Closed callanova closed 2 months ago
Thanks for reporting this bug on authd. Let’s try to debug it together.
I notice that we need to update the template for bug report, as the package is not in ubuntu. Can you enter the details for "non ubuntu users", as we don’t have logs around (as the package is coming from a ppa)? To get more verbose output to paste, please have a look at https://github.com/ubuntu/authd/wiki/05--Troubleshooting.
That will help debugging 1. and 2.
The 3rd one (which might explain 1 and 2 through autoselection) with "invalid_client" probably means that the client_id doesn’t match your tenant id in the configuration that you edited in /var/snap/authd-msentraid/current/broker.conf. Do you mind pasting it here, redacting ofc the sensitive info?
Ensure in particular that <CLIENT_ID> matches the "Application (client) id" in the Azure ui. You shouldn’t need a redirect URL. However, and indeed, this is missing in the docs, I think your issue might come from this missing setting:
In MS Entra ID, go to your application, then "Manage -> Authentication". Under "Advanced Settings", ensure "Enable the following mobile and desktop flows:" is set to Yes for "Allow public client flows". Note that you probably need to reboot then to ensure the msentraid broker is pulling the right configuration from Azure.
That should solve your issue when you don’t get a valid device flow authorization. Keep us posted!
authd version: authd 0.3.1~ppa4
Distribution: Ubuntu
Distribution version: 24.04
Trying to modify any /etc/pam.d/ files or /usr/share/pam-configs/authd results in me being unable to run sudo commands:
```
sudo: PAM account management error: Permission denied
sudo: a password is required
```
Could you provide more details on how to properly increase logging verbosity for the PAM and NSS modules?
Having "Allow public client flows" seems to have resolved the third one.
Within /var/snap/authd-msentraid/current/broker.conf, I replaced
```ini
[oidc]
issuer = https://login.microsoftonline.com/<ISSUER_ID>/v2.0
client_id = <CLIENT_ID>

[users]
home_base_dir = /home
```
Hey, @callanova! To increase verbosity, you need to:
For NSS -> Edit /etc/environment and add the following line:
```
AUTHD_NSS_INFO=1
```
For PAM -> Edit /etc/pam.d/common-auth, /etc/pam.d/common-account and /etc/pam.d/common-password and add debug=true to the authd module line (do not reorder it, nor replace the other modules lines, change only the authd one, otherwise it could break authentication on your machine). It should look like this:
/etc/pam.d/common-auth
```
auth [success=3 ignore=ignore default=die] pam_authd_exec.so /usr/libexec/authd-pam debug=true
```
/etc/pam.d/common-account
```
account [default=ignore success=ok user_unknown=ignore] pam_authd_exec.so /usr/libexec/authd-pam debug=true
```
/etc/pam.d/common-password
```
password [success=4 ignore=ignore default=die] pam_authd_exec.so /usr/libexec/authd-pam debug=true
```
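The edit above is easy to get wrong by hand, and the first report in this thread ("PAM account management error: Permission denied") is what a damaged common-* file looks like. As an added example, not code from authd or from anyone in this thread, here is a small Go program that applies the edit the safe way: it appends debug=true only to the line that loads pam_authd_exec.so, returns every other line byte for byte (so the [success=N ...] jump counts stay valid), is idempotent, and refuses to touch a file that has zero or more than one authd line. The sample common-auth content is constructed for the example and is not a copy of a real file; only the authd line is taken from the comment above.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// authdModule is the PAM module name that identifies the authd line.
const authdModule = "pam_authd_exec.so"

// sampleCommonAuth is a constructed stand-in for /etc/pam.d/common-auth,
// not a copy of a real file. The authd line matches the one quoted in the
// thread; the other entries are typical Ubuntu lines added for context.
const sampleCommonAuth = `# /etc/pam.d/common-auth (constructed sample)
auth [success=3 ignore=ignore default=die] pam_authd_exec.so /usr/libexec/authd-pam
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
`

// hasDebugArg reports whether a module line already carries debug=true.
func hasDebugArg(line string) bool {
	for _, field := range strings.Fields(line) {
		if field == "debug=true" {
			return true
		}
	}
	return false
}

// isAuthdLine reports whether a non-comment line loads the authd module.
func isAuthdLine(line string) bool {
	trimmed := strings.TrimSpace(line)
	if trimmed == "" || strings.HasPrefix(trimmed, "#") {
		return false
	}
	return strings.Contains(trimmed, authdModule)
}

// EnableAuthdDebug returns content with " debug=true" appended to the authd
// module line. Only an argument is added: the line keeps its position and
// its control field, so the success=N jumps of the other lines stay valid,
// and every other line is returned unchanged. The edit is idempotent and is
// refused when the file has zero or several authd lines, because then it is
// not the file this edit was written for.
func EnableAuthdDebug(content string) (string, error) {
	lines := strings.Split(content, "\n")

	found := 0
	for _, line := range lines {
		if isAuthdLine(line) {
			found++
		}
	}
	if found == 0 {
		return "", errors.New("no " + authdModule + " line found; file left unchanged")
	}
	if found > 1 {
		return "", fmt.Errorf("%d %s lines found, expected one; file left unchanged", found, authdModule)
	}

	for i, line := range lines {
		if isAuthdLine(line) && !hasDebugArg(line) {
			lines[i] = line + " debug=true"
		}
	}
	return strings.Join(lines, "\n"), nil
}

func main() {
	out, err := EnableAuthdDebug(sampleCommonAuth)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(out)
}
```

Diff the result against the original before writing it back, keep a root shell open while you do, and validate with `sudo -v` from a second terminal afterwards; if that fails, restore the backup from the still-open root shell rather than from a new login.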
Hi guys,
We are facing the exact same issues as @callanova mentioned. @denisonbarbosa we managed to enable the debug logs, and these are the errors that we get:
This is when we select from the login UI -> not listed -> enter the Entra ID username:
```
2024-07-18T11:45:44.153566+03:00 rotmictubntdesktop gnome-shell[2573]: ActUserManager: user (null) has no username (uid: -1)
2024-07-18T11:45:44.193067+03:00 rotmictubntdesktop gdm-authd]: accountsservice: ActUserManager: user (null) has no username (uid: -1)
2024-07-18T11:45:44.207476+03:00 rotmictubntdesktop gnome-shell[2573]: Starting authd protocol
```
Once authentication with device code is successful from a browser:
```
2024-07-18T11:47:04.493523+03:00 rotmictubntdesktop gdm-session-worker[2992]: module returned error: gdm-authd failed: Authentication failure: could not get user info: could not fetch user info: could not get user groups: could not parse group name
2024-07-18T11:47:04.531507+03:00 rotmictubntdesktop gdm-authd]: accountsservice: ActUserManager: user (null) has no username (uid: -1)
2024-07-18T11:47:04.548986+03:00 rotmictubntdesktop gnome-shell[2573]: Starting authd protocol
```
The issue that we are having is that once we authenticate in a browser using device code auth, the ubuntu login screen goes back to the user account list and nothing happens.
Thank you in advance for your help.
Thanks for your patience! Can you try the following:
Check apt policy gnome-shell. It should be 46.3.1-1ubuntu1~24.04.1 which is the one in the ppa.
Login.
Switch the broker snap to the stable channel:
```
snap switch authd-msentraid --stable
snap restart authd-msentraid
```
That should help to pinpoint the issue.
Hi @didrocks
```
gnome-shell:
  Installed: 46.3.1-1ubuntu1~24.04.1
  Candidate: 46.3.1-1ubuntu1~24.04.1
  Version table:
 *** 46.3.1-1ubuntu1~24.04.1 500
        500 https://ppa.launchpadcontent.net/ubuntu-enterprise-desktop/authd/ubuntu noble/main amd64 Packages
        100 /var/lib/dpkg/status
     46.0-0ubuntu5.1 500
        500 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
     46.0-0ubuntu5 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages
```
Login from terminal:
After running:
```
snap switch authd-msentraid --stable
snap restart authd-msentraid
```
Logs:
```
2024-07-18T13:31:40.489705+03:00 rotmictubntdesktop authd-pam[4894]: adapter.userSelected{username:"redacted"}
2024-07-18T13:31:40.490660+03:00 rotmictubntdesktop authd-pam[4894]: adapter.supportedUILayoutsReceived{layouts:[]authd.UILayout{(authd.UILayout)(0xc0002f6000), (authd.UILayout)(0xc0002f6070), (authd.UILayout)(0xc0002f60e0)}}
2024-07-18T13:31:40.491146+03:00 rotmictubntdesktop authd-pam[4894]: adapter.UsernameOrBrokerListReceived{}
2024-07-18T13:31:40.491376+03:00 rotmictubntdesktop authd-pam[4894]: adapter.GetAuthenticationModesRequested{}
2024-07-18T13:31:40.493191+03:00 rotmictubntdesktop authd-pam[4894]: adapter.brokersListReceived{brokers:[]authd.ABResponse_BrokerInfo{(authd.ABResponse_BrokerInfo)(0xc00050c0a0), (authd.ABResponse_BrokerInfo)(0xc00050c280)}}
2024-07-18T13:31:40.494145+03:00 rotmictubntdesktop authd-pam[4894]: adapter.UsernameOrBrokerListReceived{}
2024-07-18T13:31:40.499445+03:00 rotmictubntdesktop authd-pam[4894]: adapter.ChangeStage{Stage:1}
2024-07-18T13:31:41.635387+03:00 rotmictubntdesktop authd-pam[4894]: adapter.brokerSelected{brokerID:"2182967434"}
2024-07-18T13:31:41.635637+03:00 rotmictubntdesktop authd-pam[4894]: adapter.BrokerSelected{BrokerID:"2182967434"}
2024-07-18T13:31:41.640153+03:00 rotmictubntdesktop authd-pam[4894]: adapter.SessionStarted{brokerID:"2182967434", sessionID:"
2024-07-18T13:31:41.640891+03:00 rotmictubntdesktop authd-pam[4894]: adapter.GetAuthenticationModesRequested{}
2024-07-18T13:31:41.686769+03:00 rotmictubntdesktop authd-pam[4894]: authModes[id:"device_auth" label:"Device Authentication"]
2024-07-18T13:31:41.687102+03:00 rotmictubntdesktop authd-pam[4894]: adapter.authModesReceived{authModes:[]authd.GAMResponse_AuthenticationMode{(authd.GAMResponse_AuthenticationMode)(0xc000128dc0)}}
2024-07-18T13:31:41.689468+03:00 rotmictubntdesktop authd-pam[4894]: adapter.authModeSelected{id:"device_auth"}
2024-07-18T13:31:41.689984+03:00 rotmictubntdesktop authd-pam[4894]: adapter.AuthModeSelected{ID:"device_auth"}
2024-07-18T13:31:41.926338+03:00 rotmictubntdesktop authd-pam[4894]: adapter.UILayoutReceived{layout:(authd.UILayout)(0xc0005942a0)}
2024-07-18T13:31:41.928658+03:00 rotmictubntdesktop authd-pam[4894]: adapter.ChangeStage{Stage:3}
2024-07-18T13:31:41.943619+03:00 rotmictubntdesktop authd-pam[4894]: adapter.isAuthenticatedRequested{item:(authd.IARequest_AuthenticationData_Wait)(0xc000587bd0)}
2024-07-18T13:31:41.945296+03:00 rotmictubntdesktop authd-pam[4894]: adapter.isAuthenticatedRequestedSend{isAuthenticatedRequested:adapter.isAuthenticatedRequested{item:(authd.IARequest_AuthenticationData_Wait)(0xc000587bd0)}, ctx:(*context.cancelCtx)(0xc000024500)}

==> cups/access_log <==
localhost - - [18/Jul/2024:13:31:55 +0300] "POST / HTTP/1.1" 200 182 Renew-Subscription successful-ok

==> syslog <==
2024-07-18T13:32:12.728137+03:00 rotmictubntdesktop authd-pam[4894]: adapter.isAuthenticatedResultReceived{access:"denied", challenge:"", msg:"{\"message\":\"could not get user info: could not fetch user info: could not get user groups: could not parse group name\"}"}
2024-07-18T13:32:12.730555+03:00 rotmictubntdesktop authd-pam[4894]: adapter.pamError{status:7, msg:"could not get user info: could not fetch user info: could not get user groups: could not parse group name"}
AUTH: exiting with error Authentication failure: could not get user info: could not fetch user info: could not get user groups: could not parse group name
2024-07-18T13:32:16.080024+03:00 rotmictubntdesktop login[4890]: FAILED LOGIN (1) on '/dev/pts/1' FOR 'UNKNOWN', Authentication failure
^C
```
P.S. This is the successful Entra login from the browser:
Thanks for the additional info. It might be that your user is not part of any groups and it seems we wrongly reject that use case.
Can you confirm that your user doesn’t have any group on msentra id portal? Can you try adding one and tell us if that fixes your issue?
For your information, this error happens on the display name of the group, which might be the wrong field to take too.
Hi @didrocks ,
My user is in at least ~50 Entra ID Security Groups. However, from the documentation it is not clear to me if it has to be these 3 specific groups:
https://github.com/ubuntu/authd/wiki/04---Usage
Cheers!
Hi,
I've also created in Entra ID the linux-sudo group, and added my user. Unfortunately the behaviour is the same. Nonetheless, like I mentioned above, my user is part of roughly 50 security groups in Entra ID.
Is there any special Token configuration needed in the App Registration in Entra ID that we should make, to include specific group claims in the token? Like in the picture below:
Hey, @tararambumbum!
> However from the documentation for me is not clear if has to be these 3 specific groups
Those groups are just used as an example. The first is a default group matching the username that authd creates automatically for the user. The second, linux-sudo, is an example of how to configure a local unix group through azure, such as sudo; the linux- prefix will be stripped and only the suffix will be considered. The last one is the remote group that will be created as is for your user locally.
> Is there any special Token configuration needed in the App Registratin in Entra ID that we should make, to include specific group claims in the token?
Right now, we rely on graphsdk to get the user groups, so you don't need to configure anything else in the token configuration for it to work (we are exploring ways of relying only on the token claims to fetch the user groups, so that we don't need to rely on graphsdk for it).
Now, for your issue...
We need more info on what could be failing. My guess is that the graph API is returning other objects rather than only the user groups, so we built a new version of the broker that logs the object when it fails to parse the display name. It will still fail, but it will give us more information on what could be the issue so that we can work on a proper fix.
To try it, run the following commands:
```
snap switch authd-msentraid --edge
snap restart authd-msentraid
```
Then, try authenticating again. The logs will be shown in the system journal, which you can look at by running:
```
journalctl -b -u snap.authd-msentraid.authd-msentraid.service
```
You should look for messages containing the string Invalid group found.
PS.: Don't forget to redact sensitive information, but try to keep as much information as possible.
Thanks for the help!
apt policy gnome-shell:
```
gnome-shell:
  Installed: 46.3.1-1ubuntu1~24.04.1
  Candidate: 46.3.1-1ubuntu1~24.04.1
  Version table:
 *** 46.3.1-1ubuntu1~24.04.1 500
        500 https://ppa.launchpadcontent.net/ubuntu-enterprise-desktop/authd/ubuntu noble/main amd64 Packages
        100 /var/lib/dpkg/status
     46.0-0ubuntu6~24.04.1 100
        100 http://archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
     46.0-0ubuntu5.1 500
        500 http://us.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
     46.0-0ubuntu5 500
        500 http://us.archive.ubuntu.com/ubuntu noble/main amd64 Packages
```
Thanks @denisonbarbosa for providing that. After increasing verbosity I got the same could not get user info: could not fetch user info: could not get user groups: could not parse group name message as @tararambumbum.
Ran snap switch authd-msentraid --edge and snap restart authd-msentraid, however, journalctl -b -u snap.authd-msentraid.authd-msentraid.service doesn't show any messages outside of:
```
Jul 18 06:59:04 ubuntu-test systemd[1]: Stopping snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid...
Jul 18 06:59:04 ubuntu-test systemd[1]: snap.authd-msentraid.authd-msentraid.service: Deactivated successfully.
Jul 18 06:59:04 ubuntu-test systemd[1]: Stopped snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
Jul 18 06:59:04 ubuntu-test systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
```
Glad that at least you end up with a common issue with @tararambumbum :)
> Ran snap switch authd-msentraid --edge and snap restart authd-msentraid, however, journalctl -b -u snap.authd-msentraid.authd-msentraid.service doesn't show any messages.
As you were probably already on the edge channel before, I’m unsure the snap switch refreshes the snap, so let’s do it manually:
```
snap refresh authd-msentraid
snap restart authd-msentraid
```
You can confirm you are running revision 13 with snap info authd-msentraid. Please try to fetch the log again with that revision.
Hi,
After:
```
snap refresh authd-msentraid
snap restart authd-msentraid
```
The logs:
```
Jul 18 18:00:01 rotmictubntdesktop authd-pam[4521]: adapter.userSelected{username:"redacted"}
Jul 18 18:00:01 rotmictubntdesktop authd-pam[4521]: adapter.supportedUILayoutsReceived{layouts:[]authd.UILayout{(authd.UILayout)(0xc000226000), (authd.UILayout)(0xc000226070), (authd.UILayout)(0xc0002260e0)}}
Jul 18 18:00:01 rotmictubntdesktop authd-pam[4521]: adapter.UsernameOrBrokerListReceived{}
Jul 18 18:00:01 rotmictubntdesktop authd-pam[4521]: adapter.GetAuthenticationModesRequested{}
Jul 18 18:00:01 rotmictubntdesktop authd-pam[4521]: adapter.brokersListReceived{brokers:[]authd.ABResponse_BrokerInfo{(authd.ABResponse_BrokerInfo)(0xc0004ce370), (*authd.ABResponse_BrokerInfo)(0xc0004ce550)}}
Jul 18 18:00:01 rotmictubntdesktop authd-pam[4521]: adapter.UsernameOrBrokerListReceived{}
Jul 18 18:00:01 rotmictubntdesktop authd-pam[4521]: adapter.ChangeStage{Stage:1}
Jul 18 18:00:02 rotmictubntdesktop authd-pam[4521]: adapter.brokerSelected{brokerID:"2182967434"}
Jul 18 18:00:02 rotmictubntdesktop authd-pam[4521]: adapter.BrokerSelected{BrokerID:"2182967434"}
Jul 18 18:00:02 rotmictubntdesktop authd-pam[4521]: adapter.SessionStarted{brokerID:"2182967434", sessionID:"", encryptionKey:""}
Jul 18 18:00:02 rotmictubntdesktop authd-pam[4521]: adapter.GetAuthenticationModesRequested{}
Jul 18 18:00:02 rotmictubntdesktop authd-pam[4521]: authModes[id:"device_auth" label:"Device Authentication"]
Jul 18 18:00:02 rotmictubntdesktop authd-pam[4521]: adapter.authModesReceived{authModes:[]authd.GAMResponse_AuthenticationMode{(authd.GAMResponse_AuthenticationMode)(0xc000622230)}}
Jul 18 18:00:02 rotmictubntdesktop authd-pam[4521]: adapter.authModeSelected{id:"device_auth"}
Jul 18 18:00:02 rotmictubntdesktop authd-pam[4521]: adapter.AuthModeSelected{ID:"device_auth"}
Jul 18 18:00:02 rotmictubntdesktop authd-pam[4521]: adapter.UILayoutReceived{layout:(authd.UILayout)(0xc000226310)}
Jul 18 18:00:02 rotmictubntdesktop authd-pam[4521]: adapter.ChangeStage{Stage:3}
Jul 18 18:00:02 rotmictubntdesktop authd-pam[4521]: adapter.isAuthenticatedRequested{item:(authd.IARequest_AuthenticationData_Wait)(0xc000216b70)}
Jul 18 18:00:02 rotmictubntdesktop authd-pam[4521]: adapter.isAuthenticatedRequestedSend{isAuthenticatedRequested:adapter.isAuthenticatedRequested{item:(authd.IARequest_AuthenticationData_Wait)(0xc000216b70)}, ctx:(context.cancelCtx)(0xc00018e550)}
Jul 18 18:00:18 rotmictubntdesktop authd-msentraid.authd-msentraid[4482]: time=2024-07-18T18:00:18.236+03:00 level=WARN msg="Invalid group found: &models.DirectoryRole{
    DirectoryObject: models.DirectoryObject{
        Entity: models.Entity{
            backingStore: &store.InMemoryBackingStore{
                returnOnlyChangedValues: false,
                initializationCompleted: true,
                store: map[string]interface {}{
                    \"additionalData\": map[string]interface {}{},
                    \"odataType\": &\"#microsoft.graph.directoryRole\",
                    \"id\": &\"bcb4bf66-5c40-410e-b48d-d047dbd588c6\",
                },
                subscribers: map[string]store.BackingStoreSubscriber{},
                changedValues: map[string]bool{
                    \"additionalData\": true,
                    \"odataType\": true,
                    \"id\": true,
                },
            },
        },
    },
}"
Jul 18 18:00:18 rotmictubntdesktop authd-pam[4521]: adapter.isAuthenticatedResultReceived{access:"denied", challenge:"", msg:"{\"message\":\"could not get user info: could not fetch user info: could not get user groups: could not parse group name\"}"}
Jul 18 18:00:18 rotmictubntdesktop authd-pam[4521]: adapter.pamError{status:7, msg:"could not get user info: could not fetch user info: could not get user groups: could not parse group name"}
Jul 18 18:00:18 rotmictubntdesktop authd-pam[4521]: adapter.SessionEnded{}
Jul 18 18:00:18 rotmictubntdesktop authd-pam[4521]: AUTH: exiting with error Authentication failure: could not get user info: could not fetch user info: could not get user groups: could not parse group name
```
As a side note, before this last command (snap refresh and snap restart), we tried with both stable and edge, but the error logs were the same, without more information available.
Cheers.
Hey, @tararambumbum and @callanova!
It seems our suspicions were correct. If you look at the logs, you can see Invalid group found: &models.DirectoryRole ..., which means that indeed the API is returning more than just the user groups (a Directory Role, in this case).
We're already working on a fix for it and will let you guys know when it's available.
@didrocks thank you for that. I can confirm I get the same message as @tararambumbum. Sounds good, thank you @denisonbarbosa.
hey @callanova, @tararambumbum. Rev 14 on the edge channel of the snap should fix that particular issue.
You should refresh it (ensure you are on the edge channel, with the previous message) with:
```
snap refresh authd-msentraid
snap restart authd-msentraid
```
and try login again. Let’s cross fingers that was the only issue that differs between the test and production configurations!
We have also updated the documentation to include the missing pieces, enhancing the bug templates and adding more info on how to get debug logs.
Thanks for bearing with us and keep us posted if that solved it for you (or we can iterate otherwise :)).
EDIT: just something to bear in mind, we will probably promote that version to the stable channel by the end of next week as it needs a corresponding authd upload to the ppa. By then, you should really switch back to the stable channel as it’s the only one we are testing completely with the latest authd release. Until then, ssh login (when the user doesn’t exist on the machine) and offline login will be broken with current authd, but the rest of the features should work.
Hi @didrocks @denisonbarbosa ,
I confirm that it is working as expected right now! Thank you very much for your fast responses and brilliant support!
Regards, Mihai
@didrocks / @denisonbarbosa, I'm still seeing could not parse group name with both sudo login and GUI while on rev 15:
```
2024-07-19T06:24:25.793839-07:00 ubuntu-test gdm-session-worker[3164]: module returned error: gdm-authd failed: Authentication failure: could not get user info: could not fetch user info: could not get user groups: could not parse group name
```
sudo snap info authd-msentraid
```
name:      authd-msentraid
summary:   MSEntra ID broker for authd
publisher: Canonical✓
store-url: https://snapcraft.io/authd-msentraid
license:   GPL-3.0
description: |
  This is the MS Entra ID broker snap for authd to provide MS Entra ID OIDC based authentication on
  Ubuntu with authd.
services:
  authd-msentraid: simple, enabled, active
snap-id:      vS3oJLMss6lgWwoFcPqYDUA2HB20I1Dc
tracking:     0.x/edge
refresh-date: today at 03:40 PDT
channels:
  0.x/stable:    0.1 2024-07-18 (10) 17MB -
  0.x/candidate: ↑
  0.x/beta:      ↑
  0.x/edge:      0.1 2024-07-19 (15) 17MB -
installed:       0.1            (15) 17MB -
```
Hey, @callanova! It's unfortunate that the fix wasn't enough to fix your issue. We pushed a new revision with more logging for issues when parsing the group's information.
Can you rerun the commands to refresh and restart (after running them, make sure you have the right revision, it should be 17) the snap and provide us the system logs for the failure? Since it's still failing for you, one (or more) group likely does not contain the expected information or it could be a configuration issue in Azure. Hopefully, these new log messages will help us pinpoint the problem.
Thanks for the patience!
Thank you for getting a new revision out so quickly. Let me know if you need any additional info.
sudo snap info authd-msentraid
```
name:      authd-msentraid
summary:   MSEntra ID broker for authd
publisher: Canonical✓
store-url: https://snapcraft.io/authd-msentraid
license:   GPL-3.0
description: |
  This is the MS Entra ID broker snap for authd to provide MS Entra ID OIDC based authentication on
  Ubuntu with authd.
services:
  authd-msentraid: simple, enabled, active
snap-id:      vS3oJLMss6lgWwoFcPqYDUA2HB20I1Dc
tracking:     0.x/edge
refresh-date: today at 08:46 PDT
channels:
  0.x/stable:    0.1 2024-07-18 (10) 17MB -
  0.x/candidate: ↑
  0.x/beta:      ↑
  0.x/edge:      0.1 2024-07-19 (17) 17MB -
installed:       0.1            (17) 17MB -
```
journalctl -b -u snap.authd-msentraid.authd-msentraid.service:
```
Jul 19 08:48:27 ubuntu-test authd-msentraid.authd-msentraid[10876]: time=2024-07-19T08:48:27.501-07:00 level=WARN msg="Invalid group object (ID: %s) found: %v0xc00011e510 &{{{0xc000365420}}}"
```
/var/log/syslog:
```
2024-07-19T08:48:27.502123-07:00 ubuntu-test authd-msentraid.authd-msentraid[10876]: time=2024-07-19T08:48:27.501-07:00 level=WARN msg="Invalid group object (ID: %s) found: %v0xc00011e510 &{{{0xc000365420}}}"
2024-07-19T08:48:27.504425-07:00 ubuntu-test authd-pam[11527]: adapter.isAuthenticatedResultReceived{access:"denied", challenge:"", msg:"{\"message\":\"could not get user info: could not fetch user info: could not get user groups: could not parse group name\"}"}
2024-07-19T08:48:27.504487-07:00 ubuntu-test authd-pam[11527]: adapter.pamError{status:7, msg:"could not get user info: could not fetch user info: could not get user groups: could not parse group name"}
```
Hey, @callanova. Thanks for reporting back on this. It does look like the provider is returning an invalid group on the request. I'm not exactly sure if this could be a configuration setting in Azure (i.e. something that redacts the display name for the group) or a problem in the API itself. Would you mind double checking the groups assigned to the user you're trying to authenticate with? Maybe we can spot something off there.
The group types of the user I'm trying to authenticate with are:
The groups have varying visibility:
There are also a handful of security enabled groups.
All the groups have null as their uniqueName.
If I look through each of the groups, there's no sensitivity label.
Should all the groups have Public visibility? @denisonbarbosa, please let me know if there's any additional info you need or if there's any specific configuration / setting I should be looking for. Thank you for your help!
@callanova So, it seems we need to improve the debugging to get exactly which group is problematic. We don’t want to blindly skip them until we understand which ones could have those issues.
Please update and restart on rev 18 and provide the logs again. It would be beneficial to know exactly which properties have those groups in term of visibility/type so that we can reproduce locally and recreate the issue to ensure that we take the right decision when fixing it! Thanks a lot!
sudo snap info authd-msentraid
```
name:      authd-msentraid
summary:   MSEntra ID broker for authd
publisher: Canonical✓
store-url: https://snapcraft.io/authd-msentraid
license:   GPL-3.0
description: |
  This is the MS Entra ID broker snap for authd to provide MS Entra ID OIDC based authentication on
  Ubuntu with authd.
services:
  authd-msentraid: simple, enabled, active
snap-id:      vS3oJLMss6lgWwoFcPqYDUA2HB20I1Dc
tracking:     0.x/edge
refresh-date: today at 05:42 PDT
channels:
  0.x/stable:    0.1 2024-07-18 (10) 17MB -
  0.x/candidate: ↑
  0.x/beta:      ↑
  0.x/edge:      0.1 2024-07-22 (19) 17MB -
installed:       0.1            (19) 17MB -
```
Got the Could not get displayName from group object message. The ID was able to come through in the logs this time around. However, the msGroup was showing up as:
```
found: &{{{0xc00041b5e0}}}"
```
When I check the ID it reported using az ad group show --group <ID>:
- Cloud
- Teams enabled
- No writeback
- groupType: Unified
- visibility: Public
- uniqueName is set to null
- securityEnabled is set to false
Something I noticed is it has the resourceBehaviorOptions of HideGroupInOutlook. However, there's another group that has that set and it didn't seem to have any problems.
The only other thing I could notice is the displayName is a bit longer, "Company Name Location Inc" rather than "Group" or "group-name" for example.
Ok, that’s progress! We don’t have access to all those properties in our test tenant, so we need to dig deeper. Thanks for the details of the properties; we need to find exactly which one is triggering this behaviour. The long "displayName" shouldn't be the issue as it’s failing when casting the content.
So that we get access to everything the object we retrieve holds, here is another attempt (this time handling properly the pointer in debugging), which should give the exact object content we are getting. Do you mind retrying with this on snap rev 20? Ofc, redact any sensitive info, but try to keep the length and semantics of each field! Thanks again.
sudo snap info authd-msentraid
```
name:      authd-msentraid
summary:   MSEntra ID broker for authd
publisher: Canonical✓
store-url: https://snapcraft.io/authd-msentraid
license:   GPL-3.0
description: |
  This is the MS Entra ID broker snap for authd to provide MS Entra ID OIDC based authentication on
  Ubuntu with authd.
services:
  authd-msentraid: simple, enabled, active
snap-id:      vS3oJLMss6lgWwoFcPqYDUA2HB20I1Dc
tracking:     0.x/edge
refresh-date: today at 09:23 PDT
channels:
  0.x/stable:    0.1 2024-07-18 (10) 17MB -
  0.x/candidate: ↑
  0.x/beta:      ↑
  0.x/edge:      0.1 2024-07-22 (20) 17MB -
installed:       0.1            (20) 17MB -
```
Got the Could not get displayName from group object message. Rev 20 is showing found: {{{0xc00012d620}}}.
I did a local build (putting the logs in a non error case) and I confirm, there are multiple objects pointing to each other and the library didn’t follow them.
There is a new version (rev 21) where we switched to another package which then unwraps nested objects properly. It doesn’t seem the opaque object has a lot of properties (not Visibility for instance), but we can hope that it will be more verbose for MS 365 groups and that we could dig a little bit further there. For instance, here we have something like the following:
```
"… found: models.Group{
    DirectoryObject: models.DirectoryObject{
        Entity: models.Entity{
            backingStore: &store.InMemoryBackingStore{
                returnOnlyChangedValues: false,
                initializationCompleted: true,
                store: map[string]interface {}{
                    \"groupTypes\": []string{},
                    \"renewedDateTime\": &(unexported time.Time),
                    \"createdDateTime\": &(unexported time.Time),
                    \"securityIdentifier\": &\"S-1-12-1-999999999999-1330676530-999999999999-999999999999\",
                    \"serviceProvisioningErrors\": []models.ServiceProvisioningErrorable{},
                    \"odataType\": &\"#microsoft.graph.group\",
                    \"displayName\": &\"Azure_OIDC_Test\",
                    \"onPremisesProvisioningErrors\": []models.OnPremisesProvisioningErrorable{},
                    \"id\": &\"SOME_UID\",
                    \"description\": &\"Group for OIDC POC\",
                    \"mailEnabled\": &false,
                    \"proxyAddresses\": []string{},
                    \"securityEnabled\": &true,
                    \"additionalData\": map[string]interface {}{
                        \"creationOptions\": []interface {}{},
                        \"resourceProvisioningOptions\": []interface {}{},
                        \"resourceBehaviorOptions\": []interface {}{},
                    },
                    \"mailNickname\": &\"pbzzy693-z\",
                },
                subscribers: map[string]store.BackingStoreSubscriber{},
                changedValues: map[string]bool{
                    \"serviceProvisioningErrors\": true,
                    \"additionalData\": true,
                    \"proxyAddresses\": true,
                    \"renewedDateTime\": true,
                    \"securityIdentifier\": true,
                    \"description\": true,
                    \"mailEnabled\": true,
                    \"mailNickname\": true,
                    \"securityEnabled\": true,
                    \"odataType\": true,
                    \"groupTypes\": true,
                    \"createdDateTime\": true,
                    \"displayName\": true,
                    \"onPremisesProvisioningErrors\": true,
                    \"id\": true,
                },
            },
        },
    },
}"
```
Mind giving it a try? The end result will probably be that you don’t have a displayName and probably that we should skip over this group, but it’s still some interesting results. Thanks!
Edit: for reference, here is an example for our ms 365 group:
```
found: models.Group{
    DirectoryObject: models.DirectoryObject{
        Entity: models.Entity{
            backingStore: &store.InMemoryBackingStore{
                returnOnlyChangedValues: false,
                initializationCompleted: true,
                store: map[string]interface {}{
                    \"description\": &\"This is the MS 365 group\",
                    \"securityEnabled\": &true,
                    \"groupTypes\": []string{
                        \"Unified\",
                    },
                    \"mailNickname\": &\"MS-365-group\",
                    \"additionalData\": map[string]interface {}{
                        \"resourceProvisioningOptions\": []interface {}{},
                        \"creationOptions\": []interface {}{},
                        \"resourceBehaviorOptions\": []interface {}{},
                    },
                    \"proxyAddresses\": []string{
                        \"SMTP:MS-365-group@something.onmicrosoft.com\",
                    },
                    \"createdDateTime\": &(unexported time.Time),
                    \"securityIdentifier\": &\"S-1-12-1-999999999-999999999-999999999-999999999\",
                    \"renewedDateTime\": &(unexported time.Time),
                    \"mail\": &\"MS-365-group@something.onmicrosoft.com\",
                    \"id\": &\"aaaaaaaaa-zzzz-zzzz-zzzz-aaaaaaaaa\",
                    \"visibility\": &\"Private\",
                    \"onPremisesProvisioningErrors\": []models.OnPremisesProvisioningErrorable{},
                    \"odataType\": &\"#microsoft.graph.group\",
                    \"displayName\": &\"MS-365-group\",
                    \"serviceProvisioningErrors\": []models.ServiceProvisioningErrorable{},
                    \"mailEnabled\": &true,
                },
                subscribers: map[string]store.BackingStoreSubscriber{},
                changedValues: map[string]bool{
                    \"groupTypes\": true,
                    \"serviceProvisioningErrors\": true,
                    \"proxyAddresses\": true,
                    \"description\": true,
                    \"securityEnabled\": true,
                    \"onPremisesProvisioningErrors\": true,
                    \"mailNickname\": true,
                    \"displayName\": true,
                    \"mailEnabled\": true,
                    \"mail\": true,
                    \"id\": true,
                    \"visibility\": true,
                    \"additionalData\": true,
                    \"securityIdentifier\": true,
                    \"renewedDateTime\": true,
                    \"createdDateTime\": true,
                    \"odataType\": true,
                },
            },
        },
    },
}
```
sudo snap info authd-msentraid
name: authd-msentraid
summary: MSEntra ID broker for authd
publisher: Canonical✓
store-url: https://snapcraft.io/authd-msentraid
license: GPL-3.0
description: |
This is the MS Entra ID broker snap for authd to provide MS Entra ID OIDC based authentication on
Ubuntu with authd.
services:
authd-msentraid: simple, enabled, active
snap-id: vS3oJLMss6lgWwoFcPqYDUA2HB20I1Dc
tracking: 0.x/edge
refresh-date: today at 06:07 PDT
channels:
0.x/stable: 0.1 2024-07-18 (10) 17MB -
0.x/candidate: ↑
0.x/beta: ↑
0.x/edge: 0.1 2024-07-23 (23) 17MB -
installed: 0.1 (23) 17MB -
Yep, you're right, displayName isn't showing up. Here's the output:
2024-07-23T06:08:41.686002-07:00 ubuntu-test authd-msentraid.authd-msentraid[76719]: time=2024-07-23T06:08:41.685-07:00 level=WARN msg="Could not get displayName from group object (ID: \"b3f0157d-4320-4bb5-9fa1-865d8a92e5d3\")
found: models.Group{
DirectoryObject: models.DirectoryObject{
Entity: models.Entity{
backingStore: &store.InMemoryBackingStore{
returnOnlyChangedValues: false,
initializationCompleted: true,
store: map[string]interface {}{
\"serviceProvisioningErrors\": []models.ServiceProvisioningErrorable{},
\"onPremisesProvisioningErrors\": []models.OnPremisesProvisioningErrorable{},
\"additionalData\": map[string]interface {}{
\"resourceBehaviorOptions\": []interface {}{},
\"resourceProvisioningOptions\": []interface {}{},
\"creationOptions\": []interface {}{},
},
\"odataType\": &\"#microsoft.graph.group\",
\"groupTypes\": []string{},
\"id\": &\"b3f0157d-4320-4bb5-9fa1-865d8a92e5d3\",
\"proxyAddresses\": []string{},
},
subscribers: map[string]store.BackingStoreSubscriber{},
changedValues: map[string]bool{
\"odataType\": true,
\"groupTypes\": true,
\"id\": true,
\"proxyAddresses\": true,
\"serviceProvisioningErrors\": true,
\"onPremisesProvisioningErrors\": true,
\"additionalData\": true,
},
},
},
},
}
I should mention, if I use az ad group show --group <ID>, the displayName comes through.
Speaking of skipping over groups, is it possible to include some way to set groups to ignore via /var/snap/authd-msentraid/current/broker.conf? Maybe by ID?
So, we tried hard to replicate it with our current setup without any success…
The only way we were able to reproduce this is by removing the GroupMember.Read.All permission on the application (or by removing the admin consent). Then, we can still iterate over groups from the API, but with the same set of fields as the one you show above.
That would explain the difference with the ad command too, which should have a great set of permissions.
Can you double check the permission is granted with admin consent (https://github.com/ubuntu/authd/wiki/03---Configuration#entra-id-configuration), or that you don’t have any other filtering blocking this permission?
On skipping groups, it seems that there may be ways to do that in Azure AD directly, or even only listing groups assigned to the application, which seems to be easier to configure for the admin. We will investigate that.
Ahhh, that's it. I used the Application permissions version of GroupMember.Read.All, not the Delegated permissions version of GroupMember.Read.All.
Original settings:
Removed:
Correct settings:
Should I submit a feature request for the group stuff? How about a request for documentation on migrating off the PPA? I appreciate all the assistance. Thank you for your patience while helping with this!
Excellent news! FYI, we merged yesterday some additional calls so that the "permission denied" can be explicitly returned as an error. We then won’t loop on those weird empty groups yet.
About the group filtering, it’s something we will look at, but as said in the previous comment, this is probably only documentation on how to do that on the Azure AD side.
It’s really too early to talk about migrating off the PPA, this documentation will come when this pre-release is mature enough for this :)
Do not hesitate if you experience anything suspicious. We’ll report here when we cut another release of authd in the ppa and when you should switch again to the 0.x/stable channel for the snap to not live in a more tested ground :)
I’m thus closing this bug!
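The failure mode discussed above (the API still lists the groups, but each one comes back as a stub with only id, odataType and empty collections, and no displayName, when GroupMember.Read.All is not granted as a delegated permission with admin consent) and the fix the maintainers describe (returning the permission problem explicitly instead of looping over the empty groups) can be checked with a small Go routine. This is an added example, not authd's own code: the graphGroup/memberOfPage types, the GroupNames function and ErrGroupFieldsMissing are hypothetical names, and the two JSON pages are constructed to resemble the objects in the log output above (the identifiers are placeholders, the shape assumes the "value" array that Graph listing endpoints such as /me/memberOf return).

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// graphGroup holds the subset of Microsoft Graph group fields this example
// inspects. Hypothetical type for the example, not authd's models.Group.
type graphGroup struct {
	ODataType   string   `json:"@odata.type"`
	ID          string   `json:"id"`
	DisplayName string   `json:"displayName"`
	GroupTypes  []string `json:"groupTypes"`
}

// memberOfPage is one page of a Graph directory-object listing (the "value"
// array returned by endpoints such as /me/memberOf).
type memberOfPage struct {
	Value []graphGroup `json:"value"`
}

// ErrGroupFieldsMissing is returned when a group comes back as a stub: the id
// is present but displayName is not. In the thread this happened when
// GroupMember.Read.All was added as an application permission instead of a
// delegated permission with admin consent.
var ErrGroupFieldsMissing = errors.New("group object has no displayName; check that GroupMember.Read.All is granted as a delegated permission with admin consent")

// GroupNames decodes a memberOf page and returns the display names of the
// groups in it. A group without displayName is treated as a permission
// problem and reported as an error rather than silently skipped.
func GroupNames(body []byte) ([]string, error) {
	var page memberOfPage
	if err := json.Unmarshal(body, &page); err != nil {
		return nil, fmt.Errorf("decoding memberOf page: %w", err)
	}
	names := make([]string, 0, len(page.Value))
	for _, g := range page.Value {
		// memberOf can also list directoryRole objects; only groups matter here.
		if g.ODataType != "#microsoft.graph.group" {
			continue
		}
		if g.ID == "" {
			return nil, errors.New("group object without id in memberOf page")
		}
		if g.DisplayName == "" {
			return nil, fmt.Errorf("group %s: %w", g.ID, ErrGroupFieldsMissing)
		}
		names = append(names, g.DisplayName)
	}
	return names, nil
}

// Constructed sample pages shaped like the objects in the log output above
// (identifiers are placeholders, not real tenant data).
const fullPage = `{"value":[
  {"@odata.type":"#microsoft.graph.group","id":"aaaaaaaa-0000-0000-0000-000000000001",
   "displayName":"MS-365-group","groupTypes":["Unified"]},
  {"@odata.type":"#microsoft.graph.directoryRole","id":"aaaaaaaa-0000-0000-0000-000000000002",
   "displayName":"Global Reader"}
]}`

// stubPage mirrors what the broker logged with the wrong permission type:
// the group is listed, but without displayName.
const stubPage = `{"value":[
  {"@odata.type":"#microsoft.graph.group","id":"aaaaaaaa-0000-0000-0000-000000000001",
   "groupTypes":[]}
]}`

func main() {
	for _, body := range []string{fullPage, stubPage} {
		names, err := GroupNames([]byte(body))
		if errors.Is(err, ErrGroupFieldsMissing) {
			fmt.Println("permission problem:", err)
			continue
		}
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println("groups:", names)
	}
}
```

Run against the first page it returns just the group name (the directoryRole entry is skipped); against the second it returns ErrGroupFieldsMissing for the stub, which is the signal to go back to the Entra ID application's API permissions rather than to keep iterating over empty groups.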
@callanova Ok, we started to look at filtering groups. It’s not clear how Entra ID admins would do that, as there seem to be multiple avenues for it.
We prefer to avoid any broker-side filtering, as this means potentially looking up groups, having to update them in the configuration and deploying a remote one here.
Do you mind thus opening a bug report with this feature request, so that we collect more feedback on the ideal ways of filtering groups?
Thanks a lot!
This is still an issue:
OK, switching to --edge worked.
Is there an existing issue for this?
Describe the issue
After going through the setup process at https://github.com/ubuntu/authd/wiki/01---Get-started-with-authd and attempting to log in on an Ubuntu 24.04 Desktop install, I see one of three behaviors. The first is it waits a little bit and returns to the general login page with the local user and the "Not listed?" option. The second is it waits a little bit, returns to the select-the-broker screen, and then goes back to the general login page with the local user and the "Not listed?" option. The third (albeit rare) behavior is it shows the following error message: "could not authenticate user: oauth2: "invalid_client" "AADSTS700218: The request body must contain the following" I’m not able to see the last line; for whatever reason it seems to be cut off.
Is there any chance you could expand on what the “Client credentials” or web “Redirect URIs” are configured as at [03 Configuration · ubuntu/authd Wiki · GitHub](https://github.com/ubuntu/authd/wiki/03---Configuration)? I tried setting the web Redirect URI as http://localhost/, however, it doesn’t seem to make a difference compared to leaving it blank.
What I expected to happen: After authentication at https://microsoft.com/devicelogin, it should prompt to create a local password.
Steps to reproduce it
Follow the steps at https://github.com/ubuntu/authd/wiki/01---Get-started-with-authd. When completing "Entra ID configuration", set up a generic secret, configure a Web redirect URI for http://localhost or leave it blank, and leave "Implicit grant and hybrid flows" unselected. Attempt login following https://github.com/ubuntu/authd/wiki/04---Usage and use the device login option.
Ubuntu users: System information and logs
sudo ubuntu-bug authd --save=/tmp/report.txt
*** Collecting problem information
The collected information can be sent to the developers to improve the application. This might take a few minutes. ..
*** Problem in authd
The problem cannot be reported:
This does not seem to be an official Ubuntu package. Please retry after updating the indexes of available packages, if that does not work then remove related third party packages and try again.
Press any key to continue...
No pending crash reports. Try --help for more information.
Non Ubuntu users: System information and logs
Environment (/etc/os-release):
Log files
Please redact/remove sensitive information:
Application settings
Please redact/remove sensitive information:
Relevant information
No response
Double check your logs