Bug 889980

Summary: lightdm sssd authentication failure when use_fully_qualified_names = False is set
Product: [Fedora] Fedora
Reporter: combuster
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 18
CC: jhrozek, sbose, sgallagh, ssorce
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-02-14 08:27:29 EST

Attachments (flags: none):
Bziped pam.d directory
sssd_pam.log
sssd_DOMAINX.log

Description combuster 2012-12-24 03:55:34 EST
Created attachment 668383
Bziped pam.d directory

Description of problem:

First of all I am very pleased with the enterprise login option available in user accounts, and it works great. The only trouble I have is that, by default, entering the username requires it to be in the following format: DOMAIN\user.surname

The backslash is giving me headaches with sendmail and mutt, and it is a lot easier to log in and generally work when it is sufficient to just type user.surname as the username. I remembered the assume_default_domain (or similar) option in samba, tried to find an equivalent option in sssd, and found it. So when I set use_fully_qualified_names = False in sssd.conf everything works as expected. I can send mail to a user with just "mail user.surname" and can read mail with mutt, etc.

The problem is that lightdm, sshd and xscreensaver don't respect this, and I still have to enter the username in the DOMAIN\user.surname format (with xscreensaver that's not possible at all, since it only gives me the option to enter a password). Here is the relevant output:

xscreensaver: pam_sss(xscreensaver:auth): authentication  failure; logname= uid=459001114 euid=459001114 tty=:0.0 ruser= rhost= user=user.surname
xscreensaver: pam_sss(xscreensaver:auth): received for user user.surname: 4 (System error)

And for lightdm:

lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=user.surname
lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user.surname
lightdm: pam_sss(lightdm:auth): received for user user.surname: 4 (System error)

The same output goes for sshd. When I enter username as DOMAIN\user.surname I can login with lightdm and ssh:

lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=DOMAIN\user.surname
lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=DOMAIN\user.surname
lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
lightdm: pam_unix(lightdm:session): session opened for user DOMAIN\user.surname by (uid=0)

Also, I have a problem with crontab: I can't list cron jobs, and I get the following message:

You (user.surname) are not allowed to access to (crontab) because of pam configuration.

I will attach relevant pam configuration files.

su - user.surname, however, works.

Version-Release number of selected component (if applicable):

Name        : sssd
Arch        : x86_64
Version     : 1.9.3
Release     : 1.fc18

Fedora 18 Xfce spin

How reproducible:

Always

Steps to Reproduce:
1. Set use_fully_qualified_names = False in sssd.conf
2. Reboot
3. Try to login without DOMAIN\ prefix in username
  
Actual results:

Lightdm reports to check password

Expected results:

Lightdm should start xfce4 session for user

Additional info:

If there is any additional information that could help, please let me know. Here is my sssd.conf

[sssd]
domains = DOMAINX
config_file_version = 2
services = nss, pam

[nss]
default_shell = /bin/bash

[domain/DOMAINX]
auth_provider = ad
simple_allow_users = user.surname
ad_domain = domainx.xxx.xxx
krb5_realm = DOMAIN.XXX.XXX
case_sensitive = False
enumerate = False
chpass_provider = ad
re_expression = (?P<domain>[^\\]+)\\(?P<name>[^\\]+)
cache_credentials = True
id_provider = ad
full_name_format = %2$s\%1$s
krb5_store_password_if_offline = True
access_provider = simple
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u

Sorry about the bzipped file; I didn't want to spam the report with most of the files in pam.d.
Comment 1 Jakub Hrozek 2013-01-02 10:01:42 EST
We should probably be at least printing a better error message than System Error. Can you try putting debug_level=10 into the [pam] and [domain/DOMAINX] sections, restart the SSSD and attach the files (sanitized if needed) /var/log/sssd_pam.log, /var/log/sssd/sssd_DOMAINX.log and /var/log/sssd/krb5_child.log?
Comment 2 combuster 2013-01-02 11:06:50 EST
At the moment all I could try was ssh to the box; tomorrow I will post the output from lightdm and xscreensaver.

sshd[10892]: Invalid user user.surname from xxx.xxx.xxx.xxx
sshd[10892]: input_userauth_request: invalid user user.surname [preauth]
sshd[10892]: pam_unix(sshd:auth): check pass; user unknown
sshd[10892]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx
sshd[10892]: Failed password for invalid user user.surname from xxx.xxx.xxx.xxx port xxxxx ssh2
sshd[10892]: pam_unix(sshd:auth): check pass; user unknown

krb5_child.log is empty

Attaching sssd_pam.log and sssd_DOMAINX.log
Comment 3 combuster 2013-01-02 11:10:03 EST
Created attachment 671537
sssd_pam.log
Comment 4 combuster 2013-01-02 11:10:28 EST
Created attachment 671539
sssd_DOMAINX.log
Comment 5 combuster 2013-01-03 04:18:53 EST
When I comment out the: 

re_expression = (?P<domain>[^\\]+)\\(?P<name>[^\\]+)

parameter, I can log in just fine without the domain prefix. I really don't know why I didn't think of this one before; I guess suspecting PAM was at the top of the list.

It is already mentioned in the man pages that

“(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))”

allows all three (will try later) logon formats (username, username@domain and DOMAIN\username) but by default sssd is configured to accept only DOMAIN\username.

It would be nice if the enterprise login had an option to choose whether you want to use the FQDN, and if re_expression by default allowed all three login formats.

Jakub, thank you very much. I'll be happy to provide any information that could be useful before closing this bug report...
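As an added example (not code from the bug report or from the SSSD project), the Go program below applies the reporter's re_expression from the sssd.conf above and the three-format pattern quoted from the man page in Comment 5 to the three login forms, which shows why a bare user.surname can never produce a user name under the default pattern. It assumes leftmost-first alternation (Go's regexp behaves like PCRE here) and that the duplicated "name"/"domain" group names are resolved by taking whichever copy actually captured text.

```go
package main

import (
	"fmt"
	"regexp"
)

// Pattern from the reporter's sssd.conf: only DOMAIN\user can match, so a
// bare user.surname never yields a name and pam_sss reports "System error".
var defaultRe = regexp.MustCompile(`(?P<domain>[^\\]+)\\(?P<name>[^\\]+)`)

// Three-format pattern quoted from the sssd.conf man page in Comment 5. It
// reuses the group names in each alternative; Go's regexp permits that.
var threeFormatRe = regexp.MustCompile(
	`(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))`)

// parseLogin applies re the way SSSD applies re_expression: the first
// alternative that matches wins, and the user name comes from whichever
// "name" group captured text. ok is false when nothing matched at all.
func parseLogin(re *regexp.Regexp, login string) (name, domain string, ok bool) {
	m := re.FindStringSubmatch(login)
	if m == nil {
		return "", "", false
	}
	for i, groupName := range re.SubexpNames() {
		if m[i] == "" {
			continue
		}
		switch groupName {
		case "name":
			name = m[i]
		case "domain":
			domain = m[i]
		}
	}
	return name, domain, name != ""
}

func main() {
	// Constructed sample logins covering the three formats the man page lists.
	logins := []string{`DOMAINX\user.surname`, "user.surname@domainx.xxx.xxx", "user.surname"}
	for _, re := range []*regexp.Regexp{defaultRe, threeFormatRe} {
		fmt.Printf("re_expression = %s\n", re)
		for _, l := range logins {
			name, domain, ok := parseLogin(re, l)
			fmt.Printf("  %-30s -> name=%q domain=%q matched=%v\n", l, name, domain, ok)
		}
	}
}
```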
Comment 6 Jakub Hrozek 2013-02-14 08:27:29 EST
Enhancements to the regex schemas are being tracked in https://fedorahosted.org/sssd/ticket/1648 and https://fedorahosted.org/sssd/ticket/1468