Bug 958537

Summary: gdm user list does not include sssd users
Product: [Fedora] Fedora
Reporter: Jeff Bastian <jbastian>
Component: accountsservice
Assignee: Matthias Clasen <mclasen>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: medium
Version: 19
CC: mclasen, pkis, rstrode, stefw
Hardware: All
OS: Linux
Fixed In Version: accountsservice-0.6.32-1.fc19
Doc Type: Bug Fix
Clone Of:
: 959464 (view as bug list) Environment:
Last Closed: 2013-07-09 13:22:31 UTC
Type: Bug
Bug Blocks: 959458, 959464    
Attachments:
patch to revert upstream commit 8dd2ac2 (flags: none)

Description Jeff Bastian 2013-05-01 19:09:58 UTC
Description of problem:
My system is configured to run SSSD to authenticate users with LDAP & Kerberos, but the gdm user list does not show the LDAP users.  Only local users (from /etc/passwd) appear on the gdm user list.  I have to select "Not listed?" and enter my username every time to log in.

Previous versions of gdm would remember your username after you've logged in once via the "Not listed?" method.

This is also a problem for fast user switching since there's no indication that I'm already logged in (or *still* logged in) from the gdm screen.

Version-Release number of selected component (if applicable):
gdm-3.8.1.1-1.fc19.x86_64
accountsservice-0.6.31-1.fc19.x86_64
sssd-1.10.0-1.fc19.alpha1.x86_64
openldap-2.4.35-3.fc19.x86_64

How reproducible:
every time?

Steps to Reproduce:
1. configure system to use SSSD with LDAP & Kerberos servers
2. log in with gdm once via "Not listed?" prompt
3. logout
  
Actual results:
gdm user list is missing the LDAP user

Expected results:
gdm remembers LDAP users and includes them in the user list

Additional info:

Comment 1 Jeff Bastian 2013-05-01 20:16:17 UTC
This might be a problem with accountsservice.  I sent a dbus query and my UID is not listed:

$ dbus-send --system --type=method_call --print-reply \
    --dest=org.freedesktop.Accounts \
    /org/freedesktop/Accounts \
    org.freedesktop.Accounts.ListCachedUsers
method return sender=:1.85 -> dest=:1.314 reply_serial=2
   array [
      object path "/org/freedesktop/Accounts/User1000"
      object path "/org/freedesktop/Accounts/User1001"
   ]


UIDs 1000 and 1001 are the two local users in /etc/passwd.  My UID is 12257.


However, the accountsservice system *does* remember my preferred session:

$ dbus-send --system --type=method_call --print-reply \
    --dest=org.freedesktop.Accounts \
    /org/freedesktop/Accounts/User12257 \
    org.freedesktop.DBus.Properties.Get \
    string:"org.freedesktop.Accounts.User" string:"XSession"
method return sender=:1.85 -> dest=:1.315 reply_serial=2
   variant       string "gnome"

Comment 2 Jeff Bastian 2013-05-01 20:46:34 UTC
I tried forcing it to cache me:

$ dbus-send --system --type=method_call --print-reply \
    --dest=org.freedesktop.Accounts \
    /org/freedesktop/Accounts \
    org.freedesktop.Accounts.CacheUser \
    string:"jbastian"
method return sender=:1.85 -> dest=:1.408 reply_serial=2
   object path "/org/freedesktop/Accounts/User12257"


It prompted for a password and, based on the reply, it appeared to work.  However, I'm still not cached:

$ dbus-send --system --type=method_call --print-reply \
    --dest=org.freedesktop.Accounts \
    /org/freedesktop/Accounts \
    org.freedesktop.Accounts.ListCachedUsers
method return sender=:1.85 -> dest=:1.415 reply_serial=2
   array [
      object path "/org/freedesktop/Accounts/User1000"
      object path "/org/freedesktop/Accounts/User1001"
   ]


Apparently accountsservice thinks I'm a system account and that's why it won't cache me:

$ dbus-send --system --type=method_call --print-reply \
    --dest=org.freedesktop.Accounts \
    /org/freedesktop/Accounts/User12257 \
    org.freedesktop.DBus.Properties.Get \
    string:"org.freedesktop.Accounts.User" string:"SystemAccount"
method return sender=:1.85 -> dest=:1.418 reply_serial=2
   variant       boolean true

Comment 3 Jeff Bastian 2013-05-01 21:06:11 UTC
I downgraded to accountsservice-0.6.30-2.fc19.x86_64 and that fixed it!

I see my account now in the gdm user list, and I can verify it with dbus-send:

$ dbus-send --system --type=method_call --print-reply \
    --dest=org.freedesktop.Accounts \
    /org/freedesktop/Accounts \
    org.freedesktop.Accounts.ListCachedUsers
method return sender=:1.3 -> dest=:1.84 reply_serial=2
   array [
      object path "/org/freedesktop/Accounts/User12257"
      object path "/org/freedesktop/Accounts/User1000"
      object path "/org/freedesktop/Accounts/User1001"
   ]

$ dbus-send --system --type=method_call --print-reply \
    --dest=org.freedesktop.Accounts \
    /org/freedesktop/Accounts/User12257 \
    org.freedesktop.DBus.Properties.Get \
    string:"org.freedesktop.Accounts.User" string:"SystemAccount"
method return sender=:1.3 -> dest=:1.85 reply_serial=2
   variant       boolean false


I suspect this patch is the problem:
http://cgit.freedesktop.org/accountsservice/commit/?id=8dd2ac2a79636349de5846fab2050a7866f2ddee

Comment 4 Jeff Bastian 2013-05-01 21:10:33 UTC
Since we use Kerberos, my password is just a "*" in the passwd entry (according to getent).  That would match a system account by the commit 8dd2ac2 mentioned above since that looks for passwords that match "$n$..." or "[./A-Za-z0-9]*"

Moving this to accountsservice component

Comment 5 Jeff Bastian 2013-05-01 21:40:31 UTC
Created attachment 742381
patch to revert upstream commit 8dd2ac2

I reversed commit 8dd2ac2 from the 0.6.31 packages with the attached patch and built a test package:
  accountsservice-0.6.31-2.fc19.no8dd2ac2.x86_64
  http://koji.fedoraproject.org/koji/taskinfo?taskID=5322859

I still show up in the gdm list, I'm still in the cached-user-list, and I'm not marked as a system account, so I've confirmed that 8dd2ac2 is the problem.

Comment 6 Stef Walter 2013-05-03 14:23:27 UTC
Hmm, yes that is indeed broken. We shouldn't count on reading a password hash.
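
The misclassification discussed in Comments 4 and 6, as an added example that is neither accountsservice's code nor the upstream fix: `looks_like_hash` is a reconstruction of the check from Comment 4's description, and `system_by_uid` with `UID_MIN_ASSUMED` set to 1000 is a hypothetical alternative that never reads the password field. All entries are constructed except jbastian's UID 12257 and `*` password field; the locked `!!` entry goes beyond the case in the report.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed entries. Only jbastian / 12257 / "*" comes from the report. */
struct entry { const char *name; unsigned uid; const char *passwd; };

const struct entry sample[] = {
    { "localuser",  1000,  "$6$examplesalt$examplehash" },
    { "jbastian",   12257, "*"  },   /* SSSD + Kerberos: no local hash */
    { "daemon",     2,     "*"  },
    { "lockeduser", 1001,  "!!" },   /* locked local login */
};
enum { N_SAMPLE = sizeof sample / sizeof sample[0] };

/* Reconstruction of the check as Comment 4 describes it: "$n$..." or
 * a string made only of [./A-Za-z0-9]. */
bool looks_like_hash(const char *pw)
{
    if (pw[0] == '$' && isdigit((unsigned char)pw[1]) && pw[2] == '$')
        return true;
    return strspn(pw, "./ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                      "abcdefghijklmnopqrstuvwxyz0123456789") == strlen(pw);
}

/* Hash-based classification: no recognisable hash means "system account". */
bool system_by_hash(const struct entry *e) { return !looks_like_hash(e->passwd); }

/* Hypothetical alternative that never reads the password field.
 * UID_MIN_ASSUMED = 1000 is an assumption (local users above are 1000/1001). */
#define UID_MIN_ASSUMED 1000u
bool system_by_uid(const struct entry *e) { return e->uid < UID_MIN_ASSUMED; }

/* Number of entries on which the two classifications disagree. */
int count_disagreements(void)
{
    int n = 0;
    for (int i = 0; i < N_SAMPLE; i++)
        n += system_by_hash(&sample[i]) != system_by_uid(&sample[i]);
    return n;
}

int main(void)
{
    for (int i = 0; i < N_SAMPLE; i++)
        printf("%-10s uid=%-5u by_hash=%d by_uid=%d\n", sample[i].name,
               sample[i].uid, system_by_hash(&sample[i]), system_by_uid(&sample[i]));
    printf("disagreements: %d\n", count_disagreements());
    return 0;
}
```

The two entries that disagree are the SSSD user and the locked local user: both are login accounts with no readable hash, which is why the hash-based check hides them from the user list.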

Comment 7 Stef Walter 2013-05-14 07:30:26 UTC
I've attached a better patch upstream at: https://bugs.freedesktop.org/show_bug.cgi?id=64186

Jeff, is this something you're interested in testing?

Comment 8 Jeff Bastian 2013-05-14 15:03:01 UTC
Sure.  Do you have an rpm, or should I grab the upstream patch and build locally?

Comment 9 Jeff Bastian 2013-05-15 19:14:38 UTC
I installed the latest accountsservice-0.6.32-1.fc19 from koji and verified that my account from sssd+ldap is listed at the gdm screen.  Thanks!

http://koji.fedoraproject.org/koji/buildinfo?buildID=419176

Comment 10 Stef Walter 2013-05-17 12:22:40 UTC
Thanks for testing.

Comment 11 Stef Walter 2013-06-12 15:44:45 UTC
Another update that should include this fix: https://admin.fedoraproject.org/updates/accountsservice-0.6.34-1.fc19

Installing, and testing here...