-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue: EntraID groups that are renamed result in auth failures because GID conflicts #620
Comments
Experiencing the same issue via GDM. In my case, the issue is easily reproducible when 2 conditions are met: EDIT: I see the author is using edge - just for awareness, I am using stable. |
Thanks a lot for the report. We're able to reproduce this and will look into solutions. |
@didrocks @denisonbarbosa:This bug is caused by this check. If we merge https://github.com/canonical/authd-private/pull/9 as is (we should move that to the public repo btw), there won't be a failure anymore but instead the renamed group will receive a new GID. That's also incorrect behavior, because files created by the old group won't be accessible to users of the renamed group. For groups which are managed in Microsoft Entra, I think we actually want to rename the group in the authd database if we notice that it has been renamed in Microsoft Entra. That would require that we store a "remoteID" field in the database, which contains the ID of the group in Microsoft Entra. Then when we add the user to groups during login, we check if there is another group with the same remoteID, and if so, rename that group to the new name. What do you think? |
That makes sense to me. Also, we can probably derive the GID from this remoteID? (there is still the issue with backward compatibility and potential collisions), but at least, we won’t have to explicitly track it ourself that way in an extra metadata column, wdyt? |
The collision issue is a problem which I still think we should fix (either via https://github.com/canonical/authd-private/pull/9 or by storing the GIDs and UIDs in Microsoft Entra), so for that reason I don't think it would be good to derive the GID from the remote ID. |
Please, refresh my memory: we do already pass the ugid (what you call remote id) in the userinfo, right? |
(Moving here from ubuntu/authd-oidc-brokers#172 (comment)) @shiv-tyagi Quick summary of the problem: We currently store groups with their name and the GID we generate for it in the authd database:
That results in the issue that when a group is renamed in the identity provider (Microsoft Entra), then we treat it as a different group because it has a different name, but we generate the same UID for it (because the UGID did not change), so the login fails at this check: authd/internal/users/cache/update.go Lines 94 to 98 in faeecc8
I think the best solution is to also store the UGID in our database and use that to check if a group already exists in authd/internal/users/cache/update.go Lines 89 to 92 in faeecc8
If a group with the same UGID already exists but has a different name, we should rename it to the new name. |
Instead of storing the UGID, can we store a field which identifies who created this group? That way if MS Entra tries to create a group with UID conflicting with another group (that can only happen if the UGID is same), we can rename the group and if someone else (like some other broker) tries to create a group with conflicting UID, we deny the request. |
That assumption is incorrect, it can happen that different UGIDs result in the same GID. That's the issue tracked in #509. How likely it is for these collisions to occur depends on the GID range configured in |
@adombeck Thanks for the explanation. I'll start working on it as suggested by you in previous comments. |
Is there an existing issue for this?
Describe the issue
Authd appears to cache the name of each group a user is a member of, as supplied by the OIDC claim, with a randomly generated GID. However, group names can be changed at any time within EntraID. I'm not sure what is actually included in the claim, but if I explicitly rename a group, after having previously logged in to a server, the new group name immediately starts causing a conflict. This only impacts password authentication -- I can still SSH using a key -- but there is no way a user can resolve this without admin intervention.
User experience looks like this:
The log files show the following entries:
This work-around seems to work:
Steps to reproduce
System information and logs
authd version
authd-msentraid broker version
gnome-shell version
Distribution
Logs
authd broker configuration
/etc/authd/brokers.d/msentraid.conf
authd-msentraid configuration
Double check your logs
The text was updated successfully, but these errors were encountered: