27th July 2023.
When you log in to a default Kubuntu 22.04 machine, it uses the SDDM login screen.
LDAP users are not listed here by default. You have to click on “Other User” and then type your username and password. This is very tedious when you expect the last user to always be shown first.
I thought this would be easy to fix, but I was shocked at how poorly this was documented. So here is a How-To on how to configure your main LDAP account to always be shown first when logging in.
Assumptions
FreeIPA Client is already installed and LDAP login works.
Summary
Here is a summary of all required tasks:
Change the range of displayed UIDs to 1000 - 2000000000
Hide user “nobody”
Edit the sssd.conf file
Change the default SDDM theme
Detailed Configuration
Change the range of allowed UIDs
By default, FreeIPA uses UID ranges from 1902600000 - 1902800000, while SDDM login screen only shows users in the 1000 - 60000 range. You could change the default range in FreeIPA, but that might conflict with other systems. Therefore it’s better to adjust it on the client.
Verify UID
To verify the configured UID range in FreeIPA, in case it has been modified:
Login on the IPA WebGUI and go to IPA Server > ID Ranges > YOUR.DOMAIN_id_range
You can check the specified UID for a user either under Identity > Users > Active Users…
… or by typing this in the command prompt:
The Local User:
user@sauna-client:~$ getent passwd ${USER}
user:x:1000:1000:user,,,:/home/user:/bin/bash
The LDAP User:
sysadm@sauna-client:~$ getent passwd ${USER}
sysadm:*:1902600005:1902600005:System Admin:/home/sysadm:/bin/bash
To verify the configured allowed range in SDDM:
Go to System Settings > Startup And Shutdown > Behavior…
Unfortunately, it is not possible to set the Maximum user UID above 99 999 from here. We need to set it on the command line.
Configure the UID range
Step 1: Open a Terminal and create the folder “sddm.conf.d” under /etc:
sudo mkdir /etc/sddm.conf.d
Step 2: Create a file with any filename, uid.conf for example, and paste in the following settings:
sudo nano /etc/sddm.conf.d/uid.conf
[Users]
MaximumUid=2000000000
MinimumUid=1000
Now restart the system.
Hide unnecessary users
You will now notice that a user called nobody with UID 65534 is visible:
user@sauna-client:~$ getent passwd nobody
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
You can hide it by adding the “HideUsers” parameter in the file created in the last step.
sudo nano /etc/sddm.conf.d/uid.conf
[Users]
HideUsers=nobody
MaximumUid=2000000000
MinimumUid=1000
Note: Alternatively, you could set the MinimumUid to match the range of FreeIPA. Then only LDAP users will be visible (and it won’t be necessary to hide nobody). Local users can still log in, but they have to type their username.
Then restart the machine again.
Edit sssd file
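We still don’t see any LDAP accounts, even if they have a home directory. We need to add “enumerate = True” under the domain section of the sssd.conf file so that SSSD returns the list of available LDAP users. Enumeration is off by default in SSSD; when enabled, the client downloads and caches all user and group entries from the domain.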
sudo nano /etc/sssd/sssd.conf
[domain/bastuklubben.online]
id_provider = ipa
ipa_server = _srv_, sauna-ipa.bastuklubben.online
ipa_domain = bastuklubben.online
ipa_hostname = sauna-client.bastuklubben.online
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
enumerate = True
Then restart the machine again. Now all LDAP users should be visible, and your last logged-in user should be shown first:
What is not so nice, though, is the fact that all users from the FreeIPA domain are listed. I don’t like to scroll through potentially hundreds of users to find mine. To fix that, well, I cheated a bit…
Change the Default SDDM Theme
The best workaround I could think of was to change the default SDDM theme to something that doesn’t show a list of users, only the last one logged in. I found this one called dark-openSUSE-SDDM which, in my opinion, looks pretty cool.
You can find a list with themes here and search for one that suits you:
https://store.kde.org/browse?cat=101&ord=rating
Change the Default SDDM Theme in Kubuntu
Step 1: Go to System Settings > Startup And Shutdown > Get New SDDM Themes and search or browse for any other similar theme you like and then press install.
Step 2: Choose the new theme and press Apply
Note: You need a user with root privileges to change the login screen.
New configuration files
One thing I noticed when changing the theme is that an empty file called “sddm.conf” got created under /etc, and another file called “kde_settings.conf” got created under /etc/sddm.conf.d/.
sysadm@sauna-client:/etc/sddm$ ls /etc/sddm.conf
/etc/sddm.conf
sysadm@sauna-client:/etc/sddm$ ls /etc/sddm.conf.d/
kde_settings.conf uid.conf
cat /etc/sddm.conf.d/kde_settings.conf
[Autologin]
Relogin=false
Session=
User=
[General]
HaltCommand=
RebootCommand=
[Theme]
Current=Dark-openSUSE-SDDM
[Users]
MaximumUid=2000000000
MinimumUid=1000
There are now two configuration files inside /etc/sddm.conf.d/ but it doesn’t matter. You could migrate your settings over to this new file if you want, but SDDM will load all settings from all files in this folder anyway.
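To see how the [Users] settings from several drop-in files combine, here is a script that is an added example and not part of the original post. It merges the files in a directory and reports whether a given passwd entry would be listed. The helper names users_setting and greeter_verdict are hypothetical, and the script assumes that when a key appears in more than one file the last file in sorted order wins and that HideUsers is a comma-separated list.

```sh
#!/bin/sh
# Added example, not from the original post: which accounts would the SDDM
# greeter list, given the drop-in files in an sddm.conf.d directory?

# users_setting DIR KEY DEFAULT: effective value of KEY in the [Users] section.
# Files are read in sorted order; the last assignment wins (assumption).
users_setting() (
    value=$3
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        value=$(awk -v key="$2" -v cur="$value" '
            /^[ \t]*\[/ { in_users = ($0 ~ /^[ \t]*\[Users\]/); next }
            in_users && index($0, "=") {
                k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
                if (k == key) cur = v
            }
            END { print cur }' "$f")
    done
    printf '%s\n' "$value"
)

# greeter_verdict DIR PASSWD_LINE: "listed", or the reason the entry is hidden.
greeter_verdict() (
    name=${2%%:*}
    uid=$(printf '%s\n' "$2" | cut -d: -f3)
    min=$(users_setting "$1" MinimumUid 1000)    # defaults as stated in the article
    max=$(users_setting "$1" MaximumUid 60000)
    hide=$(users_setting "$1" HideUsers "" | tr -d ' ')   # comma-separated names
    case ",$hide," in *",$name,"*) echo "hidden by HideUsers"; exit 0 ;; esac
    if [ "$uid" -lt "$min" ] || [ "$uid" -gt "$max" ]; then
        echo "hidden: uid outside $min-$max"; exit 0
    fi
    echo "listed"
)

# Constructed sample: the two drop-ins shown in the article, in a scratch directory.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '[Theme]\nCurrent=Dark-openSUSE-SDDM\n[Users]\nMaximumUid=2000000000\nMinimumUid=1000\n' > "$demo/kde_settings.conf"
printf '[Users]\nHideUsers=nobody\nMaximumUid=2000000000\nMinimumUid=1000\n' > "$demo/uid.conf"

for entry in 'user:x:1000:1000:user,,,:/home/user:/bin/bash' \
             'sysadm:*:1902600005:1902600005:System Admin:/home/sysadm:/bin/bash' \
             'nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'; do
    printf '%-8s %s\n' "${entry%%:*}" "$(greeter_verdict "$demo" "$entry")"
done
```

On a real client, pass /etc/sddm.conf.d as the directory and the output of getent passwd for the account you want to check.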
And we’re done. At least it’s good enough for me anyway.
Appendix
Reverse order
When you have done this once to get the idea, you might figure out it’s way faster if you do it in the reverse order:
Change the default SDDM theme
Add
enumerate = True
to /etc/sssd/sssd.conf
Add
MaximumUid=2000000000
to /etc/sddm.conf.d/kde_settings.conf
Optionally also enter
HideUsers=nobody
(it’s not visible when changing theme anyway).
Reboot