Open saltstack-admin opened 3 months ago
Hey! Thanks for the detailed bug report. It seems that you can’t list groups from your application.
Seeing Insufficient privileges to complete the operation.
Are you sure you followed those steps in particular? You need to ensure that you give the application the correct API permission (delegated through the admin, not the application ones).
Hello,
that is the problem, before I created the issue, we triple-checked our configuration. Our application registration has permissions for "Microsoft Graph" with "GroupMember.Read.All", "openid" and "User.Read" as type "Delegated". We fulfilled the "Admin consent required" too. In Manage->Authentication->Advanced Settings we changed the slider for "Allow public client flows" to yes.
I will try to request screenshots from our MS Admins.
Yes, sounds good to me (and we can’t really check that client side apart from getting failure when listing groups, which is what we do). Please get some screenshots on those config, just in case.
Hi,
got screenshots from our MS Admins. Picture 1 shows the API permissions and picture 2 shows the authentication permissions.
I see that your IS department also added the application type permission for GroupMember.Read.All, which shouldn’t be necessary.
I wonder if that would cause a clash for you. There is only a limited chance that it is due to this, but removing it would be a good first step.
Also, do you know of other admin restrictions on group listing that your organization could have set? All the rest of the configuration seems correct to me.
Also, when you get the authentication screen in your web browser, which permission requests are listed?
I forwarded your suggestion and your question to our MS Admins.
About your last question: I do not get any requested permissions? The documentation does not have screenshots for comparison.
I always get a login screen with 6 steps, translated:
After that the GDM lock screen flashes once and reverts back to the user selection.
You are right, contrary to other providers, MSEntraID doesn’t show the admin approved delegated permissions to the user. So, that doesn’t help us that much on the debugging front.
You are using the stable version of the snap, correct? Do you mind switching to edge? We changed the logic slightly there (at least, it may give us better logs from the broker).
Well, the last tries and the logs I provided had been made with the edge version.
Is there an even more experimental version, that you want me to install?
We can’t reproduce the issue here. There is no additional debugging that could help after searching the documentation. What I’m surprised about, as you are using the edge channel, is that I don’t find any trace of that error string: https://github.com/ubuntu/authd-oidc-brokers/blob/main/internal/providers/msentraid/msentraid.go#L104, which would be the direct error from the additional check calls we added there.
From the MS Entra ID documentation related to that issue, it seems that it’s really linked to permission issues. Did you get any feedback from your IT department to ensure that the app permission is deleted and only the delegated ones are available? They should look at whether anything could prevent the application from listing the groups that the current user is a member of.
Facing exact same issue
Can you reexport your logs? Sometimes, the issues are the same but the root cause different. Reporting either another bug that we duplicate or printing all requested logs here will help. Thank you so much!
I got an answer from our MS Admins and they saw only one suspicious log message:
Sign-in error code: 50199
Failure reason: For security reasons, user confirmation is required for this request. Please repeat the request allowing user interaction.
This is a security feature that helps prevent spoofing attacks. This occurs because a system webview has been used to request a token for a native application.
To avoid this prompt, the redirect URI should be part of the following safe list:
http://
https://
chrome-extension:// (desktop Chrome browser only)
Seeing a similar issue. Will grab logs and upload
I also have this issue. Oddly, it works for some users and not others. Syslog is showing that it IS case sensitive. I am only seeing minor inconsistencies between users within Graph. Can confirm that no Conditional Access policies are stopping login. AuthD showing in syslog that it can't retrieve user info or groups.
Hey guys,
Same issue here I guess. Below are my logs from gnome-shell, taken from a terminal. I am still getting the same issue: could not get user info: could not fetch user info: could not get user groups: Insufficient privileges to complete the operation.
Quick update: We believe that this issue is fixed via https://github.com/ubuntu/authd-oidc-brokers/pull/135. The fixed version is currently only available on the edge channel of the authd-msentraid snap. It would help us if you could try it out and report if it fixes the issue for you. If you do so, please switch back to the stable channel afterwards (because we use the edge channel for development and testing and can't guarantee that it's always compatible with the latest released version of authd).
I was experiencing this same issue with the failure to read groups, and, per the last comment, I updated to the edge channel to test the new fix, which resulted in a new error stating that it cannot validate the user info (forgot to copy the exact error).
I went back into EntraID and adjusted the permissions on the App Registration as follows:
Which are CLEARLY excessive, BUT: Once I made these changes and Granted Consent, my next attempt at logging in resulted in the following:
| == Qr Code authentication (use 'r' to go back) ==
| 1 - Wait for the QR code scan result
| 2 - Request new login code
| Select action: 1
| Insert 'r' to cancel the request and go back
| Create a local password:
| Repeat the previously inserted password or insert 'r' to cancel the request a
> nd go back
| Create a local password:
End of keyboard-interactive prompts from server
Creating directory '/home/test@XXXXX.com'.
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-1014-azure x86_64)
Now that this is working, I went back and checked the logs for the EntraID broker and found this:
Sep 15 13:12:24 server-sftp01 authd-msentraid.authd-msentraid[12045]: time=2024-09-15T13:12:24.538Z level=INFO msg="Serving requests as com.ubuntu.authd.MSEntraID"
Sep 15 13:20:13 server-sftp01 authd-msentraid.authd-msentraid[12045]: time=2024-09-15T13:20:13.185Z level=WARN msg="**missing required scopes: User.Read**"
Sep 15 13:20:13 server-sftp01 authd-msentraid.authd-msentraid[12045]: time=2024-09-15T13:20:13.973Z level=ERROR msg="could not get user info: failed to get user groups: Insufficient privileges to complete the operation."
So, it looks like that one specific Permission was the missing one, not all those other ones I added.
Hope this helps other people.
@divgo: Please change the permissions to exactly those which are listed in https://github.com/ubuntu/authd/wiki/03---How%E2%80%90to-configure (i.e. User.Read, GroupMember.Read.All, and openid - remove any other permissions) and try again. If that fails with a different error than "could not access user's groups: Insufficient privileges to complete the operation", please open a new issue and fill out the issue template with the logs. Thanks!
I switched to the Edge-Channel, refreshed and restarted the snap. After clicking through all the windows I get still the error with the insufficient privileges.
The logs show only two new lines:
Sep 16 13:55:44 myhost.my.domain authd-msentraid.authd-msentraid[8004]: time=2024-09-16T13:55:44.327Z level=WARN msg="missing required scopes: GroupMember.Read.All, User.Read"
Sep 16 13:35:44 myhost.my.domain authd-msentraid.authd-msentraid[8004]: time=2024-09-16T13:55:44.327Z level=ERROR msg="could not get user into: the Microsoft Entra ID app is missing the GroupMember.Read.All permission"
@saltstack-admin: Thanks for reporting back!
Sep 16 13:55:44 myhost.my.domain authd-msentraid.authd-msentraid[8004]: time=2024-09-16T13:55:44.327Z level=WARN msg="missing required scopes: GroupMember.Read.All, User.Read"
Sep 16 13:35:44 myhost.my.domain authd-msentraid.authd-msentraid[8004]: time=2024-09-16T13:55:44.327Z level=ERROR msg="could not get user into: the Microsoft Entra ID app is missing the GroupMember.Read.All permission"
So the access token that the authd broker receives after authentication doesn't have the GroupMember.Read.All and User.Read permissions. Could you double check that the Microsoft Entra app that's configured in /var/snap/authd-msentraid/current/broker.conf has those permissions and the admin consent was granted?
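As an added illustration of the check behind that warning (this is not the broker's own code): a Microsoft Graph access token issued for delegated permissions carries the granted scopes space-separated in its `scp` claim, while an app-only token carries `roles` instead and no `scp` at all. The diagnostic below decodes a token's payload and lists which of the required scopes are absent; the sample tokens are constructed inline and the signature is deliberately not verified, so it is for reading a token, never for trusting one.

```python
"""Which of the scopes authd-msentraid expects are absent from a Graph token?

Added diagnostic that mirrors the broker's "missing required scopes" warning.
"""
import base64
import json

# Delegated Graph permissions the thread says the Entra app must carry.
# openid is consumed by the OIDC layer itself, so it is not a Graph scope.
REQUIRED_SCOPES = ("GroupMember.Read.All", "User.Read")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Parse the JWT payload WITHOUT verifying the signature.

    Local diagnostic only: it tells you what a token claims to carry and
    must never be used to decide whether the token is trustworthy.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"token has {len(parts)} segments, want 3")
    try:
        return json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass it
        raise ValueError("payload is not base64url-encoded JSON") from exc


def missing_scopes(token: str, required=REQUIRED_SCOPES) -> list:
    """Return the required scopes absent from the token's ``scp`` claim.

    A token minted for application (app-only) permissions has ``roles``
    instead of ``scp``, so it is reported as missing every delegated scope,
    which is exactly what the broker would see in that misconfiguration.
    """
    granted = set(decode_claims(token).get("scp", "").split())
    return [scope for scope in required if scope not in granted]


def sample_token(claims: dict) -> str:
    """Build an unsigned JWT carrying ``claims`` (constructed for this demo
    only; the signature segment is empty because nothing here verifies it)."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc(claims)}.'


if __name__ == "__main__":
    for claims in ({"scp": "openid profile"},
                   {"scp": "GroupMember.Read.All User.Read openid"},
                   {"roles": ["GroupMember.Read.All"]}):
        missing = missing_scopes(sample_token(claims))
        print(claims, "->", "ok" if not missing
              else "missing required scopes: " + ", ".join(missing))
```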
I asked my colleagues, they said yes and provided me this screenshot:
@saltstack-admin: Did you also double check that the app in that screenshot is the one that's configured via the client_id option in /var/snap/authd-msentraid/current/broker.conf?
Hi,
Yes, we did.
Today I had a meeting with our Microsoft admins and we tried the excessive solution from divgo.
We now got a new error and were able to determine that our security policy is blocking all logins from authd. One of our policies enforces that only compliant and known devices are allowed to use the application registration. Well, no Linux device can fulfill these requirements and Microsoft denies the login.
Our Microsoft admins had the idea to exclude the application registration from this policy, but this is impossible as long as "Allow public client workflows" is enabled. According to the documentation of authd this option must be enabled, so a deadlock is created.
If no one has an idea, I will close this issue in a few days, if I don't forget it.
@saltstack-admin: Thanks for reporting back!
One of our policy enforces, that only compliant and known devices are allowed to use the application registration.
That's interesting! Is that a Conditional Access policy? We plan to work on support for Microsoft Entra device registration, so I expect that you will be able to use authd with this policy at some point.
Yes, our problem is created by a Conditional Access policy.
Is there an existing issue for this?
Describe the issue
Hello,
I installed on a new system Ubuntu 24.04 and followed the documentation here: https://github.com/ubuntu/authd/wiki/01---Get-started-with-authd
I checked with our MS Admins multiple times the configuration, but nonetheless I get always this error:
could not get user info: could not fetch user info: could not get user groups: Insufficient privileges to complete the operation.
Where does the issue happen
Steps to reproduce it
1) Install Ubuntu 24.04
2) Follow the documentation: https://github.com/ubuntu/authd/wiki/01---Get-started-with-authd
3) Log in through GDM or login; a QR code and an auth code are displayed
4) Navigate to microsoft.com/devicelogin, enter the auth code, log in with the MS Entra ID user and finally press "register"
5) After pressing register, the website microsoft.com/devicelogin reports a successful login
6) On GDM the window with the QR code closes itself and goes back to the user selection screen; the command "login" shows the error:
could not get user info: could not fetch user info: could not get user groups: Insufficient privileges to complete the operation.
System information and logs
Environment
Log files
Authd entries:
MS Entra ID broker entries:
Application settings
???
Broker configuration:
Broker authd configuration:
Relevant information
No response
Double check your logs