ubuntu / authd

Authentication daemon for external Brokers
GNU Lesser General Public License v3.0

Issue: Home directory owned by incorrect user and group #562

Closed akertis closed 1 month ago

akertis commented 1 month ago

Describe the issue

I was able to authenticate fine with authd, and when I went back to the laptop recently I found I can't launch several apps. It seems the user can't access the snap directory, so Firefox and Edge both crash. The snap directory, for instance, is owned by my user, so I'm confused why it can't access it.

Steps to reproduce

Trying to run firefox in the terminal, you can see the permission denied message. I also confirmed that I can't change to the snap directory. However, if I reset the permissions to the same values with chmod, then I can access the directories.

System information and logs

authd version

authd   0.3.4~ppa3

authd-msentraid broker version

name:      authd-msentraid
summary:   MSEntra ID broker for authd
publisher: Canonical
store-url: https://snapcraft.io/authd-msentraid
license:   GPL-3.0
description: |
  This is the MS Entra ID broker snap for authd  to provide MS Entra ID OIDC
  based authentication on Ubuntu with authd.
services:
  authd-msentraid: simple, enabled, active
snap-id:      vS3oJLMss6lgWwoFcPqYDUA2HB20I1Dc
tracking:     0.x/stable
refresh-date: 15 days ago, at 15:07 EDT
channels:
  0.x/stable:    0.1                 2024-09-16 (44) 17MB -
  0.x/candidate: ^                                        
  0.x/beta:      ^                                        
  0.x/edge:      0.1+4fe9826.0f76acc 2024-09-20 (51) 18MB -
installed:       0.1                            (44) 17MB -

gnome-shell version

gnome-shell:
  Installed: 46.3.1-1ubuntu1~24.04.1
  Candidate: 46.3.1-1ubuntu1~24.04.1
  Version table:
 *** 46.3.1-1ubuntu1~24.04.1 500
        500 https://ppa.launchpadcontent.net/ubuntu-enterprise-desktop/authd/ubuntu noble/main amd64 Packages
        100 /var/lib/dpkg/status
     46.0-0ubuntu6~24.04.5 500
        500 http://us.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
     46.0-0ubuntu6~24.04.3 500
        500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
     46.0-0ubuntu5 500
        500 http://us.archive.ubuntu.com/ubuntu noble/main amd64 Packages

Distribution

Distributor ID: Ubuntu
Description:    Ubuntu 24.04.1 LTS
Release:    24.04
Codename:   noble

