I have searched the existing issues and found none that matched mine
Describe the issue
Our AD users have far too many groups and it seems to be random which groups get pulled down for each user. Users cannot have sudo access because there is no way to confirm if all their groups are pulled down. We confirmed ALL groups have GIDs.
We then tried to add the user to a local group and realized that AD users are not part of any local groups. Nor can we add them to a local group, as they will be removed on logout.
We tested the edge channel as well
Steps to reproduce
option 1: AD Groups
run sudo login
connect as user
run groups
notice multiple AD groups are missing
option 2: Local Group
login with authd account
run groups command
notice all missing local groups
System information and logs
authd version
authd 0.3.4~ppa3
authd-msentraid broker version
name: authd-msentraid
summary: MSEntra ID broker for authd
publisher: Canonical**
store-url: https://snapcraft.io/authd-msentraid
license: GPL-3.0
description: |
This is the MS Entra ID broker snap for authd to provide MS Entra ID OIDC
based authentication on Ubuntu with authd.
services:
authd-msentraid: simple, enabled, active
snap-id: vS3oJLMss6lgWwoFcPqYDUA2HB20I1Dc
tracking: 0.x/stable
refresh-date: today at 17:07 UTC
channels:
0.x/stable: 0.1 2024-09-16 (44) 17MB -
0.x/candidate: ^
0.x/beta: ^
0.x/edge: 0.1+4fe9826.0f76acc 2024-09-20 (51) 18MB -
installed: 0.1 (44) 17MB -
authd broker configuration
/etc/authd/brokers.d/msentraid.conf
# This section is used by authd to identify and communicate with the broker.
# It should not be edited.
[authd]
name = Microsoft Entra ID
brand_icon = /snap/authd-msentraid/current/broker_icon.png
dbus_name = com.ubuntu.authd.MSEntraID
dbus_object = /com/ubuntu/authd/MSEntraID
authd-msentraid configuration
[oidc]
issuer = https://login.microsoftonline.com/<UUID redacted>/v2.0
client_id = <UUID redacted>
[users]
# The directory where the home directory will be created for new users.
# Existing users will keep their current directory.
# The user home directory will be created in the format of {home_base_dir}/{username}
# home_base_dir = /home
# The username suffixes that are allowed to login via ssh without existing previously in the system.
# The suffixes must be separated by commas.
# ssh_allowed_suffixes = @example.com,@anotherexample.com
Double check your logs
I have redacted any sensitive information from the logs
Hey, @namato1! Thanks for reporting this issue. Would you mind following the steps to enable the debug logs on the broker also? This can help us understand if something is going wrong on that side.
Seeing that you can authenticate with the remote user, I suspect this group listing issue could be an inconsistency/limitation of msgraph. We'll investigate the issue further!
Meanwhile, we have an updated version of authd in the authd-edge PPA, so would you mind updating to the newest version and also enabling the broker logs as I've mentioned above? Thanks again for your help!