Issue: Could not create broker with provided issuer and client

[mwilcher-gp]

Is there an existing issue for this?

• I have searched the existing issues and found none that matched mine

Describe the issue

I'm receiving the following error can't select broker: rpc error: code = Unknown desc = can't start authentication transaction: The name com.ubuntu.authd.MSEntraID was not provided by any .service files when attempting to log in with a Microsoft ID. I followed the wiki installation instructions. I can't make heads or tails out of the error message.

Where does the issue happens

• I can reproduce the issue in the graphical display manager
• I can reproduce the issue on a terminal with "login"

Steps to reproduce it

Attempt to log in (through GUI or CLI) with authorized MS user account
Select the Microsoft EntraID broker
Receive error

System information and logs

Environment

• broker version: please run snap info authd-msentraid

name:      authd-msentraid
summary:   MSEntra ID broker for authd
publisher: Canonical✓
store-url: https://snapcraft.io/authd-msentraid
license:   GPL-3.0
description: |
  This is the MS Entra ID broker snap for authd  to provide MS Entra ID OIDC based authentication on
  Ubuntu with authd.
services:
  authd-msentraid: simple, enabled, inactive
snap-id:      vS3oJLMss6lgWwoFcPqYDUA2HB20I1Dc
tracking:     0.x/stable
refresh-date: today at 11:07 EDT
channels:
  0.x/stable:    0.1 2024-07-18 (10) 17MB -
  0.x/candidate: ↑                        
  0.x/beta:      ↑                        
  0.x/edge:      0.1 2024-08-21 (33) 17MB -
installed:       0.1            (10) 17MB -

• authd version: please run /usr/libexec/authd version
authd 0.3.1~ppa4
• gnome shell version: please run apt policy gnome-shell

gnome-shell:
  Installed: 46.3.1-1ubuntu1~24.04.1
  Candidate: 46.3.1-1ubuntu1~24.04.1
  Version table:
 *** 46.3.1-1ubuntu1~24.04.1 500
        500 https://ppa.launchpadcontent.net/ubuntu-enterprise-desktop/authd/ubuntu noble/main amd64 Packages
        100 /var/lib/dpkg/status
     46.0-0ubuntu6~24.04.3 500
        500 http://us.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
     46.0-0ubuntu5 500
        500 http://us.archive.ubuntu.com/ubuntu noble/main amd64 Packages

• Distribution: (NAME in /etc/os-release)
  Ubuntu
• Distribution version: (VERSION_ID on /etc/os-release):
  24.04

Log files

Please redact/remove sensitive information:

Authd entries:

