
SSSD Login Failed #94744

Open
Rudi9719 opened this issue Aug 5, 2020 · 20 comments
Labels
0.kind: bug Something is broken 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 6.topic: qt/kde

Comments

@Rudi9719 commented Aug 5, 2020

Describe the bug
Unable to authenticate SDDM via SSSD

To Reproduce
Steps to reproduce the behavior:

  1. `services.sssd.enable = true;`
  2. Provide `services.sssd.config`
  3. Enable `security.pam.services.sddm.makeHomeDir = true;`
  4. Enable the X11 windowing system:
     services.xserver.enable = true;
     services.xserver.layout = "us";
     services.xserver.displayManager.sddm.enable = true;
     services.xserver.desktopManager.plasma5.enable = true;

Expected behavior
Users should now be able to log in via SSSD using SDDM

Screenshots
N/A

Additional context
Regular login via console, or ssh seems to be working

Notify maintainers
@flokli
@aanderse
@dasJ
@e-user
@arianvp

Metadata

  • system: "x86_64-linux"
  • host os: Linux 5.4.53, NixOS, 20.03.2668.7c85b915892 (Markhor)
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.3.6
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute: 
# a list of nixos modules affected by the problem
module:
@Rudi9719 Rudi9719 added the 0.kind: bug Something is broken label Aug 5, 2020
@FRidh FRidh added 6.topic: qt/kde 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS labels Aug 5, 2020
@flokli (Contributor) commented Aug 8, 2020

This is missing some information on how your sssd is configured. Can you provide a minimal test case, maybe as a VM test to reproduce?

@Rudi9719 (Author):

@flokli I can not provide my exact sssd config as it has auth info (I do not allow unauthenticated binds). I can pull that out, but are you asking for that? Or are you asking for the configuration.nix I'm using to build?

@flokli (Contributor) commented Aug 15, 2020

I'm asking for a configuration to reproduce this. Ideally we could produce a test for nixos/tests that describes the configuration, so we can easily test and fix this (and spot future regressions as well).

@Rudi9719 (Author) commented Aug 16, 2020

I've uploaded the configuration that I've been using below, with passwords and hostnames redacted. GitHub also made me rename it from .nix to .txt
sssd.txt

@flokli (Contributor) commented Aug 16, 2020

@Rudi9719 thanks for the snippet. I fear we can't currently turn this into a VM test, as we'd need a LDAP server with some users.

Maybe it's time to revive nixosTests.ldap, which got removed in #87004, which could nicely add a test case for this.

@Mic92 @Ekleog, could you find some time for this?

@Mic92 (Member) commented Aug 16, 2020

Sorry, not an SSSD user.

@Rudi9719 (Author) commented Aug 23, 2020

I'm not sure if this is useful, but I managed to get login working by editing the pam.d config by hand. Is there a way to make nixos automatically apply this as opposed to the default? This is the working sddm pam.d config:

```
account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] /nix/store/zwn260zqnggflk9bda6cbgcaqzzi3lbz-sssd-1.16.4/lib/security/pam_sss.so
account required pam_unix.so

# Authentication management.

auth sufficient /nix/store/zwn260zqnggflk9bda6cbgcaqzzi3lbz-sssd-1.16.4/lib/security/pam_sss.so forward_pass
auth required pam_unix.so nullok likeauth

auth optional /nix/store/5zaxxj53dby4x0x6d0sznfkmzr8hb1cy-kwallet-pam-5.17.5/lib/security/pam_kwallet5.so kwalletd=/nix/store/ipp44c1r2bi69zjyv8s7vcw3x16piml4-kwallet-5.66.0-bin/bin/kwalletd5

auth sufficient pam_unix.so nullok likeauth try_first_pass

auth required pam_deny.so

# Password management.
password sufficient /nix/store/zwn260zqnggflk9bda6cbgcaqzzi3lbz-sssd-1.16.4/lib/security/pam_sss.so use_authtok
password sufficient pam_unix.so nullok sha512

# Session management.
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_env.so conffile=/nix/store/fq7b65jdlzwhsg2n29r7scagbbbz3vy6-pam-environment readenv=0

session required pam_unix.so
session optional pam_sss.so
session required pam_loginuid.so

session optional /nix/store/zwn260zqnggflk9bda6cbgcaqzzi3lbz-sssd-1.16.4/lib/security/pam_sss.so

session optional /nix/store/vac1gmzh1xmk3s7w9pbjvirxqsg1npn0-systemd-243.7/lib/security/pam_systemd.so

session optional /nix/store/5zaxxj53dby4x0x6d0sznfkmzr8hb1cy-kwallet-pam-5.17.5/lib/security/pam_kwallet5.so kwalletd=/nix/store/ipp44c1r2bi69zjyv8s7vcw3x16piml4-kwallet-5.66.0-bin/bin/kwalletd5
```

Edited to replace multiple newlines with just one newline

@bbigras (Contributor) commented Aug 24, 2020

I'm taking a look at this. I don't know much about the pam.d part but I'm also interested in having graphical login work with active directory.

@aanderse (Member):

@bbigras I'm interested in learning more about sssd in general (and specifically on NixOS) - if you're looking for graphical login via active directory the users.ldap module works well for this.

@bbigras (Contributor) commented Aug 25, 2020

@aanderse thanks. Is users.ldap not using sssd at all? I thought sssd was useful to make a computer part of the domain, has gpo support, can be used to log in while offline (the creds are cached I think).

I also want to use keytabs for Kerberos with Active Directory. I'm pretty sure I can get one with sssd, but I'm not sure if it's required, since in one test we copied a keytab that was generated on a Windows server.

I was able to test sssd with active directory on NixOS in the past. I think login, sudo and ssh worked but not gdm. Possibly because of the pam.d stuff.

@aanderse (Member):

No, users.ldap is something else, and less feature-rich. I'm hoping to find some time to learn the details of sssd configuration and eventually migrate to it... but users.ldap works, so the motivation to switch isn't high enough yet.

@bbigras (Contributor) commented Sep 1, 2020

I just submitted a very basic test for sssd with ldap: #96885

Maybe it can help for testing with sddm.

I wonder if enumerate = true is needed for sddm. Maybe see: https://sssd.io/docs/users/faq.html#when-should-i-enable-enumeration-in-sssd-or-why-is-enumeration-disabled-by-default

As for pam.d, maybe we can modify the following code to add pam_sss conditionally if services.sssd is enabled.

```nix
security.pam.services = {
  sddm = {
    allowNullPassword = true;
    startSession = true;
  };
  sddm-greeter.text = ''
    auth required pam_succeed_if.so audit quiet_success user = sddm
    auth optional pam_permit.so
    account required pam_succeed_if.so audit quiet_success user = sddm
    account sufficient pam_unix.so
    password required pam_deny.so
    session required pam_succeed_if.so audit quiet_success user = sddm
    session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
    session optional ${pkgs.systemd}/lib/security/pam_systemd.so
    session optional pam_keyinit.so force revoke
    session optional pam_permit.so
  '';
  sddm-autologin.text = ''
    auth requisite pam_nologin.so
    auth required pam_succeed_if.so uid >= 1000 quiet
    auth required pam_permit.so
    account include sddm
    password include sddm
    session include sddm
  '';
};
```
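The hand-edited /etc/pam.d/sddm stack Rudi9719 posted earlier and the "add pam_sss conditionally" idea above can be combined into one declarative override. This is an added example, not code from the thread or from nixpkgs: it assumes that setting `security.pam.services.<name>.text` replaces the module's generated file, that `pkgs.sssd` ships `lib/security/pam_sss.so`, and it leaves out the kwallet lines and the duplicated `pam_unix` auth entry from the working config.

```nix
{ config, lib, pkgs, ... }:

let
  # Assumption: pam_sss.so is provided by pkgs.sssd, as the store paths in the thread suggest.
  pamSss = "${pkgs.sssd}/lib/security/pam_sss.so";
in
{
  services.sssd.enable = true;
  # services.sssd.config holds site-specific bind credentials and is not shown here.

  # Only replace the generated sddm stack when sssd is actually enabled, so the
  # module's default file is kept on machines without SSSD.
  security.pam.services.sddm.text = lib.mkIf config.services.sssd.enable ''
    # Account: sssd decides for domain users; unknown users fall through to pam_unix.
    account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] ${pamSss}
    account required pam_unix.so

    # Authentication: ask sssd first; forward_pass hands the password to later modules
    # so the user is not prompted twice. nullok permits empty local passwords; drop it
    # if no local account relies on that.
    auth sufficient ${pamSss} forward_pass
    auth sufficient pam_unix.so nullok likeauth try_first_pass
    auth required pam_deny.so

    # Password changes: sssd for domain accounts, pam_unix for local ones.
    password sufficient ${pamSss} use_authtok
    password sufficient pam_unix.so nullok sha512

    # Session: create the home directory on first login (this is what
    # makeHomeDir = true generates), then the usual session modules.
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
    session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
    session required pam_unix.so
    session required pam_loginuid.so
    session optional ${pamSss}
    session optional ${pkgs.systemd}/lib/security/pam_systemd.so
  '';
}
```

After `nixos-rebuild switch`, `grep pam_sss /etc/pam.d/sddm` confirms the override took effect. Note that `authinfo_unavail=ignore` makes the account phase fall back silently when the sssd daemon is not running, so a graphical login failure with this stack should be checked against `systemctl status sssd` first.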

@bbigras (Contributor) commented Sep 7, 2020

The sssd-ldap test is now merged (with Mic92's help):
https://github.com/NixOS/nixpkgs/blob/1befbc65184f0608d83ffb5188700dedff250035/nixos/tests/sssd-ldap.nix

You can use it as a base for a SDDM test.

I'll try to find some time soon to take a look at it.

@ghost commented Sep 17, 2020

Thank you for working on this. I'm having the same issue.

@Rudi9719 (Author):

Popping back in, sshd/login are borked now from a fresh install using my previous config. Not sure why that is but I have a hunch based on the PR I made above. Hoping someone can take a look at it and make sense/explain what's going on with that. I'm not sure how to test your patch @bbigras, can I just reinstall using sddm and sssd and it will work or do I have to pull something differently?

stale bot commented Jun 4, 2021

I marked this as stale due to inactivity.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 4, 2021
@bbigras (Contributor) commented Jun 4, 2021

@Rudi9719 did you figure it out since your last comment?

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 4, 2021
@aanderse (Member):

Not sure if anyone is still suffering from this issue or not, but I believe adding this to your configuration might resolve the problem:

```nix
security.pam.services.systemd-user.makeHomeDir = true;
```

@wucke13 (Contributor) commented Nov 3, 2021

May this be the same issue as in #128116?

stale bot commented May 2, 2022

I marked this as stale due to inactivity.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label May 2, 2022