turowicz@surveily.com"
2023-12-20T09:36:35.434218+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): encrypt password for user "wojciech.turowicz@surveily.com"
2023-12-20T09:36:35.483019+01:00 surveily-wt-04 gdm-password]: pam_aad(gdm-password:auth): updating from last online login information for user "wojciech.turowicz@surveily.com"

@turowicz
Copy link
Author

turowicz commented Dec 20, 2023
edited
Loading

This test URL gives me right credentials:

https://login.microsoftonline.com/7dc146bd-2748-4f55-a91b-6959e70f2a90/oauth2/v2.0/authorize?client_id=c7e4dc0f-9e0c-4b2d-9cc8-3c08b7fd2663&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid+profile+User.read&response_type=id_token

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "T1St-dLTvyWRgxB_676u8krXS-I"
}.{
  "aud": "c7e4dc0f-9e0c-4b2d-9cc8-3c08b7fd2663",
  "iss": "https://login.microsoftonline.com/7dc146bd-2748-4f55-a91b-6959e70f2a90/v2.0",
  "iat": 1703066461,
  "nbf": 1703066461,
  "exp": 1703070361,
  "aio": "AWQAm/8VAAAAB7eWpjyQj0Pr2G781ukBTUcovHnf25QAmZ4OpEwXEFQkgCuWju7JMqkU8GSPqQGSreXR6ItizDmpzw4KIo+XJMadckLQN7vboiRAnXxt+ND7pBbb4QLJJm7EdR8BMyA5",
  "cc": "CgEAEgxzdXJ2ZWlseS5jb20aEgoQXDmCxtJlZEejgD5JScfvtSISChAb+SjKTCV4RbTy9rt0CnkAMgJFVTgA",
  "family_name": "Turowicz",
  "given_name": "Wojciech",
  "name": "Wojciech Turowicz",
  "nonce": "defaultNonce",
  "oid": "467f62a3-d65f-4a00-8031-7e5c3f40e02d",
  "preferred_username": "wojciech.turowicz@surveily.com",
  "rh": "0.ATwAvUbBfUgnVU-pG2lZ5w8qkA_c5McMni1LnMg8CLf9JmM8AKM.",
  "sub": "S-ZgY3BfsM5YyyJeT-TPoC3Ont4gya6S_N8Poebjadc",
  "tid": "7dc146bd-2748-4f55-a91b-6959e70f2a90",
  "uti": "G_koykwleEW08va7dAp5AA",
  "ver": "2.0"
}.[Signature]

@turowicz turowicz mentioned this issue Dec 20, 2023
Open
@turowicz
Copy link
Author 

