Hello.
The FreeIPA user has sudo rights on an Ubuntu 22.04 desktop machine that is in the FreeIPA Linux domain. It can do sudo su, sudo apt install…
But when starting some services and doing basic installation of applications from the market (in general, whenever GUI admin rights are involved), it asks for the local administrator password.
How can I fix this so that the user's password is requested from FreeIPA, or not at all?
On Fri, 05 Jan 2024, Dmitry Krasov via FreeIPA-users wrote:
Hello.
The FreeIPA user has sudo rights on an Ubuntu 22.04 desktop machine that is in the FreeIPA Linux domain. It can do sudo su, sudo apt install…
But when starting some services and doing basic installation of applications from the market (in general, whenever GUI admin rights are involved), it asks for the local administrator password.
How can I fix this so that the user's password is requested from FreeIPA, or not at all?
Please provide more details. A demonstration of what exactly is being done would definitely help, as well as journald logs (and sssd debug logs).
It is unclear what you mean by 'installation of application from the market', for example. What is that? If this means using snap or flatpak, how do those get integrated into the system?
I suspect what you see is that some of the PAM services on your Ubuntu system have no pam_sss reference and thus don't even invoke SSSD to perform authorization/authentication.
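As an added example (not code from the thread, SSSD or Ubuntu), here is a POSIX sh audit for exactly that suspicion: it lists the service files under a pam.d directory whose stack never reaches pam_sss, following Ubuntu's "@include common-*" and "auth include ..." lines one level deep, so you can see which PAM services would never consult SSSD at all. The sample pam.d tree it builds under mktemp for offline runs is constructed, and the service names in it (sudo, polkit-1, localonly) are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: list PAM services that never reach pam_sss.
# A service whose stack has no pam_sss line (directly or through Ubuntu's
# "@include common-*" / "auth include common-*" lines) never asks SSSD, so IPA
# users cannot authenticate through it no matter what HBAC or sudo rules say.
# Usage on a real host: sh audit-pam-sss.sh /etc/pam.d

# Return 0 if service file $2 in directory $1, or a file it includes, has an
# uncommented pam_sss reference; return 1 otherwise.
pam_file_uses_sss() {
    dir=$1
    file=$2
    [ -f "$dir/$file" ] || return 1
    grep -q '^[^#]*pam_sss' "$dir/$file" && return 0
    # Follow "@include NAME" and "TYPE include|substack NAME" one level deep,
    # which is as far as Ubuntu's common-* layout nests.
    for inc in $(awk '/^[[:space:]]*#/ {next}
                      $1 == "@include" {print $2}
                      $2 == "include" || $2 == "substack" {print $3}' "$dir/$file"); do
        [ -f "$dir/$inc" ] && grep -q '^[^#]*pam_sss' "$dir/$inc" && return 0
    done
    return 1
}

# Print the name of every service in directory $1 whose stack never reaches pam_sss.
# The common-* include files are skipped: they are not services themselves.
pam_services_without_sss() {
    for path in "$1"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        case "$name" in common-*) continue ;; esac
        pam_file_uses_sss "$1" "$name" || echo "$name"
    done
}

# Constructed sample pam.d tree for running this offline (names are assumed):
# sudo and polkit-1 inherit pam_sss from common-auth, localonly never uses it.
make_sample_pamd() {
    d=$(mktemp -d)
    printf 'auth\t[success=2 default=ignore]\tpam_unix.so nullok\nauth\t[success=1 default=ignore]\tpam_sss.so use_first_pass\nauth\trequisite\tpam_deny.so\n' > "$d/common-auth"
    printf '@include common-auth\n@include common-account\n' > "$d/sudo"
    printf 'auth\tinclude\tcommon-auth\n' > "$d/polkit-1"
    printf '# pam_sss.so is only mentioned in this comment\nauth\trequired\tpam_unix.so\n' > "$d/localonly"
    echo "$d"
}

# With no argument, run on the constructed sample; prints "localonly".
pam_services_without_sss "${1:-$(make_sample_pamd)}"
```

The comment test matters: a pam_sss line that is commented out is the usual way a service ends up local-only after a package upgrade or a hand edit, and a plain grep would report it as present.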
https://youtu.be/kwQrBfuzEcg?si=aLOfs5j3xXYoiWjL
"desktop" is a FreeIPA user and a local sudo admin through a sudo rule. "user special" is a local user and a local sudo admin.
-----------------------
sssd.log:
(2024-01-09 14:27:28): [sssd] [server_setup] (0x1f7c0): Starting with debug level = 0x0070
(2024-01-09 15:03:43): [sssd] [monitor_quit_signal] (0x1f7c0): Monitor received Завершено: terminating childr>
(2024-01-09 15:03:43): [sssd] [monitor_quit] (0x1f7c0): Returned with: 0
(2024-01-09 15:03:43): [sssd] [monitor_quit] (0x1f7c0): Terminating [pac][807]
(2024-01-09 15:03:43): [sssd] [monitor_quit] (0x1f7c0): Child [pac] exited gracefully
(2024-01-09 15:03:43): [sssd] [monitor_quit] (0x1f7c0): Terminating [sudo][806]
(2024-01-09 15:03:43): [sssd] [monitor_quit] (0x1f7c0): Child [sudo] exited gracefully
(2024-01-09 15:03:43): [sssd] [monitor_quit] (0x1f7c0): Terminating [ssh][805]
(2024-01-09 15:03:43): [sssd] [monitor_quit] (0x1f7c0): Child [ssh] exited gracefully
(2024-01-09 15:03:43): [sssd] [monitor_quit] (0x1f7c0): Terminating [pam][804]
(2024-01-09 15:03:43): [sssd] [monitor_quit] (0x1f7c0): Child [pam] exited gracefully
(2024-01-09 15:03:43): [sssd] [monitor_quit] (0x1f7c0): Terminating [nss][803]
(2024-01-09 15:03:43): [sssd] [monitor_quit] (0x1f7c0): Child [nss] exited gracefully
(2024-01-09 15:03:43): [sssd] [monitor_quit] (0x1f7c0): Terminating [dom.loc][745]
(2024-01-09 15:03:43): [sssd] [monitor_quit] (0x1f7c0): Child [dom.loc] exited gracefully
(2024-01-09 15:03:58): [sssd] [server_setup] (0x1f7c0): Starting with debug level = 0x0070
(2024-01-09 15:14:22): [sssd] [monitor_quit_signal] (0x1f7c0): Monitor received Завершено: terminating childr>
(2024-01-09 15:14:22): [sssd] [monitor_quit] (0x1f7c0): Returned with: 0
(2024-01-09 15:14:22): [sssd] [monitor_quit] (0x1f7c0): Terminating [pac][809]
(2024-01-09 15:14:22): [sssd] [monitor_quit] (0x1f7c0): Child [pac] exited gracefully
(2024-01-09 15:14:22): [sssd] [monitor_quit] (0x1f7c0): Terminating [sudo][808]
(2024-01-09 15:14:22): [sssd] [monitor_quit] (0x1f7c0): Child [sudo] exited gracefully
(2024-01-09 15:14:22): [sssd] [monitor_quit] (0x1f7c0): Terminating [ssh][807]
(2024-01-09 15:14:22): [sssd] [monitor_quit] (0x1f7c0): Child [ssh] exited gracefully
(2024-01-09 15:14:22): [sssd] [monitor_quit] (0x1f7c0): Terminating [pam][806]
(2024-01-09 15:14:22): [sssd] [monitor_quit] (0x1f7c0): Child [pam] exited gracefully
(2024-01-09 15:14:22): [sssd] [monitor_quit] (0x1f7c0): Terminating [nss][805]
(2024-01-09 15:14:22): [sssd] [monitor_quit] (0x1f7c0): Child [nss] exited gracefully
(2024-01-09 15:14:22): [sssd] [monitor_quit] (0x1f7c0): Terminating [dom.loc][748]
(2024-01-09 15:14:22): [sssd] [monitor_quit] (0x1f7c0): Child [dom.loc] exited gracefully
(2024-01-09 15:14:38): [sssd] [server_setup] (0x1f7c0): Starting with debug level = 0x0070
(2024-01-09 15:20:12): [sssd] [monitor_quit_signal] (0x1f7c0): Monitor received Завершено: terminating childr>
(2024-01-09 15:20:12): [sssd] [monitor_quit] (0x1f7c0): Returned with: 0
(2024-01-09 15:20:12): [sssd] [monitor_quit] (0x1f7c0): Terminating [pac][805]
(2024-01-09 15:20:12): [sssd] [monitor_quit] (0x1f7c0): Child [pac] exited gracefully
(2024-01-09 15:20:12): [sssd] [monitor_quit] (0x1f7c0): Terminating [sudo][804]
(2024-01-09 15:20:12): [sssd] [monitor_quit] (0x1f7c0): Child [sudo] exited gracefully
(2024-01-09 15:20:12): [sssd] [monitor_quit] (0x1f7c0): Terminating [ssh][803]
(2024-01-09 15:20:12): [sssd] [monitor_quit] (0x1f7c0): Child [ssh] exited gracefully
(2024-01-09 15:20:12): [sssd] [monitor_quit] (0x1f7c0): Terminating [pam][802]
(2024-01-09 15:20:12): [sssd] [monitor_quit] (0x1f7c0): Child [pam] exited gracefully
(2024-01-09 15:20:12): [sssd] [monitor_quit] (0x1f7c0): Terminating [nss][801]
(2024-01-09 15:20:12): [sssd] [monitor_quit] (0x1f7c0): Child [nss] exited gracefully
(2024-01-09 15:20:12): [sssd] [monitor_quit] (0x1f7c0): Terminating [dom.loc][755]
(2024-01-09 15:20:12): [sssd] [monitor_quit] (0x1f7c0): Child [dom.loc] exited gracefully
(2024-01-09 15:20:32): [sssd] [server_setup] (0x1f7c0): Starting with debug level = 0x0070
(2024-01-09 15:22:06): [sssd] [monitor_quit_signal] (0x1f7c0): Monitor received Завершено: terminating childr>
(2024-01-09 15:22:06): [sssd] [monitor_quit] (0x1f7c0): Returned with: 0
(2024-01-09 15:22:06): [sssd] [monitor_quit] (0x1f7c0): Terminating [pac][806]
(2024-01-09 15:22:06): [sssd] [monitor_quit] (0x1f7c0): Child [pac] exited gracefully
(2024-01-09 15:22:06): [sssd] [monitor_quit] (0x1f7c0): Terminating [sudo][805]
(2024-01-09 15:22:06): [sssd] [monitor_quit] (0x1f7c0): Child [sudo] exited gracefully
(2024-01-09 15:22:06): [sssd] [monitor_quit] (0x1f7c0): Terminating [ssh][804]
(2024-01-09 15:22:06): [sssd] [monitor_quit] (0x1f7c0): Child [ssh] exited gracefully
(2024-01-09 15:22:06): [sssd] [monitor_quit] (0x1f7c0): Terminating [pam][803]
(2024-01-09 15:22:07): [sssd] [monitor_quit] (0x1f7c0): Child [pam] exited gracefully
(2024-01-09 15:22:07): [sssd] [monitor_quit] (0x1f7c0): Terminating [nss][802]
(2024-01-09 15:22:07): [sssd] [monitor_quit] (0x1f7c0): Child [nss] exited gracefully
(2024-01-09 15:22:07): [sssd] [monitor_quit] (0x1f7c0): Terminating [dom.loc][741]
(2024-01-09 15:22:07): [sssd] [monitor_quit] (0x1f7c0): Child [dom.loc] exited gracefully
(2024-01-09 15:22:30): [sssd] [server_setup] (0x1f7c0): Starting with debug level = 0x0070
On Tue, 09 Jan 2024, Dmitry Krasov via FreeIPA-users wrote:
https://youtu.be/kwQrBfuzEcg?si=aLOfs5j3xXYoiWjL
"desktop" is a FreeIPA user and a local sudo admin through a sudo rule. "user special" is a local user and a local sudo admin.
sssd.log:
Please follow https://sssd.io/troubleshooting/basics.html on how to collect logs. You need sssd_*.log logs, in particular, sssd_dom.loc.log (for your domain dom.loc).
Other things to check: if you have disabled HBAC rule 'allow_all', then you need to create explicit HBAC rules for each PAM service involved. Assuming you have HBAC rule for 'sudo', do you have one for other PAM services used by those tools?
You can find what services were attempted by looking into the system journal with journalctl.
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
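To find which privileged operation polkit turned down and for whom, as an added example that is not from the thread: a sed filter that pulls the denied action, the requesting user and the command out of polkitd and pkexec journal lines. The two sample lines embedded in it are the polkitd and pkexec lines from the journal excerpt posted later in this thread; on a live host, pipe "journalctl -b _COMM=polkitd _COMM=pkexec" into it instead. The output format (DENIED/PKEXEC lines) is my own.

```shell
#!/bin/sh
# Added example, not from the thread: report the privileged operations polkit
# refused, from journal lines. On a live host:
#   journalctl -b _COMM=polkitd _COMM=pkexec | sh polkit-denials.sh -
# Each polkitd denial yields "DENIED user=... action=... cmd=..." and each pkexec
# failure "PKEXEC user=... target=... result=... cmd=..."; other lines are dropped.
polkit_failures() {
    sed -n \
        -e 's/.*polkitd.*FAILED to authenticate to gain authorization for action \([^ ]*\) for [^ ]* \[\(.*\)\] (owned by unix-user:\([^)]*\)).*/DENIED user=\3 action=\1 cmd="\2"/p' \
        -e 's/.*pkexec\[[0-9]*\]: \([^:]*\): Error executing command as another user: \(.*\) \[USER=\([^]]*\)\].*\[COMMAND=\(.*\)\].*/PKEXEC user=\1 target=\3 result="\2" cmd="\4"/p'
}

# Sample input: the two journal lines posted in this thread (not constructed).
SAMPLE='16:33:38 desktop22043.dom.loc polkitd(authority=local)[587]: Operator of unix-session:4 FAILED to authenticate to gain authorization for action org.fortinet.fortitray.quit for unix-process:3948:18923 [sh -c pkexec /bin/bash /opt/forticlient/stop-forticlient.sh] (owned by unix-user:desktop)
16:33:38 desktop22043.dom.loc pkexec[3949]: desktop: Error executing command as another user: Request dismissed [USER=root] [TTY=unknown] [CWD=/home/desktop] [COMMAND=/bin/bash /opt/forticlient/stop-forticlient.sh]'

# "-" reads the journal from stdin; with no argument the sample is processed.
if [ "${1:-}" = "-" ]; then
    polkit_failures
else
    printf '%s\n' "$SAMPLE" | polkit_failures
fi
```

The DENIED line names the polkit action id; that id is what "pkaction --verbose --action-id ID" takes to show whether the action's implicit authorization is auth_admin, which is the case where a non-administrator gets asked for somebody else's password.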
HBAC allow_all is enabled. I think everything is default, only the sudo rule from the video.
I did debug level 3...
sssd_dom.loc.log:
(2024-01-10 16:14:08): [be[dom.loc]] [sdap_dyndns_dns_addrs_done] (0x0040): [RID#62] Could not receive list of current addresses [5]: Input/output error
(2024-01-10 16:14:08): [be[dom.loc]] [ipa_dyndns_sdap_update_done] (0x0040): [RID#62] Dynamic DNS update failed [5]: Input/output error
(2024-01-10 16:14:08): [be[dom.loc]] [be_ptask_done] (0x0040): [RID#62] Task [Dyndns update]: failed with [5]: Input/output error
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-01-10 16:14:08): [be[dom.loc]] [sdap_id_op_destroy] (0x4000): [RID#62] releasing operation connection
* (2024-01-10 16:14:08): [be[dom.loc]] [be_ptask_done] (0x0040): [RID#62] Task [Dyndns update]: failed with [5]: Input/output error
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-01-10 16:14:09): [be[dom.loc]] [ipa_id_get_account_info_orig_done] (0x0080): [RID#69] Object not found, ending request
(2024-01-10 16:21:58): [be[dom.loc]] [ipa_hbac_evaluate_rules] (0x0080): [RID#94] Access granted by HBAC rule [allow_all]
(2024-01-10 16:21:58): [be[dom.loc]] [ipa_deskprofile_get_config_done] (0x0080): [RID#96] Server doesn't support Desktop Profile.
(2024-01-10 16:21:58): [be[dom.loc]] [ipa_hbac_evaluate_rules] (0x0080): [RID#97] Access granted by HBAC rule [allow_all]
-------------------------------------
sssd_pam.log:
(2024-01-10 16:28:09): [pam] [orderly_shutdown] (0x1f7c0): SIGTERM: killing children
(2024-01-10 16:28:09): [pam] [orderly_shutdown] (0x1f7c0): Shutting down (status = 0)
(2024-01-10 16:28:24): [pam] [server_setup] (0x1f7c0): Starting with deb>
(2024-01-10 16:28:25): [pam] [cache_req_common_process_dp_reply] (0x0040): [CID#1] CR #1: Could not get account info [1432158212]: SSSD is offline
-------------------------------------
journalctl -xe when I try to close FortiClient (doing a privileged action) and close the auth window:
16:31:26 desktop22043.dom.loc audit[800]: AVC apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd" name="/proc/3949/cmdline" pid=800 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
16:31:26 desktop22043.dom.loc kernel: audit: type=1400 audit(1704889886.433:219): apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd" name="/proc/3949/cmdline" pid=800 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
16:31:26 desktop22043.dom.loc audit[800]: AVC apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd" name="/proc/3952/cmdline" pid=800 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
16:31:26 desktop22043.dom.loc kernel: audit: type=1400 audit(1704889886.497:220): apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd" name="/proc/3952/cmdline" pid=800 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
---- auth window closed:
16:33:38 desktop22043.dom.loc polkitd(authority=local)[587]: Operator of unix-session:4 FAILED to authenticate to gain authorization for action org.fortinet.fortitray.quit for unix-process:3948:18923 [sh -c pkexec /bin/bash /opt/forticlient/stop-forticlient.sh] (owned by unix-user:desktop)
16:33:38 desktop22043.dom.loc pkexec[3949]: desktop: Error executing command as another user: Request dismissed [USER=root] [TTY=unknown] [CWD=/home/desktop] [COMMAND=/bin/bash /opt/forticlient/stop-forticlient.sh]
16:33:38 desktop22043.dom.loc Fortitray.desktop[3949]: Error executing command as another user: Request dismissed
On Wed, 10 Jan 2024, Dmitry Krasov via FreeIPA-users wrote:
HBAC allow_all is enabled. I think everything is default, only the sudo rule from the video.
I did debug level 3...
Please use debug level 9 and provide the full logs somewhere. You can send the link to the logs, or the logs themselves, off list; I'll continue in this thread with findings.
sssd_dom.loc.log https://codeshare.io/qP8rYx
sssd_pam.log https://codeshare.io/eVgexb
On Thu, 11 Jan 2024, Dmitry Krasov via FreeIPA-users wrote:
sssd_dom.loc.log https://codeshare.io/qP8rYx
sssd_pam.log https://codeshare.io/eVgexb
Is this user ('desktop') a member of any administrative groups?
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_eval_user_element] (0x1000): [RID#101] [2] groups for [desktop@dom.loc]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_eval_user_element] (0x1000): [RID#101] Added group [ipausers] for user [desktop]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_eval_user_element] (0x1000): [RID#101] Added group [desktop22043] for user [desktop]
....
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_req_debug_print] (0x2000): [RID#98] REQUEST:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] service [gdm-password]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] service_group (none)
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] user [desktop]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] user_group:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] [ipausers]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] [desktop22043]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] targethost [desktop22043.dom.loc]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] targethost_group:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] [desktop22043]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] srchost_group (none)
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_req_debug_print] (0x2000): [RID#98] request time 2024-01-11 15:01:26
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_debug_print] (0x2000): [RID#98] RULE [allow_all] [ENABLED]:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_debug_print] (0x2000): [RID#98] services:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_element_debug_print] (0x2000): [RID#98] category [0x1] [ALL]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_debug_print] (0x2000): [RID#98] users:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_element_debug_print] (0x2000): [RID#98] category [0x1] [ALL]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_debug_print] (0x2000): [RID#98] targethosts:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_element_debug_print] (0x2000): [RID#98] category [0x1] [ALL]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_debug_print] (0x2000): [RID#98] srchosts:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_element_debug_print] (0x2000): [RID#98] category [0x1] [ALL]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_evaluate] (0x0100): [RID#98] ALLOWED by rule [allow_all].
It seems it is a member of only two groups.
From your previous log, polkit was unable to authorize access using its own rules:
16:33:38 desktop22043.dom.loc polkitd(authority=local)[587]: Operator of unix-session:4 FAILED to authenticate to gain authorization for action org.fortinet.fortitray.quit for unix-process:3948:18923 [sh -c pkexec /bin/bash /opt/forticlient/stop-forticlient.sh] (owned by unix-user:desktop)
IIRC, if you didn't modify them, polkit's default configuration is to allow only administrative users to operate as another user (allow_active=auth_admin in polkit actions, see https://manpages.ubuntu.com/manpages/jammy/man8/polkit.8.html for details). The meaning of an administrative user is defined in polkit rules. For example, https://www.freeipa.org/page/Howto/FreeIPA_PolicyKit describes how you can add a rule that matches a certain IPA group (really, any group membership known on the system).
You can check which actions are allowed for your user 'desktop' by running
$ pkaction
as that user in their logged-in session.
See https://www.admin-magazine.com/Articles/Assigning-Privileges-with-sudo-and-P... for a somewhat detailed explanation of how this all works -- this is general enough to work with or without FreeIPA.
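The polkit side of this, as an added example (not the thread's, Ubuntu's or the FreeIPA howto's own code): the polkit shipped with Ubuntu 22.04 is 0.105, which takes its administrator identities from AdminIdentities= lines in /etc/polkit-1/localauthority.conf.d/*.conf and does not read JavaScript .rules files at all; rules.d support arrived in polkit 0.106, which is the form the howto linked above uses. The script below detects which form the installed polkit understands and writes a policy naming one IPA group as administrators, so that auth_admin actions prompt for that user's own password, which PAM then checks through pam_sss against FreeIPA. Both forms resolve the group through NSS, so a group served by SSSD qualifies. The group name ipa-desktop-admins, the file names 60-ipa-admin.conf and 49-ipa-admin.rules, and the version-string parsing are assumptions; with no arguments it writes into a throwaway directory rather than /etc/polkit-1.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA howto: make members of one IPA
# group polkit administrators. Names below (group, file names) are assumptions.
# Usage on a real host (as root):
#   sh ipa-polkit-admins.sh ipa-desktop-admins /etc/polkit-1
# Afterwards, as the IPA user, "pkaction --verbose --action-id ACTION" still shows
# the action's implicit authorization (auth_admin); the prompt for it should now
# accept that user's own password instead of a local administrator's.

# Return 0 if a polkit of this version reads JavaScript .rules files (polkit >= 0.106).
# Accepts "0.105", "124" or the full "pkaction version 0.105" line.
polkit_supports_js_rules() {
    v=${1#pkaction version }
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0     # no dot at all, e.g. "124"
    minor=${rest%%.*}
    [ "$major" -gt 0 ] || [ "$minor" -ge 106 ]
}

# polkit 0.105 (Ubuntu 22.04): AdminIdentities= in localauthority.conf.d. The files are
# read in lexical order and the last AdminIdentities= wins, so this file sorts after
# Ubuntu's 51-ubuntu-admin.conf and repeats the local groups that file grants, which
# would otherwise lose their administrator status.
write_admin_identities_conf() {
    confdir=$1
    group=$2
    printf '[Configuration]\nAdminIdentities=unix-group:sudo;unix-group:admin;unix-group:%s\n' \
        "$group" > "$confdir/60-ipa-admin.conf"
}

# polkit >= 0.106: the JavaScript rule form used by the FreeIPA howto.
write_admin_rule_js() {
    rulesdir=$1
    group=$2
    cat > "$rulesdir/49-ipa-admin.rules" <<EOF
/* Members of the IPA group "$group" are administrators for auth_admin actions. */
polkit.addAdminRule(function(action, subject) {
    if (subject.isInGroup("$group")) {
        return ["unix-group:$group"];
    }
});
EOF
}

# Write the form matching the installed polkit below <polkit_dir> (rules.d or
# localauthority.conf.d), creating the directory when missing, and print the path.
# When pkaction is not installed, the 22.04 version is assumed.
install_ipa_admin_policy() {
    group=$1
    polkit_dir=$2
    version=$(pkaction --version 2>/dev/null || echo "pkaction version 0.105")
    if polkit_supports_js_rules "$version"; then
        mkdir -p "$polkit_dir/rules.d"
        write_admin_rule_js "$polkit_dir/rules.d" "$group"
        echo "$polkit_dir/rules.d/49-ipa-admin.rules"
    else
        mkdir -p "$polkit_dir/localauthority.conf.d"
        write_admin_identities_conf "$polkit_dir/localauthority.conf.d" "$group"
        echo "$polkit_dir/localauthority.conf.d/60-ipa-admin.conf"
    fi
}

# Demo: with no arguments, write into a throwaway directory and show the result.
written=$(install_ipa_admin_policy "${1:-ipa-desktop-admins}" "${2:-$(mktemp -d)}")
echo "wrote $written:"
cat "$written"
```

Either file takes effect without a restart on the next authorization check, and "getent group ipa-desktop-admins" run on the client is the quick way to confirm that the group SSSD serves is visible to polkit's NSS lookup.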
https://youtu.be/-LlK_x4WaPI?si=3giEsGIxQVgoeEXD
Created the file on the client Ubuntu machine. But it still doesn't work. Also, it seems the code tags in this "Howto/FreeIPA and PolicyKit" page aren't quite correct.
Did I do everything right?
In journalctl -xe it seems like the same logs:
11:12:03 desktop22043.dom.loc kernel: audit: type=1400 audit(1705561923.050:266): apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd" name="/proc/4471/cmdline" pid=813 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
11:12:03 desktop22043.dom.loc audit[813]: AVC apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd" name="/proc/4474/cmdline" pid=813 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
11:12:03 desktop22043.dom.loc kernel: audit: type=1400 audit(1705561923.078:267): apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd" name="/proc/4474/cmdline" pid=813 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
11:12:06 desktop22043.dom.loc polkitd(authority=local)[644]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.fortinet.fortitray.quit for unix-process:4470:92693 [sh -c pkexec /bin/bash /opt/forticlient/stop-forticlient.sh] (owned by unix-user:desktop)
11:12:06 desktop22043.dom.loc pkexec[4471]: desktop: Error executing command as another user: Request dismissed [USER=root] [TTY=unknown] [CWD=/home/desktop] [COMMAND=/bin/bash /opt/forticlient/stop-forticlient.sh]
11:12:06 desktop22043.dom.loc Fortitray.desktop[4471]: Error executing command as another user: Request dismissed