journalctl -u authd.service

-- Boot 71661143f6194116a61dec5835e5053f --
Aug 21 11:17:23 22-04-test-Lat-7390 systemd[1]: Starting authd.service - Authd daemon service...
Aug 21 11:17:23 22-04-test-Lat-7390 systemd[1]: Started authd.service - Authd daemon service.
Aug 21 11:31:03 22-04-test-Lat-7390 systemd[1]: Stopping authd.service - Authd daemon service...
Aug 21 11:31:03 22-04-test-Lat-7390 systemd[1]: authd.service: Deactivated successfully.
Aug 21 11:31:03 22-04-test-Lat-7390 systemd[1]: Stopped authd.service - Authd daemon service.
Aug 21 11:31:03 22-04-test-Lat-7390 systemd[1]: Starting authd.service - Authd daemon service...
Aug 21 11:31:04 22-04-test-Lat-7390 systemd[1]: Started authd.service - Authd daemon service.
Aug 21 12:44:03 22-04-test-Lat-7390 systemd[1]: Stopping authd.service - Authd daemon service...
Aug 21 12:44:03 22-04-test-Lat-7390 systemd[1]: authd.service: Deactivated successfully.
Aug 21 12:44:03 22-04-test-Lat-7390 systemd[1]: Stopped authd.service - Authd daemon service.
-- Boot aba271fa146046c9801a9d7a3e306357 --
Aug 21 12:44:30 22-04-test-Lat-7390 systemd[1]: Starting authd.service - Authd daemon service...
Aug 21 12:44:30 22-04-test-Lat-7390 systemd[1]: Started authd.service - Authd daemon service.
Aug 21 13:22:47 22-04-test-Lat-7390 systemd[1]: Stopping authd.service - Authd daemon service...
Aug 21 13:22:47 22-04-test-Lat-7390 systemd[1]: authd.service: Deactivated successfully.
Aug 21 13:22:47 22-04-test-Lat-7390 systemd[1]: Stopped authd.service - Authd daemon service.
Aug 21 13:22:47 22-04-test-Lat-7390 systemd[1]: Starting authd.service - Authd daemon service...
Aug 21 13:22:47 22-04-test-Lat-7390 systemd[1]: Started authd.service - Authd daemon service.
Aug 21 13:23:22 22-04-test-Lat-7390 systemd[1]: Stopping authd.service - Authd daemon service...
Aug 21 13:23:22 22-04-test-Lat-7390 systemd[1]: authd.service: Deactivated successfully.
Aug 21 13:23:22 22-04-test-Lat-7390 systemd[1]: Stopped authd.service - Authd daemon service.
-- Boot 03e553bf51b046e8acaf30477edbd8a2 --
Aug 21 13:23:49 22-04-test-Lat-7390 systemd[1]: Starting authd.service - Authd daemon service...
Aug 21 13:23:49 22-04-test-Lat-7390 systemd[1]: Started authd.service - Authd daemon service.
Aug 21 13:37:15 22-04-test-Lat-7390 systemd[1]: Stopping authd.service - Authd daemon service...
Aug 21 13:37:15 22-04-test-Lat-7390 systemd[1]: authd.service: Deactivated successfully.
Aug 21 13:37:15 22-04-test-Lat-7390 systemd[1]: Stopped authd.service - Authd daemon service.
Aug 21 13:37:15 22-04-test-Lat-7390 systemd[1]: Starting authd.service - Authd daemon service...
Aug 21 13:37:15 22-04-test-Lat-7390 systemd[1]: Started authd.service - Authd daemon service.
Aug 21 13:37:31 22-04-test-Lat-7390 systemd[1]: Stopping authd.service - Authd daemon service...
Aug 21 13:37:31 22-04-test-Lat-7390 systemd[1]: authd.service: Deactivated successfully.
Aug 21 13:37:31 22-04-test-Lat-7390 systemd[1]: Stopped authd.service - Authd daemon service.
-- Boot bcae2eaa03a845e58b3310886dcb3065 --
Aug 21 13:38:01 22-04-test-Lat-7390 systemd[1]: Starting authd.service - Authd daemon service...
Aug 21 13:38:01 22-04-test-Lat-7390 systemd[1]: Started authd.service - Authd daemon service.

MS Entra ID broker entries:

journalctl -u snap.authd-msentraid.authd-msentraid.service
-- Boot bcae2eaa03a845e58b3310886dcb3065 --
Aug 21 13:38:03 22-04-test-Lat-7390 systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
Aug 21 13:38:04 22-04-test-Lat-7390 authd-msentraid.authd-msentraid[1252]: time=2024-08-21T13:38:04.431-04:00 level=ERROR msg="could not create broker with provided issuer and client >
Aug 21 13:38:04 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Main process exited, code=exited, status=1/FAILURE
Aug 21 13:38:04 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
Aug 21 13:38:04 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Scheduled restart job, restart counter is at 1.
Aug 21 13:38:04 22-04-test-Lat-7390 systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
Aug 21 13:38:04 22-04-test-Lat-7390 authd-msentraid.authd-msentraid[1602]: time=2024-08-21T13:38:04.644-04:00 level=ERROR msg="could not create broker with provided issuer and client >
Aug 21 13:38:04 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Main process exited, code=exited, status=1/FAILURE
Aug 21 13:38:04 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
Aug 21 13:38:04 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Scheduled restart job, restart counter is at 2.
Aug 21 13:38:04 22-04-test-Lat-7390 systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
Aug 21 13:38:04 22-04-test-Lat-7390 authd-msentraid.authd-msentraid[1652]: time=2024-08-21T13:38:04.965-04:00 level=ERROR msg="could not create broker with provided issuer and client >
Aug 21 13:38:04 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Main process exited, code=exited, status=1/FAILURE
Aug 21 13:38:04 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
Aug 21 13:38:05 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Scheduled restart job, restart counter is at 3.
Aug 21 13:38:05 22-04-test-Lat-7390 systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
Aug 21 13:38:05 22-04-test-Lat-7390 authd-msentraid.authd-msentraid[1704]: time=2024-08-21T13:38:05.612-04:00 level=ERROR msg="could not create broker with provided issuer and client >
Aug 21 13:38:05 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Main process exited, code=exited, status=1/FAILURE
Aug 21 13:38:05 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
Aug 21 13:38:05 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Scheduled restart job, restart counter is at 4.
Aug 21 13:38:05 22-04-test-Lat-7390 systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
Aug 21 13:38:05 22-04-test-Lat-7390 authd-msentraid.authd-msentraid[2063]: time=2024-08-21T13:38:05.860-04:00 level=ERROR msg="could not create broker with provided issuer and client >
Aug 21 13:38:05 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Main process exited, code=exited, status=1/FAILURE
Aug 21 13:38:05 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
Aug 21 13:38:06 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Scheduled restart job, restart counter is at 5.
Aug 21 13:38:06 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Start request repeated too quickly.
Aug 21 13:38:06 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
Aug 21 13:38:06 22-04-test-Lat-7390 systemd[1]: Failed to start snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.

