• Bug#1105198: gdm3: PAM configuration makes it impossible to determine t

    From David Härdeman@21:1/5 to All on Tue May 13 09:40:01 2025
    Package: gdm3
    Version: 48.0-1
    Severity: normal

    Dear Maintainer,

    I'm trying to set up gdm3 to allow logins using a smartcard (via Kerberos
    and SSSD).

    After I'd set up SSSD and verified that it was working as expected
    (using "sssctl cert-show/cert-map/cert-eval-rule"), I tried getting GDM
    to play along.

    I made sure that:
    /etc/pam.d/gdm-smartcard -> /etc/alternatives/gdm-smartcard
    /etc/alternatives/gdm-smartcard -> /etc/pam.d/gdm-smartcard-sssd-exclusive

    First stumbling block was: #1061444, fixing that allowed GDM to
    communicate with the smart card.

    The next stumbling block (and the subject of this bug report) is that
    GDM still required a username to be input when the smartcard (yubikey,
    in my case) was inserted, even though SSSD was correctly configured to
    determine the user on the basis of the cert.

    Adding debugging to sssd (sssd-pam) yielded nothing; it wasn't even
    called when the smartcard was inserted.

    After some more debugging, I realised that
    /etc/pam.d/gdm-smartcard-sssd-exclusive starts with these lines:
    #%PAM-1.0
    auth [success=ok user_unknown=ignore default=bad] pam_succeed_if.so user != root quiet_success
    auth [success=2 module_unknown=ignore default=die] pam_sss.so allow_missing_name require_cert_auth

    The problem with pam_succeed_if.so is that when the username is NULL, it
    won't generate "user_unknown", it'll generate a conversation error:

    $ journalctl -u gdm --since=08:00 | grep succeed_if
    May 13 08:38:15 test gdm-smartcard][16716]: pam_succeed_if(gdm-smartcard:auth): cannot determine user name: Conversation error

    That means that pam_sss.so won't be given a chance to provide the
    username and the user will instead be prompted for a username.

    I've tried adding various settings like conv_err=ignore to the
    pam_succeed_if.so line above, but it doesn't help (I've even tried
    "success=ok default=ignore"); as long as pam_succeed_if.so is included,
    the pam stack fails to figure out the user automatically.

    If I comment out the pam_succeed_if.so line, everything works
    automagically and I get a prompt for the smartcard PIN as soon as I plug
    in the yubikey, and I'm then logged in as the right user...

    Not sure what the proper PAM cfg should look like...
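
    As an added example (not code from this report, nor from gdm, Linux-PAM or sssd), here is a toy evaluator of the pam.conf(5) "[value=action]" control syntax with each module reduced to the behaviour the report describes: pam_succeed_if must obtain a user name, and when PAM_USER is unset that goes through the application's conversation function, while pam_sss with allow_missing_name derives the user from the certificate. The user name "alice", the prompt strings and the PIN step are constructed stand-ins. Running it shows why remapping pam_succeed_if's return code (conv_err=ignore) does not help: the username prompt is issued before pam_sss ever runs, so only removing that line keeps the login automatic.

```python
"""Toy evaluator for a Linux-PAM 'auth' stack using the [value=action] control
syntax from pam.conf(5).  Constructed, simplified model (not gdm, Linux-PAM or
sssd code): each module is reduced to the behaviour the bug report describes."""
from __future__ import annotations
from dataclasses import dataclass, field

PAM_SUCCESS = "success"
PAM_USER_UNKNOWN = "user_unknown"
PAM_CONV_ERR = "conv_err"
PAM_AUTH_ERR = "auth_err"
PAM_PERM_DENIED = "perm_denied"   # Linux-PAM's result when no module set one


@dataclass
class Handle:
    """Stand-in for pam_handle_t plus the display manager's conversation state."""
    user: str | None = None          # PAM_USER item
    cert_user: str | None = None     # user SSSD would map the inserted cert to (constructed)
    prompts: list[str] = field(default_factory=list)  # prompts the application received


def pam_get_user(h: Handle) -> tuple[str, str | None]:
    """Like Linux-PAM pam_get_user: return PAM_USER if set, otherwise ask the
    application through the conversation function (PAM_PROMPT_ECHO_ON)."""
    if h.user is not None:
        return PAM_SUCCESS, h.user
    h.prompts.append("login:")       # this prompt is what surfaces as GDM's username field
    return PAM_CONV_ERR, None        # nobody can answer it yet -> "Conversation error"


def pam_succeed_if(h: Handle, args: list[str]) -> str:
    """Needs a user name before it can evaluate 'user != root'."""
    rc, user = pam_get_user(h)
    if rc != PAM_SUCCESS:
        return rc
    return PAM_AUTH_ERR if user == "root" else PAM_SUCCESS


def pam_sss(h: Handle, args: list[str]) -> str:
    """With allow_missing_name, SSSD derives the user from the certificate and
    then asks for the card PIN (the prompt the report sees once things work)."""
    if h.user is None:
        if "allow_missing_name" not in args or h.cert_user is None:
            return PAM_USER_UNKNOWN
        h.user = h.cert_user
    h.prompts.append("PIN:")
    return PAM_SUCCESS


MODULES = {"pam_succeed_if.so": pam_succeed_if, "pam_sss.so": pam_sss}


def parse_stack(config: str) -> list[tuple[dict[str, str], str, list[str]]]:
    """Parse 'auth [k=v ...] module args' lines; comments and blanks are skipped."""
    entries = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _facility, rest = line.split(None, 1)
        control, rest = rest.lstrip("[").split("]", 1)
        actions = dict(token.split("=", 1) for token in control.split())
        module, *args = rest.split()
        entries.append((actions, module, args))
    return entries


def run_auth(config: str, h: Handle) -> str:
    """Apply the pam.conf(5) actions ignore, ok, done, bad, die and integer jumps.
    The first recorded failure sticks; later successes do not override it."""
    entries = parse_stack(config)
    status = None
    i = 0
    while i < len(entries):
        actions, module, args = entries[i]
        rc = MODULES[module](h, args)
        action = actions.get(rc, actions.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue
        if status in (None, PAM_SUCCESS):   # both ok-like and bad-like actions record rc here
            status = rc
        if action == "die" or action == "done":
            break
        if action.isdigit():                # N: jump over the next N modules
            i += int(action)
    return PAM_PERM_DENIED if status is None else status


def logs_in_without_username_prompt(config: str, cert_user: str = "alice") -> bool:
    """True only if the stack succeeds, maps the user from the cert, and never asks for a name."""
    h = Handle(cert_user=cert_user)
    ok = run_auth(config, h) == PAM_SUCCESS
    return ok and h.user == cert_user and "login:" not in h.prompts


# The two lines quoted in the report, and the two variants it tried.
SHIPPED = """\
#%PAM-1.0
auth [success=ok user_unknown=ignore default=bad] pam_succeed_if.so user != root quiet_success
auth [success=2 module_unknown=ignore default=die] pam_sss.so allow_missing_name require_cert_auth
"""
CONV_ERR_IGNORED = SHIPPED.replace("user_unknown=ignore", "user_unknown=ignore conv_err=ignore")
WITHOUT_SUCCEED_IF = "\n".join(l for l in SHIPPED.splitlines() if "pam_succeed_if" not in l)

if __name__ == "__main__":
    for name, cfg in [("shipped", SHIPPED), ("conv_err=ignore", CONV_ERR_IGNORED),
                      ("pam_succeed_if removed", WITHOUT_SUCCEED_IF)]:
        h = Handle(cert_user="alice")
        print(f"{name:24s} result={run_auth(cfg, h):12s} prompts={h.prompts}")
```

The check that matters for a smartcard flow is not the stack's final return code but the conversation traffic: any module that calls pam_get_user before pam_sss has mapped the certificate will make the display manager ask for a name, whatever action its return code is mapped to.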
