
Issue: User from authd and EntraID can not use fingerprint reader

Open saltstack-admin opened this issue 1 year ago • 9 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues and found none that matched mine

Describe the issue

Hello,

today I tried to use the fingerprint reader with my authd/EntraID user. The system is a T15p with Ubuntu 24.04 and Gnome. If I open the settings menu to configure my fingerprint, the option to add fingerprints does not appear in Settings->System->Users. As a sanity check I logged out and switched to a local user. This user does get the option to configure fingerprints.

What am I doing wrong?

(screenshot: 2024-12-30-missing-fingerprint)

Steps to reproduce

  1. Install Ubuntu 24.04 on laptop with a fingerprint reader
  2. Login with authd/EntraID user
  3. Open Settings->System->Users
  4. Like in the screenshot, the option for fingerprints is completely missing

System information and logs

authd version

authd	0.3.7

authd-msentraid broker version

name:      authd-msentraid
summary:   MSEntra ID broker for authd
publisher: Canonical✓
store-url: https://snapcraft.io/authd-msentraid
license:   GPL-3.0
description: |
  This is the MS Entra ID broker snap for authd  to provide MS Entra ID OIDC
  based authentication on Ubuntu with authd.
services:
  authd-msentraid: simple, enabled, active
snap-id:      vS3oJLMss6lgWwoFcPqYDUA2HB20I1Dc
tracking:     0.x/stable
refresh-date: today at 10:11 UTC
channels:
  0.x/stable:    0.1+267a15c.f272cc1 2024-12-10  (89) 18MB -
  0.x/candidate: ^                                         
  0.x/beta:      ^                                         
  0.x/edge:      0.1+2c437dc.133b4b7 2024-12-21 (103) 18MB -
installed:       0.1+267a15c.f272cc1             (89) 18MB -

gnome-shell version

gnome-shell:
  Installed:           46.3.1-1ubuntu1~24.04.1authd2
  Candidate:           46.3.1-1ubuntu1~24.04.1authd2
  Version table:
 *** 46.3.1-1ubuntu1~24.04.1authd2 500
        500 https://ppa.launchpadcontent.net/ubuntu-enterprise-desktop/authd/ubuntu noble/main amd64 Packages
        100 /var/lib/dpkg/status
     46.0-0ubuntu6~24.04.5 500
        500 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
     46.0-0ubuntu6~24.04.3 500
        500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
     46.0-0ubuntu5 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages

Distribution

Distributor ID:	Ubuntu
Description:	Ubuntu 24.04.1 LTS
Release:	24.04
Codename:	noble

Logs

[   14.454572] mySystem systemd[1]: Starting authd.service - Authd daemon service...
[   14.505375] mySystem authd[2629]: 2024/12/30 10:04:06 WARN Broker configuration directory "/etc/authd/brokers.d/" does not exist, only local broker will be available
[   14.516219] mySystem systemd[1]: Started authd.service - Authd daemon service.
[   91.061893] mySystem authd[2629]: 2024/12/30 10:05:22 WARN rpc error: code = NotFound desc =
[   91.062538] mySystem authd[2629]: 2024/12/30 10:05:22 WARN rpc error: code = NotFound desc =
[   91.065084] mySystem authd[2629]: 2024/12/30 10:05:22 WARN rpc error: code = NotFound desc =
[   91.065424] mySystem authd[2629]: 2024/12/30 10:05:22 WARN rpc error: code = NotFound desc =
[   91.065637] mySystem authd[2629]: 2024/12/30 10:05:22 WARN rpc error: code = NotFound desc =
[   91.086354] mySystem authd[2629]: 2024/12/30 10:05:22 WARN rpc error: code = NotFound desc =
[   91.094331] mySystem authd[2629]: 2024/12/30 10:05:22 WARN rpc error: code = NotFound desc =
[   91.097477] mySystem authd[2629]: 2024/12/30 10:05:22 WARN rpc error: code = NotFound desc =
[   91.109871] mySystem authd[2629]: 2024/12/30 10:05:22 WARN rpc error: code = NotFound desc =
[   91.110277] mySystem authd[2629]: 2024/12/30 10:05:22 WARN rpc error: code = NotFound desc =
[   91.112430] mySystem authd[2629]: 2024/12/30 10:05:22 WARN rpc error: code = NotFound desc =
[   91.112741] mySystem authd[2629]: 2024/12/30 10:05:22 WARN rpc error: code = NotFound desc =
[   91.112866] mySystem authd[2629]: 2024/12/30 10:05:22 WARN rpc error: code = NotFound desc =
[   91.131850] mySystem authd[2629]: 2024/12/30 10:05:22 WARN rpc error: code = NotFound desc =
[   91.140215] mySystem authd[2629]: 2024/12/30 10:05:22 WARN rpc error: code = NotFound desc =
[   91.143340] mySystem authd[2629]: 2024/12/30 10:05:22 WARN rpc error: code = NotFound desc =
[  436.917723] mySystem authd[2629]: 2024/12/30 10:11:08 WARN rpc error: code = NotFound desc =
[  436.924954] mySystem authd[2629]: 2024/12/30 10:11:08 WARN rpc error: code = NotFound desc =
[  438.168472] mySystem systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[  438.486970] mySystem authd-msentraid.authd-msentraid[11948]: time=2024-12-30T10:11:10.298Z level=ERROR msg="could not create broker: could not parse config: config file has invalid values, did you edit the file \"/var/snap/authd-msentraid/89/broker.conf\"?\nfound invalid character in section \"oidc\", key \"issuer\"\nfound invalid character in section \"oidc\", key \"client_id\""
[  438.488227] mySystem systemd[1]: snap.authd-msentraid.authd-msentraid.service: Main process exited, code=exited, status=1/FAILURE
[  438.488344] mySystem systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
[  438.639860] mySystem systemd[1]: snap.authd-msentraid.authd-msentraid.service: Scheduled restart job, restart counter is at 1.
[  438.649384] mySystem systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[  438.667604] mySystem authd-msentraid.authd-msentraid[11989]: time=2024-12-30T10:11:10.480Z level=ERROR msg="could not create broker: could not parse config: config file has invalid values, did you edit the file \"/var/snap/authd-msentraid/89/broker.conf\"?\nfound invalid character in section \"oidc\", key \"issuer\"\nfound invalid character in section \"oidc\", key \"client_id\""
[  438.668633] mySystem systemd[1]: snap.authd-msentraid.authd-msentraid.service: Main process exited, code=exited, status=1/FAILURE
[  438.668754] mySystem systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
[  438.890138] mySystem systemd[1]: snap.authd-msentraid.authd-msentraid.service: Scheduled restart job, restart counter is at 2.
[  438.903398] mySystem systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[  438.919642] mySystem authd-msentraid.authd-msentraid[12019]: time=2024-12-30T10:11:10.732Z level=ERROR msg="could not create broker: could not parse config: config file has invalid values, did you edit the file \"/var/snap/authd-msentraid/89/broker.conf\"?\nfound invalid character in section \"oidc\", key \"issuer\"\nfound invalid character in section \"oidc\", key \"client_id\""
[  438.920074] mySystem systemd[1]: snap.authd-msentraid.authd-msentraid.service: Main process exited, code=exited, status=1/FAILURE
[  438.920137] mySystem systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
[  439.049718] mySystem systemd[1]: snap.authd-msentraid.authd-msentraid.service: Scheduled restart job, restart counter is at 3.
[  439.062372] mySystem systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[  439.081532] mySystem authd-msentraid.authd-msentraid[12050]: time=2024-12-30T10:11:10.893Z level=ERROR msg="could not create broker: could not parse config: config file has invalid values, did you edit the file \"/var/snap/authd-msentraid/89/broker.conf\"?\nfound invalid character in section \"oidc\", key \"issuer\"\nfound invalid character in section \"oidc\", key \"client_id\""
[  439.082081] mySystem systemd[1]: snap.authd-msentraid.authd-msentraid.service: Main process exited, code=exited, status=1/FAILURE
[  439.082149] mySystem systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
[  439.193133] mySystem systemd[1]: snap.authd-msentraid.authd-msentraid.service: Scheduled restart job, restart counter is at 4.
[  439.210376] mySystem systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[  439.214948] mySystem authd[2629]: 2024/12/30 10:11:11 WARN rpc error: code = InvalidArgument desc = no user name provided
[  439.228129] mySystem authd-msentraid.authd-msentraid[12112]: time=2024-12-30T10:11:11.040Z level=ERROR msg="could not create broker: could not parse config: config file has invalid values, did you edit the file \"/var/snap/authd-msentraid/89/broker.conf\"?\nfound invalid character in section \"oidc\", key \"issuer\"\nfound invalid character in section \"oidc\", key \"client_id\""
[  439.230231] mySystem systemd[1]: snap.authd-msentraid.authd-msentraid.service: Main process exited, code=exited, status=1/FAILURE
[  439.230297] mySystem systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
[  439.242512] mySystem authd[2629]: 2024/12/30 10:11:11 WARN rpc error: code = InvalidArgument desc = no user name provided
[  439.389639] mySystem systemd[1]: snap.authd-msentraid.authd-msentraid.service: Scheduled restart job, restart counter is at 5.
[  439.389757] mySystem systemd[1]: snap.authd-msentraid.authd-msentraid.service: Start request repeated too quickly.
[  439.389792] mySystem systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
[  439.389806] mySystem systemd[1]: Failed to start snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[  489.895655] mySystem systemd[1]: Stopping authd.service - Authd daemon service...
[  489.896918] mySystem systemd[1]: authd.service: Deactivated successfully.
[  489.897062] mySystem systemd[1]: Stopped authd.service - Authd daemon service.
[  489.911413] mySystem systemd[1]: Starting authd.service - Authd daemon service...
[  489.934294] mySystem systemd[1]: Started authd.service - Authd daemon service.
[  490.001280] mySystem systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[  596.735224] mySystem authd[15983]: 2024/12/30 10:13:48 WARN rpc error: code = NotFound desc =
[  596.746576] mySystem authd[15983]: 2024/12/30 10:13:48 WARN rpc error: code = NotFound desc =
[  596.746846] mySystem gdm-authd][16078]: accountsservice: ActUserManager: user (null) has no username (uid: -1)
[  596.747102] mySystem authd[15983]: 2024/12/30 10:13:48 WARN rpc error: code = NotFound desc =
[  596.811812] mySystem authd[15983]: 2024/12/30 10:13:48 WARN rpc error: code = NotFound desc =
[  596.942673] mySystem authd[15983]: 2024/12/30 10:13:48 WARN rpc error: code = NotFound desc =
[  596.944400] mySystem authd[15983]: 2024/12/30 10:13:48 WARN rpc error: code = NotFound desc =
[  596.945251] mySystem authd[15983]: 2024/12/30 10:13:48 WARN rpc error: code = InvalidArgument desc = no user name provided
[  669.639209] mySystem authd[15983]: 2024/12/30 10:15:01 WARN rpc error: code = InvalidArgument desc = no user name provided
[  690.198915] mySystem gpasswd[16169]: user [email protected] added by root to group sudo
[  690.252362] mySystem gdm-authd][16078]: gkr-pam: no password is available for user
[  690.287014] mySystem gdm-authd][16078]: accountsservice: act_user_set_session: assertion 'ACCOUNTS_IS_USER (user->accounts_proxy)' failed
[  690.292177] mySystem authd[15983]: 2024/12/30 10:15:22 WARN rpc error: code = InvalidArgument desc = no user name provided
[  690.317083] mySystem gdm-authd][16078]: pam_intune(gdm-authd:session): No authtok available; password policies will fail: No module specific data is present
[  690.318269] mySystem gdm-authd][16078]: pam_unix(gdm-authd:session): session opened for user [email protected](uid=1234567890) by [email protected](uid=0)
[  690.421584] mySystem authd[15983]: 2024/12/30 10:15:22 WARN rpc error: code = InvalidArgument desc = no user name provided
[  690.657928] mySystem gdm-authd][16078]: gkr-pam: couldn't unlock the login keyring.
[  759.195294] mySystem authd[15983]: 2024/12/30 10:16:31 WARN rpc error: code = NotFound desc =
[  761.274862] mySystem authd[15983]: 2024/12/30 10:16:33 WARN rpc error: code = NotFound desc =
[  789.671628] mySystem authd[15983]: 2024/12/30 10:17:01 WARN rpc error: code = InvalidArgument desc = no user name provided

authd broker configuration

/etc/authd/brokers.d/msentraid.conf

# This section is used by authd to identify and communicate with the broker.
# It should not be edited.
[authd]
name = Microsoft Entra ID
brand_icon = /snap/authd-msentraid/current/broker_icon.png
dbus_name = com.ubuntu.authd.MSEntraID
dbus_object = /com/ubuntu/authd/MSEntraID

authd-msentraid configuration

[oidc]
issuer = https://login.microsoftonline.com/<UUID redacted>/v2.0
client_id = <UUID redacted>
# Client secret is needed for some specific auth flows depending on the provider.
# Only enable it if this is needed for your particular configuration.
# client_secret = <CLIENT_SECRET>

[users]
# The directory where the home directory will be created for new users.
# Existing users will keep their current directory.
# The user home directory will be created in the format of {home_base_dir}/{username}
# home_base_dir = /home

# The username suffixes that are allowed to login via ssh without existing previously in the system.
# The suffixes must be separated by commas.
# ssh_allowed_suffixes = @example.com,@anotherexample.com

Double check your logs

  • [X] I have redacted any sensitive information from the logs

saltstack-admin avatar Dec 30 '24 10:12 saltstack-admin
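The journal in the report shows a second problem besides the missing settings entry: the broker snap exits five times in a row with "found invalid character in section oidc, key issuer / client_id", systemd stops restarting it, and authd (which had already warned that /etc/authd/brokers.d/ did not exist) is left with only the local broker. The following pre-flight check is an added example for this thread, not authd's or the authd-msentraid broker's own code. It parses a broker.conf and reports values that still carry template placeholders or are not an https issuer URL / UUID client_id. Which characters the real broker rejects is an assumption here; the checks are deliberately stricter than what the error message implies. The two sample configs are constructed (the tenant and client ids are all-zero / all-one dummies).

```python
"""Pre-flight check for an authd-msentraid broker.conf.

Added example for the thread above; not authd's or the broker's own code.
The assumed failure mode mirrors the journal: placeholders such as
"<UUID redacted>" left in [oidc] make the broker crash-loop, after which
authd only has the local broker and the EntraID user cannot log in.
"""
import configparser
import re
import sys
from urllib.parse import urlparse

UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Characters that typically survive a copy-paste of the template placeholders
# (assumed list, not taken from authd's parser).
SUSPECT_CHARS = set('<>"\' \t')

# Constructed sample 1: the template with placeholders still in place, i.e.
# the on-disk shape that produces the error seen in the journal.
BROKEN_CONF = """\
[oidc]
issuer = https://login.microsoftonline.com/<UUID redacted>/v2.0
client_id = <UUID redacted>
# client_secret = <CLIENT_SECRET>

[users]
# home_base_dir = /home
"""

# Constructed sample 2: the same file with (fake) tenant and application ids.
GOOD_CONF = """\
[oidc]
issuer = https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0
client_id = 11111111-1111-1111-1111-111111111111

[users]
home_base_dir = /home
"""


def check_broker_conf(text):
    """Return a list of problems found in the broker.conf text; [] means it looks sane."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"not parseable as INI: {exc}"]
    if "oidc" not in cp:
        return ["missing [oidc] section"]
    oidc = cp["oidc"]
    problems = []

    # Placeholder / quoting residue in either mandatory value.
    for key in ("issuer", "client_id"):
        value = oidc.get(key, "").strip()
        if not value:
            problems.append(f"[oidc] {key} is empty or missing")
            continue
        bad = sorted({c for c in value if c in SUSPECT_CHARS})
        if bad:
            problems.append(f"[oidc] {key} contains suspicious character(s) {bad!r}")

    # The issuer is the OIDC discovery base; it must be an https URL with a host.
    issuer = oidc.get("issuer", "").strip()
    if issuer:
        url = urlparse(issuer)
        if url.scheme != "https" or not url.netloc:
            problems.append(f"[oidc] issuer must be an https URL, got {issuer!r}")

    # Entra ID application (client) ids are UUIDs.
    client_id = oidc.get("client_id", "").strip()
    if client_id and not UUID_RE.match(client_id):
        problems.append(f"[oidc] client_id is not a UUID: {client_id!r}")

    return problems


def main(argv):
    # Default is the active snap revision's config ("current" follows the revision).
    path = argv[1] if len(argv) > 1 else "/var/snap/authd-msentraid/current/broker.conf"
    with open(path, encoding="utf-8") as fh:
        problems = check_broker_conf(fh.read())
    for problem in problems:
        print(problem)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root before restarting the snap service; a non-zero exit means the broker would most likely crash-loop again. Note that once `client_secret` is uncommented the same root-owned file becomes a credential store, so keep its permissions tight.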

Hello, I have the same issue, the fingerprint option is missing for the authd user account (a member of the linux-sudo group), but at the same time it works for the local account. OS - Ubuntu 24.04.1 LTS

SimbiotVenom avatar Jan 23 '25 10:01 SimbiotVenom

So... I need to double check but it could be that the control center does not allow it for users that are externally managed (e.g. from authd and other similar tools).

Technically, if the user can authenticate through polkit, they should be able to enroll fingerprints, but I feel that then the main problem would be authenticating with them, as the shell may not initialize the fingerprint authentication.

But then if it does, we likely have another problem since the authd broker wouldn't be in charge of authorizing a user or not anymore, so basically the broker and system admin policies would be ignored, potentially leading to unauthorized access.

Now, just to debug it, you can try to use fprintd-enroll as the user to try to enroll your fingerprints and see if that leads to anything during the unlock / auth phase.

3v1n0 avatar Jan 27 '25 21:01 3v1n0

I just tested enrolling a fingerprint via fprintd-enroll. Yes, it works, I can unlock the PC via fingerprint, but there is no info about the availability of this option on the login screen or in the Gnome Settings. Instead of entering the password, I just put my finger on the sensor on the login screen. So, yes, we have a workaround, but this is something like cheating, this method is not intuitive and unmanaged.

SimbiotVenom avatar Feb 05 '25 08:02 SimbiotVenom

I was today finally able to try this out and got the same experience as @SimbiotVenom :

  1. It is really weird
  2. It is not intuitive
  3. You must understand the output of fprintd-enroll; various users are already scared if they see a terminal window
  4. I will probably trigger bad feelings in some people, but at this I have to take the side of the users: On Windows it just works, even if you use EntraID- or ActiveDirectory-Users.

The experience of using fingerprints this way is abysmal.

saltstack-admin avatar Feb 05 '25 13:02 saltstack-admin

I think we need to wait until new TPM support in Ubuntu 25.04 since it will be better to save Fingerprints and PIN in TPM and not use any local password in case of Entra ID passwordless configuration.

SimbiotVenom avatar Feb 05 '25 13:02 SimbiotVenom

I think we need to wait until new TPM support in Ubuntu 25.04 since it will be better to save Fingerprints and PIN in TPM

Fingerprints aren't ever saved in the TPM, they're always saved inside the sensors (at least for the new ones); the only thing we save is a reference to that fingerprint template. And using the TPM is relevant to have proper FDE so that even those can't be stolen, but per se that isn't a security issue unless you get access to a root-owned part of the disk and you modify it in order to give someone else access via fingerprint.

I just tested enrolling a fingerprint via fprintd-enroll. Yes, it works, I can unlock the PC via fingerprint, but there is no info about the availability of this option on the login screen or in the Gnome Settings. Instead of entering the password, I just put my finger on the sensor on the login screen. So, yes, we have a workaround, but this is something like cheating, this method is not intuitive and unmanaged.

The reason that settings aren't enabled for this is because an authd-managed user shouldn't technically be manageable at all, so the fact that fprintd-enroll works is likely even a security concern.

Fact is that IMHO the ability to use the fingerprint reader should be explicitly allowed by the system administrator, and likely it should be disabled by default in an authd setup (gdm-auth-config can be used for this).

Mostly because we should still be able to check that the user is allowed to login by the broker even in the fingerprint case (to ensure that the account has not been disabled or something).

3v1n0 avatar Mar 07 '25 16:03 3v1n0

Fact is that IMHO the ability to use the fingerprint reader should be explicitly allowed by the system administrator, and likely it should be disabled by default in an authd setup (gdm-auth-config can be used for this).

Company policy: fingerprint readers are explicitly allowed, because passwords are less secure. I know about the pretty old report that fingerprints are not safe, but that report is ~20 years old and even the report said that the lack of better technology, with better resolution capabilities of sensors and what not, caused these issues.

Mostly because we should still be able to check that the user is allowed to login by the broker even in the fingerprint case (to ensure that the account has not been disabled or something).

I agree, but users want to use fingerprints and companies too. I don't know how Windows does it, but it is somehow possible.

saltstack-admin avatar Mar 10 '25 06:03 saltstack-admin

I want to support, in our company 90% of 40,000 laptops are equipped with a fingerprint scanner and face recognition, and in my opinion this is more reliable than a PIN.

SimbiotVenom avatar Mar 10 '25 07:03 SimbiotVenom

I know about the pretty old report that fingerprints are not safe, but that report is ~20 years old and even the report said

Well, fingerprints may still be unsafe (and I'm saying that with the linux fingerprint stack maintainer hat on, sadly), since it's still technically possible to build a fake fingerprint device that pretends to be the real one and acts like it, returning the fingerprint ID of the logged-in user.

Probably unlikely to happen, but we don't yet have fully safe enroll and verification in linux (it's coming, but it will take a while to be implemented by most drivers).

That said, my concern here is more related to user verification, as we should avoid that a disabled or removed user (in authd) is still able to log in via fingerprint.

So we have to put in place such extra verification to ensure that once the user has been logged in using another method, that's still valid for the broker.

Thus, we'll think about this, but while relying on the already-existing gdm fingerprint feature is nice and easy, it would probably be better if this option were controlled and handled by the broker.

3v1n0 avatar Mar 10 '25 23:03 3v1n0