Bug#1105198: gdm3: PAM configuration makes it impossible to determine the username for a smartcard login

David Härdeman david at hardeman.nu
Tue May 13 08:34:08 BST 2025


Package: gdm3
Version: 48.0-1
Severity: normal

Dear Maintainer,

I'm trying to set up gdm3 to allow logins using a smartcard (via Kerberos
and SSSD).

After I'd set up SSSD and verified that it was working as expected
(using "sssctl cert-show/cert-map/cert-eval-rule"), I tried getting GDM
to play along.

I made sure that:
/etc/pam.d/gdm-smartcard -> /etc/alternatives/gdm-smartcard
/etc/alternatives/gdm-smartcard -> /etc/pam.d/gdm-smartcard-sssd-exclusive

The first stumbling block was #1061444; fixing that allowed GDM to
communicate with the smart card.

The next stumbling block (and the subject of this bug report) is that
GDM still required a username to be input when the smartcard (yubikey,
in my case) was inserted, even though SSSD was correctly configured to
determine the user on the basis of the cert.

Adding debugging to sssd (sssd-pam) yielded nothing; it wasn't even
called when the smartcard was inserted.

After some more debugging, I realised that
/etc/pam.d/gdm-smartcard-sssd-exclusive starts with these lines:
#%PAM-1.0
auth    [success=ok user_unknown=ignore default=bad] pam_succeed_if.so user != root quiet_success
auth    [success=2 module_unknown=ignore default=die] pam_sss.so allow_missing_name require_cert_auth

The problem with pam_succeed_if.so is that when the username is NULL, it
won't generate "user_unknown"; it'll generate a conversation error:

$ journalctl -u gdm --since=08:00 | grep succeed_if
May 13 08:38:15 test gdm-smartcard][16716]: pam_succeed_if(gdm-smartcard:auth): cannot determine user name: Conversation error

That means that pam_sss.so won't be given a chance to provide the
username and the user will instead be prompted for a username.

I've tried adding various settings like conv_err=ignore to the
pam_succeed_if.so line above, but it doesn't help (I've even tried
"success=ok default=ignore"); as long as pam_succeed_if.so is included,
the PAM stack fails to figure out the user automatically.

If I comment out the pam_succeed_if.so line, everything works
automagically and I get a prompt for the smartcard PIN as soon as I plug
in the yubikey, and I'm then logged in as the right user...

Not sure what the proper PAM cfg should look like...
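An added example, mine rather than the reporter's or the gdm3 package's, that parses the two auth lines quoted above using the control syntax and keyword expansions documented in pam.conf(5) and resolves which action each module return code maps to: a pam_succeed_if.so returning user_unknown would hit the ignore clause, while the conv_err it actually returns falls under default=bad. It models only the control-string lookup, not Linux-PAM's full dispatch or GDM's conversation handling, and the "bad" fallback for a line with no default= entry is an assumption.

```python
# Added example, not part of the bug report: resolve which control action
# the pam.conf(5) control syntax assigns to a given module return code.
import re

# pam.conf(5): the classic keywords are shorthand for bracketed controls.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

# facility, control ([...] or keyword), module, optional arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_control(control: str) -> dict:
    """Turn '[success=ok user_unknown=ignore default=bad]' into {retcode: action}."""
    control = KEYWORDS.get(control, control)
    return dict(item.split("=", 1) for item in control.strip("[]").split())

def parse_stack(text: str, facility: str = "auth") -> list:
    """Return (module, {retcode: action}, args) for each line of one facility."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m and m.group(1) == facility:
            stack.append((m.group(3), parse_control(m.group(2)), m.group(4)))
    return stack

def action_for(control: dict, retcode: str) -> str:
    """Explicit entry wins, then default=; 'bad' if neither (assumption)."""
    return control.get(retcode, control.get("default", "bad"))

# Constructed sample: the first two auth lines of gdm-smartcard-sssd-exclusive.
SAMPLE = """\
#%PAM-1.0
auth    [success=ok user_unknown=ignore default=bad] pam_succeed_if.so user != root quiet_success
auth    [success=2 module_unknown=ignore default=die] pam_sss.so allow_missing_name require_cert_auth
"""

def succeed_if_actions(text: str = SAMPLE) -> dict:
    """Action taken for the code pam_succeed_if ideally returns vs. the one it does."""
    module, control, _ = parse_stack(text)[0]
    assert module == "pam_succeed_if.so"
    return {code: action_for(control, code) for code in ("user_unknown", "conv_err")}

if __name__ == "__main__":
    for code, action in succeed_if_actions().items():
        print(f"pam_succeed_if.so returning {code:<12} -> {action}")
```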