Application settings

Please redact/remove sensitive information:

Broker configuration:

cat /var/snap/authd-msentraid/current/broker.conf

[oidc]
issuer = https://login.microsoftonline.com/<tenant ID>/v2.0
client_id = <application id>

[users]
 home_base_dir = /home

Broker authd configuration:

cat /etc/authd/brokers.d/msentraid.conf

# This section is used by authd to identify and communicate with the broker.
# It should not be edited.
[authd]
name = Microsoft Entra ID
brand_icon = /snap/authd-msentraid/current/broker_icon.png
dbus_name = com.ubuntu.authd.MSEntraID
dbus_object = /com/ubuntu/authd/MSEntraID

Relevant information

No response

Double check your logs

• I have redacted any sensitive information from the logs

[denisonbarbosa]

Hey, @mwilcher-gp! Thanks for reporting this issue. Sadly, the logs are a little bit incomplete.

The error: level=ERROR msg="could not create broker with provided issuer and client ... (there's more info here, but the logs you pasted only show up until that) happens when we can't create the broker service due to configuration errors. Would you mind double-checking the configuration file for the broker (keys, sections, filename, and so on)? I think there might be something off there.

I noticed that there's a blank space before home_base_dir in the broker.conf file. We tried that to see if it would fail the parsing, but it seems like it doesn't interfere with it, but you can also try to remove it (just in case).

[mwilcher-gp]

To be clear which configuration file you're requesting information. Which of the two below are you looking for more information on?

/etc/authd/brokers.d/msentraid.conf

or

/var/snap/authd-msentraid/current/broker.conf

For both of those files, what I included is what is in them. I followed the installation instructions and triple checked for more specific details on broker configuration and could not find it.

[denisonbarbosa]

I was talking about /var/snap/authd-msentraid/current/broker.conf. If everything looks ok in the file, can you paste the entire error message (the one I mentioned that's incomplete)?

[mwilcher-gp]

Sure! I'll work to get you those logs. Just to make sure though, are there only supposed to be these two lines in the broker configuration file?

[oidc]
issuer = https://login.microsoftonline.com/<tenant ID>/v2.0
client_id = <application id>

[denisonbarbosa]

Yes, those are the only required lines for the broker to work. The home_base_dir and ssh_allowed_suffixes are optional values.

[mwilcher-gp]

Aug 21 13:38:05 22-04-test-Lat-7390 systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
Aug 21 13:38:05 22-04-test-Lat-7390 authd-msentraid.authd-msentraid[2063]: time=2024-08-21T13:38:05.860-04:00 level=ERROR msg="could not create broker with provided issuer and client ID: Get \"https://login.microsoftonline.com/tenant/v2.0/.well-known/openid-configuration\": dial tcp: lookup login.microsoftonline.com on 127.0.0.53:53: server misbehaving"
Aug 21 13:38:05 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Main process exited, code=exited, status=1/FAILURE
Aug 21 13:38:05 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
Aug 21 13:38:06 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Scheduled restart job, restart counter is at 5.
Aug 21 13:38:06 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Start request repeated too quickly.
Aug 21 13:38:06 22-04-test-Lat-7390 systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
Aug 21 13:38:06 22-04-test-Lat-7390 systemd[1]: Failed to start snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.

[denisonbarbosa]

Thanks for reporting back! It seems like the broker can't find your provider. Can you take a look at https://github.com/ubuntu/authd/wiki/03---Configuration#entra-id-configuration and make sure everything is configured as it should?

[mwilcher-gp]

Oddly enough, the configuration file was fine. I restarted the authd-msentraid service and was able to hit the CLI login for testing. Although, after a reboot, it returned the same error until the service was restarted.

I'm up to a point of insufficient group permissions which I can resolve within Entra.

Quick question though, it appears to only refer to the users full email address. Typically we use UPN value. Also it appears to be case sensitive. Are the ways to fix these issues?

[mwilcher-gp]

Now I appear to be having this issue:

#450