Public bug reported:
TITLE:
gdm3 50: greeter UID range 60578-60705 conflicts with FreeIPA domain UIDs,
bypassing login screen
========================================================================
DESCRIPTION:
========================================================================
After upgrading gdm3 from 49.2 to 50 on Ubuntu 26.04, the login screen
no longer works correctly on FreeIPA-joined systems. Depending on system
state, it either autologs into a desktop session as the greeter user
bypassing authentication entirely, or shows the login screen but with
"gdm-greeter" already logged in — ignoring the disable-user-list=true
dconf setting that should require users to type their username.
Package versions:
-----------------
$ dpkg -l gdm3 gnome-session-bin libgdm1
ii gdm3 50~beta-0ubuntu3 amd64
ii gnome-session-bin 50~beta-0ubuntu1 amd64
ii libgdm1 50~beta-0ubuntu3 amd64
Environment:
------------
- Ubuntu 26.04 (Resolute)
- FreeIPA-joined via SSSD
- disable-user-list=true configured in /etc/dconf/db/gdm.d/00-login-screen
- Previous working version: gdm3 49.2-1ubuntu4
What is happening:
------------------
GDM 50 introduced a dynamic user store (GdmDynamicUserStore) that
allocates a temporary UID for the greeter session, starting at 60578.
Our FreeIPA server has a custom Posix ID range of 50000-99999, which
overlaps with GDM's greeter range of 60578-60705. A FreeIPA domain user
named "gdm-greeter" exists at uid=60578 -- the exact start of GDM's
range.
This UID conflict causes the greeter session to fail. Depending on
system state, this manifests as either:
- The login screen appearing but showing "gdm-greeter" as the logged-in
user, ignoring the disable-user-list=true dconf setting that should
require users to type their username
- The system bypassing the login screen entirely and autologging into a
full desktop session as the FreeIPA gdm-greeter user
In both cases authentication is bypassed and normal login is impossible.
Key log entries:
----------------
$ journalctl -b | grep -i "gdm\|greeter"
gdm-launch-environment: pam_unix: session opened for user gdm-greeter(uid=995)
gdm-wayland-session: Unable to set up transient service directory:
XDG_RUNTIME_DIR "/run/user/60578" is owned by uid 60578, not our uid 995
gnome-session: unable to create directory '/run/user/60578/dconf': Permission
denied
gdm3: GdmDisplay: Session never registered, failing
gdm-launch-environment: pam_unix: session opened for user
gdm-greeter-2(uid=60579)
gnome-shell: Registering session with GDM [fallback succeeds as FreeIPA user]
Why this is a regression from 49.2:
------------------------------------
gdm3 49.2 had no /usr/share/gdm/greeter/wayland-sessions/ directory.
The greeter was launched directly without creating a full
systemd-logind Wayland session, so /run/user/<uid> was never involved
and the UID conflict could not occur.
gdm3 50 introduced:
/usr/share/gdm/greeter/wayland-sessions/gnome-greeter.desktop
This causes the greeter to be launched as a proper Wayland session with
full logind plumbing, which is what exposes the UID conflict.
Why the UID range cannot be overridden:
----------------------------------------
GDM's meson.build reads the greeter UID range from systemd pkg-config:
greeter_uid_min = systemd_dep.get_variable(
    'greeter_uid_min', default_value: '60578')
greeter_uid_max = systemd_dep.get_variable(
    'greeter_uid_max', default_value: '60705')
On Ubuntu, systemd does not expose these variables:
$ pkg-config systemd --variable=greeter_uid_min
(no output)
$ pkg-config systemd --variable=greeter_uid_max
(no output)
GDM therefore always falls back to the hardcoded defaults with no way
to override them.
FreeIPA ID range:
-----------------
$ ipa idrange-find
Range name: OFFICE.LAN_id_range
First Posix ID of the range: 50000
Number of IDs in the range: 50000
Note: this is a non-default FreeIPA configuration. The default FreeIPA
UID range starts around 1855600000 and would not conflict. This bug
affects deployments where FreeIPA was configured with a low custom UID
range overlapping 60578-60705.
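The following check script is an added example for this report, not part of the bug or of GDM itself. It reproduces the fallback logic quoted above from GDM's meson.build (pkg-config variables greeter_uid_min/greeter_uid_max, else the 60578-60705 defaults), tests whether a directory ID range in the "first Posix ID + number of IDs" form printed by ipa idrange-find intersects the greeter range, and lists any passwd(5) entries (e.g. from getent passwd, which covers SSSD-served FreeIPA users) whose UID falls inside it. The function names, and the sample passwd lines used for the stand-alone run, are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or GDM): detect a directory UID range
# that collides with GDM 50's greeter UID range, and list colliding accounts.

# GDM's meson.build defaults, used when systemd's pkg-config exposes no override.
GREETER_UID_MIN=60578
GREETER_UID_MAX=60705

# greeter_range: print the effective greeter range as "MIN MAX". Mirrors the
# meson.build lookup: take the systemd pkg-config variables if present,
# otherwise fall back to the hardcoded defaults (the Ubuntu case).
greeter_range() {
    min=$(pkg-config systemd --variable=greeter_uid_min 2>/dev/null || true)
    max=$(pkg-config systemd --variable=greeter_uid_max 2>/dev/null || true)
    printf '%s %s\n' "${min:-$GREETER_UID_MIN}" "${max:-$GREETER_UID_MAX}"
}

# ranges_overlap FIRST COUNT [MIN MAX]: succeed (exit 0) if the directory range
# [FIRST, FIRST+COUNT-1], as reported by `ipa idrange-find`, intersects the
# greeter range [MIN, MAX]; MIN/MAX default to the GDM defaults.
ranges_overlap() {
    first=$1; count=$2
    min=${3:-$GREETER_UID_MIN}; max=${4:-$GREETER_UID_MAX}
    last=$((first + count - 1))
    [ "$first" -le "$max" ] && [ "$last" -ge "$min" ]
}

# uids_in_greeter_range [MIN MAX]: read passwd(5) lines on stdin and print
# "name:uid" for every account whose UID lies inside the greeter range.
uids_in_greeter_range() {
    min=${1:-$GREETER_UID_MIN}; max=${2:-$GREETER_UID_MAX}
    awk -F: -v min="$min" -v max="$max" \
        '$3+0 >= min+0 && $3+0 <= max+0 { print $1 ":" $3 }'
}

# Constructed sample passwd data for the stand-alone run (not real accounts);
# on a real host feed `getent passwd` into uids_in_greeter_range instead.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
gdm:x:995:995:Gnome Display Manager:/var/lib/gdm3:/bin/false
gdm-greeter:*:60578:60578:gdm-greeter:/home/gdm-greeter:/bin/sh
alice:*:60800:60800:alice:/home/alice:/bin/bash'

main() {
    set -- $(greeter_range)
    echo "Effective GDM greeter UID range: $1-$2"
    # Values from the report's ipa idrange-find output: first 50000, count 50000.
    if ranges_overlap 50000 50000 "$1" "$2"; then
        echo "WARNING: directory ID range 50000-99999 overlaps the greeter range"
    else
        echo "OK: directory ID range does not overlap the greeter range"
    fi
    echo "Accounts inside the greeter range (sample data):"
    printf '%s\n' "$SAMPLE_PASSWD" | uids_in_greeter_range "$1" "$2"
}

main "$@"
```

Replace the sample data with `getent passwd | uids_in_greeter_range` and the two idrange values with your own to audit a joined host; any account the script prints is one that GdmDynamicUserStore can collide with, and an overlapping range is a sign to move the directory range or wait for a GDM build whose greeter range is set above it.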
Workaround:
-----------
Add to /etc/gdm3/custom.conf:
[daemon]
AutomaticLoginEnable = true
AutomaticLogin = yourusername
This bypasses the greeter entirely but removes password protection
on boot.
** Affects: gdm (Ubuntu)
Importance: Undecided
Status: New
** Tags: freeipa gdm3 resolute sssd
--
https://bugs.launchpad.net/bugs/2143165