0.9.3 - ERROR PAM_IGNORE, unexpected resolver response err=Error #419

Closed
vitich opened this issue Mar 7, 2025 · 13 comments

@vitich

vitich commented Mar 7, 2025

Sorry... I'm glad you responded so quickly, but unfortunately the error is the same on 0.9.3 - both services work...
If you log in to gdm3, it just keeps asking for a password... Tried both on Debian 12 and Ubuntu 24.04.
Version 0.8.7 works fine.
Thank You.


@dmulder
Collaborator

dmulder commented Mar 7, 2025

Please provide debug logs.

@theageman

Hello dmulder,

I have the same configuration (Ubuntu 24.04, gdm3) and I get the same error.
The log looks like this:

hlog.txt

Please note that I am not the admin. I am trying to help our admin to save a few hundred notebooks from filling the landscape.

In the log-file you will find a username '[email protected]'. Sometimes this name gets exchanged by '[email protected]'.

Hope it helps.
Thank you very much.
Olli.

@vitich
Author

vitich commented Mar 12, 2025

> Hope it helps. Thank you very much. Olli.

Thank You. I don't have enough time to investigate the problem with himmelblau.
Unfortunately, our company decided to set up authd-msentraid + landscape

@dmulder
Collaborator

dmulder commented Mar 12, 2025

> Thank You. I don't have enough time to investigate the problem with himmelblau. Unfortunately, our company decided to set up authd-msentraid + landscape

I'm investigating from the logs provided by @theageman. Be aware that authd is lacking in both features and security considerations.

@dmulder
Collaborator

dmulder commented Mar 12, 2025

@theageman could you share your himmelblau.conf? Your log shows a single successful SFA auth, followed by 2 attempts for '[email protected]' and '[email protected]' that bail out. It appears that PAM quits communicating with the daemon and never attempted to provide a credential.

@theageman

Sure:

himmelblau.conf.txt

@dmulder
Collaborator

dmulder commented Mar 12, 2025

@theageman pam_allow_groups is for Entra Id groups:

See man himmelblau.conf:

       pam_allow_groups
       A comma-separated list of Users and Groups permitted to access the system. Groups must be specified using their Object ID (not UPN) due to Azure's restrictions on reading group names.

       pam_allow_groups = f3c9a7e4-7d5a-47e8-832f-3d2d92abcd12,d98c8e1d-7f8a-4597-babc-9d3b781ef456

You set the allowed groups to a nonexistent Entra Id group id/name, so Himmelblau is denying every user.

@theageman

Ok, thanks.

I will talk to our admin tomorrow. Can you tell me where I can look up these Object IDs?

Thanks again,
Olli.

@theageman

Forget my last post. I found the Microsoft article. ;)

I will check that tomorrow.

Best wishes,
Olli.

@dmulder
Collaborator

dmulder commented Mar 12, 2025

> I will talk to our admin tomorrow. Can you tell me where I can look up these Object IDs?

These are present in the Azure portal.
Also, the himmelblau.conf man page is a little misleading (and needs to be corrected). You can also specify group names now (as of 0.9.0).
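
Added example, not part of the thread and not Himmelblau's own code: a pre-rollout check that lists every `pam_allow_groups` entry by shape, so the kind of bad group id/name described above is spotted before the allow-list locks every user out. It assumes the file parses as INI with a `[global]` section, that entries containing `@` are user UPNs, and uses a constructed sample config; it cannot confirm that a group actually exists in Entra ID.

```python
import configparser
import re

# Constructed sample: the [global] section name and every entry except the
# Object ID (taken from the man page excerpt in the thread) are assumptions.
SAMPLE_CONF = """\
[global]
pam_allow_groups = f3c9a7e4-7d5a-47e8-832f-3d2d92abcd12, alice@example.com, linux-admins, ,f3c9a7e4-7d5a
"""

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

ADVICE = {
    "object_id": "group Object ID: confirm it exists in the Azure portal",
    "user_upn": "user UPN (assumed from the '@'): confirm the account exists",
    "group_name": "group name: only accepted as of 0.9.0; confirm exact spelling",
    "suspect_id": "hex and dashes but not a full Object ID: likely truncated",
    "empty": "empty entry: stray comma, remove it",
}

def classify(entry):
    """Classify one pam_allow_groups entry by its shape alone."""
    entry = entry.strip()
    if not entry:
        return "empty"
    if GUID_RE.fullmatch(entry):
        return "object_id"
    if "-" in entry and re.fullmatch(r"[0-9a-fA-F-]+", entry):
        return "suspect_id"
    if "@" in entry:
        return "user_upn"
    return "group_name"

def audit_allow_groups(conf_text):
    """Return [(section, entry, kind)] for every pam_allow_groups entry."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        value = parser[section].get("pam_allow_groups")
        if value is None:
            continue
        for raw in value.split(","):
            findings.append((section, raw.strip(), classify(raw)))
    return findings

if __name__ == "__main__":
    for section, entry, kind in audit_allow_groups(SAMPLE_CONF):
        print(f"[{section}] {entry!r}: {ADVICE[kind]}")
```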

@theageman

Cool, thanks.

@theageman

Okay, I have tested a new himmelblau.conf and it works a treat.

Thank you very much.
Olli.

@dmulder
Collaborator

dmulder commented Mar 13, 2025

Good. @vitich you're welcome to reopen this bug if this doesn't resolve your issue.

dmulder closed this as completed Mar 13, 2025