#3932 MAN: Document that PAM stack contains the systemd-user service in the account phase in recent distributions
Closed: Fixed 2 years ago by mzidek. Opened 3 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1669407

Some distributions, like RHEL-8, add a new systemd-user service that is called by the systemd user session and includes system-auth. This means that the access control rules must also include the systemd-user service or else authentication fails.

We should probably document this at least for the purely client-side access control schemas like authorizedService. GPOs already include systemd-user as permit-by-default and IPA had changed its defaults to include this service as well.

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1669407

3 years ago

I would prefer if SSSD would always allow systemd-user access in HBAC rules. We are going to remove a special HBAC rule for systemd-user because there is no variability in that one, it has simply to be allowed always.

OK, adding a 'special rule' is fine with me (I would just open a separate ticket). I'd also like to get your opinion on two things:

1) do you feel we should also add a 'subfilter' for the systemd-user service for e.g. the authorizedServices LDAP attribute? Here I would personally say no, the LDAP filters are too 'low-level' and free-form in my opinion that I think we should not presume anything and just let admin configure them.

2) do you think this should be a RHEL-8.0 fix? IIRC you planned to fix systemd-user for 8.0, did that change?

I don't think (1) is needed to be done, indeed. I'd rather allow admins to have full control there.

For (2) -- it affects Fedora 29+ and RHEL 8 post-beta. We fixed RHEL 8 post-beta but I think now we want to remove that fix and also revert it upstream and instead rely on a fixed SSSD. The problem with an explicit HBAC rule is that it makes little sense for something which is a system-specific property which is pretty much not configurable. pam_systemd always launches systemd --user and the exact PAM service name is hardcoded in systemd source code:

src/login/pam_systemd.c:        if (streq_ptr(service, "systemd-user")) {

So I would consider this as a distribution specific detail as all systemd-based distributions will have it and the only difference is whether pam_systemd is included with required or optional line in PAM configuration, either forcing a failure or papering over it.

OK, I'll open another ticket. Thanks for the opinions.
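
Added example (not part of the ticket discussion and not SSSD code): a small audit of client-side authorizedService values that lists users who can reach a login service but would be denied the systemd-user PAM service. The evaluation order (explicit deny, then explicit allow, then allow-all) follows the description of ldap_user_authorized_service in sssd-ldap(5); the function names, the exact-match comparison and the sample entries are constructed for illustration.

```python
# Simplified model of the authorizedService access check, written for this
# ticket as an illustration. It is not taken from the SSSD source tree.
# Order per sssd-ldap(5): explicit deny (!svc) first, then explicit allow
# (svc), then allow-all (*). Anything else is denied.

SYSTEMD_USER = "systemd-user"  # PAM service name quoted from pam_systemd.c above


def service_allowed(authorized_services, pam_service):
    """Return True if pam_service passes the modelled authorizedService check."""
    # Assumption of this model: values are compared as exact strings.
    values = [v.strip() for v in authorized_services]
    if "!" + pam_service in values:
        return False          # explicit deny always wins
    if pam_service in values:
        return True           # explicit allow
    return "*" in values      # allow-all, otherwise deny (also when empty)


def audit_entries(entries, login_services=("sshd", "login")):
    """Return users allowed on a login service but denied systemd-user."""
    affected = []
    for user, services in entries.items():
        can_log_in = any(service_allowed(services, s) for s in login_services)
        if can_log_in and not service_allowed(services, SYSTEMD_USER):
            affected.append(user)
    return sorted(affected)


# Constructed sample data: user -> authorizedService values from LDAP.
SAMPLE_ENTRIES = {
    "alice": ["sshd"],                  # rule written before systemd-user existed
    "bob": ["sshd", "systemd-user"],    # explicitly updated
    "carol": ["*"],                     # allow-all covers systemd-user
    "dave": ["*", "!systemd-user"],     # explicit deny overrides allow-all
    "erin": [],                         # no values: denied everywhere
}

if __name__ == "__main__":
    for user in audit_entries(SAMPLE_ENTRIES):
        print(f"{user}: login service allowed, {SYSTEMD_USER} denied")
```

Whether a listed user actually fails to log in depends on whether pam_systemd is a required or optional line in the PAM configuration, as noted in the comment above.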

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.1
- Issue tagged with: docs

3 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.2 (was: SSSD 2.1)

3 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.3 (was: SSSD 2.2)

2 years ago

Metadata Update from @jhrozek:
- Issue assigned to jhrozek

2 years ago

Metadata Update from @mzidek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4912

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
