GDM asks for password when broker is disabled

[adombeck]

GDM asks me for a password when selecting an existing authd user when no authd brokers are configured:

Any password I enter results in "Sorry that didn't work. Please try again.", also if I enter the correct local password of that user.

I'm able to reproduce this on Noble and Resolute.

Steps to reproduce:

1. Configure a broker (I used authd-msentraid)
2. Authenticate with the broker
3. sudo rm /etc/authd/brokers.d/*
4. sudo systemctl restart authd
5. In GDM, select the existing authd user.

Relevant logs (from Noble):

Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: Connecting to unix:///run/authd.sock
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: Sending to GDM: {"type":"hello"}
Mar 23 15:34:06 ubuntu gnome-shell[3139]: authd: Starting authd protocol
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: Got from GDM: {"type":"hello","hello":{"version":1}}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: Gdm Reply is type:hello  hello:{version:1}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: adapter.initHealthCheck{}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: Sending to GDM: {"type":"request", "request":{"type":"uiLayoutCapabilities", "uiLayoutCapabilities":{}}}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: Got from GDM: {"type":"response","response":{"type":"uiLayoutCapabilities","uiLayoutCapabilities":{"supportedUiLayouts":[{"type":"form","label":"required","wait":"optional:true,false","entry":"optional:chars,chars_password,digits,digits_password"},{"type":"newpassword","label":"required","entry":"optional:chars,chars_password,digits,digits_password"},{"type":"qrcode","label":"required","button":"optional","wait":"required:true,false","content":"required","code":"optional"}]}}}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: adapter.supportedUILayoutsReceived{layouts:[]*authd.UILayout{(*authd.UILayout)(0xc0001909a0), (*authd.UILayout)(0xc000190c40), (*authd.UILayout)(0xc000190cb0)}}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: adapter.brokersListReceived{brokers:[]*authd.ABResponse_BrokerInfo{(*authd.ABResponse_BrokerInfo)(0xc000326be0)}}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: adapter.BrokerListReceived{}, brokers: []*authd.ABResponse_BrokerInfo{(*authd.ABResponse_BrokerInfo)(0xc000326be0)}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: Sending to GDM: {"type":"event", "event":{"type":"brokersReceived", "brokersReceived":{"brokersInfos":[{"id":"local", "name":"local", "brandIcon":""}]}}}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: adapter.userSelected{username:"test@ubudev1.onmicrosoft.com"}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: Sending to GDM: {"type":"event", "event":{"type":"userSelected", "userSelected":{"userId":"test@ubudev1.onmicrosoft.com"}}}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: adapter.UsernameSelected{}, user: "test@ubudev1.onmicrosoft.com"
Mar 23 15:34:06 ubuntu authd[2279]: Last used broker "2102147668" is not available for user "test@ubudev1.onmicrosoft.com", letting the user select a new one
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: adapter.brokerSelectionRequired{}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: adapter.ChangeStage{Stage:"brokerSelection"}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: *adapter.authModeSelectionModel: Reset
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: adapter.List: Focus
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: Got from GDM: {"type":"eventAck"}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: EventSend&{brokersInfos:{id:"local"  name:"local"  brand_icon:""}}result<nil>
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: adapter.listFocused{id:0x1}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: adapter.StageChanged{Stage:"brokerSelection"}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: Sending to GDM: {"type":"request", "request":{"type":"changeStage", "changeStage":{"stage":"brokerSelection"}}}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: Got from GDM: {"type":"eventAck"}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: EventSend&{userId:"test@ubudev1.onmicrosoft.com"}result<nil>
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: Got from GDM: {"type":"response","response":{"type":"changeStage","ack":{}}}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: Gdm stage change to brokerSelection sent
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: Got from GDM: {"type":"pollResponse","pollResponse":[{"type":"brokerSelected","brokerSelected":{"brokerId":"local"}}]}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: GDM poll response: type:brokerSelected  brokerSelected:{brokerId:"local"}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: adapter.brokerSelected{brokerID:"local"}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: adapter.BrokerSelected{BrokerID:"local"}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: Sending to GDM: {"type":"event", "event":{"type":"brokerSelected", "brokerSelected":{"brokerId":"local"}}}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: adapter.pamError{status:25, msg:""}
Mar 23 15:34:06 ubuntu gnome-shell[3139]: authd: Broker selected local
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: Got from GDM: {"type":"eventAck"}
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: EventSend&{brokerId:"local"}result<nil>
Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: LOGIN: exiting with error The return value should be ignored by PAM dispatch: 
Mar 23 15:34:06 ubuntu authd-pam[4965]: GDM service running without JSON extension, skipping...
Mar 23 15:34:06 ubuntu authd-pam[4965]: LOGIN: exiting with error The return value should be ignored by PAM dispatch
Mar 23 15:34:10 ubuntu gdm-authd][4948]: pam_unix(gdm-authd:auth): The password hash "x" is unknown to libcrypt.
Mar 23 15:34:10 ubuntu gdm-authd][4948]: pam_unix(gdm-authd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=test@ubudev1.onmicrosoft.com
Mar 23 15:34:10 ubuntu gdm-authd][4948]: gkr-pam: unable to locate daemon control file
Mar 23 15:34:10 ubuntu gdm-authd][4948]: gkr-pam: stashed password to try later in open session
Mar 23 15:34:12 ubuntu gnome-shell[3139]: authd: Got a problem: Sorry, that didn’t work. Please try again.
Mar 23 15:34:12 ubuntu gnome-shell[3139]: authd: Cancelling authentication

[adombeck]

What happens is that authd auto-selects the "local" broker which then asks for a unix password, even though there is no unix password for this user.

I think this actually works as intended. If there are no brokers configured, the only available broker is the "local" broker, which is then autoselected. The UX is very bad though, so I still consider it a bug.

[3v1n0]

Yeah not a bug imho.

We cannot hide that the user doesn't exist, so we just fallback to the local user.

[adombeck]

The user does exist, you just can't authenticate as it if its broker isn't configured. Related is that we plan to bind authd users to the broker they logged in with. If that broker is unavailable or not enabled anymore, er should display a meaningful error message instead of asking for a password which doesn't exist, and which to the user looks like we're just asking for their local password.

[3v1n0]

Is this affecting GDM only? as per the PAM log we'd just exit with IGNORE in any case.

Which I feel that's the "problem", but the thing is that authd only tells us that we have just one broker as per Mar 23 15:34:06 ubuntu gdm-session-wor[4948]: EventSend&{brokersInfos:{id:"local" name:"local" brand_icon:""}}result<nil>, and so we auto-select that (but it would happen also without gdm).

So I feel it's up to authd to rather return an error instead of just providing the local borker as a possibility. No?

[adombeck]

So I feel it's up to authd to rather return an error instead of just providing the local borker as a possibility. No?

Yes, I don't really see any reason to offer authentication with the local broker for an authd user. It's possible to manually add entries for an authd user to /etc/passwd and /etc/shadow and set a unix password for it, and then authenticating with the local broker actually works. I don't see a reason we should support that though.