Logs

[  676.202757]  systemd[1]: Starting authd.service - Authd daemon service...
[  676.228839]  authd[8223]: WARNING Broker configuration directory "/etc/authd/brokers.d/" does not exist, only local broker will be available
[  676.238007]  systemd[1]: Started authd.service - Authd daemon service.
[  705.718404]  systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[ 1159.609718]  authd[8223]: 2024/09/13 10:15:48 WARN rpc error: code = NotFound desc =
[ 1287.990671]  systemd[1]: Stopping authd.service - Authd daemon service...
[ 1287.992312]  systemd[1]: authd.service: Deactivated successfully.
[ 1287.992492]  systemd[1]: Stopped authd.service - Authd daemon service.
[ 1288.007619]  systemd[1]: Starting authd.service - Authd daemon service...
[ 1288.062052]  systemd[1]: Started authd.service - Authd daemon service.
[ 1299.996038]  systemd[1]: Stopping snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid...
[ 1299.997414]  systemd[1]: snap.authd-msentraid.authd-msentraid.service: Deactivated successfully.
[ 1299.997591]  systemd[1]: Stopped snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[ 1300.021436]  systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[ 1395.148712]  systemd[1]: Stopping authd.service - Authd daemon service...
[ 1395.153368]  systemd[1]: Stopping snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid...
[ 1395.182711]  systemd[1]: authd.service: Deactivated successfully.
[ 1395.182903]  systemd[1]: Stopped authd.service - Authd daemon service.
[ 1395.186387]  systemd[1]: snap.authd-msentraid.authd-msentraid.service: Deactivated successfully.
[ 1395.186601]  systemd[1]: Stopped snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
-- Boot 9caf225097fd41edbf30892ae7b8436d --
[    8.306146]  systemd[1]: Starting authd.service - Authd daemon service...
[    8.403731]  systemd[1]: Started authd.service - Authd daemon service.
[    9.399972]  systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[   37.135894]  authd[1268]: 2024/09/13 10:20:49 WARN rpc error: code = NotFound desc =
[   37.158216]  authd[1268]: 2024/09/13 10:20:49 WARN rpc error: code = NotFound desc =
[   37.158620]  gdm-authd][3109]: accountsservice: ActUserManager: user (null) has no username (uid: -1)
[   37.266056]  authd[1268]: 2024/09/13 10:20:49 WARN rpc error: code = NotFound desc =
[  152.599035]  gdm-session-wor[3109]: GDM Stage changed to authModeSelection
[  152.627664]  authd[1268]: 2024/09/13 10:22:44 WARN can't check authentication: invalid access authentication key:
[  152.695977]  gdm-session-wor[3109]: GDM Stage changed to authModeSelection
[  157.857714]  authd[1268]: 2024/09/13 10:22:50 WARN can't check authentication: invalid access authentication key:
[  259.072948]  gdm-session-wor[3109]: GDM Stage changed to authModeSelection
[  259.100240]  authd[1268]: 2024/09/13 10:24:31 WARN can't check authentication: invalid access authentication key:
[  259.151551]  gdm-session-wor[3109]: GDM Stage changed to authModeSelection
[  262.735222]  gdm-session-wor[3109]: GDM Stage changed to brokerSelection
[  383.421801]  gdm-authd][3109]: gkr-pam: no password is available for user
[  383.456031]  gdm-authd][3109]: accountsservice: act_user_set_session: assertion 'ACCOUNTS_IS_USER (user->accounts_proxy)' failed
[  383.580394]  gdm-authd][3109]: pam_unix(gdm-authd:session): session opened for user(uid=66569) by (uid=0)
[  383.929615]  gdm-authd][3109]: gkr-pam: couldn't unlock the login keyring.
[  451.647237]  authd[1268]: 2024/09/13 10:27:43 WARN rpc error: code = NotFound desc =
[  452.753745]  authd[1268]: 2024/09/13 10:27:44 WARN rpc error: code = NotFound desc =
[  597.434487]  authd[1268]: 2024/09/13 10:30:09 WARN rpc error: code = NotFound desc =
[  597.434919]  authd[1268]: 2024/09/13 10:30:09 WARN rpc error: code = NotFound desc =
[  601.693718]  gdm-authd][3109]: pam_unix(gdm-authd:session): session closed for user 
[  601.706163]  systemd[1]: Stopping authd.service - Authd daemon service...
[  601.712460]  systemd[1]: Stopping snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid...
[  601.737176]  systemd[1]: authd.service: Deactivated successfully.
[  601.737337]  systemd[1]: Stopped authd.service - Authd daemon service.
[  601.741759]  systemd[1]: snap.authd-msentraid.authd-msentraid.service: Deactivated successfully.
[  601.741984]  systemd[1]: Stopped snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[  601.742214]  systemd[1]: snap.authd-msentraid.authd-msentraid.service: Consumed 1.563s CPU time, 107.8M memory peak, 0B memory swap peak.
-- Boot a977e09c923e42be8bb46ce88d0fb279 --
[    8.412716]  systemd[1]: Starting authd.service - Authd daemon service...
[    8.419854]  systemd[1]: Started authd.service - Authd daemon service.
[    9.476302]  systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[   30.380321]  gdm-authd][3106]: gkr-pam: no password is available for user
[   30.453050]  gdm-authd][3106]: pam_unix(gdm-authd:session): session opened for user (uid=66569) by (uid=0)
[   30.932693]  gdm-authd][3106]: gkr-pam: couldn't unlock the login keyring.
[   95.649072]  authd[1226]: 2024/09/13 10:32:18 WARN rpc error: code = NotFound desc =
