Unable to login with Domain users After configuring with 802.1x (PEAP/TLS) machine mode

Bug #1981290 reported by rajeev agrawal
This bug affects 1 person
Affects: strongswan (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

Unable to login with Domain users After configuring with 802.1x (PEAP/TLS) machine mode. We are trying the below steps:

1. Image the device with the BaseOS ( UBUNTU 20.04).
2. Configure Active directory domain
3. Configure 802-1x authentication with PEAP machine mode
4. Reboot. Try to login with the domain users
Actual result:
Unable to login with Domain users After configuring with 802.1x PEAP machine mode
Able to login with guest/local users
Expected result:
Should be able to login with Domain users After configuring with 802.1x PEAP/TLS machine mode
Should be able to authenticate 802.1x network successfully.
Can someone please help us on resolving these queries.

Tags: bot-comment
Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Libera.chat.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1981290/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
affects: ubuntu → strongswan (Ubuntu)
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for taking the time to file this bug and trying to make Ubuntu better.

This is a complex scenario and to act on this bug someone would need to set it up which takes time, to facilitate this process could you please share more details on how you set up the AD domain and also your VPN? If possible any non-default configuration and the commands you ran to reach this unexpected behavior.

I am setting the status of this bug to Incomplete but once you provide more information please set it back to New and we will revisit it.

Changed in strongswan (Ubuntu):
status: New → Incomplete
Jai Prakash Vaze (jai-prakash-vaze) wrote :

Steps to join Domain:

sudo apt update

sudo hostnamectl set-hostname devicename$
hostnamectl

Confirm DNS is configured correctly:
cat /etc/resolv.conf

Install packages required to join AD domain

sudo apt update
sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

sudo realm discover example.com

sudo realm join -U Administrator example.com
Password for Administrator:

realm list

sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF

sudo pam-auth-update
Select <OK>
Restart Machine
Login with Domain user
Configure 802.1x
 1) Go to AD server -> execute Adcli -> select computer name (Shows automatically after joining domain) as shown in attached Fig 1
 2) Select and reset password as 802.x security going to configure for Machine mode
Go to Ubuntu network manager -> select security and configure as given in attached Fig 2

Paride Legovini (paride) wrote :

Thanks for providing these steps. There is however something I'm missing: did this setup used to work with a different Ubuntu release (18.04, 22.04)?

If you didn't already, can you please try the same configuration using Ubuntu 22.04?

Basically what I'd like to understand is if this is actually a bug in Ubuntu, a regression in Ubuntu, or a local configuration issue. I'm marking this bug report as Incomplete for now.

Thanks!

Jai Prakash Vaze (jai-prakash-vaze) wrote :

Hi Paride Legovini,

We are using Ubuntu 20.04 and adding some Dell customization.

During 18.04 we were not supporting 802.1x

Currently we have setup available only for 20.4

for 22.04 setup it might take some time, I will get back to you once we try it out.

Meanwhile can you please try on 20.04 and let us know if it works in your lab.

Launchpad Janitor (janitor) wrote :

[Expired for strongswan (Ubuntu) because there has been no activity for 60 days.]

Changed in strongswan (Ubuntu):
status: Incomplete → Expired
Paride Legovini (paride) wrote :

I'm setting this back to Incomplete. Did you have a chance to verify if 22.04 is still affected? Thanks.

Changed in strongswan (Ubuntu):
status: Expired → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for strongswan (Ubuntu) because there has been no activity for 60 days.]

Changed in strongswan (Ubuntu):
status: Incomplete → Expired
Jai Prakash Vaze (jai-prakash-vaze) wrote :

Same issue is observed in 22.04

Changed in strongswan (Ubuntu):
status: Expired → Incomplete
status: Incomplete → Confirmed
Athos Ribeiro (athos-ribeiro) wrote :

Hi Jai,

would you mind describing what these Dell customizations you have in place are? For instance, are these custom packages from specific PPAs? Which are the packages and on which versions you have them?

Also, could you provide detailed logs for when the authentication step fails (both from the server and the client side)?

Jai Prakash Vaze (jai-prakash-vaze) wrote :

Hi Athos,

There is no customization added.
We are using sssd, krb5 packages from the Ubuntu standard repo to join to Active directory.

The same issue is seen in Base OS for Ubuntu 20.04, 22.04

I will share logs for same.

Andreas Hasenack (ahasenack) wrote :

I'll give this a try

Changed in strongswan (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: Confirmed → In Progress
Andreas Hasenack (ahasenack) wrote :

Hi,

a few things:

a) in comment #3, where you say:

> 2) Select and reset password as 802.x security going to configure for Machine mode

That's not what I see when I try to reset the password of a computer, it just prompts me for the new password. It's my understanding this is a machine account, and passwords are randomly selected and rotated. This doesn't seem to be the right place to enable 802.1X authentication. Maybe it changed places? The Windows AD server I'm using is 2019.

b) I don't understand how strongswan is involved in this bug. Didn't you mean sssd perhaps?

c) We will definitely need sssd logs, and a better description of how you are enabling 802.1X mode. It's my understanding 802.1X has some elements:
- a client, also known as supplicant
- a device that can authorize or not a client. A switch, for example (also called "authenticator")
- the device above asks an authentication server (typically a RADIUS server) if the user should be allowed or not

Perhaps Windows AD server is fulfilling the role of the authenticator and authentication server, but I don't know how to set that up, and would welcome instructions or documentation. The simple step "(2)" from comment #3 is not enough.

Changed in strongswan (Ubuntu):
status: In Progress → Incomplete
assignee: Andreas Hasenack (ahasenack) → nobody
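
The comment above asks for a better description of how 802.1X is enabled on the client. The following is an added example, not part of the original report or of any package discussed here: it prints the [802-1x] section of a NetworkManager keyfile profile with secret values masked, so the supplicant settings can be attached as text, and it flags a profile that does not validate the RADIUS server certificate. It assumes the profile is stored in keyfile format; the sample profile, its names and its values are constructed.

```shell
#!/bin/sh
# Added example: summarise the supplicant side of an 802.1X setup for a bug
# report without leaking the machine credential.

# Constructed sample profile (hypothetical names and values, not from the report).
sample_profile() {
cat <<'EOF'
[connection]
id=Wired-8021x
type=ethernet

[802-1x]
eap=peap;
identity=host/devicename.example.com
password=Constructed-Secret-1
phase2-auth=mschapv2
ca-cert=/etc/ssl/certs/example-ca.pem

[ipv4]
method=auto
EOF
}

# Read a keyfile profile on stdin, print only its [802-1x] section, and mask
# the value of every key that carries a secret (password, *-password, pin).
redact_8021x() {
    awk '
        /^\[/ { in_sec = ($0 == "[802-1x]") }
        !in_sec || /^[ \t]*$/ { next }
        /^([a-z0-9-]*password(-raw)?|pin)=/ { sub(/=.*/, "=<redacted>") }
        { print }
    '
}

# Exit 0 when the section sets neither ca-cert nor system-ca-certs=true,
# i.e. the supplicant would accept any RADIUS server certificate.
lacks_server_validation() {
    ! redact_8021x | grep -Eq '^(ca-cert=.+|system-ca-certs=true)$'
}

# Demo on the constructed sample. For a real profile, feed the file instead:
#   sudo cat /etc/NetworkManager/system-connections/<profile> | redact_8021x
sample_profile | redact_8021x
if sample_profile | lacks_server_validation; then
    echo "warning: server certificate is not validated"
fi
```
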
Andreas Hasenack (ahasenack) wrote :

What I see in the "reset password" ADSI menu action of the joined computer

Launchpad Janitor (janitor) wrote :

[Expired for strongswan (Ubuntu) because there has been no activity for 60 days.]

Changed in strongswan (Ubuntu):
status: Incomplete → Expired