Feature: short user and primary group names
Is there an existing request for this feature?
- [X] I have searched the existing issues and found none that matched mine
Describe the feature
Having the full email mapped to the uid / gid results in a lot of wasted screen real estate.
[email protected]@authd-01:~$ id
uid=67290([email protected]) gid=67290([email protected])
drwxr-xr-x 2 [email protected] [email protected] 4.0K Aug 30 06:36 Desktop
drwxr-xr-x 2 [email protected] [email protected] 4.0K Aug 30 06:36 Documents
drwxr-xr-x 2 [email protected] [email protected] 4.0K Aug 30 06:36 Downloads
drwxr-xr-x 2 [email protected] [email protected] 4.0K Aug 30 06:36 Music
drwxr-xr-x 2 [email protected] [email protected] 4.0K Aug 30 06:36 Pictures
drwxr-xr-x 2 [email protected] [email protected] 4.0K Aug 30 06:36 Public
drwxr-xr-x 2 [email protected] [email protected] 4.0K Aug 30 06:36 Templates
drwxr-xr-x 2 [email protected] [email protected] 4.0K Aug 30 06:36 Videos
Describe the ideal solution
I am not sure of how this could be implemented but a couple of thoughts:
- adding a way to strip the domain part in the uid/gid number-to-name mapping, OR
- adding an 'alias' field to the broker and using that when displaying the username, e.g.
mick.pollard@brokeralias
Alternatives and current workarounds
I have no workaround or alternative to offer at this stage.
System information and logs
Environment
- broker version: 0.1
- authd version: authd 0.3.3
- gnome shell version: 46.3.1-1ubuntu1~24.04.1
- Distribution: Ubuntu
- Distribution version: 24.04
Log files
n/a
Authd entries:
journalctl -u authd.service
MS Entra ID broker entries:
journalctl -u snap.authd-msentraid.authd-msentraid.service
Application settings
Broker configuration:
# /var/snap/authd-msentraid/current/broker.conf
[oidc]
issuer = "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0"
client_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
[users]
home_base_dir = "/home"
ssh_allowed_suffixes = "@example.com"
Broker authd configuration:
# /etc/authd/brokers.d/msentraid.conf
[authd]
name = Microsoft Entra ID
brand_icon = /snap/authd-msentraid/current/broker_icon.png
dbus_name = com.ubuntu.authd.MSEntraID
dbus_object = /com/ubuntu/authd/MSEntraID
Relevant information
No response
Double check your logs
- [X] I have redacted any sensitive information from the logs
Recent systemd versions support aliases in the JSON User Records: https://github.com/systemd/systemd/blob/main/docs/USER_RECORD.md#fields-in-the-regular-section
We could use that field when we implement systemd's user/group record lookup varlink API.
Then users could configure aliases in authd which authd would expose to systemd-userdbd.
That would allow users to log in with a shorter alias, but AFAICT it would not save screen space, because the actual username would still be the email address.
We could also do what libhimmelblau does: Support configuring a "domain" which will automatically be appended to the user name (prefixed with an @) when talking to the IdP. So if the domain is configured as "canonical.com", I can log in as "firstname.lastname", and a user of that name is created in the authd database. There are a few things to consider if we want to do that:
- Should we support more than one domain?
- What if a user logs in with a different broker but the same "firstname.lastname"? I suspect we don't want to allow the user to log in if a user with the same name but a different domain already exists (which means we need to store the domain in the user record in the authd database).
The domain solution is really good! By decision of our IT Security team, we are trying to use the user's UPN as a folder name without the domain suffix and using only lower-case letters. It will be like [email protected] to name_surname for the user folder. This helps to save space in the terminal and standardizes the username for security checks. So, if we authenticate via the Entra ID broker and the domain suffix is configured, it will work as needed. Here, we just need to avoid conflicts when the user decides to create a local user with the same name. If we are speaking about a clean OS installation, then blocking local account creation with the same name will be enough. But if we are speaking about a situation where a local user folder/account with the same name that we are trying to register for Entra ID already exists, then the user must see a warning that, since there is a conflict, the new user's folder will be created with an additional digit: "name_surname1", "name_surname2"...
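To make the two proposals above concrete (the maintainer's "configured domain" that is appended when talking to the IdP, with a refusal when the same short name already belongs to a principal from another domain, and the follow-up suggestion of allocating name_surname1, name_surname2, ... when a local account already owns the name), here is an added example sketch. It is not authd, libhimmelblau or Entra ID broker code. It assumes a single configured domain per broker, models authd's user store as a dict keyed by the allocated username that remembers each user's full UPN and domain, and models the local account database as a few constructed passwd(5)-style lines; all of those names and the `resolve_username` function are hypothetical.

```python
"""Hypothetical short-username mapping for an IdP-backed login.

Added example, not authd/libhimmelblau code. Assumptions (not from the thread):
- one configured domain per broker
- authd's store is a dict {allocated_username: IdpUser}
- local accounts come from passwd(5)-style text
"""
import re
from dataclasses import dataclass

# Conservative useradd-style rule: no '@', no '.', no upper case, max 32 chars.
POSIX_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


@dataclass
class IdpUser:
    upn: str     # full principal sent to the IdP, e.g. name.surname@example.com
    domain: str  # kept so a clash with the same short name from another domain is detectable


class NameConflict(Exception):
    """The short name is already owned by a principal from a different domain."""


def to_upn(login: str, configured_domain: str) -> str:
    """Append '@<configured domain>' unless the login already carries a domain."""
    return login if "@" in login else f"{login}@{configured_domain}"


def short_name(upn: str) -> str:
    """Strip the domain, lower-case the local part and turn dots into underscores."""
    local, _, _ = upn.rpartition("@")
    name = local.lower().replace(".", "_")
    if not POSIX_NAME.match(name):
        # Catches leftovers such as '@' that break tools using the name or $HOME.
        raise ValueError(f"{name!r} is not a safe POSIX user name")
    return name


def local_accounts(passwd_text: str) -> set[str]:
    """User names from passwd(5)-style lines; blank lines and comments ignored."""
    return {
        line.split(":", 1)[0]
        for line in passwd_text.splitlines()
        if line and not line.startswith("#")
    }


def resolve_username(login: str, configured_domain: str,
                     authd_db: dict[str, IdpUser], local_names: set[str]) -> str:
    """Return the local username to use for this login, allocating one if needed."""
    upn = to_upn(login, configured_domain)
    domain = upn.rpartition("@")[2].lower()
    if domain != configured_domain.lower():
        raise ValueError(f"{upn!r} is not in the configured domain {configured_domain!r}")
    # Returning user: reuse whatever name was allocated on first login.
    for name, rec in authd_db.items():
        if rec.upn.lower() == upn.lower():
            return name
    base = short_name(upn)
    # Same short name already registered for another IdP principal (it must be
    # from another domain, otherwise the UPN would have matched above): refuse
    # rather than silently merging two identities into one account.
    if base in authd_db:
        raise NameConflict(f"{base!r} already belongs to {authd_db[base].upn!r}")
    # Pre-existing local account: allocate the next free name_surnameN instead.
    candidate, n = base, 1
    while candidate in local_names or candidate in authd_db:
        candidate = f"{base}{n}"
        n += 1
    return candidate


# Constructed sample data, not from any real system.
CONSTRUCTED_PASSWD = """root:x:0:0:root:/root:/bin/bash
# local admin created at install time, clashes with the IdP user below
name_surname:x:1000:1000::/home/name_surname:/bin/bash
"""


def demo() -> tuple[str, str]:
    """First login collides with the local account; second login reuses the result."""
    local = local_accounts(CONSTRUCTED_PASSWD)
    db = {"jane_doe": IdpUser("jane.doe@other.example", "other.example")}
    first = resolve_username("Name.Surname", "example.com", db, local)
    db[first] = IdpUser("name.surname@example.com", "example.com")
    again = resolve_username("name.surname@example.com", "example.com", db, local)
    return first, again


if __name__ == "__main__":
    print(demo())
```

The returning-user lookup is keyed on the full UPN rather than on the short name, so a user who was given name_surname1 on first login keeps that name and home directory on every later login; storing the domain per record is what makes the cross-domain refusal in the maintainer's comment possible.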
Maybe related: It would be great for users to be able to specify a different home directory at registration, instead of the "default" ([email protected]).
There are quite a few tools that just refuse to work when the home directory and/or username contains special characters, like @.