Login fails with "could not access user's groups: Insufficient privileges to complete the operation" #450
Comments
Hey! Thanks for the detailed bug report. Seeing
Hello, that is the problem; before I created the issue, we triple-checked our configuration. I will try to request screenshots from our MS Admins.
Yes, sounds good to me (and we can't really check that client side apart from getting a failure when listing groups, which is what we do). Please get some screenshots of that config, just in case.
I see that your IS department also added the application type permission for I wonder if that would cause a clash for you. There is limited chance it is due to this, but maybe starting by removing it would be a good first step. Also, do you know of other admin restrictions on group listing that your organization could have set? All the rest of the configuration seems correct to me. Also, when you get the authentication screen in your web browser, which permission requests are listed?
I forwarded your suggestion and your question to our MS Admins. About your last question: I do not get any requested permissions? I always get a login screen with 6 steps, translated:
After that the GDM lock screen flashes once and reverts back to the user selection.
You are right, contrary to other providers, MS Entra ID doesn't show the admin-approved delegated permissions to the user. So that doesn't help us much on the debugging front. You are using the stable version of the snap, correct? Do you mind switching to
Facing the exact same issue
Well, the last tries and the logs I provided had been made with the
We can't reproduce the issue here. There is no additional debugging that could help after searching the documentation. From the MS Entra ID documentation related to that issue, it seems that it's really linked to permission issues. Did you get any feedback from your IT department to ensure that the app permission is deleted and only the delegated ones are available? They should look at whether anything could prevent the application from listing the groups that the current user is a member of.
Can you re-export your logs? Sometimes the issues are the same but the root cause is different. Either reporting another bug that we mark as a duplicate or printing all requested logs here will help. Thank you so much!
I got an answer from our MS Admins and they saw only one suspicious log message:
Seeing a similar issue. Will grab logs and upload.
I also have this issue. Oddly, it works for some users and not others. Syslog is showing that it IS case sensitive. I am only seeing minor inconsistencies between users within Graph. Can confirm that no Conditional Access policies are stopping login. AuthD showing in syslog that it can't retrieve user info or groups.
Hey guys, same issue here I guess. Below are my logs from GNOME Shell from the terminal; still getting the same issue. Gnome Shell Log
Quick update: We believe that this issue is fixed via ubuntu/authd-oidc-brokers#135. The fixed version is currently only available on the edge channel of the authd-msentraid snap. It would help us if you could try it out and report if it fixes the issue for you. If you do so, please switch back to the stable channel afterwards (because we use the edge channel for development and testing and can't guarantee that it's always compatible with the latest released version of authd).
I was experiencing this same issue with the failure to read groups. And per the last comment, I updated to the edge channel to test the new fix, which resulted in a new error stating that it cannot validate the user info (forgot to copy the exact error). I went back into Entra ID and adjusted the permissions on the App Registration as follows, which are CLEARLY excessive, BUT: once I made these changes and granted consent, my next attempt at logging in resulted in the following:
Now that this is working, I went back and checked the logs for the Entra ID broker and found this:
So, it looks like that one specific permission was the missing one, not all those other ones I added. Hope this helps other people.
@divgo: Please change the permissions to exactly those which are listed in https://github.com/ubuntu/authd/wiki/03---How%E2%80%90to-configure (i.e.
I switched to the edge channel, refreshed and restarted the snap. The logs do show only two new lines:
@saltstack-admin: Thanks for reporting back!
So the access token that the authd broker receives after authentication doesn't have the
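The comment above turns on what the access token handed to the broker actually carries. As an added example (not code from the authd project or this thread), here is a small Python diagnostic that decodes an access token you already hold and reports whether the delegated Graph scopes needed to list a user's groups are present, and whether application-type permissions (`roles`) were granted instead of delegated ones (`scp`). The scope list `User.Read` / `GroupMember.Read.All` is an assumption for this example; the authoritative list is the authd wiki page linked earlier in the thread. The sample tokens are constructed and unsigned, and the decoder deliberately does not verify signatures, so it is only for inspecting a token for debugging, never for making a trust decision.

```python
import base64
import json

# Assumed delegated Graph scopes a user-sign-in broker needs to list the user's
# groups. These names are an assumption for this example; confirm the exact
# list against the authd wiki for your version.
REQUIRED_SCOPES = {"User.Read", "GroupMember.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Use only to inspect a token you already hold while debugging; a token whose
    signature has not been verified must never be used for authorization.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_group_scopes(token: str, required=frozenset(REQUIRED_SCOPES)) -> dict:
    """Report which delegated scopes are missing and whether app roles were granted.

    In Entra ID access tokens, delegated permissions arrive as a space-separated
    'scp' claim; application permissions arrive as a 'roles' list. A broker that
    signs a user in acts with delegated permissions, so 'roles' alone cannot
    satisfy a group listing on the user's behalf.
    """
    claims = decode_claims(token)
    granted = set(claims.get("scp", "").split())
    app_roles = set(claims.get("roles", []))
    return {
        "granted_scopes": sorted(granted),
        "missing_scopes": sorted(required - granted),
        "application_roles": sorted(app_roles),
        "can_list_groups": required <= granted,
    }


def _make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned token (dummy signature) for the example."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.dummysig"


# Constructed sample 1: an admin granted an application-type permission instead of
# the delegated one, so 'scp' lacks the group scope while 'roles' carries a value.
SAMPLE_TOKEN_MISSING = _make_unsigned_token(
    {"aud": "00000003-0000-0000-c000-000000000000",
     "scp": "openid profile User.Read",
     "roles": ["GroupMember.Read.All"]}
)

# Constructed sample 2: the delegated scopes are present as expected.
SAMPLE_TOKEN_OK = _make_unsigned_token(
    {"aud": "00000003-0000-0000-c000-000000000000",
     "scp": "openid profile User.Read GroupMember.Read.All"}
)

if __name__ == "__main__":
    for name, tok in (("missing", SAMPLE_TOKEN_MISSING), ("ok", SAMPLE_TOKEN_OK)):
        print(name, json.dumps(diagnose_group_scopes(tok), indent=2))
```

When `missing_scopes` is non-empty but `application_roles` is populated, the consent was granted on the wrong permission type; the fix is on the App Registration side (grant the delegated scope and re-consent), not in the broker configuration.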
@saltstack-admin: Did you also double check that the app in that screenshot is the one that's configured via the
Hi,
Yes, we did. Today I had a meeting with our Microsoft admins and we tried the excessive solution from divgo. We now got a new error and were able to determine that our security policy is blocking all logins from authd. Our Microsoft admins had the idea to exclude the application registration from this policy, but this is impossible as long as "Allow public client workflows" is enabled. If no one has an idea, I will close this issue in a few days, if I don't forget it.
@saltstack-admin: Thanks for reporting back!
That's interesting! Is that a Conditional Access policy? We plan to work on support for Microsoft Entra device registration, so I expect that you will be able to use authd with this policy at some point.
Yes, our problem is created by a Conditional Access policy.
Is there an existing issue for this?
Describe the issue
Hello,
I installed on a new system Ubuntu 24.04 and followed the documentation here:
https://github.com/ubuntu/authd/wiki/01---Get-started-with-authd
I checked with our MS Admins multiple times the configuration, but nonetheless I get always this error:
could not get user info: could not fetch user info: could not get user groups: Insufficient privileges to complete the operation.
Where does the issue happen
Steps to reproduce it
could not get user info: could not fetch user info: could not get user groups: Insufficient privileges to complete the operation.
System information and logs
Environment
Log files
Authd entries:
MS Entra ID broker entries:
Application settings
???
Broker configuration:
Broker authd configuration:
Relevant information
No response
Double check your logs