Description of problem:
My system is configured to run SSSD to authenticate users with LDAP & Kerberos, but the gdm user list does not show the ldap users. Only local users (from /etc/passwd) appear on the gdm user list. I have to select "Not listed?" and enter my username every time to login. Previous versions of gdm would remember your username after you've logged in once via the "Not listed?" method.

This is also a problem for fast user switching since there's no indication that I'm already logged in (or *still* logged in) from the gdm screen.

Version-Release number of selected component (if applicable):
gdm-3.8.1.1-1.fc19.x86_64
accountsservice-0.6.31-1.fc19.x86_64
sssd-1.10.0-1.fc19.alpha1.x86_64
openldap-2.4.35-3.fc19.x86_64

How reproducible:
every time?

Steps to Reproduce:
1. configure system to use SSSD with LDAP & Kerberos servers
2. login with gdm once via "Not listed?" prompt
3. logout

Actual results:
gdm user list is missing the LDAP user

Expected results:
gdm remembers LDAP users and includes them in the user list

Additional info:
This might be a problem with accountsservice. I sent a dbus query and my UID is not listed:

$ dbus-send --system --type=method_call --print-reply \
    --dest=org.freedesktop.Accounts \
    /org/freedesktop/Accounts \
    org.freedesktop.Accounts.ListCachedUsers
method return sender=:1.85 -> dest=:1.314 reply_serial=2
   array [
      object path "/org/freedesktop/Accounts/User1000"
      object path "/org/freedesktop/Accounts/User1001"
   ]

UIDs 1000 and 1001 are the two local users in /etc/passwd. My UID is 12257.

However, the accountsservice system *does* remember my preferred session:

$ dbus-send --system --type=method_call --print-reply \
    --dest=org.freedesktop.Accounts \
    /org/freedesktop/Accounts/User12257 \
    org.freedesktop.DBus.Properties.Get \
    string:"org.freedesktop.Accounts.User" string:"XSession"
method return sender=:1.85 -> dest=:1.315 reply_serial=2
   variant       string "gnome"
I tried forcing it to cache me:

$ dbus-send --system --type=method_call --print-reply \
    --dest=org.freedesktop.Accounts \
    /org/freedesktop/Accounts \
    org.freedesktop.Accounts.CacheUser \
    string:"jbastian"
method return sender=:1.85 -> dest=:1.408 reply_serial=2
   object path "/org/freedesktop/Accounts/User12257"

It prompted for a password and, based on the reply, it appeared to work. However, I'm still not cached:

$ dbus-send --system --type=method_call --print-reply \
    --dest=org.freedesktop.Accounts \
    /org/freedesktop/Accounts \
    org.freedesktop.Accounts.ListCachedUsers
method return sender=:1.85 -> dest=:1.415 reply_serial=2
   array [
      object path "/org/freedesktop/Accounts/User1000"
      object path "/org/freedesktop/Accounts/User1001"
   ]

Apparently accountsservice thinks I'm a system account and that's why it won't cache me:

$ dbus-send --system --type=method_call --print-reply \
    --dest=org.freedesktop.Accounts \
    /org/freedesktop/Accounts/User12257 \
    org.freedesktop.DBus.Properties.Get \
    string:"org.freedesktop.Accounts.User" string:"SystemAccount"
method return sender=:1.85 -> dest=:1.418 reply_serial=2
   variant       boolean true
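
The two D-Bus checks used in the comments above can be combined into one diagnostic; this is an added example, not part of the original thread or of accountsservice. The function names and the three result labels are hypothetical, and the sample replies are constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example: interpret dbus-send replies from org.freedesktop.Accounts.
# Function names are hypothetical; the D-Bus calls are the ones in the thread.

# stdin: ListCachedUsers reply -> one cached UID per line
cached_uids() {
    sed -n 's|.*object path "/org/freedesktop/Accounts/User\([0-9][0-9]*\)".*|\1|p'
}

# stdin: Properties.Get reply holding a boolean -> "true" or "false"
variant_bool() {
    sed -n 's/.*variant[[:space:]]*boolean[[:space:]]*\([a-z]*\).*/\1/p'
}

# Prints listed | hidden-system-account | not-cached for one UID.
classify_replies() {
    uid=$1; list_reply=$2; prop_reply=$3
    if printf '%s\n' "$list_reply" | cached_uids | grep -qxF "$uid"; then
        echo listed
    elif [ "$(printf '%s\n' "$prop_reply" | variant_bool)" = true ]; then
        echo hidden-system-account
    else
        echo not-cached
    fi
}

# Live check; needs accountsservice reachable on the system bus.
check_user() {
    uid=$(id -u "$1") || return 2
    list=$(dbus-send --system --type=method_call --print-reply \
        --dest=org.freedesktop.Accounts /org/freedesktop/Accounts \
        org.freedesktop.Accounts.ListCachedUsers) || return 2
    prop=$(dbus-send --system --type=method_call --print-reply \
        --dest=org.freedesktop.Accounts "/org/freedesktop/Accounts/User$uid" \
        org.freedesktop.DBus.Properties.Get \
        string:"org.freedesktop.Accounts.User" string:"SystemAccount") || return 2
    classify_replies "$uid" "$list" "$prop"
}

# Sample replies, constructed from the output quoted in the thread.
SAMPLE_LIST='method return sender=:1.85 -> dest=:1.415 reply_serial=2
   array [
      object path "/org/freedesktop/Accounts/User1000"
      object path "/org/freedesktop/Accounts/User1001"
   ]'
SAMPLE_PROP='method return sender=:1.85 -> dest=:1.418 reply_serial=2
   variant       boolean true'

# With a username argument, query the live service; otherwise use the samples.
if [ -n "${1:-}" ]; then check_user "$1"; else classify_replies 12257 "$SAMPLE_LIST" "$SAMPLE_PROP"; fi
```
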
I downgraded to accountsservice-0.6.30-2.fc19.x86_64 and that fixed it! I see my account now in the gdm user list, and I can verify it with dbus-send:

$ dbus-send --system --type=method_call --print-reply \
    --dest=org.freedesktop.Accounts \
    /org/freedesktop/Accounts \
    org.freedesktop.Accounts.ListCachedUsers
method return sender=:1.3 -> dest=:1.84 reply_serial=2
   array [
      object path "/org/freedesktop/Accounts/User12257"
      object path "/org/freedesktop/Accounts/User1000"
      object path "/org/freedesktop/Accounts/User1001"
   ]

$ dbus-send --system --type=method_call --print-reply \
    --dest=org.freedesktop.Accounts \
    /org/freedesktop/Accounts/User12257 \
    org.freedesktop.DBus.Properties.Get \
    string:"org.freedesktop.Accounts.User" string:"SystemAccount"
method return sender=:1.3 -> dest=:1.85 reply_serial=2
   variant       boolean false

I suspect this patch is the problem:
http://cgit.freedesktop.org/accountsservice/commit/?id=8dd2ac2a79636349de5846fab2050a7866f2ddee
Since we use Kerberos, my password is just a "*" in the passwd entry (according to getent). That would match a system account by the commit 8dd2ac2 mentioned above since that looks for passwords that match "$n$..." or "[./A-Za-z0-9]*".

Moving this to accountsservice component.
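
A sketch of the misclassification described in the comment above, as an added example that is not part of the thread and is not the accountsservice source: it applies only the two password-field patterns the comment quotes to passwd-format lines, and reports the accounts a shape test alone would treat as system accounts. The function names, the UID floor of 1000 and the sample entries (other than jbastian's UID and "*" field) are assumptions.

```shell
#!/bin/sh
# Added example: which accounts would a password-field shape test hide?
# Implements only the two patterns quoted in the comment above.
LC_ALL=C; export LC_ALL   # keep the bracket ranges byte-based

# Returns 0 if the field matches "$n$..." or "[./A-Za-z0-9]*".
looks_like_hash() {
    case $1 in
        '$'?*'$'?*)       return 0 ;;  # modular crypt form: $id$salt...
        *[!./A-Za-z0-9]*) return 1 ;;  # contains a character outside the DES crypt set
        *)                return 0 ;;  # only [./A-Za-z0-9] (the empty string included)
    esac
}

# stdin:  passwd(5)-format lines, e.g. from `getent passwd`
# stdout: "name uid field" for accounts at or above min_uid whose password
#         field fails the shape test. min_uid defaults to 1000 (assumption).
flagged_by_shape() {
    min_uid=${1:-1000}
    while IFS=: read -r name field uid _rest; do
        [ -n "$name" ] || continue
        case $uid in ''|*[!0-9]*) continue ;; esac   # skip malformed lines
        [ "$uid" -ge "$min_uid" ] || continue
        looks_like_hash "$field" || printf '%s %s %s\n' "$name" "$uid" "$field"
    done
}

# Constructed sample: shadowed local accounts show "x" through NSS, while the
# Kerberos-authenticated directory user shows "*", as reported in the thread.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Local user:/home/alice:/bin/bash
jbastian:*:12257:12257:Directory user (SSSD):/home/jbastian:/bin/bash'

printf '%s\n' "$SAMPLE_PASSWD" | flagged_by_shape
```

On a live host, `getent passwd | flagged_by_shape` lists the directory-backed accounts whose placeholder password field would trip a check of this kind.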
Created attachment 742381
patch to revert upstream commit 8dd2ac2

I reversed commit 8dd2ac2 from the 0.6.31 packages with the attached patch and built a test package:
accountsservice-0.6.31-2.fc19.no8dd2ac2.x86_64
http://koji.fedoraproject.org/koji/taskinfo?taskID=5322859

I still show up in the gdm list, and I'm in the cached-user-list still and I'm not marked as a system account, so I've confirmed that 8dd2ac2 is the problem.
Hmm, yes that is indeed broken. We shouldn't count on reading a password hash.
I've attached a better patch upstream at:
https://bugs.freedesktop.org/show_bug.cgi?id=64186

Jeff, is this something you're interested in testing?
Sure. Do you have an rpm, or should I grab the upstream patch and build locally?
I installed the latest accountsservice-0.6.32-1.fc19 from koji and verified that my account from sssd+ldap is listed at the gdm screen. Thanks!
http://koji.fedoraproject.org/koji/buildinfo?buildID=419176
Thanks for testing.
Another update that should include this fix:
https://admin.fedoraproject.org/updates/accountsservice-0.6.34-1.fc19

Installing, and testing here...