[   96.757354]  authd[1226]: 2024/09/13 10:32:19 WARN rpc error: code = NotFound desc =
[  105.565932]  gdm-authd][3106]: pam_unix(gdm-authd:session): session closed for user 
[  114.111599]  gdm-session-wor[5154]: GDM Stage changed to authModeSelection
[  114.165809]  gdm-session-wor[5154]: GDM Stage changed to authModeSelection
[  159.401561]  gpasswd[5213]: user  added by root to group sudo
[  159.458983]  gdm-authd][5154]: gkr-pam: no password is available for user
[  159.563764]  gdm-authd][5154]: pam_unix(gdm-authd:session): session opened for user (uid=66569) by (uid=0)
[  160.015311]  gdm-authd][5154]: gkr-pam: couldn't unlock the login keyring.
[  224.646831]  authd[1226]: 2024/09/13 10:34:27 WARN rpc error: code = NotFound desc =
[  226.748726]  authd[1226]: 2024/09/13 10:34:29 WARN rpc error: code = NotFound desc =
[ 3105.937460]  gdm-authd][6759]: gkr-pam: no password is available for user
[ 3188.767514]  authd[1226]: 2024/09/13 11:23:51 WARN rpc error: code = NotFound desc =
[ 3444.624846]  authd[1226]: 2024/09/13 11:28:07 WARN rpc error: code = NotFound desc =
[173090.818950]  authd[1226]: 2024/09/16 09:21:52 WARN rpc error: code = NotFound desc =
[193813.010402]  systemd[1]: Stopping snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid...
[193813.011775]  systemd[1]: snap.authd-msentraid.authd-msentraid.service: Deactivated successfully.
[193813.011930]  systemd[1]: Stopped snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[193813.012202]  systemd[1]: snap.authd-msentraid.authd-msentraid.service: Consumed 8.922s CPU time, 106.8M memory peak, 0B memory swap peak.
[193814.746524]  systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[422832.507995]  authd[1226]: 2024/09/19 06:44:14 WARN rpc error: code = NotFound desc =
[422832.508465]  authd[1226]: 2024/09/19 06:44:14 WARN rpc error: code = NotFound desc =
[692543.985965]  gdm-authd][89081]: gkr-pam: no password is available for user
[692586.447747]  authd[1226]: 2024/09/23 09:47:09 WARN permission denied: this action is only allowed for root users. Current user is 66569
[692587.004849]  authd[1226]: 2024/09/23 09:47:10 WARN permission denied: this action is only allowed for root users. Current user is 66569
[692590.437486]  systemd[1]: Stopping authd.service - Authd daemon service...
[692590.450354]  systemd[1]: authd.service: Deactivated successfully.
[692590.451402]  systemd[1]: Stopped authd.service - Authd daemon service.
[692590.451731]  systemd[1]: authd.service: Consumed 45.287s CPU time, 27.6M memory peak, 0B memory swap peak.
[692590.477941]  systemd[1]: Starting authd.service - Authd daemon service...
[692595.144055]  gdm-authd][5154]: pam_unix(gdm-authd:session): session closed for user 
[692595.239499]  systemd[1]: Stopping snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid...
[692595.399782]  systemd[1]: snap.authd-msentraid.authd-msentraid.service: Deactivated successfully.
[692595.400730]  systemd[1]: Stopped snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[692595.401337]  systemd[1]: snap.authd-msentraid.authd-msentraid.service: Consumed 1.591s CPU time, 54.2M memory peak, 0B memory swap peak.
[692595.641227]  authd[89626]: 2024/09/23 09:47:18 WARN Could not map active user ID to an actual user: user: lookup userid 66569: no such file or directory
[692600.726398]  authd[89626]: 2024/09/23 09:47:23 WARN Could not map active user ID to an actual user: user: lookup userid 66569: no such file or directory
[692605.732240]  authd[89626]: 2024/09/23 09:47:28 WARN Could not map active user ID to an actual user: user: lookup userid 66569: no such file or directory
[692605.759615]  authd[89626]: ERROR error while serving: grpc error: grpc: the server has been stopped
[692605.763943]  systemd[1]: authd.service: Main process exited, code=exited, status=1/FAILURE
[692605.764743]  systemd[1]: authd.service: Failed with result 'exit-code'.
[692605.764913]  systemd[1]: Stopped authd.service - Authd daemon service.
-- Boot 2d52415524434a6cb1a442aade2e06f7 --
[    9.517568]  systemd[1]: Starting authd.service - Authd daemon service...
[    9.568901]  systemd[1]: Started authd.service - Authd daemon service.
[   11.413194]  systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[   26.771495]  systemd[1]: Stopping authd.service - Authd daemon service...
[   26.773953]  systemd[1]: authd.service: Deactivated successfully.
[   26.774250]  systemd[1]: Stopped authd.service - Authd daemon service.
[   26.789404]  systemd[1]: Starting authd.service - Authd daemon service...
[   26.833669]  systemd[1]: Started authd.service - Authd daemon service.
[   34.338277]  gdm-authd][3595]: pam_unix(gdm-authd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=videonlocal
[   34.338813]  gdm-authd][3595]: gkr-pam: unable to locate daemon control file
[   34.338872]  gdm-authd][3595]: gkr-pam: stashed password to try later in open session
[   47.502511]  gdm-authd][3661]: gkr-pam: unable to locate daemon control file
[   47.502787]  gdm-authd][3661]: gkr-pam: stashed password to try later in open session
[   47.522344]  gdm-authd][3661]: pam_unix(gdm-authd:session): session opened for user videonlocal(uid=1000) by videonlocal(uid=0)
