ubuntu / authd

Authentication daemon for external Brokers
GNU Lesser General Public License v3.0
109 stars, 9 forks

User not able to be added to local groups #576

Open namato1 opened 2 weeks ago

namato1 commented 2 weeks ago

Describe the issue

Users is not able to be added to any local groups. They are removed after reboot/logout.

Steps to reproduce

Login with local account
Create a group
Add the Entra user to the group
Check to see that the user is in the group
Reboot
Login with authd
Check the user's groups
User is not in the local group

System information and logs

No response

adombeck commented 2 weeks ago

Thank you for the report. We need some more information to debug the issue.

/usr/libexec/authd version

dtx257 commented 2 weeks ago

Hello I think you missed some steps

Login with local account
Create a local group mygroup
Create a group linux-mygroup in Entra
Add Entra user in Entra Group linux-mygroup
login with authd

I tested this with a user who has 6 entra groups, including linux-sudo and linux-docker. The user is properly added to the local sudo and docker groups after login. If you have more than 100 entra groups, it doesn't work : https://github.com/ubuntu/authd/issues/549

namato1 commented 2 weeks ago

> Hello
>
> I think you missed some steps
>
> Login with local account
> Create a local group mygroup
> Create a group linux-mygroup in Entra
> Add Entra user in Entra Group linux-mygroup
> login with authd
>
> I tested this with a user who has 6 entra groups, including linux-sudo and linux-docker. The user is properly added to the local sudo and docker groups after login.
>
> If you have more than 100 entra groups, it doesn't work : https://github.com/ubuntu/authd/issues/549

We are not trying to add these local groups to Entra. The goal is to only add local groups. Having to create groups in Entra adds to the issue that the groups were not being pulled down. Most of our users are in 400-500 Entra groups. This presented us with the issue that only 100 groups were being pulled. Having actual local groups can be very useful.

The other issue we started to see is that the login keychain is not created for the user. This could be related to this issue.

Appreciate the response and if there is a solution that already exists please let me know. Thank you

dtx257 commented 2 weeks ago

I think the group sync of authd at logon purges your local group if it doesn't find it in entra (linux-mylocalgroup). In my opinion no solution for the moment as long as there is the limit of 100 groups
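
The purge described in the comment above is straightforward to confirm on a test box. The script below is an added example for this thread; it is not part of authd and was not posted by any commenter. It snapshots an authd user's supplementary groups before the reboot and again after the next authd login, then lists the memberships that disappeared. The user name august@example.org, the file names and the group names in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example for this thread; not part of authd and not code posted by any
# commenter. Records which supplementary groups an authd-managed user holds
# before a reboot and which remain after the next authd login, then reports
# the memberships that disappeared. The user name august@example.org and the
# group and file names in the usage comments are assumptions for illustration.

# Print USER's supplementary groups, one per line, sorted and de-duplicated.
snapshot_groups() {
    id -nG "$1" | tr ' ' '\n' | sort -u
}

# Given two newline-separated group lists (BEFORE and AFTER), print the groups
# present in BEFORE but absent from AFTER: the memberships that were purged
# between the two snapshots. Prints nothing when no membership was lost.
removed_groups() {
    before="$1"
    after="$2"
    printf '%s\n' "$before" | while IFS= read -r g; do
        [ -n "$g" ] || continue
        printf '%s\n' "$after" | grep -qxF -- "$g" || printf '%s\n' "$g"
    done
}

# Assumed workflow:
#   sh groupcheck.sh snapshot august@example.org > before.txt   # after usermod, before reboot
#   sh groupcheck.sh snapshot august@example.org > after.txt    # after reboot and authd login
#   sh groupcheck.sh compare before.txt after.txt               # prints e.g. "microk8s"
main() {
    case "$1" in
        snapshot) snapshot_groups "$2" ;;
        compare)  removed_groups "$(cat "$2")" "$(cat "$3")" ;;
        *) echo "usage: $0 snapshot USER | compare BEFORE_FILE AFTER_FILE" >&2; return 2 ;;
    esac
}

# Only run the CLI when arguments are given, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Any group that appears in the `compare` output was a local membership the user held before the reboot and no longer holds after authd's login-time group sync. Groups that map to an Entra group named `linux-<name>` should not appear in that output; every other local group is expected to, which is exactly the behaviour reported in this issue.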

namato1 commented 2 weeks ago

> I think the group sync of authd at logon purges your local group if it doesn't find it in entra (linux-mylocalgroup).
>
> In my opinion no solution for the moment as long as there is the limit of 100 groups

Yeah, this is where other issues arise for us as well, since we can't just name an Entra group linux-mygroup. We have to use specific naming schemes for our groups and we have not been able to get exceptions for that. This is the reason for wanting local groups to just work without Entra.

rapiertg commented 2 weeks ago

I double that - in our case we just need to use some local groups that are managed by another system but now it seems they are cleared on each login.

Another case is if we add linux-sudo to a user, then the user gets sudo on all computers, which may not be something we want.

augustmultiply commented 2 weeks ago

> I double that - in our case we just need to use some local groups that are managed by another system but now it seems they are cleared on each login.
>
> Another case is if we add linux-sudo to a user, then the user gets sudo on all computers, which may not be something we want.

We as well would be happy to add Entra authd users to local Linux groups without needing to have a group in Entra, and I agree with this message.

For our specific use case, we want to add the Entra users to the local microk8s group to let an Entra user manage it on a specific machine.

```shell
sudo usermod -a -G microk8s august@example.org
sudo chown -R august@example.org ~/.kube
```