Azure-docs: Error 400 Bad Request when following this documentation.

Created on 30 May 2018 · 23 Comments · Source: MicrosoftDocs/azure-docs

I set up an Ubuntu 16.04 LTS VM and followed all the steps in the documentation.

  • enabled the extension via the CLI
  • tried assigning an admin role to myself

The role assignment returns an error though.

@Azure:~$ username=$(az account show --query user.name --output tsv)
@Azure:~$ vm=$(az vm show --resource-group octopus --name myvmname --query id -o tsv)
@Azure:~$
@Azure:~$ az role assignment create \
>     --role "Virtual Machine Administrator Login" \
>     --assignee $username \
>     --scope $vm
Operation failed with status: 'Bad Request'. Details: 400 Client Error: Bad Request for url: https://graph.windows.net/8394f1a2-c34d-4bf7-ae55-036931165de2/getObjectsByObjectIds?api-version=1.6

I tried both from my macOS CLI client and from the web CLI client.



cxp product-issue triaged virtual-machines-linusvc

All 23 comments

@mimizone Thanks for the feedback! We are currently investigating and will update you shortly.

@mimizone are you using a local instance of Azure CLI or using the Cloud Shell? I attempted this in the cloud shell and it succeeded as expected.

I have the same issue, both when running a local instance of Azure CLI and when using the Cloud Shell.

Same issue in CLI or cloud shell.
Is there something to configure on the Active Directory side?

@iainfoulds any thoughts on this? I ran through the doc and did not have any issues logging in using AAD connected to MSFT.

@mimizone and @radka-j Is there a difference between your AAD domain and logon domain? The commands simply use the user email from your Azure subscription account. You'll receive a '400 client error' message if there's a mismatch when you assign the role permissions.

The following example retrieves the object ID from Azure Active Directory, and uses that object ID to set the role permissions. Does this work correctly?

# Retrieve e-mail address for Azure subscription, then associated object ID from Azure AD
username=$(az account show --query user.name --output tsv)
userId=$(az ad user list --upn "$username" --query '[].objectId' --output tsv)

# Same step to retrieve resource ID of VM
vm=$(az vm show --resource-group myResourceGroup --name myVM --query id -o tsv)

# Assign role using --assignee-object-id rather than just the e-mail address
# (variables are quoted so an empty or space-containing value cannot split into extra arguments)
az role assignment create \
    --role "Virtual Machine Administrator Login" \
    --assignee-object-id "$userId" \
    --scope "$vm"

If the doc was updated to always retrieve the object ID like this, does it look more complicated, or is it still fine and does it make sense?
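The object-ID approach above, as an added example that is not code from this thread or from the Azure docs: it refuses to call `az role assignment create` when the lookup returns an empty or malformed assignee (the case @mimizone hit), and it assumes that a guest user's `mail` attribute equals the e-mail they sign in with for the fallback filter.

```shell
#!/usr/bin/env sh
# Added example, not code from this thread or from the Azure docs: assign the
# VM login role by Azure AD object ID, refusing to run
# "az role assignment create" with an empty or malformed assignee.
set -eu

# Returns 0 when $1 is exactly one GUID, the shape of an Azure AD objectId.
# An empty string or several IDs joined by newlines both fail the check.
is_guid() {
  [ "${#1}" -eq 36 ] || return 1
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Resolves a sign-in name to an objectId. Guest (B2B) users have a UPN like
# name_domain.com#EXT#@tenant.onmicrosoft.com, so the exact --upn lookup
# returns nothing; fall back to the mail attribute (assumption: the guest's
# mail attribute equals the e-mail they sign in with).
resolve_object_id() {
  upn="$1"
  id=$(az ad user list --upn "$upn" --query '[].objectId' --output tsv)
  if [ -z "$id" ]; then
    id=$(az ad user list --filter "mail eq '$upn'" --query '[].objectId' --output tsv)
  fi
  printf '%s\n' "$id"
}

# Assigns the role at VM scope and prints how many matching assignments
# now exist there (expected: 1).
assign_vm_login_role() {
  rg="$1"; vmname="$2"; upn="$3"
  userId=$(resolve_object_id "$upn")
  if ! is_guid "$userId"; then
    echo "refusing to assign: '$upn' did not resolve to one objectId (got '$userId')" >&2
    return 1
  fi
  vm=$(az vm show --resource-group "$rg" --name "$vmname" --query id --output tsv)
  az role assignment create --role "Virtual Machine Administrator Login" \
    --assignee-object-id "$userId" --scope "$vm" >/dev/null
  az role assignment list --assignee "$userId" --scope "$vm" \
    --query "[?roleDefinitionName=='Virtual Machine Administrator Login'] | length(@)" \
    --output tsv
}

# Usage: sh aad_vm_login.sh --run <resourceGroup> <vmName>
if [ "${1:-}" = "--run" ]; then
  assign_vm_login_role "$2" "$3" "$(az account show --query user.name --output tsv)"
fi
```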

The userId is empty in my case if I filter with a UPN equal to my username.

My username is my email. [email protected]

The UPN (User Principal Name, I assume?) is pretty different in my case.
UPN: jeremy.huylebroeck_orange.com#EXT#@jeremyhuylebroeckorange.onmicrosoft.com

If I use the userId retrieved properly from the az ad user list, the az role assignment create command doesn't return the error anymore.

SSH now prompts me properly for authentication via the browser, but once I go through that process, the SSH server closes the connection.

Connection to xxxxxxxxxxxxx.cloudapp.azure.com closed by remote host.
Connection to xxxxxxxxxxxxx.cloudapp.azure.com closed.

@mimizone try restarting the server and logging in again to see if it persists.

Restarting the VM via the web UI didn't solve the problem with the SSH server closing the connection.

I'm also having exactly the same issue. @MicahMcKittrick-MSFT and @iainfoulds, any idea what to do?

@iainfoulds I am starting to see the same thing. Can you walk through a repro as well?

@mimizone @KloudEzy @jurjenoskam I am working with Iain offline to get this addressed.

I am referencing all issues to this one

9418

9497

9532

I will be closing the other two and we can all work off of this one to simplify the process.

I will update everyone once we have more information.

Hi, I am experiencing the same issue on Ubuntu 17.10. I can log in with local accounts but not with AAD accounts. One thing to note is that this still works for several VMs I deployed before this week. However, any new deployment fails to work. I've compared both side by side and can't see a difference in the extension version, SSHD config or PAM.D config. Below is a snippet from my /var/log/auth.log file:

Jun 1 21:33:22 servername sshd[127593]: pam_aad(sshd:auth): Version: 1.0.005150001; CorrelationId: a5c1e221-ffdc-40b3-bd2a-ac99f3e16592
Jun 1 21:33:45 servername sshd[127593]: pam_aad(sshd:auth): Login granted for as an admin.
Jun 1 21:33:45 servername sshd[127593]: pam_aad(sshd:auth): First call for . Creating a local admin user object.
Jun 1 21:33:45 servername sshd[127584]: Accepted keyboard-interactive/pam for from 10.29.16.4 port 41810 ssh2
Jun 1 21:33:45 servername sshd[127584]: pam_unix(sshd:session): session opened for user by (uid=0)
Jun 1 21:33:45 servername sshd[127584]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Jun 1 21:33:46 servername sshd[127584]: fatal: login_get_lastlog: Cannot find account for uid 4359382
Jun 1 21:33:46 servername sshd[127584]: pam_unix(sshd:session): session closed for user
Jun 1 21:33:46 servername sshd[127584]: syslogin_perform_logout: logout() returned an error

Also, as a side note, we attempted to check this on a different distribution (RHEL 7) and the deployment of the extension failed after 30 to 40 minutes.

Thanks @henryallsworth. I will make sure this information also gets in front of the right people and will provide updates as they come in.

Hi,

I can't log in using the AAD extension either.
Could you tell me how to solve this problem?
Is this the same problem?

Client (Cloud Shell)

ssh -l [email protected] 40.74.69.51
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code GU4CTVBMM to authenticate. Press ENTER when ready.
Connection to 40.74.69.51 closed by remote host.
Connection to 40.74.69.51 closed.

Server (journalctl -f -u sshd)

Jun 04 10:46:23 AADSSHVM sshd[31465]: pam_aad(sshd:auth): Login granted for [email protected] as an admin.
Jun 04 10:46:23 AADSSHVM sshd[31465]: pam_aad(sshd:auth): First call for [email protected]. Creating a local admin user object.
Jun 04 10:46:23 AADSSHVM sshd[31438]: Accepted keyboard-interactive/pam for [email protected] from 40.112.211.188 port 22208 ssh2
Jun 04 10:46:24 AADSSHVM sshd[31438]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Jun 04 10:46:24 AADSSHVM sshd[31438]: pam_unix(sshd:session): session opened for user [email protected] by (uid=0)
Jun 04 10:46:24 AADSSHVM sshd[31438]: fatal: login_get_lastlog: Cannot find account for uid 14262593
Jun 04 10:46:24 AADSSHVM sshd[31438]: pam_unix(sshd:session): session closed for user [email protected]
Jun 04 10:46:24 AADSSHVM sshd[31438]: syslogin_perform_logout: logout() returned an error
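Both log excerpts above (the auth.log snippet from @henryallsworth and the journalctl output here) show the same sequence: pam_aad grants the login, then sshd dies with "login_get_lastlog: Cannot find account for uid" because no local account exists for the user. The following is an added example, not code from the thread, that detects that sequence in syslog-format lines and checks whether the aadlogin account file (/etc/aadpasswd, mentioned later in the thread) has any entries; the sample log lines in the test are constructed to match the pattern shown above.

```shell
#!/usr/bin/env sh
# Added example (not from the issue thread): diagnose the "connection closed
# right after AAD login" symptom from sshd/pam_aad log lines.
set -eu

# Reads syslog-format lines on stdin. Prints one line per AAD user whose
# login pam_aad granted but whose session then died with
# "login_get_lastlog: Cannot find account for uid" within $1 seconds
# (default 5), i.e. the local account for that user was never created.
aad_granted_then_dropped() {
  awk -v window="${1:-5}" '
    function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    /pam_aad\(sshd:auth\): Login granted for .* as an admin/ {
      match($0, /Login granted for .* as an admin/)
      user = substr($0, RSTART + 18, RLENGTH - 30)   # strip the fixed words
      if (user == "") user = "<empty user>"           # scrubbed logs, as above
      when = secs($3); pending = 1; next
    }
    pending && /fatal: login_get_lastlog: Cannot find account for uid/ {
      if (secs($3) - when <= window) print user
      pending = 0
    }'
}

# Returns 0 when the aadlogin account file exists and lists at least one
# user; an empty file is the broken state reported in this thread.
aadpasswd_populated() {
  [ -s "${1:-/etc/aadpasswd}" ]
}

main() {
  echo "AAD logins granted but dropped (local account missing):"
  aad_granted_then_dropped 5 < /var/log/auth.log
  aadpasswd_populated || echo "/etc/aadpasswd is missing or empty"
}
if [ "${1:-}" = "--run" ]; then main; fi
```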

Hi,
I tried this feature for the first time this morning.
With a new Ubuntu VM (18.04), I got the same error (connection closed), but with a new Red Hat VM (7.3), it worked.

The painful thing is that every time we need to re-enter the password for a sudo session, we have to navigate to the devicelogin portal and enter a new code.
Tedious but essential for security ...

Thanks all for continuing to reach out. We are still working on this internally to figure it out. I will update everyone once we have more details on a fix.

We have addressed the issue and the problem should now be resolved.

Prior to the fix, if you upgrade the aadlogin package to the latest version it should work.
The bug that was identified was within the aaduseradd utility, which was not updating the aadpasswd file.

Please retry the AAD login process by following the doc and let me know if there are additional issues.

I will keep this open a few more days in case people still have issues.

Thanks Micah. I have updated my systems and can confirm that it is working as expected now. I appreciate the rapid response to this considering it's a preview feature. My customer really likes this feature and never wants to go back to the old way.

Thanks

Thank you @MicahMcKittrick-MSFT, it's working now! I will do more tests and let you know if there are any issues.

Great! I will close this for now, but if anyone has issues with this and is getting the same error, please let me know and I can reopen. Otherwise, if you see any other issues, please open a new issue and we will investigate :)

It is solved on my end as well. Indeed the /etc/aadpasswd file is no longer empty, and users are added as they successfully log in. Thanks!