[   47.879301]  gdm-authd][3661]: gkr-pam: unlocked login keyring
[  112.949943]  authd[3388]: 2024/09/23 09:52:29 WARN rpc error: code = NotFound desc =
[  115.071952]  authd[3388]: 2024/09/23 09:52:31 WARN rpc error: code = NotFound desc =
[  115.202507]  authd[3388]: 2024/09/23 09:52:31 WARN rpc error: code = NotFound desc =
[  225.166946]  authd[3388]: 2024/09/23 09:54:21 WARN permission denied: this action is only allowed for root users. Current user is 1000
[  227.576290]  authd[3388]: 2024/09/23 09:54:24 WARN permission denied: this action is only allowed for root users. Current user is 1000
[  239.247217]  authd[3388]: 2024/09/23 09:54:35 WARN permission denied: this action is only allowed for root users. Current user is 1000
[  242.606704]  authd[3388]: 2024/09/23 09:54:39 WARN permission denied: this action is only allowed for root users. Current user is 1000
-- Boot 8a0b783fdc7f4f6ab7ea2161ada9ef8b --
[   13.180410]  systemd[1]: Starting authd.service - Authd daemon service...
[   13.319251]  systemd[1]: Started authd.service - Authd daemon service.
[   15.058082]  systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[   29.495634]  authd[1396]: 2024/10/01 11:09:06 WARN rpc error: code = NotFound desc =
[   29.496017]  authd[1396]: 2024/10/01 11:09:06 WARN rpc error: code = NotFound desc =
[  228.679532]  authd-msentraid.authd-msentraid[1650]: time=2024-10-01T11:12:23.881-04:00 level=ERROR msg="could not deserialize token: cipher: message authentication failed"
[  234.763817]  gdm-authd][4771]: gkr-pam: no password is available for user
[  234.882240]  gdm-authd][4771]: pam_unix(gdm-authd:session): session opened for user (uid=1543222259) by (uid=0)
[  235.344893]  gdm-authd][4771]: gkr-pam: couldn't unlock the login keyring.
[  300.916720]  authd[1396]: 2024/10/01 11:13:36 WARN rpc error: code = NotFound desc =
[  304.060887]  authd[1396]: 2024/10/01 11:13:39 WARN rpc error: code = NotFound desc =
[  304.196812]  authd[1396]: 2024/10/01 11:13:39 WARN rpc error: code = NotFound desc =
[  331.726556]  authd[1396]: 2024/10/01 11:14:06 WARN permission denied: this action is only allowed for root users. Current user is 1543222259
[  334.179700]  authd[1396]: 2024/10/01 11:14:09 WARN permission denied: this action is only allowed for root users. Current user is 1543222259
[  352.414768]  authd[1396]: 2024/10/01 11:14:27 WARN permission denied: this action is only allowed for root users. Current user is 1543222259
[  358.874720]  authd[1396]: 2024/10/01 11:14:34 WARN permission denied: this action is only allowed for root users. Current user is 1543222259
[  481.227302]  authd[1396]: 2024/10/01 11:16:36 WARN rpc error: code = NotFound desc =
[  481.344798]  authd[1396]: 2024/10/01 11:16:36 WARN rpc error: code = NotFound desc =
[  660.089978]  authd[1396]: 2024/10/01 11:19:35 WARN rpc error: code = NotFound desc =
[  748.000877]  gdm-authd][4771]: pam_unix(gdm-authd:session): session closed for user 
[  748.023070]  systemd[1]: Stopping authd.service - Authd daemon service...
[  748.029117]  systemd[1]: Stopping snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid...
[  748.058513]  systemd[1]: authd.service: Deactivated successfully.
[  748.058764]  systemd[1]: Stopped authd.service - Authd daemon service.
[  748.058962]  systemd[1]: authd.service: Consumed 2.172s CPU time, 24.9M memory peak, 0B memory swap peak.
[  748.062867]  systemd[1]: snap.authd-msentraid.authd-msentraid.service: Deactivated successfully.
[  748.063142]  systemd[1]: Stopped snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[  748.063560]  systemd[1]: snap.authd-msentraid.authd-msentraid.service: Consumed 1.402s CPU time, 108.2M memory peak, 0B memory swap peak.
-- Boot 73696a4aaac645b0bada47dc1a52d9c4 --
[    9.342262]  systemd[1]: Starting authd.service - Authd daemon service...
[    9.347005]  systemd[1]: Started authd.service - Authd daemon service.
[   17.888969]  systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[   65.520651]  gdm-authd][2927]: gkr-pam: no password is available for user
[   65.567913]  gdm-authd][2927]: accountsservice: SetLanguage for language en_US failed: GDBus.Error:org.freedesktop.Accounts.Error.Failed: not access to HOME yet so language not saved
[   65.607806]  gdm-authd][2927]: pam_unix(gdm-authd:session): session opened for user (uid=1543222259) by (uid=0)
[   66.113771]  gdm-authd][2927]: gkr-pam: couldn't unlock the login keyring.
[  130.917231]  authd[1344]: 2024/10/01 11:23:58 WARN rpc error: code = NotFound desc =
[  133.031065]  authd[1344]: 2024/10/01 11:24:00 WARN rpc error: code = NotFound desc =
[  792.068112]  gdm-authd][11861]: gkr-pam: unable to locate daemon control file
[  792.068463]  gdm-authd][11861]: gkr-pam: stashed password to try later in open session
[  792.092242]  gdm-authd][11861]: pam_unix(gdm-authd:session): session opened for user videonlocal(uid=1000) by videonlocal(uid=0)
[  792.474956]  gdm-authd][11861]: gkr-pam: unlocked login keyring
[  856.945621]  authd[1344]: 2024/10/01 11:36:04 WARN rpc error: code = NotFound desc =
[  859.073663]  authd[1344]: 2024/10/01 11:36:06 WARN rpc error: code = NotFound desc =

