VMware Horizon Community
pariseeurosyste
Contributor

SSO breaks on linux desktop pools

Hello,

I have set up Horizon View with 2 desktop pools: one is a CentOS 7 pool and the other an Ubuntu 18.04 pool.

I have already written a script that, at machine startup, joins every machine to the domain and enables sssd for authentication against the AD domain. It works smoothly on both distros.

SSO was not working on CentOS7 from the beginning.

On the other hand, on Ubuntu 18.04 it was working, but after an apt update and an apt upgrade SSO broke.

I can find in viewagent-debug.log entries like

"Start session for user: mattia.parise, have SSO cred: false"

"[SessionHandler] SSO is disabled by broker"

What could be the cause?

Any best practice to make SSO work Windows-like?

The documentation says little about normal SSO and every time refers to the True SSO feature, which I am not interested in at the moment.


Many thanks

Best regards


Mattia Parise

4 Replies
techguy129
Expert

Have you seen this in the release notes?

Single Sign On (SSO) does not work well on a RHEL/CentOS 7.2 desktop when you add a domain using System Security Services Daemon (SSSD).

Workaround: After you add a domain using SSSD, modify the /etc/pam.d/password-auth file using the information in the VMware Knowledge Base article 2150330 SSO configuration changes required when using SSSD to join AD on RHEL/CentOS 7.2 Desktops.

Release Notes for VMware Horizon 7 version 7.7

pariseeurosyste
Contributor

Hello, thanks for the answer! I did not find that, but I will check it; thank you very much, I must have missed it!
Regards

Mattia

pariseeurosyste
Contributor

Hello,

I would like to focus on CentOS at the moment.

In my CentOS 7 version these lines were already set.
There were, by the way, other lines; this is the content of the file:

auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional       pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

And it's not working.
Any suggestions?

Thanks

techguy129
Expert

This line:

auth sufficient pam_sss.so forward_pass

Should be this line:

auth sufficient pam_sss.so use_first_pass

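The change techguy129 recommends, as an added example script (not from the thread, the KB article or VMware): it reports which option the pam_sss.so auth line of a PAM file carries and rewrites forward_pass to use_first_pass on auth lines only, writing the result back through the original path rather than replacing the file so that CentOS 7's /etc/pam.d/password-auth -> password-auth-ac symlink is kept. The sample file content is a constructed copy of a few of the lines posted above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware: inspect and patch the
# "auth ... pam_sss.so" line that techguy129's reply points at.
set -u

# sso_pam_state FILE
# Prints the option found on the first "auth ... pam_sss.so" line:
# "forward_pass", "use_first_pass", "other" (neither option) or "missing".
sso_pam_state() {
    awk '
        $1 == "auth" && index($0, "pam_sss.so") {
            s = "other"
            for (i = 2; i <= NF; i++)
                if ($i == "forward_pass" || $i == "use_first_pass") s = $i
            print s; found = 1; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# sso_pam_fix FILE
# Rewrites forward_pass -> use_first_pass on "auth ... pam_sss.so" lines only;
# account/password/session lines are left alone. Keeps a .bak copy and writes
# the result back through the original path (cat >, not mv), so a symlink such
# as CentOS 7's /etc/pam.d/password-auth -> password-auth-ac stays a symlink.
sso_pam_fix() {
    f=$1
    tmp=$(mktemp) || return 1
    if awk '
            $1 == "auth" && index($0, "pam_sss.so") { sub(/forward_pass/, "use_first_pass") }
            { print }
        ' "$f" > "$tmp" && cp -p "$f" "$f.bak" && cat "$tmp" > "$f"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed copy of some auth/account lines from the post above,
# so it runs without touching /etc/pam.d. Real use, as root:
#   sso_pam_fix /etc/pam.d/password-auth
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
EOF
echo "before: $(sso_pam_state "$sample")"
sso_pam_fix "$sample"
echo "after:  $(sso_pam_state "$sample")"
grep 'pam_sss.so' "$sample"
rm -f "$sample" "$sample.bak"
```

One caveat from how CentOS 7 manages PAM, not from this thread: password-auth-ac is generated by authconfig, so running authconfig again (for example from a domain-join script that calls it) rewrites the file and can bring forward_pass back; re-run sso_pam_state after any such step.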