SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

offline authentication and desktop profiles #5846

Closed stanislavlevin closed 3 years ago

stanislavlevin commented 3 years ago

sssd version: 2.5.2, 2.6.0 (older ones were not checked). Linux distro: ALTLinux. domain type: IPA

Offline authentication described in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sssd-cache-cred doesn't work for my distro.

How to reproduce: I set cache_credentials = True for the IPA domain and logged in successfully as a domain user on a host while it was online. Next, I failed to log in as that user via sddm while the host was offline.

Reason: PAM_SESSION_ERR for PAM session stack configured as session required pam_sss.so.

Logs: pam_sss.log:

(2021-10-22 17:39:43): [pam] [pd_set_primary_name] (0x0400): User's primary name is user01@ipaoffline.test
(2021-10-22 17:39:43): [pam] [pam_initgr_check_timeout] (0x2000): User [user01] found in PAM cache.
(2021-10-22 17:39:43): [pam] [pam_dp_send_req] (0x0100): Sending request [CID #2] with the following data:
(2021-10-22 17:39:43): [pam] [pam_print_data] (0x0100): [CID #2] command: SSS_PAM_OPEN_SESSION
(2021-10-22 17:39:43): [pam] [pam_print_data] (0x0100): [CID #2] domain: ipaoffline.test
(2021-10-22 17:39:43): [pam] [pam_print_data] (0x0100): [CID #2] user: user01@ipaoffline.test
(2021-10-22 17:39:43): [pam] [pam_print_data] (0x0100): [CID #2] service: systemd-user
(2021-10-22 17:39:43): [pam] [pam_print_data] (0x0100): [CID #2] tty: not set
(2021-10-22 17:39:43): [pam] [pam_print_data] (0x0100): [CID #2] ruser: not set
(2021-10-22 17:39:43): [pam] [pam_print_data] (0x0100): [CID #2] rhost: not set
(2021-10-22 17:39:43): [pam] [pam_print_data] (0x0100): [CID #2] authtok type: 0 (No authentication token available)
(2021-10-22 17:39:43): [pam] [pam_print_data] (0x0100): [CID #2] newauthtok type: 0 (No authentication token available)
(2021-10-22 17:39:43): [pam] [pam_print_data] (0x0100): [CID #2] priv: 1
(2021-10-22 17:39:43): [pam] [pam_print_data] (0x0100): [CID #2] cli_pid: 3508
(2021-10-22 17:39:43): [pam] [pam_print_data] (0x0100): [CID #2] logon name: user01
(2021-10-22 17:39:43): [pam] [pam_print_data] (0x0100): [CID #2] flags: 0
(2021-10-22 17:39:43): [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(2021-10-22 17:39:43): [pam] [sbus_dispatch] (0x4000): Dispatching.
(2021-10-22 17:39:43): [pam] [pam_dp_send_req_done] (0x0200): received: [14 (Cannot make/remove an entry for the specified session)][ipaoffline.test][CID #2]
(2021-10-22 17:39:43): [pam] [pam_reply] (0x4000): pam_reply initially called with result [14]: Cannot make/remove an entry for the specified session. this result might be changed during processing
(2021-10-22 17:39:43): [pam] [pam_reply] (0x0200): blen: 32
(2021-10-22 17:39:43): [pam] [pam_reply] (0x0200): Returning [14]: Cannot make/remove an entry for the specified session to the client [CID #2]

sssd_be.log:

(2021-10-22 17:39:43): [be[ipaoffline.test]] [dp_pam_handler_send] (0x0100): Got request with the following data
(2021-10-22 17:39:43): [be[ipaoffline.test]] [pam_print_data] (0x0100): [CID #2] command: SSS_PAM_OPEN_SESSION
(2021-10-22 17:39:43): [be[ipaoffline.test]] [pam_print_data] (0x0100): [CID #2] domain: ipaoffline.test
(2021-10-22 17:39:43): [be[ipaoffline.test]] [pam_print_data] (0x0100): [CID #2] user: user01@ipaoffline.test
(2021-10-22 17:39:43): [be[ipaoffline.test]] [pam_print_data] (0x0100): [CID #2] service: systemd-user
(2021-10-22 17:39:43): [be[ipaoffline.test]] [pam_print_data] (0x0100): [CID #2] tty:
(2021-10-22 17:39:43): [be[ipaoffline.test]] [pam_print_data] (0x0100): [CID #2] ruser:
(2021-10-22 17:39:43): [be[ipaoffline.test]] [pam_print_data] (0x0100): [CID #2] rhost:
(2021-10-22 17:39:43): [be[ipaoffline.test]] [pam_print_data] (0x0100): [CID #2] authtok type: 0 (No authentication token available)
(2021-10-22 17:39:43): [be[ipaoffline.test]] [pam_print_data] (0x0100): [CID #2] newauthtok type: 0 (No authentication token available)
(2021-10-22 17:39:43): [be[ipaoffline.test]] [pam_print_data] (0x0100): [CID #2] priv: 1
(2021-10-22 17:39:43): [be[ipaoffline.test]] [pam_print_data] (0x0100): [CID #2] cli_pid: 3508
(2021-10-22 17:39:43): [be[ipaoffline.test]] [pam_print_data] (0x0100): [CID #2] logon name: not set
(2021-10-22 17:39:43): [be[ipaoffline.test]] [pam_print_data] (0x0100): [CID #2] flags: 0
(2021-10-22 17:39:43): [be[ipaoffline.test]] [dp_attach_req] (0x0400): DP Request [PAM Open Session #288]: REQ_TRACE: New request. [sssd.pam CID #2] Flags [0000].
(2021-10-22 17:39:43): [be[ipaoffline.test]] [dp_attach_req] (0x0400): Number of active DP request: 1
(2021-10-22 17:39:43): [be[ipaoffline.test]] [sss_domain_get_state] (0x1000): Domain ipaoffline.test is Active
(2021-10-22 17:39:43): [be[ipaoffline.test]] [ipa_pam_session_handler_send] (0x0400): Retrieving Desktop Profile rules
(2021-10-22 17:39:43): [be[ipaoffline.test]] [remove_tree_with_ctx] (0x0020): Cannot open /var/lib/sss/deskprofile/ipaoffline.test/user01: [2]: No such file or directory
(2021-10-22 17:39:43): [be[ipaoffline.test]] [remove_tree_with_ctx] (0x0020): Cannot open /var/lib/sss/deskprofile/ipaoffline.test/user01: [2]: No such file or directory
(2021-10-22 17:39:43): [be[ipaoffline.test]] [ipa_fetch_deskprofile_send] (0x4000): Connection status is [offline].
(2021-10-22 17:39:43): [be[ipaoffline.test]] [ipa_fetch_deskprofile_send] (0x0400): Performing cached Desktop Profile evaluation
(2021-10-22 17:39:43): [be[ipaoffline.test]] [deskprofile_get_cached_priority] (0x0020): sysdb_search_custom_by_name() failed [2]: No such file or directory
(2021-10-22 17:39:43): [be[ipaoffline.test]] [ipa_pam_session_handler_save_deskprofile_rules] (0x0020): deskprofile_get_cached_priority() failed [2]: No such file or directory
(2021-10-22 17:39:43): [be[ipaoffline.test]] [dp_req_done] (0x0400): DP Request [PAM Open Session #288]: Request handler finished [0]: Success

In this case, the DC is not configured for desktop profiles (there are no corresponding LDAP schema/entries). That is why the desktop profile config and rules were not cached in sysdb on the successful online logon.

Existent workarounds:

But both require manual configuration.
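Added here as an example (not part of the issue or of SSSD's own code): a small Python parser for the pam_sss.log and sssd_be.log line format quoted above that groups the pam responder's fields by CID, extracts the result code it returned to the client, and flags an open-session request that came back PAM_SESSION_ERR (14) while the backend logged that it was offline and that the cached desktop-profile lookup failed. The embedded log lines are constructed to match the excerpt's format; the detector only recognises the exact messages shown in the issue.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the issue's log excerpt (not from a live host).
PAM_LOG = """\
(2021-10-22 17:39:43): [pam] [pam_print_data] (0x0100): [CID #2] command: SSS_PAM_OPEN_SESSION
(2021-10-22 17:39:43): [pam] [pam_print_data] (0x0100): [CID #2] domain: ipaoffline.test
(2021-10-22 17:39:43): [pam] [pam_print_data] (0x0100): [CID #2] user: user01@ipaoffline.test
(2021-10-22 17:39:43): [pam] [pam_print_data] (0x0100): [CID #2] service: systemd-user
(2021-10-22 17:39:43): [pam] [pam_reply] (0x0200): Returning [14]: Cannot make/remove an entry for the specified session to the client [CID #2]
"""
BE_LOG = """\
(2021-10-22 17:39:43): [be[ipaoffline.test]] [ipa_fetch_deskprofile_send] (0x4000): Connection status is [offline].
(2021-10-22 17:39:43): [be[ipaoffline.test]] [deskprofile_get_cached_priority] (0x0020): sysdb_search_custom_by_name() failed [2]: No such file or directory
"""
PAM_SESSION_ERR = 14  # the PAM return code in the pam_reply line above

# "(timestamp): [component] [function] (debug level): message"
LINE_RE = re.compile(r"^\(([^)]+)\): \[(.+?)\] \[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
FIELD_RE = re.compile(r"^\[CID #(\d+)\] ([\w ]+): (.*)$")
RETURN_RE = re.compile(r"Returning \[(\d+)\]: (.*) to the client \[CID #(\d+)\]")

def parse_lines(text):
    """Parse every well-formed SSSD debug line into its function name and message."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def pam_requests(pam_log):
    """Per-CID fields printed by the pam responder, plus the result it returned."""
    reqs = defaultdict(dict)
    for rec in parse_lines(pam_log):
        m = FIELD_RE.match(rec["msg"]) if rec["func"] == "pam_print_data" else None
        if m:
            reqs[m.group(1)][m.group(2)] = m.group(3).strip()
        m = RETURN_RE.search(rec["msg"]) if rec["func"] == "pam_reply" else None
        if m:
            reqs[m.group(3)]["result"] = int(m.group(1))
            reqs[m.group(3)]["result_text"] = m.group(2)
    return dict(reqs)

def offline_session_failures(pam_log, be_log):
    """CIDs whose SSS_PAM_OPEN_SESSION hit PAM_SESSION_ERR while the backend was offline."""
    be = parse_lines(be_log)
    offline = any("Connection status is [offline]" in r["msg"] for r in be)
    dp_miss = any(r["func"] == "deskprofile_get_cached_priority"
                  and "failed" in r["msg"] for r in be)
    if not (offline and dp_miss):
        return []
    return sorted(cid for cid, f in pam_requests(pam_log).items()
                  if f.get("command") == "SSS_PAM_OPEN_SESSION"
                  and f.get("result") == PAM_SESSION_ERR)
```

Point it at the real files under /var/log/sssd/ to check whether a failed offline login matches this signature rather than an unrelated session error.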

pbrezina commented 3 years ago

Pushed PR: https://github.com/SSSD/sssd/pull/5847