** Description changed: ## Summary - After upgrading to Ubuntu 26.04 (Noble Numbat), GDM Active Directory login + After upgrading to Ubuntu 26.04, GDM Active Directory login via SSSD fails consistently after boot. The gdm-password worker process retains a stale error state from the initial (failed) SSSD connection attempt and never recovers. All subsequent AD login attempts through the same worker process fail with "Access denied" (pam_sss error 4). Local login is not affected. ## Steps to Reproduce 1. Configure Ubuntu 26.04 with SSSD joined to an Active Directory domain 2. Reboot the system 3. Attempt to log in with an AD domain user via GDM greeter 4. Login fails with "Systemfehler" / system error ## Actual Result - AD login fails repeatedly, regardless of how many times retried - pam_sss reports: "Access denied for user <domainuser>: 4 (System error)" - The gdm-password worker process (same PID) handles all attempts - Local user login works fine - After manually killing the gdm-password worker process (or restarting gdm), - AD login succeeds immediately + AD login succeeds immediately ## Expected Result - Each login attempt should establish a fresh PAM session - If SSSD becomes available after an initial failure, subsequent login - attempts should succeed without requiring a worker restart + attempts should succeed without requiring a worker restart - The gdm-password worker should not cache a failed SSSD connection state ## Diagnosis The issue was isolated through the following steps: 1. After failed AD login, switched to TTY (Ctrl+Alt+F3) 2. Logged in locally 3. Identified the gdm-password worker PID: - $ ps aux | grep gdm-password + $ ps aux | grep gdm-password 4. Killed only the worker process: - $ sudo kill <WORKER_PID> + $ sudo kill <WORKER_PID> 5. Switched back to GDM (Ctrl+Alt+F1) 6. 
AD login succeeded immediately This confirms the worker process retains a stale error state from the initial SSSD connection failure and does not re-establish the connection on subsequent login attempts. ## Relevant Log Output ### Failed attempt (initial worker after boot, PID 9647): Apr 27 09:42:59 ubuntu-desktop gdm-password][9647]: Gdm: GdmSessionWorker: username is 'domainuser' Apr 27 09:42:59 ubuntu-desktop gdm-password][9647]: Gdm: GdmSessionWorker: old-username='domainuser' new-username='domainuser' Apr 27 09:42:59 ubuntu-desktop gdm-password][9647]: Gdm: GdmSessionWorker: attempting to change state to AUTHORIZED Apr 27 09:42:59 ubuntu-desktop gdm-password][9647]: Gdm: GdmSessionWorker: determining if authenticated user (password required:0) is authorized to session Apr 27 09:43:05 ubuntu-desktop gdm-password][9647]: pam_sss(gdm-password:account): Access denied for user domainuser: 4 (Systemfehler) Apr 27 09:43:05 ubuntu-desktop gdm-password][9647]: Gdm: GdmSessionWorker: user is not authorized to log in: Systemfehler Apr 27 09:43:05 ubuntu-desktop gdm-password][9647]: Gdm: GdmSessionWorker: uninitializing PAM Apr 27 09:43:05 ubuntu-desktop gdm-password][9647]: Gdm: GdmSessionWorker: state NONE ### Successful attempt (new worker after kill/restart, PID 42269): Apr 27 09:47:20 ubuntu-desktop gdm-password][42269]: Gdm: GdmSessionWorker: state AUTHENTICATED Apr 27 09:47:20 ubuntu-desktop gdm-password][42269]: Gdm: GdmSessionWorker: username is 'domainuser' Apr 27 09:47:20 ubuntu-desktop gdm-password][42269]: Gdm: GdmSessionWorker: old-username='domainuser' new-username='domainuser' Apr 27 09:47:20 ubuntu-desktop gdm-password][42269]: Gdm: GdmSessionWorker: attempting to change state to AUTHORIZED Apr 27 09:47:20 ubuntu-desktop gdm-password][42269]: Gdm: GdmSessionWorker: determining if authenticated user (password required:0) is authorized to session Apr 27 09:47:24 ubuntu-desktop gdm-password][42269]: Gdm: GdmSessionWorker: state AUTHORIZED ## Workaround 
Adding a systemd override to delay GDM start until SSSD can resolve AD users: $ sudo systemctl edit gdm [Unit] After=sssd.service Requires=sssd.service [Service] ExecStartPre=/bin/bash -c 'for i in $(seq 1 30); do getent passwd domainuser > /dev/null 2>&1 && exit 0; sleep 1; done; exit 0' ## System Information - Ubuntu: 26.04 (fresh upgrade from 24.04/24.10) - GDM: gdm3 50.0-0ubuntu1 amd64 GNOME Display Manager - SSSD: sssd 2.12.0-1ubuntu5 amd64 System Security Services Daemon -- metapackage - Kernel: 7.0.0-14-generic - Desktop: GNOME (Wayland/X11) - Auth: SSSD with Active Directory backend ## Affected Packages - gdm3 - (possibly) libpam-sss / sssd ProblemType: Bug DistroRelease: Ubuntu 26.04 Package: gdm3 50.0-0ubuntu1 ProcVersionSignature: Ubuntu 7.0.0-14.14-generic 7.0.0 Uname: Linux 7.0.0-14-generic x86_64 NonfreeKernelModules: zfs ApportVersion: 2.34.0-0ubuntu2 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Mon Apr 27 16:15:12 2026 ProcEnviron: - LANG=de_DE.UTF-8 - PATH=(custom, no user) - SHELL=/bin/zsh - TERM=xterm-256color - XDG_RUNTIME_DIR=<set> + LANG=de_DE.UTF-8 + PATH=(custom, no user) + SHELL=/bin/zsh + TERM=xterm-256color + XDG_RUNTIME_DIR=<set> SourcePackage: gdm3 UpgradeStatus: Upgraded to resolute on 2026-04-24 (3 days ago) mtime.conffile..etc.gdm3.custom.conf: 2026-04-26T21:41:59.023255
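Review bot: in the Workaround section, the `ExecStartPre` loop ends with an unconditional `exit 0`, so GDM still starts when `getent passwd domainuser` has not succeeded after 30 tries, and the first worker can then hit the same failed SSSD state described under Diagnosis. The description should say that the override narrows the window rather than closing it. `Requires=sssd.service` together with `After=sssd.service` also means GDM is not started at all if sssd.service fails to start, which removes the graphical greeter for the local logins the report says are unaffected; `Wants=sssd.service` would keep the ordering without that hard dependency. The readiness check is also tied to one hard-coded account name (`domainuser`), which should be called out as a placeholder to replace.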
https://bugs.launchpad.net/bugs/2150460

Title: [gdm] AD login fails after boot due to stale PAM worker state - requires worker restart
