#2556 add systemd-user to default gpo list
Closed: Fixed. Opened 4 years ago by preichl.

pam_systemd.so fails with GPO enabled. We believe that's because systemd-user isn't an allowed service in the SSSD GPO defaults (just sshd). In this case systemd-logind will not be able to properly create the session.

pam_systemd.so is an optional module for session. So it is not critical, but it would be good if it worked with GPO.

domain log:

(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [pamHandler]
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [be_req_set_domain] (0x0400): Changing request domain from [ad.test] to [ad.test]
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): domain: ad.test
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): user: denied_user
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): service: systemd-user
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): tty:
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): ruser:
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): rhost:
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): authtok type: 0
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): priv: 0
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): cli_pid: 991
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): logon name: not set
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [sdap_access_send] (0x0400): Performing access check for user [denied_user]
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9db5b0
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9b7a20
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ldb] (0x4000): Running timer event 0x9db5b0 "ltdb_callback"
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ldb] (0x4000): Destroying timer event 0x9b7a20 "ltdb_timeout"
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ldb] (0x4000): Ending timer event 0x9db5b0 "ltdb_callback"

(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [denied_user]
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [sdap_account_expired_ad] (0x4000): User account control for user [denied_user] is [200].
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [sdap_account_expired_ad] (0x4000): Expiration time for user [denied_user] is [0].
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ad_gpo_access_send] (0x0400): using default right
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ad_gpo_access_send] (0x0400): service systemd-user maps to Denied
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [be_pam_handler_callback] (0x0100): Sending result [6][ad.test]

journald:

Jan 13 15:50:28 dev.local.test systemd-logind[386]: New user allowed_user@ad.test logged in.
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager membe
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager membe
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=signal sender=n/a destination=n/a object=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=UserNew cookie=307 reply_coo
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager membe
Jan 13 15:50:28 dev.local.test systemd-logind[386]: New session 12 of user allowed_user@ad.test.
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=signal sender=n/a destination=n/a object=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=SessionNew cookie=309 reply_
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=signal sender=n/a destination=n/a object=/org/freedesktop/login1/user/_1202201112 interface=org.freedesktop.DBus.Properties member=Properties
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved cookie=3304 r
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1/unit/user_2d1202201112_2eslice interface=org.freedesktop.DBus.Properties m
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved cookie=3328 r
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1/unit/session_2d12_2escope interface=org.freedesk
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1/unit/session_2d12_2escope interface=org.freedesk
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1/unit/user_401202201112_2eservice interface=org.freedesktop.DBus.Properties
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1/unit/user_401202201112_2eservice interface=org.freedesktop.DBus.Properties
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1/unit/session_2d12_2escope interface=org.freedesktop.DBus.Properties member
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1/unit/session_2d12_2escope interface=org.freedesk
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1/unit/session_2d12_2escope interface=org.freedesk
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1/unit/session_2d12_2escope interface=org.freedesktop.DBus.Properties member
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1/unit/session_2d12_2escope interface=org.freedesk
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1/unit/session_2d12_2escope interface=org.freedesk
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1/job/1889 interface=org.freedesktop.DBus.Properties member=PropertiesChange
Jan 13 15:50:28 dev.local.test systemd[1211]: pam_sss(systemd-user:account): Access denied for user allowed_user@ad.test: 6 (Permission denied)
Jan 13 15:50:28 dev.local.test systemd[1211]: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved cookie=3359 r
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sending reply about created session: id=12 object_path=/org/freedesktop/login1/session/_312 uid=1202201112 runtime_path=/run/user/1202201112 session_fd=22 seat
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_return sender=n/a destination=:1.73 object=n/a interface=n/a member=n/a cookie=317 reply_cookie=2 error=n/a
Jan 13 15:50:28 dev.local.test sshd[1208]: pam_unix(sshd:session): session opened for user allowed_user@ad.test by (uid=0)
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=org.freedesktop.DBus destination=n/a object=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameOwnerChanged cookie=
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitRemoved cookie=3361
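The domain log above shows the mechanism behind the failure: the AD provider's GPO access control looks the PAM service name up in its ad_gpo_map_* lists, and a name found in none of them ("using default right") falls back to ad_gpo_default_right, which is deny. The following is an added example, not SSSD's own code and not from the ticket: a small Python model of that lookup, together with a check that pulls "maps to Denied" lines out of a domain log so the affected service names can be spotted. The option names and the "+name"/"-name" list syntax are the ones documented in sssd-ad(5); DEFAULT_MAPS is a deliberately small stand-in for SSSD's real built-in defaults that only encodes what the ticket states (sshd mapped, systemd-user not), and the function names, the sample configuration and the sample log lines are constructed for the example.

```python
"""Model of sssd's GPO service-name mapping and a domain-log check.

Added example; not SSSD code. DEFAULT_MAPS is a constructed stand-in for
the real built-in lists (it only reflects what the ticket reports).
"""
import configparser
import re

# Constructed stand-in for the built-in defaults (pre-1.12.4 view: sshd is
# mapped to a logon right, systemd-user appears in no list at all).
DEFAULT_MAPS = {
    "ad_gpo_map_interactive": set(),
    "ad_gpo_map_remote_interactive": {"sshd"},
    "ad_gpo_map_network": set(),
    "ad_gpo_map_batch": set(),
    "ad_gpo_map_service": set(),
    "ad_gpo_map_permit": set(),
    "ad_gpo_map_deny": set(),
}

LOGON_RIGHT_LISTS = (
    "ad_gpo_map_interactive", "ad_gpo_map_remote_interactive",
    "ad_gpo_map_network", "ad_gpo_map_batch", "ad_gpo_map_service",
)

# Matches the evaluator's line format as it appears in the ticket's log.
DENIED_RE = re.compile(
    r"\[ad_gpo_access_send\] \(0x0400\): service (\S+) maps to Denied")


def parse_map_option(value, defaults):
    """Apply the sssd-ad(5) list syntax (simplified): bare names replace the
    defaults, '+name' adds a name, '-name' removes one."""
    toks = [t.strip() for t in value.split(",") if t.strip()]
    bare = {t for t in toks if t[0] not in "+-"}
    names = bare if bare else set(defaults)
    for t in toks:
        if t.startswith("+"):
            names.add(t[1:])
        elif t.startswith("-"):
            names.discard(t[1:])
    return names


def classify_service(service, section):
    """Return the bucket a PAM service name lands in: 'permit', 'deny', one
    of the logon-right classes (then checked against the GPO), or
    'default:<right>' when the name is in no list. Assumes the lists are
    disjoint, which is how a sane sssd.conf is written."""
    maps = {opt: parse_map_option(section.get(opt, ""), dflt)
            for opt, dflt in DEFAULT_MAPS.items()}
    if service in maps["ad_gpo_map_permit"]:
        return "permit"
    if service in maps["ad_gpo_map_deny"]:
        return "deny"
    for opt in LOGON_RIGHT_LISTS:
        if service in maps[opt]:
            return opt[len("ad_gpo_map_"):]      # e.g. 'remote_interactive'
    # "using default right": sssd's default for ad_gpo_default_right is deny
    return "default:" + section.get("ad_gpo_default_right", "deny")


def domain_section(conf_text, domain="ad.test"):
    """sssd.conf is INI-style, so configparser is enough to read a domain."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp["domain/" + domain]


def denied_services(log_text):
    """Sorted names of services the GPO evaluator mapped to Denied."""
    return sorted({m.group(1) for m in DENIED_RE.finditer(log_text)})


# Constructed samples: the same domain before and after explicitly
# permitting systemd-user, which is the workaround for releases that
# lack the 1.12.4 default.
CONF_BEFORE = """
[domain/ad.test]
id_provider = ad
access_provider = ad
ad_gpo_access_control = enforcing
"""
CONF_AFTER = CONF_BEFORE + "ad_gpo_map_permit = +systemd-user\n"

SAMPLE_LOG = """\
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ad_gpo_access_send] (0x0400): using default right
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ad_gpo_access_send] (0x0400): service systemd-user maps to Denied
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
"""

if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        sec = domain_section(conf)
        print(label, "sshd ->", classify_service("sshd", sec),
              "| systemd-user ->", classify_service("systemd-user", sec))
    print("services denied in log:", denied_services(SAMPLE_LOG))
```

Running the block prints systemd-user as "default:deny" for the first configuration and "permit" for the second, while sshd stays in the remote_interactive class in both, so it is still subject to the GPO's logon rights rather than bypassed. The log check is what a defender would run over /var/log/sssd/sssd_<domain>.log when a session service starts failing with "Permission denied" from pam_sss after GPO enforcement is switched on.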

Fields changed

owner: somebody => preichl
patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.4
resolution: => fixed
status: new => closed

Fields changed

changelog: => pam_systemd.so no longer emits failures when GPO is in enforcing mode

Fields changed

rhbz: => 0

Metadata Update from @preichl:
- Issue assigned to preichl
- Issue set to the milestone: SSSD 1.12.4

2 years ago
