Describe the bug
Hi, on a support case I was told to open an issue here. Seeing that I can only create bug reports, I'm going to file one although I believe this should actually be a feature request. Also, I don't think this actually concerns an Azure CLI extension... well.
We are heavily relying on Entra ID authentication for VMs (https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-linux). We are looking at migrating from RHEL 9 to RHEL 10. The link provided clearly states that RHEL 10 isn't supported. If one still tries to run the extension on a RHEL 10 VM, login with a certificate isn't possible.
Apr 17 06:52:45 vm-rhel-10-01 aad_certhandler[11534]: Version: 1.0.033370002; user: <redacted-entra-account-email>
Apr 17 06:52:45 vm-rhel-10-01 aad_certhandler[11534]: This is an Azure machine
Apr 17 06:52:45 vm-rhel-10-01 sshd-session[11530]: Certificate extension "displayname@sshservice.azure.net" is not supported
Apr 17 06:52:45 vm-rhel-10-01 sshd-session[11530]: Certificate extension "oid@sshservice.azure.net" is not supported
Apr 17 06:52:45 vm-rhel-10-01 sshd-session[11530]: Certificate extension "tid@sshservice.azure.net" is not supported
Apr 17 06:52:45 vm-rhel-10-01 sshd-session[11530]: pam_aad(sshd:account): AadAuthorize, Version: 1.0.033370002; CorrelationId: bf890f0b-36a2-4787-b324-1ffee5e38ae1
Apr 17 06:52:45 vm-rhel-10-01 sshd-session[11530]: pam_aad(sshd:account): This is an Azure machine
Apr 17 06:52:45 vm-rhel-10-01 sshd-session[11530]: pam_aad(sshd:account): Login granted for <redacted-entra-account-email> as an admin.
Apr 17 06:52:45 vm-rhel-10-01 sshd-session[11530]: pam_aad(sshd:account): First call for <redacted-entra-account-email>. Provisioning user data.
Apr 17 06:52:45 vm-rhel-10-01 sshd-session[11530]: pam_aad(sshd:account): aaduseradd: cannot accuire lock; try again later.
Apr 17 06:52:45 vm-rhel-10-01 sshd-session[11530]: pam_aad(sshd:account): User provisioning failed with error code 256
Apr 17 06:52:45 vm-rhel-10-01 sshd-session[11530]: fatal: Access denied for user <redacted-entra-account-email> by PAM account configuration [preauth]
Apr 17 06:54:17 vm-rhel-10-01 sshd-session[13101]: Accepted publickey for testuser from 10.0.6.28 port 35794 ssh2: RSA SHA256:<REDACTED>
Apr 17 06:54:17 vm-rhel-10-01 (systemd)[13106]: pam_unix(systemd-user:session): session opened for user testuser(uid=1000) by testuser(uid=0)
Apr 17 06:54:17 vm-rhel-10-01 sshd-session[13101]: pam_unix(sshd:session): session opened for user testuser(uid=1000) by testuser(uid=0)
Apr 17 06:54:21 vm-rhel-10-01 sudo[13151]: testuser : TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su -
Apr 17 06:54:21 vm-rhel-10-01 sudo[13151]: pam_unix(sudo:session): session opened for user root(uid=0) by testuser(uid=1000)
Apr 17 06:54:21 vm-rhel-10-01 su[13154]: pam_unix(su-l:session): session opened for user root(uid=0) by testuser(uid=0)
There is some error with aaduseradd which I can't further verify because I believe the source code isn't published anywhere.
It would be great if RHEL 10 was supported soon so we can continue migrating to it.
Related command
Login via an SSH certificate generated through az ssh cert
Errors
pam_aad(sshd:account): aaduseradd: cannot accuire lock; try again later.
Issue script & Debug output
The above output is from /var/log/secure
Expected behavior
Login to a RHEL 10 VM should work
Environment Summary
I can't enter an az --version output because Azure CLI is not involved in the failing part. Locally, Azure CLI works as expected to generate the SSH certificate.
Additional context
No response
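Added example, not part of the original report and not code from the extension: a small triage script for `/var/log/secure` that groups `sshd-session` lines by PID and separates the case shown above (pam_aad grants the login, local user provisioning fails, PAM denies access) from a plain PAM denial or a local key login. The sample lines are constructed from the excerpt in the report, with a placeholder account name and fingerprint; the verdict names are made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the /var/log/secure excerpt in the report
# (account name and key fingerprint are placeholders).
SAMPLE = """\
Apr 17 06:52:45 vm-rhel-10-01 sshd-session[11530]: Certificate extension "oid@sshservice.azure.net" is not supported
Apr 17 06:52:45 vm-rhel-10-01 sshd-session[11530]: pam_aad(sshd:account): Login granted for user@example.com as an admin.
Apr 17 06:52:45 vm-rhel-10-01 sshd-session[11530]: pam_aad(sshd:account): aaduseradd: cannot accuire lock; try again later.
Apr 17 06:52:45 vm-rhel-10-01 sshd-session[11530]: pam_aad(sshd:account): User provisioning failed with error code 256
Apr 17 06:52:45 vm-rhel-10-01 sshd-session[11530]: fatal: Access denied for user user@example.com by PAM account configuration [preauth]
Apr 17 06:54:17 vm-rhel-10-01 sshd-session[13101]: Accepted publickey for testuser from 10.0.6.28 port 35794 ssh2: RSA SHA256:PLACEHOLDER
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd-session\[(\d+)\]: (.*)$")
RULES = [  # (event name, pattern with the interesting value in group 1)
    ("granted", re.compile(r"pam_aad\(sshd:account\): Login granted for (\S+)")),
    ("provision_failed", re.compile(r"User provisioning failed with error code (\d+)")),
    ("denied", re.compile(r"Access denied for user (\S+) by PAM account configuration")),
    ("accepted", re.compile(r"Accepted publickey for (\S+)")),
    ("bad_ext", re.compile(r'Certificate extension "([^"]+)" is not supported')),
]

def triage(text):
    """Group sshd-session lines by PID and classify each connection."""
    sessions = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # other daemons (sudo, su, systemd) are out of scope
        pid, msg = int(m.group(1)), m.group(2)
        for name, rx in RULES:
            hit = rx.search(msg)
            if hit:
                sessions[pid][name].append(hit.group(1))
    return {pid: (classify(ev), dict(ev)) for pid, ev in sessions.items()}

def classify(ev):
    if "denied" in ev and "granted" in ev and "provision_failed" in ev:
        # Entra authorization passed; the local account step broke the login.
        return "authorized_but_provisioning_failed"
    if "denied" in ev:
        return "denied_by_pam_account"
    if "accepted" in ev:
        return "local_key_login"
    return "incomplete"

if __name__ == "__main__":
    for pid, (verdict, events) in triage(SAMPLE).items():
        print(pid, verdict, events)
```

On a real host, pass the contents of `/var/log/secure` to `triage()` instead of `SAMPLE`.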