ubuntu / authd

Authentication daemon for external Brokers
GNU Lesser General Public License v3.0

Login fails with "could not access user's groups: Insufficient privileges to complete the operation" #450

Open saltstack-admin opened 3 months ago

saltstack-admin commented 3 months ago

Is there an existing issue for this?

Describe the issue

Hello,

I installed on a new system Ubuntu 24.04 and followed the documentation here: https://github.com/ubuntu/authd/wiki/01---Get-started-with-authd

I checked the configuration with our MS Admins multiple times, but nonetheless I always get this error: could not get user info: could not fetch user info: could not get user groups: Insufficient privileges to complete the operation.

Where does the issue happen

Steps to reproduce it

1) Install Ubuntu 24.04
2) Follow the documentation: https://github.com/ubuntu/authd/wiki/01---Get-started-with-authd
3) Log in through GDM or login; a QR code and an Auth code are displayed
4) Navigate to microsoft.com/devicelogin, enter the Auth code, log in with the MS Entra ID user and lastly press "register"
5) After pressing register, the website microsoft.com/devicelogin reports a successful login
6) On GDM the window with the QR code closes itself and goes back to the user selection screen; the command "login" shows the error: could not get user info: could not fetch user info: could not get user groups: Insufficient privileges to complete the operation.

System information and logs

Environment

Log files

Aug 05 12:46:02 myhost.my.domain authd-pam[40858]: adapter.userSelected{username:"my.user@my.domain"}
Aug 05 12:46:02 myhost.my.domain authd-pam[40858]: adapter.supportedUILayoutsReceived{layouts:[]*authd.UILayout{(*authd.UILayout)(0xc00039c000), (*authd.UILayout)(0xc00039c070), (*authd.UILayout)(0xc00039c0e0)}}
Aug 05 12:46:02 myhost.my.domain authd-pam[40858]: adapter.UsernameOrBrokerListReceived{}
Aug 05 12:46:02 myhost.my.domain authd-pam[40858]: adapter.GetAuthenticationModesRequested{}
Aug 05 12:46:02 myhost.my.domain authd[38369]: DEBUGgithub.com/ubuntu/authd/internal/log/log.go:53 github.com/ubuntu/authd/internal/log.init.logFuncAdapter.func1() Check if this grpc call is requested by root
Aug 05 12:46:02 myhost.my.domain authd-pam[40858]: adapter.brokersListReceived{brokers:[]*authd.ABResponse_BrokerInfo{(*authd.ABResponse_BrokerInfo)(0xc00058e050), (*authd.ABResponse_BrokerInfo)(0xc00058e230)}}
Aug 05 12:46:02 myhost.my.domain authd-pam[40858]: adapter.UsernameOrBrokerListReceived{}
Aug 05 12:46:02 myhost.my.domain authd[38369]: DEBUGgithub.com/ubuntu/authd/internal/log/log.go:53 github.com/ubuntu/authd/internal/log.init.logFuncAdapter.func1() Check if this grpc call is requested by root
Aug 05 12:46:02 myhost.my.domain authd[38369]: DEBUGgithub.com/ubuntu/authd/internal/log/log.go:53 github.com/ubuntu/authd/internal/log.init.logFuncAdapter.func1() User "my.user@my.domain" is unknown
Aug 05 12:46:02 myhost.my.domain authd-pam[40858]: adapter.ChangeStage{Stage:1}
Aug 05 12:46:03 myhost.my.domain authd-pam[40858]: adapter.brokerSelected{brokerID:"1234567890"}
Aug 05 12:46:03 myhost.my.domain authd-pam[40858]: adapter.BrokerSelected{BrokerID:"1234567890"}
Aug 05 12:46:03 myhost.my.domain authd[38369]: DEBUGgithub.com/ubuntu/authd/internal/log/log.go:53 github.com/ubuntu/authd/internal/log.init.logFuncAdapter.func1() Check if this grpc call is requested by root
Aug 05 12:46:03 myhost.my.domain authd-pam[40858]: adapter.SessionStarted{brokerID:"1234567890", sessionID:"1234567890-12345678-1234-1234-1234-12345678901", encryptionKey:"MIIBIThisIsAKey"
Aug 05 12:46:03 myhost.my.domain authd-pam[40858]: adapter.GetAuthenticationModesRequested{}
Aug 05 12:46:03 myhost.my.domain authd[38369]: DEBUGgithub.com/ubuntu/authd/internal/log/log.go:53 github.com/ubuntu/authd/internal/log.init.logFuncAdapter.func1() Check if this grpc call is requested by root
Aug 05 12:46:03 myhost.my.domain authd-pam[40858]: authModes[id:"device_auth" label:"Device Authentication"]
Aug 05 12:46:03 myhost.my.domain authd-pam[40858]: adapter.authModesReceived{authModes:[]*authd.GAMResponse_AuthenticationMode{(*authd.GAMResponse_AuthenticationMode)(0xc000024be0)}}
Aug 05 12:46:03 myhost.my.domain authd-pam[40858]: adapter.authModeSelected{id:"device_auth"}
Aug 05 12:46:03 myhost.my.domain authd-pam[40858]: adapter.AuthModeSelected{ID:"device_auth"}
Aug 05 12:46:03 myhost.my.domain authd[38369]: DEBUGgithub.com/ubuntu/authd/internal/log/log.go:53 github.com/ubuntu/authd/internal/log.init.logFuncAdapter.func1() Check if this grpc call is requested by root
Aug 05 12:46:03 myhost.my.domain authd-pam[40858]: adapter.UILayoutReceived{layout:(*authd.UILayout)(0xc0001d7ab0)}
Aug 05 12:46:03 myhost.my.domain authd-pam[40858]: adapter.ChangeStage{Stage:3}
Aug 05 12:46:03 myhost.my.domain authd-pam[40858]: adapter.isAuthenticatedRequested{item:(*authd.IARequest_AuthenticationData_Wait)(0xc00037f600)}
Aug 05 12:46:03 myhost.my.domain authd-pam[40858]: adapter.isAuthenticatedRequestedSend{isAuthenticatedRequested:adapter.isAuthenticatedRequested{item:(*authd.IARequest_AuthenticationData_Wait)(0xc00037f600)}, ctx:(*context.cancelCtx)(0xc0001286e0)}
Aug 05 12:46:03 myhost.my.domain authd[38369]: DEBUGgithub.com/ubuntu/authd/internal/log/log.go:53 github.com/ubuntu/authd/internal/log.init.logFuncAdapter.func1() Check if this grpc call is requested by root
Aug 05 12:46:45 myhost.my.domain authd-pam[40858]: adapter.isAuthenticatedResultReceived{access:"denied", challenge:"", msg:"{\"message\":\"could not get user info: could not fetch user info: could not get user groups: Insufficient privileges to complete the operation.\"}"}
Aug 05 12:46:45 myhost.my.domain authd-pam[40858]: adapter.pamError{status:7, msg:"could not get user info: could not fetch user info: could not get user groups: Insufficient privileges to complete the operation."}
Aug 05 12:46:45 myhost.my.domain authd-pam[40858]: adapter.SessionEnded{}
Aug 05 12:46:45 myhost.my.domain authd[38369]: DEBUGgithub.com/ubuntu/authd/internal/log/log.go:53 github.com/ubuntu/authd/internal/log.init.logFuncAdapter.func1() Check if this grpc call is requested by root
Aug 05 12:46:45 myhost.my.domain authd-pam[40858]: AUTH: exiting with error Authentication failure: could not get user info: could not fetch user info: could not get user groups: Insufficient privileges to complete the operation.
Aug 05 12:46:47 myhost.my.domain login[40854]: FAILED LOGIN (1) on '/dev/pts/1' FOR 'UNKNOWN', Authentication failure

Authd entries:

journalctl -u authd.service

MS Entra ID broker entries:

Aug 05 12:58:43 myhost.my.domain systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
Aug 05 12:58:44 myhost.my.domain authd-msentraid.authd-msentraid[43308]: time=2024-08-05T12:58:44.019Z level=INFO msg="No configuration file: Config File \"authd-msentraid\" Not Found in \"[/var/snap/authd-msentraid/10 /root/snap/authd-msentraid/10 /etc/authd-msentraid /snap/authd-msentraid/10/bin]\".\nWe will only use the defaults, env variables or flags."
Aug 05 12:58:44 myhost.my.domain authd-msentraid.authd-msentraid[43308]: time=2024-08-05T12:58:44.019Z level=DEBUG msg="Debug mode is enabled"
Aug 05 12:58:44 myhost.my.domain authd-msentraid.authd-msentraid[43308]: time=2024-08-05T12:58:44.327Z level=DEBUG msg="Building new daemon"
Aug 05 12:58:44 myhost.my.domain authd-msentraid.authd-msentraid[43308]: time=2024-08-05T12:58:44.327Z level=DEBUG msg="Starting to serve requests"
Aug 05 12:58:44 myhost.my.domain authd-msentraid.authd-msentraid[43308]: time=2024-08-05T12:58:44.327Z level=INFO msg="Serving requests as com.ubuntu.authd.MSEntraID"

Application settings

???

Broker configuration:

[oidc]
issuer = https://login.microsoftonline.com/1234567890-12345678-1234-1234-1234-12345678901/v2.0
client_id = 12345678-1234-1234-1234-123456789012

[users]
home_base_dir =/home

Broker authd configuration:

[authd]
name = Microsoft Entra ID
brand_icon = /snap/authd-msentraid/current/broker_icon.png
dbus_name = com.ubuntu.authd.MSEntraID
dbus_object = /com/ubuntu/authd/MSEntraID

Relevant information

No response


didrocks commented 3 months ago

Hey! Thanks for the detailed bug report. It seems that you can’t list groups from your application.

Seeing Insufficient privileges to complete the operation.: are you sure you followed those steps in particular? You need to ensure that you give the application the correct API permission (delegated through the admin, not the application ones).

saltstack-admin commented 3 months ago

Hello,

That is the problem: before I created the issue, we triple-checked our configuration. Our application registration has permissions for "Microsoft Graph" with "GroupMember.Read.All", "openid" and "User.Read" as type "Delegated". We fulfilled the "Admin consent required" too. In Manage->Authentication->Advanced Settings we changed the slider for "Allow public client flows" to yes.

I will try to request screenshots from our MS Admins.

didrocks commented 3 months ago

Yes, sounds good to me (and we can’t really check that client side apart from getting failure when listing groups, which is what we do). Please get some screenshots on those config, just in case.

saltstack-admin commented 3 months ago

Hi,

I got screenshots from our MS Admins. Picture 1 shows the API permissions and picture 2 shows the authentication permissions. 2024-08-07-EntraID1 2024-08-07-EntraID2

didrocks commented 3 months ago

I see that your IS department also added the application type permission for GroupMember.Read.All, which shouldn’t be necessary.

I wonder if that would cause a clash for you. There is only a limited chance that this is the cause, but removing it would be a good first step.

Also, do you know of other admin restrictions on group listing that your organization could have set? All the rest of the configuration seems correct to me.

Also, when you get the authentication screen in your web browser, which permission requests are listed?

saltstack-admin commented 3 months ago

I forwarded your suggestion and your question to our MS Admins.

About your last question: I do not get any requested permissions? The documentation does not have screenshots for comparison.

I always get a login screen with 6 steps, translated:

  1. Please provide the authentication code displayed below the QR code
  2. Select the user you want to login with and I select my.user@my.domain
  3. Please provide the password for my.user@my.domain
  4. Please verify the 2FA
  5. Do you really want to register the system against this "application registration"? I click on "next"
  6. You have successfully registered against the "application registration"

After that the GDM lock screen flashes once and reverts to the user selection.

2024-08-07 09_55_16-Login1 2024-08-07 09_55_44-Login2 2024-08-07 09_55_54-Login3 2024-08-07 09_56_15-Login4 2024-08-07 09_56_27-Login5 2024-08-07 09_56_36-Login6

didrocks commented 3 months ago

You are right, contrary to other providers, MSEntraID doesn’t show the admin approved delegated permissions to the user. So, that doesn’t help us that much on the debugging front.

You are using the stable version of the snap, correct? Do you mind switching to edge? We changed the logic slightly there (at least, it may give us better logs from the broker).

ebashcobaltix commented 3 months ago

Facing exact same issue

saltstack-admin commented 3 months ago

You are right, contrary to other providers, MSEntraID doesn’t show the admin approved delegated permissions to the user. So, that doesn’t help us that much on the debugging front.

You are using the stable version of the snap, correct? Do you mind switching to edge? We changed the logic slightly there (at least, it may give us better logs from the broker).

Well, the last attempts and the logs I provided were made with the edge version. Is there an even more experimental version that you want me to install?

didrocks commented 3 months ago

We can’t reproduce the issue here. There is no additional debugging that could help after searching the documentation. The thing I’m surprised about, as you are using the edge channel, is that I don’t find any trace of that error string: https://github.com/ubuntu/authd-oidc-brokers/blob/main/internal/providers/msentraid/msentraid.go#L104, which would be the direct error from the additional check calls we added there.

From the MS Entra ID documentation related to that issue, it seems that it’s really linked to permission issues. Did you get any feedback from your IT department to ensure that the app permission is deleted and only the delegated ones are available? They should check whether anything could prevent the application from listing the groups that the current user is a member of.

didrocks commented 3 months ago

Facing exact same issue

Can you re-export your logs? Sometimes the issues look the same but the root cause is different. Either reporting another bug (which we can mark as a duplicate) or posting all the requested logs here will help. Thank you so much!

saltstack-admin commented 3 months ago

We can’t reproduce the issue here. There is no additional debugging that could help after searching the documentation. The thing I’m surprised about, as you are using the edge channel, is that I don’t find any trace of that error string: https://github.com/ubuntu/authd-oidc-brokers/blob/main/internal/providers/msentraid/msentraid.go#L104, which would be the direct error from the additional check calls we added there.

From the MS Entra ID documentation related to that issue, it seems that it’s really linked to permission issues. Did you get any feedback from your IT department to ensure that the app permission is deleted and only the delegated ones are available? They should check whether anything could prevent the application from listing the groups that the current user is a member of.

I got an answer from our MS Admins and they see only one suspicious log message:

Sign-in error code: 50199
Failure reason: For security reasons, user confirmation is required for this request. Please repeat the request allowing user interaction.
This is a security feature that helps prevent spoofing attacks. This occurs because a system webview has been used to request a token for a native application.
To avoid this prompt, the redirect URI should be part of the following safe list:
http://
https://
chrome-extension:// (desktop Chrome browser only)

namato1 commented 3 months ago

Seeing a similar issue. Will grab logs and upload

myname101us commented 3 months ago

I also have this issue. Oddly, it works for some users and not others. Syslog is showing that it IS case sensitive. I am only seeing minor inconsistencies between users within Graph. Can confirm that no Conditional Access policies are stopping login. AuthD showing in syslog that it can't retrieve user info or groups.

taspanja commented 3 months ago

Hey guys,

Same issue here, I guess. Below are my logs from GNOME Shell (from the terminal); I am still getting the same issue: could not get user info: could not fetch user info: could not get user groups: Insufficient privileges to complete the operation.

Gnome Shell Log

Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 38 with keysym 38 (keycode 11).
Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 31 with keysym 31 (keycode a).
Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 32 with keysym 32 (keycode b).
Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 33 with keysym 33 (keycode c).
Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 36 with keysym 36 (keycode f).
Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 33 with keysym 33 (keycode c).
Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 35 with keysym 35 (keycode e).
Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 39 with keysym 39 (keycode 12).
Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 31 with keysym 31 (keycode a).
Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 35 with keysym 35 (keycode e).
Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 37 with keysym 37 (keycode 10).
Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 38 with keysym 38 (keycode 11).
Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 34 with keysym 34 (keycode d).
Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 32 with keysym 32 (keycode b).
Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 39 with keysym 39 (keycode 12).
Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 37 with keysym 37 (keycode 10).
Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 34 with keysym 34 (keycode d).
Aug 26 13:20:29 test-Latitude-7400 gnome-shell[44007]: Window manager warning: Overwriting existing binding of keysym 36 with keysym 36 (keycode f).
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[44007]: GNOME Shell started at Mon Aug 26 2024 13:20:28 GMT+0200 (Central European Summer Time)
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[44007]: Registering session with GDM
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[44007]: Launching DING process
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[43142]: Connection to xwayland lost
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[43142]: Xwayland terminated, exiting since it was mandatory
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[43142]: Lost or failed to acquire name org.gnome.Mutter.ServiceChannel
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[44007]: Gio.UnixInputStream has been moved to a separate platform-specific library. Please update your code to use GioUnix.InputStream instead.
                                                       0 spawnv() ["file:///usr/share/gnome-shell/extensions/ding@rastersoft.com/extension.js":517:76]
                                                       1 launchDesktop() ["file:///usr/share/gnome-shell/extensions/ding@rastersoft.com/extension.js":435:37]
                                                       2 innerEnable/this.data.dbusConnectionId<() ["file:///usr/share/gnome-shell/extensions/ding@rastersoft.com/extension.js":251:17]
                                                       3 anonymous() ["resource:///org/gnome/shell/ui/init.js":21:19]
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[44007]: DING: Detected async api for thumbnails
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[44007]: DING: (gjs:44613): Gjs-WARNING **: 13:20:30.856: GLib.unix_signal_add has been moved to a separate platform-specific library. Please update your code to use GLibUnix.signal_add instead.
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[44007]: DING: 0 DesktopManager() ["/usr/share/gnome-shell/extensions/ding@rastersoft.com/app/desktopManager.js":263:12]
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[44007]: DING: 1 anonymous() ["/usr/share/gnome-shell/extensions/ding@rastersoft.com/app/ding.js":180:25]
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[44007]: DING: 2 anonymous() ["/usr/share/gnome-shell/extensions/ding@rastersoft.com/app/ding.js":197:20]
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[44007]: DING: 3 <TOP LEVEL> ["/usr/share/gnome-shell/extensions/ding@rastersoft.com/app/ding.js":206:12]
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[44007]: DING: ** Message: 13:20:30.906: Connecting to org.freedesktop.Tracker3.Miner.Files
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[44007]: DING: GNOME nautilus 46.2
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[44007]: DING: DBus interface for Switcheroo control (net.hadess.SwitcherooControl) is now available.
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[44007]: DING: DBus interface for Nautilus (org.gnome.Nautilus.FileOperations2) is now available.
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[44007]: DING: DBus interface for Nautilus (org.freedesktop.FileManager1) is now available.
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[44007]: DING: DBus interface for Gvfs daemon (org.gtk.vfs.Metadata) is now available.
Aug 26 13:20:30 test-Latitude-7400 gnome-shell[44007]: Received notification for window. 0 notifications remaining.
Aug 26 13:20:33 test-Latitude-7400 gnome-shell[44007]: Received error from D-Bus search provider org.gnome.Terminal.desktop: Gio.IOErrorEnum: Cannot invoke method; proxy is for the well-known name org.gnome.Terminal without an owner, and proxy was constructed with the G_DBUS_PROXY_FLAGS_DO_NOT_AUTO_START flag
Aug 26 13:20:33 test-Latitude-7400 gnome-shell[44007]: Received error from D-Bus search provider org.gnome.Terminal.desktop: Gio.IOErrorEnum: Cannot invoke method; proxy is for the well-known name org.gnome.Terminal without an owner, and proxy was constructed with the G_DBUS_PROXY_FLAGS_DO_NOT_AUTO_START flag
Aug 26 13:20:33 test-Latitude-7400 gnome-shell[44007]: Received error from D-Bus search provider org.gnome.Terminal.desktop: Gio.IOErrorEnum: Cannot invoke method; proxy is for the well-known name org.gnome.Terminal without an owner, and proxy was constructed with the G_DBUS_PROXY_FLAGS_DO_NOT_AUTO_START flag
Aug 26 13:20:34 test-Latitude-7400 gnome-shell[44007]: Received error from D-Bus search provider org.gnome.Terminal.desktop: Gio.IOErrorEnum: Cannot invoke method; proxy is for the well-known name org.gnome.Terminal without an owner, and proxy was constructed with the G_DBUS_PROXY_FLAGS_DO_NOT_AUTO_START flag
Aug 26 13:20:34 test-Latitude-7400 gnome-shell[44007]: Received error from D-Bus search provider org.gnome.Terminal.desktop: Gio.IOErrorEnum: Cannot invoke method; proxy is for the well-known name org.gnome.Terminal without an owner, and proxy was constructed with the G_DBUS_PROXY_FLAGS_DO_NOT_AUTO_START flag
Aug 26 13:20:47 test-Latitude-7400 gnome-shell[44007]: meta_window_set_stack_position_no_sync: assertion 'window->stack_position >= 0' failed
Aug 26 13:20:50 test-Latitude-7400 gnome-shell[44007]: Error in size change accounting.
Aug 26 13:21:03 test-Latitude-7400 gnome-shell[44007]: Error in size change accounting.

adombeck commented 2 months ago

Quick update: We believe that this issue is fixed via https://github.com/ubuntu/authd-oidc-brokers/pull/135. The fixed version is currently only available on the edge channel of the authd-msentraid snap. It would help us if you could try it out and report if it fixes the issue for you. If you do so, please switch back to the stable channel afterwards (because we use the edge channel for development and testing and can't guarantee that it's always compatible with the latest released version of authd).

divgo commented 2 months ago

I was experiencing this same issue with the failure to read groups, and per the last comment, I updated to the edge channel to test the new fix, which resulted in a new error stating that it cannot validate the user info (forgot to copy the exact error).

I went back into EntraID and adjusted the permissions on the App Registration as follows: EntraIDBroker

Which are CLEARLY excessive, BUT: once I made these changes and Granted Consent, my next attempt at logging in resulted in the following:

| == Qr Code authentication (use 'r' to go back) ==
| 1 - Wait for the QR code scan result
| 2 - Request new login code
| Select action: 1
| Insert 'r' to cancel the request and go back
| Create a local password:
| Repeat the previously inserted password or insert 'r' to cancel the request a
> nd go back
| Create a local password:
End of keyboard-interactive prompts from server
Creating directory '/home/test@XXXXX.com'.
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-1014-azure x86_64)

Now that this is working, I went back and checked the logs for the EntraID broker and found this:

Sep 15 13:12:24 server-sftp01 authd-msentraid.authd-msentraid[12045]: time=2024-09-15T13:12:24.538Z level=INFO msg="Serving requests as com.ubuntu.authd.MSEntraID"
Sep 15 13:20:13 server-sftp01 authd-msentraid.authd-msentraid[12045]: time=2024-09-15T13:20:13.185Z level=WARN msg="**missing required scopes: User.Read**"
Sep 15 13:20:13 server-sftp01 authd-msentraid.authd-msentraid[12045]: time=2024-09-15T13:20:13.973Z level=ERROR msg="could not get user info: failed to get user groups: Insufficient privileges to complete the operation."

So, it looks like that one specific Permission was the missing one, not all those other ones I added.

Hope this helps other people.

adombeck commented 2 months ago

@divgo: Please change the permissions to exactly those which are listed in https://github.com/ubuntu/authd/wiki/03---How%E2%80%90to-configure (i.e. User.Read, GroupMember.Read.All, and openid - remove any other permissions) and try again. If that fails with a different error than "could not access user's groups: Insufficient privileges to complete the operation", please open a new issue and fill out the issue template with the logs. Thanks!

saltstack-admin commented 2 months ago

Quick update: We believe that this issue is fixed via ubuntu/authd-oidc-brokers#135. The fixed version is currently only available on the edge channel of the authd-msentraid snap. It would help us if you could try it out and report if it fixes the issue for you. If you do so, please switch back to the stable channel afterwards (because we use the edge channel for development and testing and can't guarantee that it's always compatible with the latest released version of authd).

I switched to the edge channel, refreshed and restarted the snap. After clicking through all the windows I still get the error with the insufficient privileges.

The logs show only two new lines:

Sep 16 13:55:44 myhost.my.domain authd-msentraid.authd-msentraid[8004]: time=2024-09-16T13:55:44.327Z level=WARN msg="missing required scopes: GroupMember.Read.All, User.Read"
Sep 16 13:35:44 myhost.my.domain authd-msentraid.authd-msentraid[8004]: time=2024-09-16T13:55:44.327Z level=ERROR msg="could not get user into: the Microsoft Entra ID app is missing the GroupMember.Read.All permission"

adombeck commented 2 months ago

@saltstack-admin: Thanks for reporting back!

Sep 16 13:55:44 myhost.my.domain authd-msentraid.authd-msentraid[8004]: time=2024-09-16T13:55:44.327Z level=WARN msg="missing required scopes: GroupMember.Read.All, User.Read"
Sep 16 13:35:44 myhost.my.domain authd-msentraid.authd-msentraid[8004]: time=2024-09-16T13:55:44.327Z level=ERROR msg="could not get user into: the Microsoft Entra ID app is missing the GroupMember.Read.All permission"

So the access token that the authd broker receives after authentication doesn't have the GroupMember.Read.All and User.Read permissions. Could you double check that the Microsoft Entra app that's configured in /var/snap/authd-msentraid/current/broker.conf has those permissions and the admin consent was granted?

saltstack-admin commented 2 months ago

I asked my colleagues, they said yes and provided me this screenshot: image

adombeck commented 2 months ago

@saltstack-admin: Did you also double check that the app in that screenshot is the one that's configured via the client_id option in /var/snap/authd-msentraid/current/broker.conf?
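The two checks adombeck asks for above (does the access token actually carry the required delegated scopes, and does the app in the admin's screenshot match the `client_id` in `/var/snap/authd-msentraid/current/broker.conf`) can be reproduced offline. The following is an added example, not code from this issue or from authd or the authd-msentraid broker: it reads `client_id` from a broker.conf laid out like the one the reporter pasted, decodes the payload of a Microsoft Graph access token without verifying its signature, and reports which of the Graph permissions named in the wiki (`User.Read`, `GroupMember.Read.All`) are absent from the token's `scp` claim and whether the token's `appid` (v1) or `azp` (v2) claim matches the configured app. The broker.conf text and both tokens are constructed placeholders; the function and variable names are mine.

```python
import base64
import configparser
import json

# Constructed broker.conf text mirroring the layout shown in the issue.
# Tenant and app identifiers are placeholders, not real values.
BROKER_CONF = """\
[oidc]
issuer = https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0
client_id = 12345678-1234-1234-1234-123456789012

[users]
home_base_dir = /home
"""

# Delegated Microsoft Graph permissions the authd wiki asks for on the app registration.
REQUIRED_SCOPES = {"User.Read", "GroupMember.Read.All"}


def load_client_id(conf_text: str) -> str:
    """Read [oidc] client_id from broker.conf-style INI text."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp["oidc"]["client_id"]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.
    Diagnostic only: this tells you what the token claims, not whether it is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def missing_scopes(claims: dict) -> list:
    """Required scopes absent from the space-separated 'scp' claim, sorted."""
    granted = set(claims.get("scp", "").split())
    return sorted(REQUIRED_SCOPES - granted)


def app_matches(claims: dict, client_id: str) -> bool:
    """v1 access tokens carry the requesting app id in 'appid', v2 tokens in 'azp'."""
    return claims.get("appid", claims.get("azp")) == client_id


def diagnose(token: str, conf_text: str) -> dict:
    """Combine both checks into one report for a token and a broker.conf."""
    claims = decode_jwt_claims(token)
    return {
        "missing_scopes": missing_scopes(claims),
        "app_matches_broker_conf": app_matches(claims, load_client_id(conf_text)),
    }


def make_test_token(claims: dict) -> str:
    """Build a constructed test token with a placeholder signature segment (hypothetical
    helper for offline demos; real tokens come from the identity provider)."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".constructed-signature"


# Constructed sample tokens: one as expected after admin consent, one as in the failing case.
GOOD_TOKEN = make_test_token({
    "aud": "https://graph.microsoft.com",
    "appid": "12345678-1234-1234-1234-123456789012",
    "scp": "GroupMember.Read.All User.Read",
})
BAD_TOKEN = make_test_token({
    "aud": "https://graph.microsoft.com",
    "appid": "87654321-4321-4321-4321-210987654321",  # a different app than broker.conf
    "scp": "User.Read",
})

if __name__ == "__main__":
    print("good token:", diagnose(GOOD_TOKEN, BROKER_CONF))
    print("bad token: ", diagnose(BAD_TOKEN, BROKER_CONF))
```

For a real troubleshooting session you would paste the access token the broker obtained in place of the constructed ones; a report of `missing_scopes` like `['GroupMember.Read.All']` corresponds to the `missing required scopes` WARN line in the broker log, and `app_matches_broker_conf: False` means the admin granted consent on a different app registration than the one the snap is configured to use.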

saltstack-admin commented 2 months ago

Hi,

@saltstack-admin: Did you also double check that the app in that screenshot is the one that's configured via the client_id option in /var/snap/authd-msentraid/current/broker.conf?

Yes, we did.

Today I had a meeting with our Microsoft admins and we tried the excessive solution from divgo.

We now got a new error and were able to determine that our security policy is blocking all logins from authd. One of our policies enforces that only compliant and known devices are allowed to use the application registration. Well, no Linux device can fulfill these requirements, and Microsoft denies the login.

Our Microsoft admins had the idea to exclude the application registration from this policy, but this is impossible as long as "Allow public client workflows" is enabled. According to the authd documentation this option must be enabled, so a deadlock is created.

If no one has an idea, I will close this issue in a few days, if I don't forget it.

adombeck commented 2 months ago

@saltstack-admin: Thanks for reporting back!

One of our policies enforces that only compliant and known devices are allowed to use the application registration.

That's interesting! Is that a Conditional Access policy? We plan to work on support for Microsoft Entra device registration, so I expect that you will be able to use authd with this policy at some point.

saltstack-admin commented 2 months ago

Yes, our problem is created by a Conditional Access policy.