authd broker configuration

/etc/authd/brokers.d/msentraid.conf

# This section is used by authd to identify and communicate with the broker.
# It should not be edited.
[authd]
name = Microsoft Entra ID
brand_icon = /snap/authd-msentraid/current/broker_icon.png
dbus_name = com.ubuntu.authd.MSEntraID
dbus_object = /com/ubuntu/authd/MSEntraID

authd-msentraid configuration

[oidc]
issuer = https://login.microsoftonline.com/<UUID redacted>/v2.0
client_id = <UUID redacted>

[users]
# The directory where the home directory will be created for new users.
# Existing users will keep their current directory.
# The user home directory will be created in the format of {home_base_dir}/{username}
# home_base_dir = /home

# The username suffixes that are allowed to login via ssh without existing previously in the system.
# The suffixes must be separated by commas.
# ssh_allowed_suffixes = @example.com,@anotherexample.com

adombeck commented 1 month ago

Thank you for the report!

> However, if I reset permissions that are the same with chmod then I can access the directories.

What's the path of the directory you changed the file permissions of? Which permissions were set on it before and what did you set it to?

akertis commented 1 month ago

> Thank you for the report!
>
> > However, if I reset permissions that are the same with chmod then I can access the directories.
>
> What's the path of the directory you changed the file permissions of? Which permissions were set on it before and what did you set it to?

My user directory, in this case /home/user@domain.com. The permissions when looking with ls -al showed my user in the user and group ownership. So the only thing I can think of is that somehow it wasn't matching the correct ID? Anyway, I did chown -R user@domain.com:user@domain.com /home/user@domain.com

Then it started working.

adombeck commented 1 month ago

Thanks for reporting back!

We can reproduce the issue with these steps:

  1. Install authd version < 0.3.4
  2. Log in with user@example.com
  3. Update authd to version >= 0.3.4
  4. Log in with user@example.com again

The home directory is then indeed owned by an incorrect UID, because the UID generated for the user has changed in 0.3.4. We plan to fix that in the next authd release.