Backport Timeline
Do we have an anticipated timeline for backporting to 22.04 LTS? Will this require Ubuntu Pro to run on 22.04?
I AM NOT A LINUX GURU, but I do mess with RPI a lot. I also wanted to learn how to enroll a Linux device in my lab Intune environment and, in the Intune docs, it stated it only supported Ubuntu 20.04 and 22.04. I decided to install 22.04 on an old Dell Inspiron 3043 device and enroll it. Then I thought it would be neat if I could log in using an AAD account. I found this repo but was disappointed it said only 23.04 is supported.
With very little Linux skills, I thought "why would it not work with 22.04...what's the difference?". I attempted the sudo apt install libpam-aad libnss-aad, and sure enough, it said it couldn't find the modules. hmmm...
I guess the problem was that these modules were not "backported" to the jammy repo. After some research on how I can compile the source code...I thought "why can't I just include the repos for Ubuntu's Lunar flavor?". That's what I did, and, to my surprise, it WORKED!
Here are the steps I did:
WARNING: this is most likely NOT supported
1. Added Lunar repos
sudo nano /etc/apt/sources.list.d/archive_uri-http_archive_ubuntu_com_ubuntu-jammy.list
Added these repos:
deb http://archive.ubuntu.com/ubuntu/ lunar-backports main restricted multiverse universe
# deb-src http://archive.ubuntu.com/ubuntu lunar-backports main restricted multiverse universe
deb http://archive.ubuntu.com/ubuntu/ lunar multiverse main universe restricted
# deb-src http://archive.ubuntu.com/ubuntu lunar multiverse main universe restricted
2. Update package list:
sudo apt update
3. Installed modules
I crossed my fingers and hoped it would "just work"....
sudo apt install libpam-aad libnss-aad
...it worked and it changed all the config files for aad
4. Created enterprise application.
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
5. Exempted applications from conditional access (just in case)
6. Added tenant info to config
sudo nano /etc/aad.conf
tenant_id = <my tenant guid>
app_id = <my app guid>
7. Added debug to both nss and pam configs
I wanted to capture the logs in case it failed.
First login attempt (failed), debug:
...
Jul 30 18:54:43 DellInspiron3043 aad_auth[1181]: nss_aad: opening database connection from /var/lib/aad/cache
Jul 30 18:54:43 DellInspiron3043 aad_auth[1181]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
Jul 30 18:54:43 DellInspiron3043 aad_auth[1181]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
Jul 30 18:55:07 DellInspiron3043 aad_auth[828]: nss_aad: database error: unable to open database file: /var/lib/aad/cache/passwd.db
Jul 30 18:55:07 DellInspiron3043 aad_auth[828]: nss_aad: database error: unable to open database file: /var/lib/aad/cache/passwd.db
Jul 30 18:55:08 DellInspiron3043 aad_auth[828]: nss_aad: database error: unable to open database file: /var/lib/aad/cache/passwd.db
Jul 30 18:55:08 DellInspiron3043 aad_auth[828]: nss_aad: database error: unable to open database file: /var/lib/aad/cache/passwd.db
Jul 30 18:55:08 DellInspiron3043 aad_auth[828]: nss_aad: database error: unable to open database file: /var/lib/aad/cache/passwd.db
Jul 30 18:55:08 DellInspiron3043 aad_auth[828]: nss_aad: database error: unable to open database file: /var/lib/aad/cache/passwd.db
Jul 30 18:55:10 DellInspiron3043 aad_auth[828]: nss_aad: database error: unable to open database file: /var/lib/aad/cache/passwd.db
Jul 30 18:55:10 DellInspiron3043 aad_auth[828]: nss_aad: database error: unable to open database file: /var/lib/aad/cache/passwd.db
Jul 30 18:55:40 DellInspiron3043 gdm-password][1470]: pam_aad(gdm-password:auth): aad auth debug enabled
Jul 30 18:55:40 DellInspiron3043 gdm-password][1470]: pam_aad(gdm-password:auth): PAM AAD DEBUG enabled
Jul 30 18:55:40 DellInspiron3043 gdm-password][1470]: pam_aad(gdm-password:auth): Loading configuration from /etc/aad.conf
Jul 30 18:55:40 DellInspiron3043 gdm-password][1470]: pam_aad(gdm-password:auth): Connecting to "https://login.microsoftonline.com/<my tenant guid>", with clientID "<my app id>" for user "[email protected]"
Jul 30 18:56:11 DellInspiron3043 gdm-password][1470]: pam_aad(gdm-password:auth): acquiring token failed: problem getting mex doc from federated url(https://<my adfs wap>/adfs/services/trust/mex): server response error:
Jul 30 18:56:11 DellInspiron3043 gdm-password][1470]: pam_aad(gdm-password:auth): Cache initialization
...
troubleshooting....
I only showed the debug logs that caught my attention.
I was trying to login with a hybrid identity and since I am federated, I saw it trying to reach my AD FS endpoint. I then realized my "onprem VM's" were off, for the weekend, so I started them to include the AD FS and WAP.
Second login attempt (SUCCESS!), debug:
Jul 30 19:16:33 DellInspiron3043 aad_auth[3420]: nss_aad: database error: database is locked
Jul 30 19:16:37 DellInspiron3043 aad_auth[3430]: nss_aad: Log output set to syslog
Jul 30 19:16:37 DellInspiron3043 aad_auth[3430]: nss_aad: Log level set to Debug
Jul 30 19:16:37 DellInspiron3043 aad_auth[3430]: nss_aad: get_entry_by_uid for passwd for uid: 2533459616
Jul 30 19:16:37 DellInspiron3043 aad_auth[3430]: nss_aad: opening database connection from /var/lib/aad/cache
Jul 30 19:16:37 DellInspiron3043 aad_auth[3430]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
Jul 30 19:16:37 DellInspiron3043 aad_auth[3430]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
Jul 30 19:16:37 DellInspiron3043 aad_auth[3430]: nss_aad: found record: Passwd { name: "[email protected]", passwd: "x", uid: 2533459616, gid: 2533459616, gecos: "", home: "/home/[email protected]", shell: "/bin/bash" }
Jul 30 19:16:37 DellInspiron3043 aad_auth[3430]: nss_aad: get_all_entries for group
Jul 30 19:16:37 DellInspiron3043 aad_auth[3430]: nss_aad: opening database connection from /var/lib/aad/cache
Jul 30 19:16:37 DellInspiron3043 aad_auth[3430]: nss_aad: Checking file "/var/lib/aad/cache/passwd.db" permissions
Jul 30 19:16:37 DellInspiron3043 aad_auth[3430]: nss_aad: Checking file "/var/lib/aad/cache/shadow.db" permissions
Jul 30 19:16:37 DellInspiron3043 aad_auth[3430]: nss_aad: found record: Group { name: "[email protected]", passwd: "x", gid: 2533459616, members: ["[email protected]"] }
Jul 30 19:16:37 DellInspiron3043 aad_auth[3434]: nss_aad: Log output set to syslog
Jul 30 19:16:37 DellInspiron3043 aad_auth[3434]: nss_aad: Log level set to Debug
Amazing huh?!?
However, I am getting this in my conditional access logs. It still logged me in though, which is interesting....
Saying one of my Grant controls failed MFA...
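As an added example (not code from this thread or from the libpam-aad/libnss-aad project), here is a small Python parser for the pam_aad/nss_aad debug lines shown above that flags the two conditions that appeared in this thread: an unreadable /var/lib/aad/cache database and a token acquisition that failed against the federated AD FS mex endpoint. The sample lines are copied from the attempts above; treating the stray "]" in "gdm-password]" as a formatting quirk of the program field is an assumption.

```python
import re
from collections import Counter

# Syslog shape seen in the thread: "<ts> <host> <prog>[<pid>]: <module>: <msg>".
# The gdm lines carry a stray "]" in the program name (assumed quirk), normalised below.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[^\[]+)\[(?P<pid>\d+)\]: "
                     r"(?P<module>nss_aad|pam_aad\([^)]*\)): (?P<msg>.*)$")

# Message patterns worth surfacing, mapped to the condition they indicate.
SIGNATURES = [
    ("cache_unavailable", re.compile(r"database error: unable to open database file")),
    ("cache_locked", re.compile(r"database error: database is locked")),
    ("federation_failure", re.compile(r"acquiring token failed: .*federated url\(")),
    ("user_resolved", re.compile(r"found record: Passwd \{")),
]

# Constructed samples, copied from the failed and successful attempts above.
FAILED_LOGIN = [
    "Jul 30 18:55:07 DellInspiron3043 aad_auth[828]: nss_aad: database error: unable to open database file: /var/lib/aad/cache/passwd.db",
    "Jul 30 18:55:08 DellInspiron3043 aad_auth[828]: nss_aad: database error: unable to open database file: /var/lib/aad/cache/passwd.db",
    "Jul 30 18:56:11 DellInspiron3043 gdm-password][1470]: pam_aad(gdm-password:auth): acquiring token failed: problem getting mex doc from federated url(https://<my adfs wap>/adfs/services/trust/mex): server response error:",
]
SUCCESS_LOGIN = [
    "Jul 30 19:16:33 DellInspiron3043 aad_auth[3420]: nss_aad: database error: database is locked",
    "Jul 30 19:16:37 DellInspiron3043 aad_auth[3430]: nss_aad: get_entry_by_uid for passwd for uid: 2533459616",
    'Jul 30 19:16:37 DellInspiron3043 aad_auth[3430]: nss_aad: found record: Passwd { name: "[email protected]", passwd: "x", uid: 2533459616, gid: 2533459616, gecos: "", home: "/home/[email protected]", shell: "/bin/bash" }',
]

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not an aad_auth / pam_aad line
    rec = m.groupdict()
    rec["prog"] = rec["prog"].rstrip("]")  # "gdm-password]" -> "gdm-password"
    return rec

def classify(lines):
    """Count matched conditions and capture the federation endpoint pam_aad tried."""
    counts, endpoint = Counter(), None
    for line in lines:
        if (rec := parse_line(line)) is None:
            continue
        for name, pat in SIGNATURES:
            if pat.search(rec["msg"]):
                counts[name] += 1
        url = re.search(r"federated url\((https?://[^)]+)\)", rec["msg"])
        if url:
            endpoint = url.group(1)
    return counts, endpoint
```

A non-empty federation_failure count with a cache_unavailable count and no user_resolved record is the fingerprint of the first attempt above; the endpoint tells you which AD FS host the client was actually trying to reach.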
@PowerShellCrack I think the repos you added upgraded you to 23.04 when you attempted that. if you run lsb_release -a what release does it say you are on?
From what I understand, the Linux command sudo apt update doesn't do that. I didn't run a sudo apt upgrade. Here is a photo of my version.
You can see my command line says my Azure AAD account and device name.
Ah, I missed that you didn't run the upgrade. Thanks for confirming.
BUMP: Any word on a timeline
Seems they have removed the official mention of the backporting now to LTS.
Azure AD User Authentication is only included in Ubuntu 23.04 and 23.10.