Dec 20 11:40:27 surveily-wt-04 aad_auth[53266]: nss_aad: Log output set to syslog
Dec 20 11:40:27 surveily-wt-04 aad_auth[53266]: nss_aad: Log level set to Debug
Dec 20 11:40:27 surveily-wt-04 aad_auth[53266]: nss_aad: get_all_entries for group
Dec 20 11:40:27 surveily-wt-04 aad_auth[53266]: nss_aad: opening database connection from /var/lib/aad/cache
Dec 20 11:40:27 surveily-wt-04 aad_auth[53266]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
Dec 20 11:40:27 surveily-wt-04 aad_auth[53266]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
Dec 20 11:40:27 surveily-wt-04 aad_auth[53266]: nss_aad: found record: Group { name: "wojciech.turowicz@surveily.com", passwd: "x", gid: 2794555040, members: ["wojciech.turowicz@surveily.com"] }
Dec 20 11:40:30 surveily-wt-04 aad_auth[53464]: nss_aad: Log output set to syslog
Dec 20 11:40:30 surveily-wt-04 aad_auth[53464]: nss_aad: Log level set to Debug
Dec 20 11:40:30 surveily-wt-04 aad_auth[53464]: nss_aad: get_all_entries for group
Dec 20 11:40:30 surveily-wt-04 aad_auth[53464]: nss_aad: opening database connection from /var/lib/aad/cache
Dec 20 11:40:30 surveily-wt-04 aad_auth[53464]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
Dec 20 11:40:30 surveily-wt-04 aad_auth[53464]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
Dec 20 11:40:30 surveily-wt-04 aad_auth[53464]: nss_aad: found record: Group { name: "wojciech.turowicz@surveily.com", passwd: "x", gid: 2794555040, members: ["wojciech.turowicz@surveily.com"] }
Dec 20 11:40:30 surveily-wt-04 aad_auth[53478]: nss_aad: Log output set to syslog
Dec 20 11:40:30 surveily-wt-04 aad_auth[53478]: nss_aad: Log level set to Debug
Dec 20 11:40:30 surveily-wt-04 aad_auth[53478]: nss_aad: get_all_entries for group
Dec 20 11:40:30 surveily-wt-04 aad_auth[53478]: nss_aad: opening database connection from /var/lib/aad/cache
Dec 20 11:40:30 surveily-wt-04 aad_auth[53478]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
Dec 20 11:40:30 surveily-wt-04 aad_auth[53478]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
Dec 20 11:40:30 surveily-wt-04 aad_auth[53478]: nss_aad: found record: Group { name: "wojciech.turowicz@surveily.com", passwd: "x", gid: 2794555040, members: ["wojciech.turowicz@surveily.com"] }
Dec 20 11:40:30 surveily-wt-04 aad_auth[53478]: nss_aad: get_all_entries for group
Dec 20 11:40:30 surveily-wt-04 aad_auth[53478]: nss_aad: opening database connection from /var/lib/aad/cache
Dec 20 11:40:30 surveily-wt-04 aad_auth[53478]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
Dec 20 11:40:30 surveily-wt-04 aad_auth[53478]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
Dec 20 11:40:30 surveily-wt-04 aad_auth[53478]: nss_aad: found record: Group { name: "wojciech.turowicz@surveily.com", passwd: "x", gid: 2794555040, members: ["wojciech.turowicz@surveily.com"] }
Dec 20 11:41:03 surveily-wt-04 gdm-password][53881]: pam_aad(gdm-password:auth): aad auth debug enabled
Dec 20 11:41:03 surveily-wt-04 gdm-password][53881]: pam_aad(gdm-password:auth): PAM AAD DEBUG enabled
Dec 20 11:41:03 surveily-wt-04 gdm-password][53881]: pam_aad(gdm-password:auth): Loading configuration from /etc/aad.conf
Dec 20 11:41:03 surveily-wt-04 gdm-password][53881]: pam_aad(gdm-password:auth): Connecting to "https://login.microsoftonline.com/7dc146bd-2748-4f55-a91b-6959e70f2a90", with clientID "c7e4dc0f-9e0c-4b2d-9cc8-3c08b7fd2663" for user "wojciech.turowicz@surveily.com"
Dec 20 11:41:04 surveily-wt-04 gdm-password][53881]: pam_aad(gdm-password:auth): Authentication successful even if requiring MFA
Dec 20 11:41:04 surveily-wt-04 gdm-password][53881]: pam_aad(gdm-password:auth): Cache initialization
Dec 20 11:41:04 surveily-wt-04 gdm-password][53881]: pam_aad(gdm-password:auth): Opening cache in /var/lib/aad/cache
Dec 20 11:41:04 surveily-wt-04 gdm-password][53881]: pam_aad(gdm-password:auth): check file permissions on /var/lib/aad/cache/passwd.db
Dec 20 11:41:04 surveily-wt-04 gdm-password][53881]: pam_aad(gdm-password:auth): check file permissions on /var/lib/aad/cache/shadow.db
Dec 20 11:41:04 surveily-wt-04 gdm-password][53881]: pam_aad(gdm-password:auth): Shadow db mode: 2
Dec 20 11:41:04 surveily-wt-04 gdm-password][53881]: pam_aad(gdm-password:auth): Cleaning up db. Removing entries that last authenticated online more than 180 days ago
Dec 20 11:41:04 surveily-wt-04 gdm-password][53881]: pam_aad(gdm-password:auth): getting user information from cache for "wojciech.turowicz@surveily.com"
Dec 20 11:41:04 surveily-wt-04 gdm-password][53881]: pam_aad(gdm-password:auth): encrypt password for user "wojciech.turowicz@surveily.com"
Dec 20 11:41:04 surveily-wt-04 gdm-password][53881]: pam_aad(gdm-password:auth): updating from last online login information for user "wojciech.turowicz@surveily.com"
Dec 20 11:41:04 surveily-wt-04 gdm-password][53881]: pam_aad(gdm-password:auth): Close database request
Dec 20 11:41:14 surveily-wt-04 aad_auth[54107]: nss_aad: Log output set to syslog
Dec 20 11:41:14 surveily-wt-04 aad_auth[54107]: nss_aad: Log level set to Debug
