I have enjoyed a mostly painless online upgrade from 15.4 to 15.5. I am struggling with one major annoyance so far. My daily user account is an LDAP user. Authentication is handled by SSSD. It has been working without issue across all of the Leap 15.X versions. I assign local groups from /etc/security/group.conf via pam_group. They are still applying on text console login sessions and in SSH sessions. They are missing in my Plasma5 X11 session.
I noticed two changes to /etc/pam.d/sddm:
The file now begins with auth requisite pam_nologin.so
Every appearance of include has been replaced with substack
Replacing the file from 15.5 with the file from 15.4 made no change. I have restored the 15.5 file.
I have another issue that I think is related to changes in PAM defaults concerning pam_kwallet5, but I don’t expect that has anything to do with this pam_group problem. I can revisit it in a separate topic once I have my groups working properly again.
Does anyone know how I can better identify and isolate the root cause of this change in behavior?
Apparently SSSD, LDAP and SDDM are all red herring. What happens - KDE switched to using systemd user instance to start session processes. While display manager is using PAM for authentication and sets supplementary groups before launching session, the actual processes in this session are not children of display manager and so do not inherit them. Just check process hierarchy.
So pam_groups is fundamentally incompatible with how graphical session is managed today. What is worse, there is no universal standard, some processes may be launched as before, some via systemd user instance and their credentials will be different.
I cannot find any way to tell systemd to apply supplementary groups to all processes started as part of session. Systemd has SupplementaryGroups= service property, but it has to be defined for each unit. Besides, pam_group is per session and different PAM handles may have different settings, so it must be defined on logind session management level.
You could try to revert to old way to start KDE session:
If it improves situation, your only option is to file issues for both systemd and Linux-PAM and hope someone will come up with solution.
I was able to get my Plasma session to start without plasma-plasmashell.service running.
kwriteconfig5 --file startkderc --group General --key systemdBoot false executed by my standard user accomplished that. Unfortunately it did not restore my pam_group additional group memberships. I will probably return to the new systemdBoot since it is broken either way.
It seems bizarre that a breaking change of this magnitude could have moved into production without a mitigating procedure being devised to serve as a replacement.
I don’t have any objections to a change in how local group membership is processed and applied, but I am currently unaware of a change that I can make that will obtain the required outcome.
The LDAP directory serves a heterogeneous mix of operating systems that includes OpenBSD, FreeBSD, Debian and even an Ubuntu node, in addition to my openSUSE desktops. This makes moving the groups to LDAP impractical.
How does one add an SSSD user to local groups in this new way of doing things?
I tested it on Leap and it works as long as a) KDE is using legacy session management and b) you are using PAM service that actually includes pam_group. And no, the fact that it is included in common-auth is not enough - not every PAM service includes common-auth. I did configure sssd with local users provider and added pam_sss to common-auth.
grep Groups /proc/2059/status
grep Groups /proc/2094/status
grep Groups /proc/2188/status
I appreciate your willingness to offer suggestions. I still am unable to use the local groups from my desktop session. I had restarted before I saw your question, so my PIDs have changed, but I cross-referenced the pstree values to perform the requested queries.
me@leap ~ id -a
uid=5001(me) gid=5001(me) groups=5001(me),6001(group)
As you clearly see, sddm correctly assigned supplementary groups, so pam_groupwas applied. If any process in your session is missing them, this is not PAM problem and you have to track down when these groups disappear. You know how to check process groups now, just start with the process where they are missing and go upward.
Very interesting. When I launch a Konsole from the Plasmashell menu I have the correct permissions. If I use the CTRL+ALT+T shortcut , which is my preferred method, the permissions are wrong. The instance with the wrong permissions is not started as a child of sddm. The one launched using the menu is.
I am not sure how to get the instance launched via KDE keyboard shortcut to spawn as a child of sddm. Do you have any idea if that is something can be remedied?