#8773 Add polkit rule to allow ipauser access to pcscd
Opened 3 years ago by hcoin. Modified 2 years ago

To correct

Mar 24 21:23:34 registry1.1.quietfountain.com pcscd[639]: 99999999 auth.c:137:IsClientAuthorized() Process 21266 (user: 971) is NOT authorized for action: access_pcsc

and related with dirsrv and pkiuser

create

/etc/polkit-1/rules.d/00-rss_allowpkiuser.rules

with

    polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_pcsc" ||
            action.id == "org.debian.pcsc-lite.access_card") {
            if ((subject.user == "pkiuser") || (subject.user == "dirsrv") || (subject.user == "ipaapi")) {
                return polkit.Result.YES;
            }
            polkit.log("action=" + action);
            polkit.log("subject=" + subject);
        }
    });
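
The rule proposed above can be exercised offline before it is placed in `/etc/polkit-1/rules.d/`. This is an added example, not part of the original report and not FreeIPA or polkit code: it loads the rule text into a stub `polkit` object and returns the decision for a given action and user. The stub object, `loadRules`, `evaluate` and the sample user `alice` are constructed for illustration.

```javascript
// Added test harness. The `polkit` object below is a minimal stand-in
// (assumption), not polkitd's implementation.
const RULE_SOURCE = `
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" ||
        action.id == "org.debian.pcsc-lite.access_card") {
        if ((subject.user == "pkiuser") || (subject.user == "dirsrv") || (subject.user == "ipaapi")) {
            return polkit.Result.YES;
        }
        polkit.log("action=" + action);
        polkit.log("subject=" + subject);
    }
});`;

// Run the rule text against a stub and collect registered rules and log output.
function loadRules(source) {
    const rules = [];
    const logs = [];
    const polkit = {
        Result: { NO: "no", YES: "yes", NOT_HANDLED: "not_handled" },
        addRule: (fn) => rules.push(fn),
        log: (msg) => logs.push(String(msg)),
    };
    new Function("polkit", source)(polkit);
    return { rules, logs };
}

// First rule that returns a decision wins; otherwise the request is not handled
// by these rules and the action's own defaults would apply.
function evaluate(loaded, actionId, user) {
    const action = { id: actionId, toString: () => `[Action id='${actionId}']` };
    const subject = { user: user, toString: () => `[Subject user='${user}']` };
    for (const rule of loaded.rules) {
        const result = rule(action, subject);
        if (result != null && result !== "not_handled") return result;
    }
    return "not_handled";
}

const loaded = loadRules(RULE_SOURCE);
const PCSC = "org.debian.pcsc-lite.access_pcsc";
for (const user of ["pkiuser", "dirsrv", "ipaapi", "alice"]) {
    console.log(user, PCSC, "->", evaluate(loaded, PCSC, user));
}
console.log("logged by rule:", loaded.logs);
```

Only the three named service accounts receive `yes`, and only for the two pcsc-lite actions; every other request falls through to the action's defaults, and the two `polkit.log` calls fire only for unlisted users requesting those actions.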


Metadata Update from @pcech:
- Issue set to the milestone: DNSSEC

3 years ago

Hi @hcoin
Can you give more information regarding this issue? I assume the message is seen in the journal but when does it happen?

I found an old email thread on freeipa-users with the same error, and it happened because inconsistent pki-* packages were installed, which resulted in a failure to start the pki-tomcatd server.

Is it the same issue? Please provide the freeipa/pki versions installed and the OS.
