New issue
Advanced search Search tips

Issue 828836 link

Starred by 2 users
Status: Verified
Owner:
rsorokin@chromium.org
Closed: May 2018
Cc:
ljusten@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug

Blocked on:
issue 839352


Sign in to add a comment

Chromad: Ephemeral users are not removed from local state

Project Member Reported by rsorokin@chromium.org, Apr 4 2018 
Chrome Version: 67.0.3383.0
Chromeos

What steps will reproduce the problem?
(1) Enroll device into Active Directory
(2) Enable DeviceEphemeralUsersEnabled
(3) Login/logout

What is the expected result?
No user pods

What happens instead?
User pod with the user, but it does not work

Comment 1 by ljusten@chromium.org, Apr 18 2018 

Workaround: Set device policy "Show usernames on login screen" to Disabled.

Comment 2 by rsorokin@chromium.org, Apr 18 2018

Labels: -Pri-2 -M-69 M-68 Pri-1

Comment 3 by rsorokin@chromium.org, Apr 19 2018

Status: Started (was: Assigned)
Project Member

Comment 4 by bugdroid1@chromium.org, Apr 19 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/716380f9cef4f523157b8923d294aaac8de91bcd

commit 716380f9cef4f523157b8923d294aaac8de91bcd
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Thu Apr 19 10:10:45 2018

Chromad: Do not load public key for device settings.

Public key is missing on Active Directory managed devices.
This issue makes device settings untrusted on Active Directory devices.
So ephemeral users was not wiped properly.

BUG= chromium:828836 
TEST=manual on linux build and on a device.

Change-Id: I75424d8c9826bbd229f646421e08a0023ae6abd6
Reviewed-on: https://chromium-review.googlesource.com/1018942
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#551974}
[modify] https://crrev.com/716380f9cef4f523157b8923d294aaac8de91bcd/chrome/browser/chromeos/settings/session_manager_operation.cc

Comment 5 by rsorokin@chromium.org, Apr 19 2018

Status: Fixed (was: Started)

Comment 6 by ibezmenov@chromium.org, Apr 23 2018 

When attempted to verify this issue I have observed the following:

1. Ephemeral mode is enabled, but no user policies (screenshot 1).
2. Errors in authpolicyd.log (attached):

2018-04-23T20:54:03.714201+00:00 ERR authpolicyd[3009]: Failed to call method: org.chromium.SessionManagerInterface.StoreUnsignedPolicyEx: object_path= /org/chromium/SessionManager: org.chromium.SessionManagerInterface.kGetServiceFail: Cannot get policy service for account type 1
2018-04-23T20:54:03.714229+00:00 ERR authpolicyd[3009]: Call to StoreUnsignedPolicyEx failed. No response or error.

3. User pod is not present after logout, however there is an option "(TEMP) Show webui login;.." (screenshot 2), only after clicking this option, Sign-in dialog is appeared.

rsorokin@, could you please take a look?

Chrome OS: 10610.0.0
Chrome: 68.0.3404.0
Device: Santa
Screenshot 2018-04-23 at 1.55.34 PM.png
85.4 KB View Download
Screenshot 2018-04-23 at 1.56.54 PM.png
1.5 MB View Download
authpolicy.log
4.4 KB View Download

Comment 7 by ljusten@chromium.org, Apr 24 2018

Status: Assigned (was: Fixed)

Comment 8 by rsorokin@chromium.org, May 2 2018

Status: Started (was: Assigned)

Comment 9 by rsorokin@chromium.org, May 3 2018

Blockedon: 839352
Status: Fixed (was: Started)
It's actually a separate issue. I filed a bug for that: https://bugs.chromium.org/p/chromium/issues/detail?id=839352

Let's verify after the bug would be fixed

Comment 10 by ibezmenov@chromium.org, Jun 7 2018

Status: Verified (was: Fixed)
Marking this as "Verified", no user pod when ephemeral mode is enabled. However, there is another issue related to ephemeral user:  crbug.com/850324 

Chrome Version: 69.0.3451.0
Chrome OS: 10757.0.0
Device: Santa

Sign in to add a comment