
I have x2go server installed on CentOS 7. I can create an x2go client session without any problems using a local system user account. The server also allows Active Directory logins via PBIS Open and I can ssh to the server using an Active Directory account. However, if I try to start an x2go session using an AD account the session just hangs.

Here are the contents of /var/log/secure:

Jun 11 12:11:57 my-server sshd[20288]: Connection from x.x.x.x port 37844 on y.y.y.y port 22
Jun 11 12:11:57 my-server sshd[20288]: Postponed keyboard-interactive for <username> from x.x.x.x port 37844 ssh2 [preauth]
Jun 11 12:11:57 my-server sshd[20478]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=<username>
Jun 11 12:11:58 my-server sshd[20288]: Postponed keyboard-interactive/pam for <username> from x.x.x.x port 37844 ssh2 [preauth]
Jun 11 12:11:58 my-server sshd[20288]: Accepted keyboard-interactive/pam for <username> from x.x.x.x port 37844 ssh2
Jun 11 12:11:58 my-server sshd[20288]: pam_unix(sshd:session): session opened for user <username> by (uid=0)
Jun 11 12:11:58 my-server sshd[20288]: User child is on pid 21148
Jun 11 12:11:58 my-server sshd[21148]: Starting session: command for <username> from x.x.x.x port 37844
Jun 11 12:11:59 my-server sshd[21148]: Starting session: command for <username> from x.x.x.x port 37844

Here's my /etc/pam.d/sshd:

auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
session    sufficient   pam_lsass.so

Here's my /etc/pam.d/system-auth-ac:

auth        required      pam_env.so
auth        requisite     pam_lsass.so smartcard_prompt try_first_pass
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_lsass.so try_first_pass
auth        required      pam_deny.so

account     required      pam_lsass.so unknown_ok
account     sufficient    pam_lsass.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_lsass.so try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

I think this is an issue with my PAM setup because of the authentication failure line in /var/log/secure, but I can't for the life of me work out what's happening, because the session then appears to start and then fails. Any advice would be much appreciated!

apeman

1 Answer


Okay, so the PAM authentication failure was actually a red herring as the session was still authenticating okay. The problem turned out to be caused by the fact that we use numeric AD usernames which were being sanitized out by x2go when creating the session, hence it would hang.

As per the advice from Martyn Welch here, I edited line 67 of the sanitizer sub in /usr/lib64/x2go/x2gosqlitewrapper.pl and changed it from

if ($string =~ /^([a-zA-Z\_][a-zA-Z0-9\_\-\.\@]{0,47}[\$]?)\-([\d]{2,4})\-([\d]{9,12})\_[a-zA-Z0-9\_\-\.]*\_dp[\d]{1,2}$/) {

to

if ($string =~ /^([a-zA-Z0-9\_][a-zA-Z0-9\_\-\.\@]{0,47}[\$]?)\-([\d]{2,4})\-([\d]{9,12})\_[a-zA-Z0-9\_\-\.]*\_dp[\d]{1,2}$/) {

There's an extra "0-9" at the start of the regex. Thank you Martyn Welch, you saved me from more days of heartache!

apeman
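As an added illustration (not code from the answer or from x2go), the two regexes quoted above are run side by side in Python's re module, which accepts the pattern unchanged; the session-name layout is read off the regex itself, and the sample names below are constructed, not real x2go output.

```python
import re

# Session-name allowlist from x2gosqlitewrapper.pl as quoted in the answer.
# Layout implied by the regex (an assumption made here, not documented by x2go):
#   <username>-<display: 2-4 digits>-<timestamp: 9-12 digits>_<desc>_dp<depth: 1-2 digits>
# ORIGINAL: the first character of the username may not be a digit.
ORIGINAL = re.compile(
    r"^([a-zA-Z\_][a-zA-Z0-9\_\-\.\@]{0,47}[\$]?)\-([\d]{2,4})\-([\d]{9,12})"
    r"\_[a-zA-Z0-9\_\-\.]*\_dp[\d]{1,2}$"
)
# FIXED: a leading digit is allowed; everything else is unchanged.
FIXED = re.compile(
    r"^([a-zA-Z0-9\_][a-zA-Z0-9\_\-\.\@]{0,47}[\$]?)\-([\d]{2,4})\-([\d]{9,12})"
    r"\_[a-zA-Z0-9\_\-\.]*\_dp[\d]{1,2}$"
)


def sanitize_session(name, pattern):
    """Return (user, display, timestamp) if the name passes the allowlist, else None.

    Hypothetical helper; mirrors the intent of the sanitizer sub, which rejects
    anything the regex does not match.
    """
    m = pattern.match(name)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


# Constructed sample session names.
SAMPLES = [
    "jsmith-50-1434024717_stDKDE_dp24",    # alphabetic local user: accepted by both
    "123456-50-1434024717_stDKDE_dp24",    # numeric AD username: rejected by ORIGINAL only
    "123456-50-1434024717_st'DKDE_dp24",   # quote in the desc part: rejected by both
]


def compare(names=SAMPLES):
    """Map each name to (accepted_by_original, accepted_by_fixed)."""
    return {
        n: (sanitize_session(n, ORIGINAL) is not None,
            sanitize_session(n, FIXED) is not None)
        for n in names
    }


if __name__ == "__main__":
    for name, (orig_ok, fixed_ok) in compare().items():
        print(f"{name:40} original={orig_ok!s:5} fixed={fixed_ok!s:5}")
```

The third sample shows that the one-character change widens only the first position of the username; characters outside the classes (quotes, spaces, semicolons) are still refused by the fixed pattern.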