Public bug reported:
## Summary
After upgrading to Ubuntu 26.04 (Noble Numbat), GDM Active Directory login
via SSSD fails consistently after boot. The gdm-password worker process
retains a stale error state from the initial (failed) SSSD connection attempt
and never recovers. All subsequent AD login attempts through the same worker
process fail with "Access denied" (pam_sss error 4).
Local login is not affected.
## Steps to Reproduce
1. Configure Ubuntu 26.04 with SSSD joined to an Active Directory domain
2. Reboot the system
3. Attempt to log in with an AD domain user via GDM greeter
4. Login fails with "Systemfehler" / system error
## Actual Result
- AD login fails repeatedly, regardless of how many times retried
- pam_sss reports: "Access denied for user <domainuser>: 4 (System error)"
- The gdm-password worker process (same PID) handles all attempts
- Local user login works fine
- After manually killing the gdm-password worker process (or restarting gdm),
AD login succeeds immediately
## Expected Result
- Each login attempt should establish a fresh PAM session
- If SSSD becomes available after an initial failure, subsequent login
attempts should succeed without requiring a worker restart
- The gdm-password worker should not cache a failed SSSD connection state
## Diagnosis
The issue was isolated through the following steps:
1. After failed AD login, switched to TTY (Ctrl+Alt+F3)
2. Logged in locally
3. Identified the gdm-password worker PID:
$ ps aux | grep gdm-password
4. Killed only the worker process:
$ sudo kill <WORKER_PID>
5. Switched back to GDM (Ctrl+Alt+F1)
6. AD login succeeded immediately
This confirms the worker process retains a stale error state from the
initial SSSD connection failure and does not re-establish the connection
on subsequent login attempts.
## Relevant Log Output
### Failed attempt (initial worker after boot, PID 9647):
Apr 27 09:42:59 ubuntu-desktop gdm-password][9647]: Gdm: GdmSessionWorker: username is 'domainuser'
Apr 27 09:42:59 ubuntu-desktop gdm-password][9647]: Gdm: GdmSessionWorker: old-username='domainuser' new-username='domainuser'
Apr 27 09:42:59 ubuntu-desktop gdm-password][9647]: Gdm: GdmSessionWorker: attempting to change state to AUTHORIZED
Apr 27 09:42:59 ubuntu-desktop gdm-password][9647]: Gdm: GdmSessionWorker: determining if authenticated user (password required:0) is authorized to session
Apr 27 09:43:05 ubuntu-desktop gdm-password][9647]: pam_sss(gdm-password:account): Access denied for user domainuser: 4 (Systemfehler)
Apr 27 09:43:05 ubuntu-desktop gdm-password][9647]: Gdm: GdmSessionWorker: user is not authorized to log in: Systemfehler
Apr 27 09:43:05 ubuntu-desktop gdm-password][9647]: Gdm: GdmSessionWorker: uninitializing PAM
Apr 27 09:43:05 ubuntu-desktop gdm-password][9647]: Gdm: GdmSessionWorker: state NONE
### Successful attempt (new worker after kill/restart, PID 42269):
Apr 27 09:47:20 ubuntu-desktop gdm-password][42269]: Gdm: GdmSessionWorker: state AUTHENTICATED
Apr 27 09:47:20 ubuntu-desktop gdm-password][42269]: Gdm: GdmSessionWorker: username is 'domainuser'
Apr 27 09:47:20 ubuntu-desktop gdm-password][42269]: Gdm: GdmSessionWorker: old-username='domainuser' new-username='domainuser'
Apr 27 09:47:20 ubuntu-desktop gdm-password][42269]: Gdm: GdmSessionWorker: attempting to change state to AUTHORIZED
Apr 27 09:47:20 ubuntu-desktop gdm-password][42269]: Gdm: GdmSessionWorker: determining if authenticated user (password required:0) is authorized to session
Apr 27 09:47:24 ubuntu-desktop gdm-password][42269]: Gdm: GdmSessionWorker: state AUTHORIZED
## Workaround
Adding a systemd override to delay GDM start until SSSD can resolve
AD users:
$ sudo systemctl edit gdm
[Unit]
After=sssd.service
Requires=sssd.service
[Service]
ExecStartPre=/bin/bash -c 'for i in $(seq 1 30); do getent passwd domainuser > /dev/null 2>&1 && exit 0; sleep 1; done; exit 0'
## System Information
- Ubuntu: 26.04 (fresh upgrade from 24.04/24.10)
- GDM: gdm3 50.0-0ubuntu1 amd64 GNOME Display Manager
- SSSD: sssd 2.12.0-1ubuntu5 amd64 System Security Services Daemon -- metapackage
- Kernel: 7.0.0-14-generic
- Desktop: GNOME (Wayland/X11)
- Auth: SSSD with Active Directory backend
## Affected Packages
- gdm3
- (possibly) libpam-sss / sssd
ProblemType: Bug
DistroRelease: Ubuntu 26.04
Package: gdm3 50.0-0ubuntu1
ProcVersionSignature: Ubuntu 7.0.0-14.14-generic 7.0.0
Uname: Linux 7.0.0-14-generic x86_64
NonfreeKernelModules: zfs
ApportVersion: 2.34.0-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Mon Apr 27 16:15:12 2026
ProcEnviron:
LANG=de_DE.UTF-8
PATH=(custom, no user)
SHELL=/bin/zsh
TERM=xterm-256color
XDG_RUNTIME_DIR=<set>
SourcePackage: gdm3
UpgradeStatus: Upgraded to resolute on 2026-04-24 (3 days ago)
mtime.conffile..etc.gdm3.custom.conf: 2026-04-26T21:41:59.023255
** Affects: gdm3 (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug resolute wayland-session
https://bugs.launchpad.net/bugs/2150460
Title:
[gdm] AD login fails after boot due to stale PAM worker state -
requires worker restart
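
The log pattern described in the report above (one gdm-password worker PID logging the pam_sss account-phase error 4 and never reaching AUTHORIZED) can be picked out of the journal mechanically. The following is an added example, not part of the original report or of the GDM or SSSD projects; the function names `sample_log` and `stale_workers` are hypothetical, and the sample lines are constructed in the format quoted in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): list gdm-password workers that hit
# the pam_sss account-phase error 4 and never reached state AUTHORIZED.
# Function names and the sample lines are constructed for illustration.

# Constructed sample in the journal format quoted in the report, unwrapped.
# The 09:44:10 retry line is an assumption modelling a second failed attempt.
sample_log() {
cat <<'EOF'
Apr 27 09:42:59 ubuntu-desktop gdm-password][9647]: Gdm: GdmSessionWorker: attempting to change state to AUTHORIZED
Apr 27 09:43:05 ubuntu-desktop gdm-password][9647]: pam_sss(gdm-password:account): Access denied for user domainuser: 4 (Systemfehler)
Apr 27 09:43:05 ubuntu-desktop gdm-password][9647]: Gdm: GdmSessionWorker: state NONE
Apr 27 09:44:10 ubuntu-desktop gdm-password][9647]: pam_sss(gdm-password:account): Access denied for user domainuser: 4 (Systemfehler)
Apr 27 09:47:20 ubuntu-desktop gdm-password][42269]: Gdm: GdmSessionWorker: attempting to change state to AUTHORIZED
Apr 27 09:47:24 ubuntu-desktop gdm-password][42269]: Gdm: GdmSessionWorker: state AUTHORIZED
EOF
}

# Reads journal lines on stdin; prints "<pid> <failure count>" per stale worker.
# Matches the numeric PAM code, because the text in parentheses is localized
# ("Systemfehler" on this de_DE system, "System error" elsewhere).
stale_workers() {
    awk '
    match($0, /gdm-password\]\[[0-9]+\]:/) {
        # "gdm-password][" is 14 characters; the trailing "]:" is 2.
        pid = substr($0, RSTART + 14, RLENGTH - 16)
        if ($0 ~ /pam_sss\(gdm-password:account\): Access denied for user [^:]+: 4 \(/)
            fails[pid]++
        else if ($0 ~ /GdmSessionWorker: state AUTHORIZED$/)
            ok[pid] = 1
    }
    END {
        for (p in fails)
            if (!(p in ok)) print p, fails[p]
    }' | sort -n
}

sample_log | stale_workers
```

On a live system the same function can read `journalctl -b` output; a reported PID that is still running corresponds to the worker the report's kill step cleared.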