#2556 add systemd-user to default gpo list
Closed: Fixed. Opened 5 years ago by preichl.

pam_systemd.so fails with GPO enabled. We believe that's because systemd-user isn't an allowed service in the SSSD GPO (just sshd). In this case systemd-logind will not be able to properly create the session.

pam_systemd.so is an optional module for the session, so it is not critical, but it would be good if it worked with GPO.

domain log:

(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [pamHandler]
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [be_req_set_domain] (0x0400): Changing request domain from [ad.test] to [ad.test]
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): domain: ad.test
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): user: denied_user
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): service: systemd-user
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): tty:
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): ruser:
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): rhost:
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): authtok type: 0
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): priv: 0
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): cli_pid: 991
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [pam_print_data] (0x0100): logon name: not set
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [sdap_access_send] (0x0400): Performing access check for user [denied_user]
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9db5b0
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9b7a20
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ldb] (0x4000): Running timer event 0x9db5b0 "ltdb_callback"
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ldb] (0x4000): Destroying timer event 0x9b7a20 "ltdb_timeout"
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ldb] (0x4000): Ending timer event 0x9db5b0 "ltdb_callback"

(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [denied_user]
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [sdap_account_expired_ad] (0x4000): User account control for user [denied_user] is [200].
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [sdap_account_expired_ad] (0x4000): Expiration time for user [denied_user] is [0].
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ad_gpo_access_send] (0x0400): using default right
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ad_gpo_access_send] (0x0400): service systemd-user maps to Denied
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [be_pam_handler_callback] (0x0100): Sending result [6][ad.test]

journald:

Jan 13 15:50:28 dev.local.test systemd-logind[386]: New user allowed_user@ad.test logged in.
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager membe
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager membe
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=signal sender=n/a destination=n/a object=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=UserNew cookie=307 reply_coo
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager membe
Jan 13 15:50:28 dev.local.test systemd-logind[386]: New session 12 of user allowed_user@ad.test.
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=signal sender=n/a destination=n/a object=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=SessionNew cookie=309 reply_
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=signal sender=n/a destination=n/a object=/org/freedesktop/login1/user/_1202201112 interface=org.freedesktop.DBus.Properties member=Properties
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved cookie=3304 r
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1/unit/user_2d1202201112_2eslice interface=org.freedesktop.DBus.Properties m
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved cookie=3328 r
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1/unit/session_2d12_2escope interface=org.freedesk
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1/unit/session_2d12_2escope interface=org.freedesk
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1/unit/user_401202201112_2eservice interface=org.freedesktop.DBus.Properties
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1/unit/user_401202201112_2eservice interface=org.freedesktop.DBus.Properties
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1/unit/session_2d12_2escope interface=org.freedesktop.DBus.Properties member
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1/unit/session_2d12_2escope interface=org.freedesk
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1/unit/session_2d12_2escope interface=org.freedesk
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1/unit/session_2d12_2escope interface=org.freedesktop.DBus.Properties member
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1/unit/session_2d12_2escope interface=org.freedesk
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1/unit/session_2d12_2escope interface=org.freedesk
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1/job/1889 interface=org.freedesktop.DBus.Properties member=PropertiesChange
Jan 13 15:50:28 dev.local.test systemd[1211]: pam_sss(systemd-user:account): Access denied for user allowed_user@ad.test: 6 (Permission denied)
Jan 13 15:50:28 dev.local.test systemd[1211]: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved cookie=3359 r
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sending reply about created session: id=12 object_path=/org/freedesktop/login1/session/_312 uid=1202201112 runtime_path=/run/user/1202201112 session_fd=22 seat
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Sent message type=method_return sender=n/a destination=:1.73 object=n/a interface=n/a member=n/a cookie=317 reply_cookie=2 error=n/a
Jan 13 15:50:28 dev.local.test sshd[1208]: pam_unix(sshd:session): session opened for user allowed_user@ad.test by (uid=0)
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=org.freedesktop.DBus destination=n/a object=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameOwnerChanged cookie=
Jan 13 15:50:28 dev.local.test systemd-logind[386]: Got message type=signal sender=:1.0 destination=n/a object=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitRemoved cookie=3361
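How the "using default right" / "maps to Denied" pair in the domain log above comes about, and which configuration knobs change the outcome, as an added example. This is not SSSD's code and not the patch that closed this ticket: `DEFAULT_MAP` is an assumed stand-in for the per-right PAM service lists documented in sssd-ad(5) for the 1.12.x line (with systemd-user deliberately absent, as in the report), the GPO policy and user SIDs are constructed, and `SAMPLE_LOG` combines two lines from the ticket with constructed ones. The `+name`/`-name` override syntax is the documented one; treating a bare name list as a full replacement of the defaults is a modelling assumption.

```python
"""Model of how SSSD's GPO access control turns a PAM service name into a
Windows logon right, plus a triage helper for the failure in this ticket.
Added example, not SSSD's own code: DEFAULT_MAP is an assumed stand-in for
the sssd-ad(5) defaults of the 1.12.x line, the GPO policy and SIDs are
constructed, and SAMPLE_LOG mixes two lines from the ticket with constructed
ones."""

import re

# Assumed per-right defaults (stand-ins, not the authoritative lists).
# systemd-user is intentionally absent, which is the bug this ticket reports.
DEFAULT_MAP = {
    "interactive": ["login", "su", "su-l", "gdm-password", "kdm", "lightdm", "xdm"],
    "remote_interactive": ["sshd"],
    "network": ["ftp", "samba"],
    "batch": ["crond"],
    "service": [],
    "permit": ["polkit-1"],
    "deny": [],
}


def resolve_service_map(config):
    """Apply ad_gpo_map_<right> overrides and return {service: right}.

    "+name" adds to and "-name" removes from the default list; a bare name
    list is modelled as replacing the defaults outright (assumption).  A
    service mapped to two rights is a configuration error."""
    rights = {right: list(names) for right, names in DEFAULT_MAP.items()}
    for key, value in config.items():
        if not key.startswith("ad_gpo_map_"):
            continue
        right = key[len("ad_gpo_map_"):]
        if right not in rights:
            raise ValueError("unknown option " + key)
        entries = [e.strip() for e in value.split(",") if e.strip()]
        if entries and not all(e[0] in "+-" for e in entries):
            rights[right] = []  # bare list: replace the defaults (assumption)
        for entry in entries:
            if entry.startswith("-"):
                rights[right] = [s for s in rights[right] if s != entry[1:]]
            else:
                rights[right].append(entry.lstrip("+"))
    service_map = {}
    for right, names in rights.items():
        for name in names:
            if name in service_map:
                raise ValueError("%s mapped to both %s and %s" % (name, service_map[name], right))
            service_map[name] = right
    return service_map


def gpo_decision(service, user_sids, policy, config):
    """Outline of the SSSD GPO check: an unmapped service takes
    ad_gpo_default_right ("deny" unless configured); "permit"/"deny" are
    unconditional; any other right is granted only if one of the user's
    SIDs is in the GPO Allow list for that right and none is in its Deny
    list.  policy = {right: (allow_sids, deny_sids)}."""
    default_right = config.get("ad_gpo_default_right", "deny")
    right = resolve_service_map(config).get(service, default_right)
    if right == "permit":
        return True
    if right == "deny":
        return False
    allow, deny = policy.get(right, (set(), set()))
    sids = set(user_sids)
    return bool(sids & allow) and not (sids & deny)


# Only the two ad_gpo_access_send messages visible in the ticket are relied on.
_DEFAULT_RIGHT = re.compile(r"\[ad_gpo_access_send\] \(0x0400\): using default right")
_MAPS_TO = re.compile(r"\[ad_gpo_access_send\] \(0x0400\): service (\S+) maps to (\w+)")


def unmapped_services(log_lines):
    """Return {service: outcome} for services that fell through to the
    default right in an sssd domain log; each is a candidate for an
    ad_gpo_map_* entry rather than a GPO policy problem."""
    found, pending = {}, False
    for line in log_lines:
        if _DEFAULT_RIGHT.search(line):
            pending = True
            continue
        m = _MAPS_TO.search(line)
        if m:
            if pending:
                found[m.group(1)] = m.group(2)
            pending = False
    return found


# Constructed: the user's group SID is granted the remote-interactive right only.
USER_SIDS = ["S-1-5-21-1-2-3-1112"]
POLICY = {"remote_interactive": ({"S-1-5-21-1-2-3-1112"}, set())}

# Constructed sample: the first two lines are from the ticket, the rest are made up.
SAMPLE_LOG = [
    "(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ad_gpo_access_send] (0x0400): using default right",
    "(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ad_gpo_access_send] (0x0400): service systemd-user maps to Denied",
    "(Tue Jan 13 14:53:55 2015) [sssd[be[ad.test]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.",
    "(Tue Jan 13 14:55:02 2015) [sssd[be[ad.test]]] [ad_gpo_access_send] (0x0400): using default right",
    "(Tue Jan 13 14:55:02 2015) [sssd[be[ad.test]]] [ad_gpo_access_send] (0x0400): service my-backup-job maps to Denied",
]

if __name__ == "__main__":
    for svc, cfg in (("sshd", {}), ("systemd-user", {}),
                     ("systemd-user", {"ad_gpo_map_permit": "+systemd-user"})):
        verdict = "allowed" if gpo_decision(svc, USER_SIDS, POLICY, cfg) else "denied"
        print(svc, cfg or "(stock config)", "->", verdict)
    print("fell through to default right:", unmapped_services(SAMPLE_LOG))
```

In sssd.conf the two overrides modelled here are `ad_gpo_map_permit = +systemd-user` (grant the systemd-user account check unconditionally, on the grounds that sshd already enforced the GPO for the login) or `ad_gpo_map_interactive = +systemd-user` (require the GPO's "Allow log on locally" right as well); which list a given release ships systemd-user in is stated in that release's sssd-ad(5). `ad_gpo_default_right = permit` also makes the failure go away, but it drops the check for every unmapped PAM service, not just this one, and it never applies to a service that is already mapped.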

Fields changed

owner: somebody => preichl
patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.4
resolution: => fixed
status: new => closed

Fields changed

changelog: => pam_systemd.so no longer emits failures when GPO is in enforcing mode

Fields changed

rhbz: => 0

Metadata Update from @preichl:
- Issue assigned to preichl
- Issue set to the milestone: SSSD 1.12.4

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3598

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
