SSSD LDAP user not getting pam_group applied in SDDM Plasma5 X11 session

I have enjoyed a mostly painless online upgrade from 15.4 to 15.5. I am struggling with one major annoyance so far. My daily user account is an LDAP user. Authentication is handled by SSSD. It has been working without issue across all of the Leap 15.X versions. I assign local groups from /etc/security/group.conf via pam_group. They are still applying on text console login sessions and in SSH sessions. They are missing in my Plasma5 X11 session.

I noticed two changes to /etc/pam.d/sddm:

  1. The file now begins with auth requisite pam_nologin.so
  2. Every appearance of include has been replaced with substack

Replacing the file from 15.5 with the file from 15.4 made no change. I have restored the 15.5 file.

I have another issue that I think is related to changes in PAM defaults concerning pam_kwallet5, but I don’t expect that has anything to do with this pam_group problem. I can revisit it in a separate topic once I have my groups working properly again.

Does anyone know how I can better identify and isolate the root cause of this change in behavior?

It is not present by default, so you must have modified the PAM configuration. Start by showing it.

My Leap 15.5 /etc/pam.d/common-auth-pc

auth    required        pam_env.so
auth    required        pam_group.so
auth    optional        pam_gnome_keyring.so
auth    optional        pam_kwallet5.so
auth    sufficient      pam_unix.so     try_first_pass 
auth    required        pam_ecryptfs.so unwrap
auth    required        pam_sss.so      use_first_pass

My Leap 15.4 /etc/pam.d/common-auth-pc

auth    required        pam_env.so
auth    required        pam_group.so
auth    optional        pam_gnome_keyring.so
auth    sufficient      pam_unix.so     try_first_pass 
auth    required        pam_sss.so      use_first_pass

The /etc/pam.d/common-auth-pc from a powered-off openSUSE Tumbleweed 20220206 that has not had any PAM modifications:

auth    required        pam_env.so
auth    optional        pam_gnome_keyring.so
auth    sufficient    pam_unix.so    try_first_pass
auth    sufficient    pam_sss.so    use_first_pass

If you want to see something else, just let me know, and I will accommodate any reasonable request.

Are you using SDDM as display manager? Can you try another one (like lightdm)?

Apparently SSSD, LDAP and SDDM are all red herrings. What happens: KDE switched to using the systemd user instance to start session processes. While the display manager uses PAM for authentication and sets supplementary groups before launching the session, the actual processes in this session are not children of the display manager and so do not inherit them. Just check the process hierarchy.

So pam_group is fundamentally incompatible with how the graphical session is managed today. What is worse, there is no universal standard: some processes may be launched as before, some via the systemd user instance, and their credentials will be different.

I cannot find any way to tell systemd to apply supplementary groups to all processes started as part of a session. Systemd has a SupplementaryGroups= service property, but it has to be defined for each unit. Besides, pam_group is per session and different PAM handles may have different settings, so it must be defined at the logind session-management level.

You could try to revert to the old way of starting the KDE session:

If it improves the situation, your only option is to file issues for both systemd and Linux-PAM and hope someone will come up with a solution.


I was able to get my Plasma session to start without plasma-plasmashell.service running.

kwriteconfig5 --file startkderc --group General --key systemdBoot false executed by my standard user accomplished that. Unfortunately it did not restore my pam_group additional group memberships. I will probably return to the new systemdBoot since it is broken either way.

It seems bizarre that a breaking change of this magnitude could have moved into production without a mitigating procedure being devised to serve as a replacement.

I don’t have any objections to a change in how local group membership is processed and applied, but I am currently unaware of a change that I can make that will obtain the required outcome.

The LDAP directory serves a heterogeneous mix of operating systems that includes OpenBSD, FreeBSD, Debian and even an Ubuntu node, in addition to my openSUSE desktops. This makes moving the groups to LDAP impractical.

How does one add an SSSD user to local groups in this new way of doing things?

It works for me on Tumbleweed

user@uefi:~> id -a
uid=1000(user) gid=100(users) groups=100(users),1001(testnm)
user@uefi:~> grep -vE '^#|^ *$' /etc/security/group.conf 
* ; * ; user ; Al0000-2400 ; testnm
user@uefi:~> cat .config/startkderc 
[General]
systemdBoot=false
user@uefi:~> 

Are you sure the setting was applied? Did you check process tree?

user@uefi:~> pstree -Alp 1212
sddm(1212)-+-Xorg.bin(3994)-+-{Xorg.bin}(3995)
           |                |-{Xorg.bin}(3996)
           |                `-{Xorg.bin}(4000)
           |-sddm-helper(4041)---startplasma-x11(4046)-+-gpg-agent(4112)
           |                                           |-plasma_session(4126)-+-agent(4280)-+-{agent}(4283)
           |                                           |                      |             |-{agent}(4284)
           |                                           |                      |             `-{agent}(4287)
           |                                           |                      |-baloo_file(4255)-+-{baloo_file}(4384)
           |                                           |                      |                  `-{baloo_file}(4443)
           |                                           |                      |-gmenudbusmenupr(4273)-+-{gmenudbusmenupr}(4323)
           |                                           |                      |                       `-{gmenudbusmenupr}(4327)
           |                                           |                      |-kaccess(4259)-+-{kaccess}(4290)
           |                                           |                      |               |-{kaccess}(4292)
           |                                           |                      |               `-{kaccess}(4391)
           |                                           |                      |-kalendarac(4279)-+-{kalendarac}(4386)
           |                                           |                      |                  |-{kalendarac}(4387)
           |                                           |                      |                  |-{kalendarac}(4429)
           |                                           |                      |                  |-{kalendarac}(4431)
           |                                           |                      |                  `-{kalendarac}(4434)
           |                                           |                      |-kdeconnectd(4270)-+-{kdeconnectd}(4333)
           |                                           |                      |                   |-{kdeconnectd}(4334)
           |                                           |                      |                   |-{kdeconnectd}(4412)
           |                                           |                      |                   `-{kdeconnectd}(4428)
           |                                           |                      |-kded5(4193)-+-{kded5}(4197)
           |                                           |                      |             |-{kded5}(4203)
           |                                           |                      |             |-{kded5}(4214)
           |                                           |                      |             |-{kded5}(4221)
           |                                           |                      |             |-{kded5}(4222)
           |                                           |                      |             |-{kded5}(4223)
           |                                           |                      |             |-{kded5}(4225)
           |                                           |                      |             |-{kded5}(4226)
           |                                           |                      |             |-{kded5}(4261)
           |                                           |                      |             |-{kded5}(4571)
           |                                           |                      |             `-{kded5}(4572)
           |                                           |                      |-ksmserver(4239)-+-{ksmserver}(4243)
           |                                           |                      |                 |-{ksmserver}(4244)
           |                                           |                      |                 `-{ksmserver}(4250)
           |                                           |                      |-kwin_x11(4215)-+-{kwin_x11}(4219)
           |                                           |                      |                |-{kwin_x11}(4220)
           |                                           |                      |                |-{kwin_x11}(4228)
           |                                           |                      |                `-{kwin_x11}(4252)
           |                                           |                      |-org_kde_powerde(4265)-+-{org_kde_powerde}(4335)
           |                                           |                      |                       |-{org_kde_powerde}(4336)
           |                                           |                      |                       |-{org_kde_powerde}(4338)
           |                                           |                      |                       |-{org_kde_powerde}(4339)
           |                                           |                      |                       |-{org_kde_powerde}(4340)
           |                                           |                      |                       `-{org_kde_powerde}(4382)
           |                                           |                      |-plasmashell(4262)-+-konsole(4526)-+-bash(4538)---pstree(6326)
           |                                           |                      |                   |               |-{konsole}(4527)
           |                                           |                      |                   |               |-{konsole}(4528)
           |                                           |                      |                   |               `-{konsole}(4529)
           |                                           |                      |                   |-konsole(4573)-+-bash(4582)
           |                                           |                      |                   |               |-{konsole}(4574)
           |                                           |                      |                   |               |-{konsole}(4575)
           |                                           |                      |                   |               `-{konsole}(4576)
           |                                           |                      |                   |-{plasmashell}(4341)
           |                                           |                      |                   |-{plasmashell}(4350)
           |                                           |                      |                   |-{plasmashell}(4393)
           |                                           |                      |                   |-{plasmashell}(4437)
           |                                           |                      |                   |-{plasmashell}(4453)
           |                                           |                      |                   |-{plasmashell}(4462)
           |                                           |                      |                   |-{plasmashell}(4476)
           |                                           |                      |                   `-{plasmashell}(6304)
           |                                           |                      |-polkit-kde-auth(4264)-+-{polkit-kde-auth}(4322)
           |                                           |                      |                       |-{polkit-kde-auth}(4325)
           |                                           |                      |                       |-{polkit-kde-auth}(4389)
           |                                           |                      |                       |-{polkit-kde-auth}(4413)
           |                                           |                      |                       |-{polkit-kde-auth}(4414)
           |                                           |                      |                       `-{polkit-kde-auth}(4415)
           |                                           |                      |-xembedsniproxy(4260)-+-{xembedsniproxy}(4274)
           |                                           |                      |                      `-{xembedsniproxy}(4282)
           |                                           |                      `-{plasma_session}(4127)
           |                                           |-ssh-agent(4111)
           |                                           `-{startplasma-x11}(4116)
           `-{sddm}(1217)
user@uefi:~> 

I do not have any Leap with KDE.

Thanks for the reply.

It does not work for me on Leap 15.5:

me@leap ~ id -a
uid=5001(me) gid=5001(me) groups=5001(me),6001(group)
me@leap ~ grep -vE '^#|^ *$' /etc/security/group.conf
*; *; me; Al; adbusers audio cdrom dialout disk libvirt lp users vboxusers video wheel wireshark
me@leap  ~ cat .config/startkderc
[General]
systemdBoot=false

Yes:

me@leap  ~ pstree -Alp 1861

sddm(1861)-+-X(1870)-+-{X}(1873)
           |         `-{X}(1896)
           |-sddm-helper(2059)---startplasma-x11(2094)-+-gpg-agent(2144)
           |                                           |-plasma_session(2188)-+-agent(2341)-+-{agent}(2354)
           |                                           |                      |             `-{agent}(2370)
           |                                           |                      |-baloo_file(2318)-+-{baloo_file}(2396)
           |                                           |                      |                  |-{baloo_file}(2558)
           |                                           |                      |                  `-{baloo_file}(28041)
...portions redacted for privacy and brevity...
           |                                           |                      |-plasmashell(2323)-+-{plasmashell}(2487)
           |                                           |                      |                   |-{plasmashell}(2490)
           |                                           |                      |                   |-{plasmashell}(2611)
           |                                           |                      |                   |-{plasmashell}(2627)
           |                                           |                      |                   |-{plasmashell}(2736)
           |                                           |                      |                   |-{plasmashell}(2748)
           |                                           |                      |                   |-{plasmashell}(3318)
           |                                           |                      |                   |-{plasmashell}(3336)
           |                                           |                      |                   |-{plasmashell}(3406)
           |                                           |                      |                   `-{plasmashell}(3544)
...portions redacted for privacy and brevity...
           |                                           |                      `-{plasma_session}(2189)
           |                                           |-ssh-agent(2143)
           |                                           `-{startplasma-x11}(2149)
           `-{sddm}(1869)

I only have Leap with KDE. :lizard:

I tested it on Leap and it works as long as a) KDE is using legacy session management and b) you are using a PAM service that actually includes pam_group. And no, the fact that it is included in common-auth is not enough: not every PAM service includes common-auth. I did configure sssd with the local users provider and added pam_sss to common-auth.

What does this show:

grep Groups /proc/2059/status
grep Groups /proc/2094/status
grep Groups /proc/2188/status
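Point b) above is easy to get wrong by eye, because a service file only reaches pam_group through a chain of include/substack directives. The following POSIX shell helper is an added example, not code from any poster in this thread; it resolves those directives from a service file and reports whether pam_group.so is reached in its auth stack. PAM_DIR is an assumed knob (default /etc/pam.d) and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the include/substack directives
# of an /etc/pam.d service file and report whether pam_group.so is reached in
# its auth stack. PAM_DIR is an assumed knob (default /etc/pam.d) so the same
# functions can run over a copied tree.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# auth_modules SERVICE -> the auth-type lines of SERVICE, with every
# "auth include X" / "auth substack X" replaced by the auth lines of X
# (recursively). Bracketed controls such as [success=1 default=ignore]
# are not parsed; the configs in this thread only use simple keywords.
auth_modules() {
    [ -r "$PAM_DIR/$1" ] || { echo "cannot read $PAM_DIR/$1" >&2; return 1; }
    # keep "auth"/"-auth" lines, drop the type keyword; comment lines never match
    sed -n 's/^-\{0,1\}auth[[:space:]]\{1,\}//p' "$PAM_DIR/$1" |
    while read -r control module args; do
        case $control in
            include|substack) auth_modules "$module" ;;
            *) echo "$control $module${args:+ $args}" ;;
        esac
    done
}

# has_pam_group SERVICE -> exit status 0 when pam_group.so is in the stack
has_pam_group() { auth_modules "$1" | grep -q 'pam_group\.so'; }

# Usage: sh THIS_SCRIPT SERVICE   (e.g. sddm, login, sshd)
if [ $# -ge 1 ]; then
    auth_modules "$1"
    if has_pam_group "$1"; then echo "$1: pam_group.so reached"
    else echo "$1: pam_group.so NOT reached"; fi
fi
```

Run it for the service the display manager actually uses (sddm here) and for one that works (login or sshd) to compare the two resolved stacks.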

I appreciate your willingness to offer suggestions. I still am unable to use the local groups from my desktop session. I had restarted before I saw your question, so my PIDs have changed, but I cross-referenced the pstree values to perform the requested queries.

me@leap ~ id -a
uid=5001(me) gid=5001(me) groups=5001(me),6001(group)
sddm(1847)-+-X(1851)-+-{X}(1853)
           |         `-{X}(1878)
           |-sddm-helper(2095)---startplasma-x11(2135)-+-gpg-agent(2185)
           |                                           |-plasma_session(2227)-+-agent(2396)-+-{agent}(2405)
me@leap ~ grep Groups /proc/2095/status; \
grep Groups /proc/2135/status; grep Groups /proc/2227/status
Groups: 100 441 449 459 460 484 486 489 490 491 492 496 
Groups: 100 441 449 459 460 484 486 489 490 491 492 496 5001 6001 
Groups: 100 441 449 459 460 484 486 489 490 491 492 496 5001 6001

I don’t know what you mean by:

My file is linked to the pam config file.
/etc/pam.d/common-auth -> common-auth-pc

My /etc/pam.d/common-auth-pc contains:
auth required pam_sss.so use_first_pass

I’m open to more testing if there may be a way to achieve a functional workaround, as this is a rather disruptive unforeseen change. It is currently a breaking change with no known resolution for me.

As you clearly see, sddm correctly assigned supplementary groups, so pam_group was applied. If any process in your session is missing them, this is not a PAM problem and you have to track down when these groups disappear. You know how to check process groups now; just start with the process where they are missing and go upward.
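The upward walk suggested in the reply above can be automated. The POSIX shell helper below is an added example, not code from any poster in this thread: it reads the Name:, PPid: and Groups: lines of /proc/PID/status for each ancestor and reports the topmost process that still lacks a wanted GID, which is the one that was started without the pam_group memberships. PROC_ROOT is an assumed knob (default the live /proc) and the function names are mine; the wanted GIDs default to what the calling shell has, so run it from a shell where the groups are correct or pass them explicitly.

```shell
#!/bin/sh
# Added example (not from the thread): walk from a PID up to init and report
# where the pam_group supplementary GIDs disappear. Reads Name:/PPid:/Groups:
# from $PROC_ROOT/PID/status; PROC_ROOT is an assumed knob (default /proc).
PROC_ROOT="${PROC_ROOT:-/proc}"

# groups_of PID -> GIDs from the Groups: line, single-space separated
groups_of() {
    sed -n 's/^Groups:[[:space:]]*//p' "$PROC_ROOT/$1/status" |
        tr -s ' \t' ' ' | sed 's/^ //; s/ $//'
}
# ppid_of PID / name_of PID -> parent PID / command name
ppid_of() { sed -n 's/^PPid:[[:space:]]*//p' "$PROC_ROOT/$1/status"; }
name_of() { sed -n 's/^Name:[[:space:]]*//p' "$PROC_ROOT/$1/status"; }

# missing_groups WANT HAVE -> GIDs in WANT that are not in HAVE
missing_groups() {
    missing=""
    for g in $1; do
        case " $2 " in
            *" $g "*) ;;
            *) missing="$missing $g" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# walk_groups PID WANT -> one line per ancestor: pid, name, missing GIDs
walk_groups() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] && [ -r "$PROC_ROOT/$pid/status" ]; do
        miss=$(missing_groups "$2" "$(groups_of "$pid")")
        printf '%s\t%s\tmissing: %s\n' "$pid" "$(name_of "$pid")" "${miss:-none}"
        pid=$(ppid_of "$pid")
    done
}

# loss_point PID WANT -> PID of the topmost ancestor (below init) that still
# lacks a wanted GID, i.e. the process started without the groups; prints
# nothing when PID already has them all
loss_point() {
    pid=$1 last=""
    while [ -n "$pid" ] && [ "$pid" -gt 1 ] && [ -r "$PROC_ROOT/$pid/status" ]; do
        [ -n "$(missing_groups "$2" "$(groups_of "$pid")")" ] || break
        last=$pid
        pid=$(ppid_of "$pid")
    done
    printf '%s' "$last"
}

# Usage: sh THIS_SCRIPT PID [WANTED_GIDS]; WANTED defaults to this shell's id -G
if [ $# -ge 1 ]; then
    walk_groups "$1" "${2:-$(id -G)}"
    lp=$(loss_point "$1" "${2:-$(id -G)}")
    echo "first process missing a wanted GID: ${lp:-none}"
fi
```

For the symptom in this thread, point it at the PID of a Konsole that lacks the groups; a chain ending in the systemd user instance rather than in sddm-helper shows the session path that never received them.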

Very interesting. When I launch a Konsole from the Plasmashell menu I have the correct permissions. If I use the CTRL+ALT+T shortcut, which is my preferred method, the permissions are wrong. The instance with the wrong permissions is not started as a child of sddm. The one launched using the menu is.

I am not sure how to get the instance launched via KDE keyboard shortcut to spawn as a child of sddm. Do you have any idea if that is something that can be remedied?
