ubuntu / adsys

Active Directory bridging tool suite
GNU General Public License v3.0

Issue: Get error: unable to open named profile (user): using the null configuration. #1002

Closed cristianapas closed 2 weeks ago

cristianapas commented 3 months ago

Is there an existing issue for this?

Describe the issue

After installing adsys I get the error `unable to open named profile (user@domain): using the null configuration` while logging. I tried to join the PC to the domain using sssd and winbind, and in both cases it works the same.

Steps to reproduce it

Using Ubuntu Desktop 24.04, and Windows Server 2012r2

Ubuntu users: System information

No response

Non Ubuntu users: System information

Environment

Log files

Please redact/remove sensitive information:

adsys service logs can be acquired by running `adsysctl service cat -v`.
You can increase the amount of information displayed by increasing the verbosity level (-v) to -vv or -vvv.

Application settings

Please redact/remove sensitive information:

Paste the contents of your adsys.yaml file here, if you created one.

Additional information

No response

Double check your logs

didrocks commented 3 months ago

Do you mind expanding a bit on what the "null configuration" is? Also, we would need the logs and more information about your system, as requested by the template.

Thanks!

snussbaumermpreis commented 1 month ago

Hello,

I have just discovered the same problem. This almost made me switch back to Windows...

The problem is the following:

With the following sssd.conf:

```
[sssd]
domains = domain.tld
config_file_version = 2
services = nss, pam, ifp
default_domain_suffix = domain.tld

[domain/DOMAIN.TLD]
default_shell = /bin/bash
krb5_store_password_if_offline = False
cache_credentials = True
krb5_realm = DOMAIN.TLD
realmd_tags = manages-system joined-with-adcli
id_provider = ad
ldap_sasl_authid = HOSTNAME$
fallback_homedir = /home/%u@%d
ad_domain = domain.tld
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
account_cache_expiration = 1
ad_gpo_access_control = enforcing
ad_gpo_cache_timeout = 30
ad_gpo_ignore_unreadable = True
ad_hostname = HOSTNAME.DOMAIN.TLD
ad_gpo_map_remote_interactive = +nx
auto_private_groups = true
ldap_user_ssh_public_key = altSecurityIdentities
ldap_user_extra_attrs = altSecurityIdentities
```

I get the following error with adsys 0.14.1 22.04; previously, with version 0.9.2 22.04.1, this worked fine.

```
Jul 17 15:06:09 HOSTNAME systemd[1]: Starting ADSys daemon service...
Jul 17 15:06:09 HOSTNAME adsysd[35284]: level=error msg="couldn't create adsys service: could not initialize AD backend: can't get domain configuration from {Conf:/etc/sssd/sssd.conf CacheDir:/var/lib/sss/db}:could not find AD domain section corresponding to \"domain.tld\">
Jul 17 15:06:09 HOSTNAME systemd[1]: adsysd.service: Main process exited, code=exited, status=1/FAILURE
Jul 17 15:06:09 HOSTNAME systemd[1]: adsysd.service: Failed with result 'exit-code'.
Jul 17 15:06:09 HOSTNAME systemd[1]: Failed to start ADSys daemon service.
```

Because of the adsys pam module, logins now fail!

With adsys 0.14.1~22.04 and the following sssd.conf (changed the domain name from upper to lower case):

```
[sssd]
domains = domain.tld
config_file_version = 2
services = nss, pam, ifp
default_domain_suffix = domain.tld

[domain/domain.tld]
default_shell = /bin/bash
krb5_store_password_if_offline = False
cache_credentials = True
krb5_realm = DOMAIN.TLD
realmd_tags = manages-system joined-with-adcli
id_provider = ad
ldap_sasl_authid = HOSTNAME$
fallback_homedir = /home/%u@%d
ad_domain = domain.tld
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
account_cache_expiration = 1
ad_gpo_access_control = enforcing
ad_gpo_cache_timeout = 30
ad_gpo_ignore_unreadable = True
ad_hostname = HOSTNAME.DOMAIN.TLD
ad_gpo_map_remote_interactive = +nx
auto_private_groups = true
ldap_user_ssh_public_key = altSecurityIdentities
ldap_user_extra_attrs = altSecurityIdentities
```

Adsys starts and works fine with this, but first of all, this is now a different username because that changes to lowercase too, but more importantly, when using any domain user now I can't change any GUI settings (not even desktop backgrounds). This is because the user now gets an environment variable, `DCONF_PROFILE=username@domain.tld`, and that dconf profile does not exist and `~/.config/dconf/user` is not created! So the user has no dconf profile where the settings could be saved, as far as I understand this, so this is where the original error message is coming from: `unable to open named profile (user@domain): using the null configuration`.

Some examples from syslog:

```
Jul 16 11:36:46 HOSTNAME gsettings[21570]: unable to open named profile (user@domain.tld): using the null configuration.
Jul 16 11:36:46 HOSTNAME gsettings[21572]: unable to open named profile (user@domain.tld): using the null configuration.
Jul 16 11:36:46 HOSTNAME gsettings[21579]: unable to open named profile (user@domain.tld): using the null configuration.
Jul 16 11:36:46 HOSTNAME gsettings[21587]: unable to open named profile (user@domain.tld): using the null configuration.
Jul 16 11:36:46 HOSTNAME gsd-xsettings[21496]: unable to open named profile (user@domain.tld): using the null configuration.
Jul 16 11:36:46 HOSTNAME gsd-media-keys[21477]: unable to open named profile (user@domain.tld): using the null configuration.
Jul 16 11:36:46 HOSTNAME gsd-power[21478]: unable to open named profile (user@domain.tld): using the null configuration.
Jul 16 11:36:46 HOSTNAME evolution-alarm[21531]: unable to open named profile (user@domain.tld): using the null configuration.
Jul 16 11:36:47 HOSTNAME gnome-initial-s[21668]: unable to open named profile (user@domain.tld): using the null configuration.
Jul 16 11:36:47 HOSTNAME xdg-desktop-por[21571]: unable to open named profile (user@domain.tld): using the null configuration.
Jul 16 11:36:47 HOSTNAME xdg-desktop-por[21511]: unable to open named profile (user@domain.tld): using the null configuration.
Jul 16 11:36:47 HOSTNAME xdg-desktop-por[21903]: unable to open named profile (user@domain.tld): using the null configuration.
Jul 16 11:36:47 HOSTNAME nautilus[21428]: unable to open named profile (user@domain.tld): using the null configuration.
Jul 16 11:36:48 HOSTNAME gnome-shell[20903]: DING: (gjs:21964): dconf-WARNING **: 11:36:48.088: unable to open named profile (user@domain.tld): using the null configuration.
```

So first of all, adsys should still be able to parse the domain name from sssd if it is uppercase. Second, and more importantly, it should not mess up the user's dconf.

Steps to reproduce:

Join a machine to an AD domain with SSSD using the uppercase domain name, then install adsys (0.14); you will get the error on service start. Then change the domain name to lowercase; you won't be able (with an AD domain user) to change any settings related to dconf/gsettings databases.

I hope this helps. Meanwhile I will hold on to adsys 0.9.2...
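Added example, not part of the thread and not adsys code: a Python check for the two conditions reported above, a `[domain/NAME]` section whose case differs from the `domains =` entry, and a `DCONF_PROFILE` value with no matching profile file. The function names and the sample config are constructed for illustration; the search paths are dconf's default locations (`/etc/dconf/profile/`, then `dconf/profile/` under the system data directories).

```python
import configparser
import os

# Constructed sample mirroring the failing layout reported in this thread.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = domain.tld
services = nss, pam, ifp

[domain/DOMAIN.TLD]
id_provider = ad
ad_domain = domain.tld
fallback_homedir = /home/%u@%d
"""

def sssd_domain_sections(conf_text):
    """Classify each name in [sssd] domains= against the [domain/NAME] sections."""
    # interpolation=None: sssd values such as /home/%u@%d are not Python templates.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    sections = [s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")]
    status = {}
    for name in cp.get("sssd", "domains", fallback="").split(","):
        name = name.strip()
        if not name:
            continue
        if name in sections:
            status[name] = "exact"
        elif name.lower() in (s.lower() for s in sections):
            status[name] = "case-mismatch"
        else:
            status[name] = "missing"
    return status

def dconf_profile_path(profile, sysconfdir="/etc", data_dirs=("/usr/local/share", "/usr/share")):
    """Return the file a DCONF_PROFILE value resolves to, or None if none exists."""
    if os.path.isabs(profile):
        return profile if os.path.isfile(profile) else None
    for base in (sysconfdir, *data_dirs):
        candidate = os.path.join(base, "dconf", "profile", profile)
        if os.path.isfile(candidate):
            return candidate
    return None

if __name__ == "__main__":
    print(sssd_domain_sections(SAMPLE_SSSD_CONF))
    profile = os.environ.get("DCONF_PROFILE")
    if profile:
        print(profile, "->", dconf_profile_path(profile) or "no profile file found")
```

A `case-mismatch` result corresponds to the uppercase-section layout in the first sssd.conf above; a `None` from `dconf_profile_path` corresponds to the "unable to open named profile" warnings in the syslog excerpt.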

denisonbarbosa commented 1 month ago

Hey, @snussbaumermpreis and @cristianapas! We have some suspicions about the possible cause of the issue, but before submitting any fixes, we'd like to ask you to try something if you can:

Keeping the domain configuration as you updated (with the lowercase domain), can you try configuring at least one dconf key (on the server) for the user you're trying to authenticate with?

This issue might be happening due to the user not having any dconf setting configured (which means that the user-specific profile won't be created), thus resulting in you not being able to change any user-specific dconf value.

snussbaumermpreis commented 1 month ago

Hello @denisonbarbosa and thank you for working on this!

I can definitely confirm that this happens even if the database is present and has entries. I have tried it with an existing database, both by creating it (without adsys installed) and by moving an existing database. As I understand it, this is not because it can't be created.

The file is the following: `~/.config/dconf/user`

But (presumably adsys) sets "DCONF_PROFILE" with the username, so: `DCONF_PROFILE=user@domain.tld`

I renamed the file, which did not change anything.

In my separate issue, https://github.com/ubuntu/adsys/issues/1054, I provided some more info about this dconf part.

My understanding of dconf is pretty minimal... So I can't tell you what exactly happens, but this is definitely pretty odd...

Have you been able to recreate the issue? If not, I could go through the hassle once again and try to make a foolproof step-by-step to recreate it. I am not too keen on that though, and I hope I have reported enough info for you to provide some sort of fix.

denisonbarbosa commented 1 week ago

Hey, guys! The fixed version (0.14.2) is now available at ppa:ubuntu-enterprise-desktop/adsys if you'd like to use it while we are preparing things for releasing the fixes into the archive. Thanks again for reporting the issue and helping us make adsys better!

sebma commented 1 week ago

> Hey, guys! The fixed version (0.14.2) is now available at ppa:ubuntu-enterprise-desktop/adsys if you'd like to use it while we are preparing things for releasing the fixes into the archive. Thanks again for reporting the issue and helping us make adsys better!

@denisonbarbosa Thanks a LOT !!!

Your #1070 PR solved my user profile pb.

God bless you abundantly.