Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1669407
Some distributions, like RHEL-8, add a new systemd-user service that is called by the systemd user session and includes system-auth. This means that the access control rules must also include the systemd-user service, or else authentication fails.
We should probably document this at least for the purely client-side access control schemas like authorizedService. GPOs already include systemd-user as permit-by-default and IPA had changed its defaults to include this service as well.
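As an added illustration (not from the ticket or the SSSD project), an sssd.conf fragment using the purely client-side authorizedService scheme mentioned above; the domain name is a placeholder, and the attribute values shown in the comments are a constructed user entry:

```ini
# Added example, not from the ticket. Domain name is an assumption.
[domain/example.com]
id_provider = ldap
auth_provider = ldap
access_provider = ldap

# Client-side check: SSSD compares the PAM service name of the login
# against the values of the user's authorizedService attribute.
ldap_access_order = authorized_service
ldap_user_authorized_service = authorizedService

# On RHEL 8 / Fedora 29+ the user session also opens the "systemd-user"
# PAM service via pam_systemd, so a user entry that only grants
#   authorizedService: sshd
# is denied on that second PAM check. The entry has to grant both:
#   authorizedService: sshd
#   authorizedService: systemd-user
# (With pam_systemd marked "optional" the failure is only logged;
# with "required" the whole login fails.)
```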
Metadata Update from @jhrozek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1669407
I would prefer if SSSD would always allow systemd-user access in HBAC rules. We are going to remove a special HBAC rule for systemd-user because there is no variability in that one; it simply has to be allowed always.
OK, adding a 'special rule' is fine with me (I would just open a separate ticket). I'd also like to get your opinion on two things:
1) do you feel we should also add a 'subfilter' for the systemd-user service for e.g. the authorizedServices LDAP attribute? Here I would personally say no; the LDAP filters are too 'low-level' and free-form in my opinion, so I think we should not presume anything and just let the admin configure them.
2) do you think this should be a RHEL-8.0 fix? IIRC you planned to fix systemd-user for 8.0, did that change?
I don't think (1) needs to be done, indeed. I'd rather allow admins to have full control there.
For (2) -- it affects Fedora 29+ and RHEL 8 post-beta. We fixed RHEL 8 post-beta, but I think now we want to remove that fix and also revert it upstream and instead rely on a fixed SSSD. The problem with an explicit HBAC rule is that it makes little sense for something which is a system-specific property which is pretty much not configurable. pam_systemd always launches systemd --user, and the exact PAM service name is hardcoded in the systemd source code:
src/login/pam_systemd.c: if (streq_ptr(service, "systemd-user")) {
So I would consider this a distribution-specific detail, as all systemd-based distributions will have it and the only difference is whether pam_systemd is included with a required or an optional line in the PAM configuration, either forcing a failure or papering over it.
OK, I'll open another ticket. Thanks for the opinions.
Issue #3933 created.
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 2.1 - Issue tagged with: docs
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 2.2 (was: SSSD 2.1)
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 2.3 (was: SSSD 2.2)
Metadata Update from @jhrozek: - Issue assigned to jhrozek
PR: https://github.com/SSSD/sssd/pull/845
master: 820151f
Metadata Update from @mzidek: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: https://github.com/SSSD/sssd/issues/4912
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.