So I installed it all according to the documentation and video, and interestingly I face this behavior:
invalid username = Got response: User doesn't exist
valid username with wrong password = Got response: Invalid credentials
valid username with correct credentials = Got response: Invalid credentials
```text
XX@jumphost:~$ journalctl -b0 | grep _aad
Aug 07 16:48:19 jumphost aad_auth[761]: nss_aad: Log output set to syslog
Aug 07 16:48:19 jumphost aad_auth[761]: nss_aad: Log level set to Debug
Aug 07 16:48:19 jumphost aad_auth[761]: nss_aad: get_all_entries for group
Aug 07 16:48:19 jumphost aad_auth[761]: nss_aad: opening database connection from /var/lib/aad/cache
Aug 07 16:48:19 jumphost aad_auth[761]: nss_aad: cache not found: no aad-auth cache found at "/var/lib/aad/cache"
Aug 07 16:48:19 jumphost aad_auth[774]: nss_aad: Log output set to syslog
Aug 07 16:48:19 jumphost aad_auth[774]: nss_aad: Log level set to Debug
Aug 07 16:48:19 jumphost aad_auth[774]: nss_aad: get_all_entries for group
Aug 07 16:48:19 jumphost aad_auth[774]: nss_aad: opening database connection from /var/lib/aad/cache
Aug 07 16:48:19 jumphost aad_auth[774]: nss_aad: cache not found: no aad-auth cache found at "/var/lib/aad/cache"
Aug 07 16:48:20 jumphost aad_auth[895]: nss_aad: Log output set to syslog
Aug 07 16:48:20 jumphost aad_auth[895]: nss_aad: Log level set to Debug
Aug 07 16:48:20 jumphost aad_auth[895]: nss_aad: get_all_entries for group
Aug 07 16:48:20 jumphost aad_auth[895]: nss_aad: opening database connection from /var/lib/aad/cache
Aug 07 16:48:20 jumphost aad_auth[895]: nss_aad: cache not found: no aad-auth cache found at "/var/lib/aad/cache"
Aug 07 16:48:20 jumphost aad_auth[895]: nss_aad: get_all_entries for group
Aug 07 16:48:20 jumphost aad_auth[895]: nss_aad: opening database connection from /var/lib/aad/cache
Aug 07 16:48:20 jumphost aad_auth[895]: nss_aad: cache not found: no aad-auth cache found at "/var/lib/aad/cache"
Aug 07 17:48:32 jumphost aad_auth[1324]: nss_aad: Log output set to syslog
Aug 07 17:48:32 jumphost aad_auth[1324]: nss_aad: Log level set to Debug
Aug 07 17:48:32 jumphost aad_auth[1324]: nss_aad: get_all_entries for group
Aug 07 17:48:32 jumphost aad_auth[1324]: nss_aad: opening database connection from /var/lib/aad/cache
Aug 07 17:48:32 jumphost aad_auth[1324]: nss_aad: cache not found: no aad-auth cache found at "/var/lib/aad/cache"
XX@jumphost:~$

Aug 07 17:49:12 jumphost sshd[1501]: pam_aad(sshd:auth): aad auth debug enabled
Aug 07 17:49:12 jumphost sshd[1501]: pam_aad(sshd:auth): PAM AAD DEBUG enabled
Aug 07 17:49:12 jumphost sshd[1501]: pam_aad(sshd:auth): Loading configuration from /etc/aad.conf
Aug 07 17:49:12 jumphost sshd[1501]: pam_aad(sshd:auth): Connecting to "https://login.microsoftonline.com/XXXXXXXX", with clientID "XXXXXXX" for user "XXXX@XXXX.XX"
Aug 07 17:49:13 jumphost sshd[1501]: pam_aad(sshd:auth): Got response: Invalid credentials
XX@jumphost:~$
```
Here are the relevant configs:

/etc/pam.d/common-auth:

```text
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=3 default=ignore]    pam_unix.so nullok
auth    [success=2 default=ignore]    pam_sss.so use_first_pass
auth    [success=1 default=ignore]    pam_aad.so debug
# here's the fallback if no module succeeds
auth    requisite                     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                      pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                      pam_cap.so
# end of pam-auth-update config
```
/etc/environment:

```text
NSS_AAD_DEBUG=1
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"
```
```text
XX@jumphost:~$ uname -a
Linux jumphost 6.2.0-26-generic #26-Ubuntu SMP PREEMPT_DYNAMIC Mon Jul 10 23:39:54 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
```
/etc/aad.conf:

```ini
## required values
## See https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
## for more information on how to set up an Azure AD app.
#tenant_id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
#app_id = yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
tenant_id = XXXXXX
app_id = XXXXXX

## optional values (defaults)
#offline_credentials_expiration = 90 ; duration in days a user can log in without online verification
#                                    ; set to 0 to prevent old users from being cleaned and allow offline authentication for an undetermined amount of time
#                                    ; set to a negative value to prevent offline authentication
#homedir = /home/%f ; home directory pattern for the user, the following mapping applies:
#                   ; %f - full username
#                   ; %U - UID
#                   ; %l - first char of username
#                   ; %u - username without domain
#                   ; %d - domain
#shell = /bin/bash ; default shell for the user

## overriding values for a specific domain, every value inside a section is optional
#[domain.com]
#tenant_id = aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
#app_id = bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb
#offline_credentials_expiration = 30
#homedir = /home/domain.com/%u
#shell = /bin/zsh
```
Any idea where I am doing it wrong?
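To see how the `auth` stack in the pasted common-auth is actually evaluated, here is an added example (my own code, not from the original post and not libpam) that walks that stack with the `[success=N default=ignore]`, `requisite`, `required` and `optional` rules it uses. It shows that every `success=N` jump lands exactly on `pam_permit.so`, as pam-auth-update intends, and that when pam_unix, pam_sss and pam_aad all return a failure the walk ends at `pam_deny.so`, which is why an "Invalid credentials" answer from pam_aad.so surfaces as a rejected login. Treating pam_cap.so as always succeeding is an assumption of this model.

```python
"""Walk the 'auth' stack from the /etc/pam.d/common-auth pasted above.

Added example: not from the original post and not libpam code.  It models
only the control syntax that file uses:
  [success=N default=ignore]  success: skip the next N lines; failure: ignored
  requisite                   failure: stop at once with that result
  required                    failure: remember the first failure, keep going
  optional                    counts only if nothing else set a result
Each module's answer for the login is supplied in a dict, so the walk runs
offline without any PAM module present.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# The stack from the pasted file, in order (module arguments omitted).
COMMON_AUTH = [
    ("[success=3 default=ignore]", "pam_unix.so"),
    ("[success=2 default=ignore]", "pam_sss.so"),
    ("[success=1 default=ignore]", "pam_aad.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
    ("optional", "pam_cap.so"),
]

# Modules whose answer never depends on the user.  pam_cap.so only grants
# capabilities, so counting it as a success is an assumption of this model.
FIXED = {
    "pam_deny.so": PAM_AUTH_ERR,
    "pam_permit.so": PAM_SUCCESS,
    "pam_cap.so": PAM_SUCCESS,
}


def _jump_count(control):
    """Extract N from a '[success=N default=ignore]' control field."""
    return int(control[len("[success="):].split()[0].rstrip("]"))


def jump_targets(stack):
    """Map each [success=N] module to the line its success jumps to."""
    targets = {}
    for i, (control, module) in enumerate(stack):
        if control.startswith("[success="):
            targets[module] = stack[i + 1 + _jump_count(control)][1]
    return targets


def walk_stack(stack, results):
    """Return (final_result, modules_that_ran) for one pass over the stack.

    `results` maps module name -> what it returns for this login; modules
    absent from it (other than the FIXED ones) are taken to fail."""
    status = None  # first "sticky" result, like libpam's impression logic
    ran = []
    i = 0
    while i < len(stack):
        control, module = stack[i]
        res = FIXED.get(module, results.get(module, PAM_AUTH_ERR))
        ran.append(module)
        if control.startswith("[success="):
            if res == PAM_SUCCESS:
                if status is None:
                    status = PAM_SUCCESS
                i += 1 + _jump_count(control)  # skip the next N lines
                continue
            # default=ignore: a failure here does not touch the outcome
        elif control in ("required", "requisite"):
            if res == PAM_SUCCESS:
                if status is None:
                    status = PAM_SUCCESS
            else:
                if status in (None, PAM_SUCCESS):
                    status = res  # the first failure is the one reported
                if control == "requisite":
                    break
        elif control == "optional" and res == PAM_SUCCESS and status is None:
            status = PAM_SUCCESS
        i += 1
    return (PAM_PERM_DENIED if status is None else status), ran


def login_outcomes():
    """The four cases that matter for this stack: which module, if any, accepts."""
    cases = {
        "unix ok": {"pam_unix.so": PAM_SUCCESS},
        "sss ok": {"pam_sss.so": PAM_SUCCESS},
        "aad ok": {"pam_aad.so": PAM_SUCCESS},
        "all fail": {},  # what an "Invalid credentials" answer from pam_aad produces
    }
    return {name: walk_stack(COMMON_AUTH, r) for name, r in cases.items()}


if __name__ == "__main__":
    print("jump targets:", jump_targets(COMMON_AUTH))
    for name, (result, ran) in login_outcomes().items():
        print(f"{name:9s} -> {result:15s} ran: {' -> '.join(ran)}")
```

The walk stops at `pam_deny.so` only when all three Primary modules fail, so the `[success=N]` arithmetic is not where the pasted setup goes wrong; the failure is whatever makes pam_aad.so answer "Invalid credentials" for a correct password.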
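As an added example (not the aad-auth project's code and not from the original post), the following resolves the effective settings for one user from a config in the layout of the /etc/aad.conf template above: top-level values, overridden by the user's `[domain]` section where one exists, with every key in a section optional and the `homedir` pattern expanded through the documented `%f`/`%U`/`%l`/`%u`/`%d` mapping. The parser is a minimal one written here, the sample config is constructed, and the UID is passed in rather than computed by the module.

```python
"""Resolve the effective aad.conf settings for one user.

Added example; not code from the aad-auth project or from the original post.
It implements the rules the template documents: values in a [domain]
section override the top-level ones, every key in a section is optional,
and the homedir pattern expands %f, %U, %l, %u and %d.  The parser, the
sample config and the UID argument are assumptions of this example.
"""

# Constructed sample in the same layout as the pasted /etc/aad.conf.
SAMPLE_CONF = """
## required values
tenant_id = 11111111-1111-1111-1111-111111111111
app_id = 22222222-2222-2222-2222-222222222222

## optional values (defaults)
offline_credentials_expiration = 90 ; duration in days a user can log in offline
homedir = /home/%f ; home directory pattern
shell = /bin/bash ; default shell

[domain.com]
tenant_id = aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
app_id = bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb
offline_credentials_expiration = 30
homedir = /home/domain.com/%u
shell = /bin/zsh
"""

# Defaults the template lists for the optional keys.
DEFAULTS = {
    "offline_credentials_expiration": "90",
    "homedir": "/home/%f",
    "shell": "/bin/bash",
}


def parse_conf(text):
    """Parse the INI-like file into {"": top-level keys, "domain": keys, ...}.

    Comments start with '#' or ';' and may follow a value on the same line."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def effective_settings(sections, username):
    """Defaults, then top-level values, then the user's [domain] section."""
    settings = dict(DEFAULTS)
    settings.update(sections[""])
    domain = username.rpartition("@")[2].lower() if "@" in username else ""
    settings.update(sections.get(domain, {}))
    return settings


def expand_homedir(pattern, username, uid):
    """Apply the %f/%U/%l/%u/%d mapping the template documents."""
    local, _, domain = username.partition("@")
    mapping = {
        "%f": username,      # full username
        "%U": str(uid),      # UID (computed by the module; passed in here)
        "%l": username[:1],  # first char of username
        "%u": local,         # username without domain
        "%d": domain,        # domain
    }
    out = pattern
    for token, value in mapping.items():
        out = out.replace(token, value)
    return out


def resolve_user(text, username, uid):
    """Return the settings that apply to `username` for the given config text."""
    settings = effective_settings(parse_conf(text), username)
    settings["homedir"] = expand_homedir(settings["homedir"], username, uid)
    settings["offline_credentials_expiration"] = int(
        settings["offline_credentials_expiration"])
    return settings


if __name__ == "__main__":
    for user in ("alice@domain.com", "bob@other.org"):
        print(user, resolve_user(SAMPLE_CONF, user, 100000))
```

Running it shows the two code paths side by side: `alice@domain.com` picks up the `[domain.com]` overrides (its own tenant, a 30-day offline window, `/home/domain.com/alice`, zsh), while `bob@other.org` has no section and falls back to the top-level values and the template defaults.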