Dec 20 11:41:14 surveily-wt-04 aad_auth[54107]: nss_aad: get_entry_by_name for passwd for name: pam_unix_non_existent:
Dec 20 11:41:14 surveily-wt-04 aad_auth[54107]: nss_aad: opening database connection from /var/lib/aad/cache
Dec 20 11:41:14 surveily-wt-04 aad_auth[54107]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
Dec 20 11:41:14 surveily-wt-04 aad_auth[54107]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
Dec 20 11:41:14 surveily-wt-04 aad_auth[54107]: nss_aad: no record found
Dec 20 11:41:17 surveily-wt-04 aad_auth[54107]: nss_aad: get_all_entries for group
Dec 20 11:41:17 surveily-wt-04 aad_auth[54107]: nss_aad: opening database connection from /var/lib/aad/cache
Dec 20 11:41:17 surveily-wt-04 aad_auth[54107]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
Dec 20 11:41:17 surveily-wt-04 aad_auth[54107]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
Dec 20 11:41:17 surveily-wt-04 aad_auth[54107]: nss_aad: found record: Group { name: "wojciech.turowicz@surveily.com", passwd: "x", gid: 2794555040, members: ["wojciech.turowicz@surveily.com"] }
Dec 20 11:41:17 surveily-wt-04 aad_auth[54107]: nss_aad: get_all_entries for group
Dec 20 11:41:17 surveily-wt-04 aad_auth[54107]: nss_aad: opening database connection from /var/lib/aad/cache
Dec 20 11:41:17 surveily-wt-04 aad_auth[54107]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
Dec 20 11:41:17 surveily-wt-04 aad_auth[54107]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
Dec 20 11:41:17 surveily-wt-04 aad_auth[54107]: nss_aad: found record: Group { name: "wojciech.turowicz@surveily.com", passwd: "x", gid: 2794555040, members: ["wojciech.turowicz@surveily.com"] }
Dec 20 11:41:17 surveily-wt-04 aad_auth[54107]: nss_aad: get_all_entries for group
Dec 20 11:41:17 surveily-wt-04 aad_auth[54107]: nss_aad: opening database connection from /var/lib/aad/cache
Dec 20 11:41:17 surveily-wt-04 aad_auth[54107]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
Dec 20 11:41:17 surveily-wt-04 aad_auth[54107]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
Dec 20 11:41:17 surveily-wt-04 aad_auth[54107]: nss_aad: found record: Group { name: "wojciech.turowicz@surveily.com", passwd: "x", gid: 2794555040, members: ["wojciech.turowicz@surveily.com"] }
Dec 20 11:41:36 surveily-wt-04 aad_auth[54673]: nss_aad: Log output set to syslog
Dec 20 11:41:36 surveily-wt-04 aad_auth[54673]: nss_aad: Log level set to Debug
Dec 20 11:41:36 surveily-wt-04 aad_auth[54673]: nss_aad: get_all_entries for group
Dec 20 11:41:36 surveily-wt-04 aad_auth[54673]: nss_aad: opening database connection from /var/lib/aad/cache
Dec 20 11:41:36 surveily-wt-04 aad_auth[54673]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
Dec 20 11:41:36 surveily-wt-04 aad_auth[54673]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
Dec 20 11:41:36 surveily-wt-04 aad_auth[54673]: nss_aad: found record: Group { name: "wojciech.turowicz@surveily.com", passwd: "x", gid: 2794555040, members: ["wojciech.turowicz@surveily.com"] }
Dec 20 11:41:36 surveily-wt-04 aad_auth[54673]: nss_aad: get_entry_by_name for passwd for name: pam_unix_non_existent:
Dec 20 11:41:36 surveily-wt-04 aad_auth[54673]: nss_aad: opening database connection from /var/lib/aad/cache
Dec 20 11:41:36 surveily-wt-04 aad_auth[54673]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
Dec 20 11:41:36 surveily-wt-04 aad_auth[54673]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
Dec 20 11:41:36 surveily-wt-04 aad_auth[54673]: nss_aad: no record found
Dec 20 11:41:38 surveily-wt-04 aad_auth[54673]: nss_aad: get_all_entries for group
Dec 20 11:41:38 surveily-wt-04 aad_auth[54673]: nss_aad: opening database connection from /var/lib/aad/cache
Dec 20 11:41:38 surveily-wt-04 aad_auth[54673]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
Dec 20 11:41:38 surveily-wt-04 aad_auth[54673]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
Dec 20 11:41:38 surveily-wt-04 aad_auth[54673]: nss_aad: found record: Group { name: "wojciech.turowicz@surveily.com", passwd: "x", gid: 2794555040, members: ["wojciech.turowicz@surveily.com"] }
Dec 20 11:41:38 surveily-wt-04 aad_auth[54673]: nss_aad: get_all_entries for group
Dec 20 11:41:38 surveily-wt-04 aad_auth[54673]: nss_aad: opening database connection from /var/lib/aad/cache
Dec 20 11:41:38 surveily-wt-04 aad_auth[54673]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
Dec 20 11:41:38 surveily-wt-04 aad_auth[54673]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
Dec 20 11:41:38 surveily-wt-04 aad_auth[54673]: nss_aad: found record: Group { name: "wojciech.turowicz@surveily.com", passwd: "x", gid: 2794555040, members: ["wojciech.turowicz@surveily.com"] }

@turowicz
Copy link
Author

This computer has been previously joined to a regular Active Directory with sssd. Perhaps that is the issue? I have uninstalled sssd-ad sssd-tools realmd adcli krb5-user but maybe there are some leftovers?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@turowicz