0

I have launched a new Ubuntu 23.04 server and followed the steps mentioned in reference link (1). However, it is not prompting for login credentials after updating the tenant ID and application ID in the configuration file. I then installed the GNOME GUI on the server to test the Azure authentication, but it is not working.

Can anyone confirm whether this Azure AD integration is compatible with / works for the CLI/SSH version?

Reference links: (1) https://ubuntu.com/blog/azure-ad-authentication-comes-to-ubuntu-desktop-23-04 (2) https://github.com/ubuntu/aad-auth

guiverc
  • 30,396
Kranthi
  • 9
  • Considering this is a paid, proprietary product, why aren't you raising a ticket with customer support? – muru Aug 08 '23 at 13:36
  • Your link already confirms your question... yes it is – Rinzwind Aug 08 '23 at 13:40
  • Telling us which remote procedure (RP) you "followed" doesn't help us help you, for N reasons: 1) It's remote. Will the link exist tomorrow? 2) Reading the RP doesn't tell us how accurately you "followed" it. Did you suffer typos or missed lines? We have. 3) Reading the RP omits the error messages you got on your system. These error messages (and the commands that caused them) are key elements in any diagnosis. – waltinator Aug 08 '23 at 15:56
  • @guiverc: there is no 23 or 23.04 LTS released. First I launched the server with Ubuntu 22.04 LTS and then upgraded the server to 23.04. – Kranthi Aug 09 '23 at 11:21
  • Ubuntu 23.04 is a non-LTS release (see https://fridge.ubuntu.com/2023/04/20/ubuntu-23-04-lunar-lobster-released/ where you'll note 9 months of supported life). Ubuntu has a two-year full development cycle; the current cycle started after the release of Ubuntu 22.04 LTS (end of April 2022) and is split into four six-month periods with snapshots showing the progress: the first was 22.10, the next and most recent being 23.04, and the next will be 23.10, which will be the closest to the final Ubuntu 24.04 LTS system, released at the end of the current two-year development cycle. Plan to upgrade after October 2023. – guiverc Aug 09 '23 at 11:27

1 Answer

0

I noticed with pam_aad on my Ubuntu 24.04 server that you need to log in via GDM before your AAD account is added to /var/lib/aad/cache/passwd.db; after that, you can SSH to the AAD-enabled server. Also, no AAD groups are recognized, but you can add your AAD accounts to the local /etc/groups file if you like. It seems (at least with my config) that sshd using pam_aad.so can't get the right credentials, while GDM can.

sshd[12625]: pam_aad(sshd:auth): aad auth debug enabled
sshd[12625]: pam_aad(sshd:auth): PAM AAD DEBUG enabled
sshd[12625]: pam_aad(sshd:auth): Loading configuration from /etc/aad.conf
sshd[12625]: pam_aad(sshd:auth): Connecting to "https://login.microsoftonline.com/(my tenant id)", with clientID "(my app_id)" for user "(my aad account)"
sshd[12625]: pam_aad(sshd:auth): Got response: Invalid credentials

The pam_aad logs for a successful GDM login show the same, except that after the "Connecting" line it says:

[gdm-password]: pam_aad(gdm-password:auth): Authentication successful even if requiring MFA

Also, in MS Entra admin center, I needed to:

  • app registrations -> (your app) -> advanced settings: Allow public client flows

and then a reboot just in case.

Gerben
  • 136
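The diagnostic in the answer above boils down to comparing pam_aad's outcome per PAM service (sshd versus gdm-password) for the same account in the journal. The following is an added example, not code from the original post or from the ubuntu/aad-auth project: it parses pam_aad debug lines of the shape quoted above and flags the "GDM succeeds, sshd fails" pattern, as well as sshd failures with no GDM login at all. The sample log is constructed for the example (placeholder tenant, app and account values), and the line format is assumed to match the quoted output.

```python
import re
from collections import defaultdict

# Constructed sample journal lines, modelled on the pam_aad lines quoted in the
# answer above. TENANT-ID, APP-ID and alice@example.com are placeholders.
SAMPLE_LOG = """\
Jun 01 10:00:01 host sshd[12625]: pam_aad(sshd:auth): Loading configuration from /etc/aad.conf
Jun 01 10:00:01 host sshd[12625]: pam_aad(sshd:auth): Connecting to "https://login.microsoftonline.com/TENANT-ID", with clientID "APP-ID" for user "alice@example.com"
Jun 01 10:00:02 host sshd[12625]: pam_aad(sshd:auth): Got response: Invalid credentials
Jun 01 10:05:10 host gdm-password]: pam_aad(gdm-password:auth): Loading configuration from /etc/aad.conf
Jun 01 10:05:10 host gdm-password]: pam_aad(gdm-password:auth): Connecting to "https://login.microsoftonline.com/TENANT-ID", with clientID "APP-ID" for user "alice@example.com"
Jun 01 10:05:12 host gdm-password]: pam_aad(gdm-password:auth): Authentication successful even if requiring MFA
"""

# "pam_aad(<service>:auth): <message>" as seen in the quoted output (assumed format)
LINE_RE = re.compile(r'pam_aad\((?P<service>[^:]+):auth\): (?P<msg>.*)$')
USER_RE = re.compile(r'for user "(?P<user>[^"]+)"')


def parse_pam_aad(log_text):
    """Return {(pam_service, user): outcome} from pam_aad debug lines.

    outcome is "success", "failed" or "unknown". The user is taken from the
    most recent "Connecting ..." line for the same PAM service, because the
    result lines themselves do not name the account.
    """
    current_user = {}  # service -> user named in the last Connecting line
    outcomes = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        service, msg = m.group("service"), m.group("msg")
        u = USER_RE.search(msg)
        if u:
            current_user[service] = u.group("user")
            outcomes.setdefault((service, u.group("user")), "unknown")
            continue
        user = current_user.get(service)
        if user is None:
            continue  # result line with no preceding Connecting line; ignore
        if msg.startswith("Authentication successful"):
            outcomes[(service, user)] = "success"
        elif msg.startswith("Got response:"):
            outcomes[(service, user)] = "failed"
    return outcomes


def diagnose(log_text):
    """Flag per-user pam_aad outcome patterns worth acting on."""
    by_user = defaultdict(dict)
    for (service, user), outcome in parse_pam_aad(log_text).items():
        by_user[user][service] = outcome
    findings = []
    for user, services in sorted(by_user.items()):
        if services.get("sshd") == "failed" and services.get("gdm-password") == "success":
            findings.append(f"{user}: sshd fails with pam_aad while gdm-password succeeds; "
                            "log in via GDM once so the account is cached, then retry SSH")
        elif services.get("sshd") == "failed" and "gdm-password" not in services:
            findings.append(f"{user}: sshd fails with pam_aad and no GDM login seen; "
                            "check the tenant/app IDs in /etc/aad.conf and "
                            "'Allow public client flows' on the app registration")
    return findings


if __name__ == "__main__":
    # On a real host, feed it e.g. the output of `journalctl -o short` instead.
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Run it against the journal of the affected server (after enabling pam_aad debug output, as the quoted lines show) rather than the embedded sample; the parser keys results by PAM service name, so any other pam_aad-using service will show up as its own entry.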