2023-08-01T15:25:07.377744+02:00 sonair-build sudo: pam_aad(sudo:auth): aad auth debug enabled
2023-08-01T15:25:07.378095+02:00 sonair-build sudo: pam_aad(sudo:auth): PAM AAD DEBUG enabled
2023-08-01T15:25:07.378264+02:00 sonair-build sudo: pam_aad(sudo:auth): Loading configuration from /etc/aad.conf
2023-08-01T15:25:07.378412+02:00 sonair-build sudo: pam_aad(sudo:auth): Connecting to "https://login.microsoftonline.com/itentionally_removed", with clientID "also_removed" for user "espen@sonair.com"
2023-08-01T15:25:07.613737+02:00 sonair-build sudo: pam_aad(sudo:auth): Authentication successful even if requiring MFA
2023-08-01T15:25:07.614004+02:00 sonair-build sudo: pam_aad(sudo:auth): Cache initialization
2023-08-01T15:25:07.614160+02:00 sonair-build sudo: pam_aad(sudo:auth): Opening cache in /var/lib/aad/cache
2023-08-01T15:25:07.614316+02:00 sonair-build sudo: pam_aad(sudo:auth): check file permissions on /var/lib/aad/cache/passwd.db
2023-08-01T15:25:07.614545+02:00 sonair-build sudo: pam_aad(sudo:auth): check file permissions on /var/lib/aad/cache/shadow.db
2023-08-01T15:25:07.614745+02:00 sonair-build sudo: pam_aad(sudo:auth): Shadow db mode: 0
2023-08-01T15:25:07.614895+02:00 sonair-build sudo: pam_aad(sudo:auth): getting user information from cache for "espen@sonair.com"
2023-08-01T15:25:07.615065+02:00 sonair-build sudo: pam_aad(sudo:auth): generate user id for user "espen@sonair.com"
2023-08-01T15:25:07.615174+02:00 sonair-build sudo: pam_aad(sudo:auth): user id for "espen@sonair.com" is 231163552
2023-08-01T15:25:07.615288+02:00 sonair-build sudo: pam_aad(sudo:auth): Getting home directory for espen@sonair.com
2023-08-01T15:25:07.615451+02:00 sonair-build sudo: pam_aad(sudo:auth): inserting in cache user "espen@sonair.com"
2023-08-01T15:25:07.615604+02:00 sonair-build sudo: pam_aad(sudo:auth): can not create/open cache for nss database: failed to insert user "espen@sonair.com" in local cache: shadow database is not accessible for writing: 0. Denying access.
2023-08-01T15:25:07.615764+02:00 sonair-build sudo: pam_aad(sudo:auth): Close database request
2023-08-01T15:25:37.633236+02:00 sonair-build sudo: pam_unix(sudo:auth): No use of cache, closing underlying DB.
2023-08-01T15:25:37.634006+02:00 sonair-build sudo: pam_unix(sudo:auth): request to close passwd iteration in db
2023-08-01T15:25:37.634113+02:00 sonair-build sudo: pam_unix(sudo:auth): request to close group iteration in db
2023-08-01T15:25:37.634226+02:00 sonair-build sudo: pam_unix(sudo:auth): request to close shadow iteration in db
2023-08-01T15:29:00.481246+02:00 sonair-build sudo: pam_unix(sudo:auth): conversation failed
2023-08-01T15:29:00.483079+02:00 sonair-build sudo: pam_unix(sudo:auth): auth could not identify password for [espen@sonair.com]
Non Ubuntu users: System information and logs
Environment
aad-auth version: please run aad-cli version
Distribution: (NAME in /etc/os-release)
Distribution version: (VERSION_ID in /etc/os-release)
Log files
Please redact/remove sensitive information:
aad-auth logs can be found in the system journal and queried with:
`journalctl | grep _aad`
Application settings
Please redact/remove sensitive information:
You can get the configuration file from /etc/aad.conf
Relevant information
We followed the instructions in the README file - no problems there.
After installing libpam-aad and libnss-aad, we rebooted - but the "user not listed" was not displayed on the login prompt, so I proceeded to manually add the AD user:
sudo adduser --allow-badname espen@sonair.com
This worked - I am now able to log in to Ubuntu using my Microsoft credentials.
The next step was to add this user to sudo - and that is when the problems started - it seems that pam_aad fails when trying to authenticate.
It is communicating with Azure AD - because if I intentionally enter an incorrect password, I get
Double check your logs
[X] I have redacted any sensitive information from the logs
Is there an existing issue for this?
Describe the issue
After configuring our Ubuntu machine for Azure AD, we are able to log in and start a session, however we are not able to authenticate as sudo.
Steps to reproduce it
- Add the user to the sudo group
- Run: sudo nano /etc/aad.conf
Expected behavior: Successfully authenticated
Observed behavior: Incorrect password
Ubuntu users: System information and logs
This is the log from /var/log/auth.log.
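As an added triage example (not part of this report and not aad-auth's own code), the Python below parses pam_aad debug lines of the shape shown in the log above and separates the identity-provider outcome from the local cache outcome. The sample lines are constructed with placeholder host, tenant, client and user values; the line format, the "Close database request" boundary and the field names are assumptions based only on the log in this report.

```python
"""Triage helper for pam_aad debug lines (added example; not aad-auth code).

Assumption (hypothetical): every line has the rsyslog shape seen in the report,
"<timestamp> <host> <program>: pam_<name>(<service>:<type>): <message>".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>\S+):\s+"
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<ptype>[^)]+)\):\s+(?P<msg>.*)$"
)
USER_RE = re.compile(r'for user "([^"]+)"')
MODE_RE = re.compile(r"^Shadow db mode: (\d+)$")


@dataclass
class AadAttempt:
    """One pam_aad transaction, from its first debug line to 'Close database request'."""
    service: str
    ptype: str
    user: Optional[str] = None
    idp_ok: bool = False            # the identity provider accepted the credentials
    shadow_mode: Optional[int] = None
    denial: Optional[str] = None    # the message that ended with "Denying access."
    closed: bool = False
    messages: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        if self.denial is not None:
            # IdP said yes but the module still denied: the problem is local
            return "denied_locally" if self.idp_ok else "denied"
        return "ok" if self.idp_ok else "incomplete"


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into its fields, or return None if it is not a PAM line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines) -> List[AadAttempt]:
    """Group pam_aad lines into attempts and record the decisive facts of each."""
    attempts: List[AadAttempt] = []
    current: Optional[AadAttempt] = None
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["module"] != "pam_aad":
            continue  # pam_unix lines and non-PAM noise are irrelevant here
        if current is None or current.closed:
            current = AadAttempt(rec["service"], rec["ptype"])
            attempts.append(current)
        msg = rec["msg"]
        current.messages.append(msg)
        m = USER_RE.search(msg)
        if m and current.user is None:
            current.user = m.group(1)
        if msg.startswith("Authentication successful"):
            current.idp_ok = True
        m = MODE_RE.match(msg)
        if m:
            current.shadow_mode = int(m.group(1))
        if msg.endswith("Denying access."):
            current.denial = msg
        if msg.startswith("Close database request"):
            current.closed = True
    return attempts


def explain(a: AadAttempt) -> str:
    """One-line human verdict that keeps the IdP outcome apart from the local one."""
    who = f"{a.service}:{a.ptype} for {a.user or '<unknown>'}"
    v = a.verdict()
    if v == "denied_locally":
        return (f"{who}: IdP accepted the credentials; pam_aad denied access locally "
                f"(shadow db mode {a.shadow_mode}): {a.denial}")
    if v == "denied":
        return f"{who}: denied: {a.denial}"
    if v == "ok":
        return f"{who}: authenticated"
    return f"{who}: no outcome recorded ({len(a.messages)} lines)"


# Constructed sample mirroring the report's line shapes, with placeholder
# host, tenant, client and user values (not real log data).
SAMPLE_LOG = """\
2023-08-01T15:25:07.378264+02:00 build-host sudo: pam_aad(sudo:auth): Loading configuration from /etc/aad.conf
2023-08-01T15:25:07.378412+02:00 build-host sudo: pam_aad(sudo:auth): Connecting to "https://login.microsoftonline.com/TENANT", with clientID "CLIENT" for user "user@example.com"
2023-08-01T15:25:07.613737+02:00 build-host sudo: pam_aad(sudo:auth): Authentication successful even if requiring MFA
2023-08-01T15:25:07.614745+02:00 build-host sudo: pam_aad(sudo:auth): Shadow db mode: 0
2023-08-01T15:25:07.615604+02:00 build-host sudo: pam_aad(sudo:auth): can not create/open cache for nss database: failed to insert user "user@example.com" in local cache: shadow database is not accessible for writing: 0. Denying access.
2023-08-01T15:25:07.615764+02:00 build-host sudo: pam_aad(sudo:auth): Close database request
2023-08-01T15:25:37.633236+02:00 build-host sudo: pam_unix(sudo:auth): No use of cache, closing underlying DB.
2023-08-01T15:29:00.483079+02:00 build-host sudo: pam_unix(sudo:auth): auth could not identify password for [user@example.com]
"""

if __name__ == "__main__":
    for attempt in triage(SAMPLE_LOG.splitlines()):
        print(explain(attempt))
```

In practice the lines would come from `journalctl | grep _aad` (or /var/log/auth.log) rather than the embedded sample. The point of the split verdict is the caveat a reader of this report needs: the "Incorrect password" that sudo prints is not evidence of a credential problem. In the log above the identity provider reports "Authentication successful even if requiring MFA" and the denial only happens afterwards, when pam_aad cannot open the shadow cache for writing, so the file permissions and mode on /var/lib/aad/cache/shadow.db are where to look, not the password.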