Performing verification for gnome-shell in Focal.

During this verification I will explain how VMware Horizon SSO works, and will prove that the gnome-shell in -proposed is equivalent to the custom gnome-shell package distributed by VMware.

I will begin by walking through the SSO workflow, based around the custom gnome-shell package distributed by VMware.

Firstly, start with a fresh Focal Desktop VM, all up to date.

Visit the VMware website, specifically this link:

https://my.vmware.com/en/web/vmware/evalcenter?p=horizon-eval-8

Sign up for a VMware account and reach the VMware Horizon 8 evaluation download page.

The next step is to locate the "Linux Agent x86_64". The file is named VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz

If you have difficulty in obtaining this file and want to reproduce, please message me.

Download and copy to the Focal VM.

$ scp VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz ubuntu@target:~/
$ ssh ubuntu@target
$ tar -xf VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz
$ cd VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770

Next, install the VMware Horizon Linux Agent by following the instructions at:

https://docs.vmware.com/en/VMware-Horizon-7/7.13/linux-desktops-setup/GUID-B4111821-34F2-465B-B290-FC2070EFCB5A.html

$ sudo apt install libpam-pkcs11
$ sudo apt install libnss3-tools
$ sudo apt install open-vm-tools
$ sudo ./install_viewagent.sh -T yes

Now, this will install a custom patched gnome-shell library, which contains the following patches:

https://paste.ubuntu.com/p/q4fkNrqHQT/

You can find this, and more in the VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770/sso directory.

Reboot the VM. When it comes back up, run "ps aux". You will see:

root 1410 0.0 0.1 345920 10840 ? Sl 15:09 0:00 /usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon
root 1411 2.1 0.1 77128 9208 ? Sl 15:09 0:00 /usr/lib/vmware/viewagent/VMwareBlastServer/BlastServer
root 1463 0.0 0.0 107056 6812 ? Sl 15:09 0:00 desktopWorker -x /usr/lib/vmware/viewagent/bin/StartXServer.sh -d :100 -s 1 -p 13
root 1477 1.4 0.7 1129928 61244 ? Sl 15:09 0:00 /usr/lib/xorg/Xorg :100 -auth /var/vmware/viewagent/xauth/.xauth:100 -once -query 127.0.0.1 -config /usr/lib/vmware/viewagent/resour
root 1530 0.0 0.1 177392 9172 ? Sl 15:09 0:00 gdm-session-worker [pam/gdm-launch-environment]
gdm 1535 0.0 0.0 5300 1108 ? Ss 15:09 0:00 dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart
gdm 1536 0.2 0.0 7556 4672 ? S 15:09 0:00 dbus-daemon --nofork --print-address 4 --session
gdm 1537 0.3 0.2 568700 16920 ? Sl 15:09 0:00 /usr/libexec/gnome-session-binary --systemd --autostart /usr/share/gdm/greeter/autostart

Now, the SSO desktop for the VDI is on xorg display :100, and all of this is launched by /usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon.

The dbus-run-session runs a bunch of autostart scripts in /usr/share/gdm/greeter/autostart, one of which starts up SsoDBusNotify.py.

Now, when /usr/lib/vmware/viewagent/bin/SsoDBusNotify.py runs, it reads in a SSO token generated by desktopDaemon from stdin, and then makes sure the display matches what xorg is running on, and then sends a UserAuthenticated signal to DBUS on '/org/vmware/viewagent/Credentials' and 'org.vmware.viewagent.Credentials'.

Let's do this manually, since we are in KVM and not on an actual VMware Horizon cluster. Execute:

$ sudo /usr/lib/vmware/viewagent/bin/SsoDBusNotify.py -t sso -d :100

When asked, input the token: "12345DISPLAY:100".

The custom gnome-shell distributed by VMware listens on org.vmware.viewagent.Credentials.D100 (yes, that is a per-display dbus address) which then checks to see if the token is any good, and passes it to PAM for processing.

PAM then calls the module gdm-vmwcred, which then talks to the SSSD and krb5 PAM modules to authenticate against an AD server. But in our repro environment, this won't work.
But the main thing is, if you check:

/var/log/auth.log:
Mar 22 15:14:45 ubuntu gdm-vmwcred]: pam_vmw_cred(gdm-vmwcred:auth): Failed to acquire user's credentials

and /var/log/vmware/pam_vmw_log:
2021:03:22 15:14:45 : Authentication begins
2021:03:22 15:14:45 : SSOChannel_AcquireUserCredentials called.
2021:03:22 15:14:45 : VMWARE Token is invaild.
2021:03:22 15:14:45 : Failed to acquire user's credentials
2021:03:22 15:14:45 : Authentication ends

We see gnome-shell does in fact call PAM. On vanilla installs of gnome-shell, i.e. gnome-shell 3.36.4-1ubuntu1~20.04.2 and earlier, if you attempted to do this, gnome-shell would not talk to PAM as it does not understand the per-display dbus logic.

Now, on the customer environment, SSO works fine with the custom gnome-shell library, as they are correctly configured for SSSD / krb5 to their AD server.

Now, let's repeat the process, but this time, we are going to use the new gnome-shell package in -proposed.

Start with a clean Focal Desktop VM.

Copy the VMware Horizon Linux agent over.

$ scp VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz ubuntu@target:~/
$ ssh ubuntu@target
$ tar -xf VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz
$ cd VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770

Next, install the VMware Horizon Linux Agent by following the instructions at:

https://docs.vmware.com/en/VMware-Horizon-7/7.13/linux-desktops-setup/GUID-B4111821-34F2-465B-B290-FC2070EFCB5A.html

$ sudo apt install libpam-pkcs11
$ sudo apt install libnss3-tools
$ sudo apt install open-vm-tools

Now, this step is VERY VERY VERY important. Install the viewagent with the additional flag "-G yes":

$ sudo ./install_viewagent.sh -G yes -T yes

The "-G yes" flag tells the installer to not overwrite gnome-shell, and to instead switch to upstream SSO patch support mode.
Then enable -proposed, and install gnome-shell version 3.36.7-0ubuntu0.20.04.1

$ cat << EOF | sudo tee /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed main universe
EOF
$ sudo apt update
$ sudo apt install gnome-shell gnome-shell-common
$ sudo apt-cache policy gnome-shell | grep Installed
  Installed: 3.36.7-0ubuntu0.20.04.1

Reboot.

$ sudo reboot

Now, when the system comes up, again verify the following processes:

root 1440 0.0 0.1 345920 10928 ? Sl 15:27 0:00 /usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon
root 1442 2.2 0.1 77128 9032 ? Sl 15:27 0:00 /usr/lib/vmware/viewagent/VMwareBlastServer/BlastServer
root 1473 0.0 0.0 107056 6736 ? Sl 15:27 0:00 desktopWorker -x /usr/lib/vmware/viewagent/bin/StartXServer.sh -d :100 -s 1 -p 13
root 1482 0.8 0.7 1129924 60924 ? Sl 15:27 0:00 /usr/lib/xorg/Xorg :100 -auth /var/vmware/viewagent/xauth/.xauth:100 -once -query 127.0.0.1 -config /usr/lib/vmware/viewagent/resour
root 1534 0.0 0.1 177392 9136 ? Sl 15:27 0:00 gdm-session-worker [pam/gdm-launch-environment]
gdm 1539 0.0 0.0 5300 1108 ? Ss 15:27 0:00 dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart
gdm 1540 0.1 0.0 7524 4572 ? S 15:27 0:00 dbus-daemon --nofork --print-address 4 --session
gdm 1541 0.2 0.2 494964 17008 ? Sl 15:27 0:00 /usr/libexec/gnome-session-binary --systemd --autostart /usr/share/gdm/greeter/autostart

This time, since we used the special "-G yes" flag when installing the Horizon Agent, we get an additional process, SsoDispatcher.py:

gdm 1784 0.1 0.2 47504 19504 ? S 15:27 0:00 /usr/bin/python3 /usr/lib/vmware/viewagent/sso/SsoDispatcher.py

This is executed from /usr/share/gdm/greeter/autostart/vmware-sso-dispatcher.desktop file called by dbus-run-session.
Now, what SsoDispatcher.py does is listen on the per-display dbus credentials interface org.vmware.viewagent.Credentials.D100. If it sees a UserAuthenticated signal, it forwards it to the new dbus interface that the upstream gnome-shell patches listen on, which is org.vmware.viewagent.Credentials.

So SsoDispatcher.py acts as a bridge between old VMware implementation, and what is implemented in the gnome-shell packages in -proposed.

Now, if we issue the call to SsoDBusNotify.py:

$ sudo /usr/lib/vmware/viewagent/bin/SsoDBusNotify.py -t sso -d :100

When asked, input the token: "12345DISPLAY:100".

SsoDBusNotify.py sends the token to SsoDispatcher.py which sends the token to gnome-shell, which then forwards the token to PAM for processing.

Again, if we check the logs:

/var/log/auth.log:
Mar 22 15:33:22 ubuntu gdm-vmwcred]: pam_vmw_cred(gdm-vmwcred:auth): Failed to acquire user's credentials

and also in /var/log/vmware/pam_vmw_log:
2021:03:22 15:33:22 : Authentication begins
2021:03:22 15:33:22 : SSOChannel_AcquireUserCredentials called.
2021:03:22 15:33:22 : VMWARE Token is invaild.
2021:03:22 15:33:22 : Failed to acquire user's credentials
2021:03:22 15:33:22 : Authentication ends

Thus, gnome-shell correctly received the token and passed it to PAM for processing.

We have tested this pretty in depth on the customer's actual VMware Horizon environment, and it took us a lot of time, but we can see that the gnome-shell package in -proposed works, and properly authenticates with PAM and SSO functions as intended.

I can't share any logs from the customer's environment showing PAM working, sorry. But it does.

We have tested against the following VMware Horizon Linux Agents:

VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz
VMware-horizonagent-linux-x86_64-7.13.0-17123958.tar.gz
VMware-horizonagent-linux-x86_64-7.13.0-16944161.tar.gz

All work.

The customer is finally ready and happy to sign off on the packages in -proposed.
I am happy to sign off and mark the gnome-shell version 3.36.7-0ubuntu0.20.04.1 as verified. If you have any questions on the above verification, please contact me, or Marco.
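
A log check for the verification step described above, as an added example that is not part of the original comment: it groups pam_vmw_log lines into attempts and confirms that auth.log shows gdm-vmwcred running in the same time window, which is the evidence used here that gnome-shell handed the token to PAM. The function names and the 2-second slack are assumptions; the sample lines are the ones quoted in the comment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: lines copied from the logs quoted in the comment.
AUTH_LOG = ("Mar 22 15:33:22 ubuntu gdm-vmwcred]: pam_vmw_cred(gdm-vmwcred:auth): "
            "Failed to acquire user's credentials\n")
PAM_VMW_LOG = """\
2021:03:22 15:33:22 : Authentication begins
2021:03:22 15:33:22 : SSOChannel_AcquireUserCredentials called.
2021:03:22 15:33:22 : VMWARE Token is invaild.
2021:03:22 15:33:22 : Failed to acquire user's credentials
2021:03:22 15:33:22 : Authentication ends
"""

VMW_LINE = re.compile(r"^(\d{4}:\d\d:\d\d \d\d:\d\d:\d\d) : (.*)$")
AUTH_LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ gdm-vmwcred\S*: (.*)$")

def parse_attempts(vmw_log):
    """Group pam_vmw_log lines into attempts bounded by begins/ends markers."""
    attempts, cur = [], None
    for line in vmw_log.splitlines():
        m = VMW_LINE.match(line.strip())
        if not m:
            continue
        ts, msg = datetime.strptime(m.group(1), "%Y:%m:%d %H:%M:%S"), m.group(2)
        if msg == "Authentication begins":
            cur = {"start": ts, "end": None, "messages": []}
            attempts.append(cur)
        elif cur is not None and msg == "Authentication ends":
            cur["end"] = ts
            cur = None
        elif cur is not None:
            cur["messages"].append(msg)
    return attempts

def verify_pam_reached(auth_log, vmw_log, slack=timedelta(seconds=2)):
    """Per attempt: did it finish, does auth.log corroborate it, did it fail?"""
    report = []
    for a in parse_attempts(vmw_log):
        lo, hi = a["start"] - slack, (a["end"] or a["start"]) + slack
        stamps = [m.group(1) for m in map(AUTH_LINE.match, auth_log.splitlines()) if m]
        # auth.log timestamps carry no year, so borrow it from the attempt.
        seen = any(lo <= datetime.strptime(f"{lo.year} {s}", "%Y %b %d %H:%M:%S") <= hi
                   for s in stamps)
        report.append({"start": a["start"], "complete": a["end"] is not None,
                       "in_auth_log": seen,
                       "failed": any(s.startswith("Failed") for s in a["messages"])})
    return report
```

An empty report after sending the token means PAM was never reached, which is what the comment describes for gnome-shell 3.36.4-1ubuntu1~20.04.2 and earlier.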