9:46 a.m.
Ubuntu systems use "unity" as their screen-locker. Without this in the
defaults,
people often get locked out of their machines when the screen locks.
Resolves:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1578415
5:55 a.m.
On (05/05/16 10:46), Stephen Gallagher wrote:
Ubuntu systems use "unity" as their screen-locker. Without
this in the defaults,
people often get locked out of their machines when the screen locks.
Resolves:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1578415
Patch is confirmed by reporter in launchpad
But they seems to have problem also with polkit-1
[sssd[be[INET.ACTIVARSAS.COM]]] [be_req_set_domain] (0x0400): Changing request domain from
[INET.ACTIVARSAS.COM] to [INET.ACTIVARSAS.COM]
[sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler] (0x0100): Got request with the following
data
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): domain: INET.ACTIVARSAS.COM
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): user: cvargasc
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): service: polkit-1
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): tty:
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): ruser: cvargasc
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): rhost:
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): authtok type: 0
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): priv: 0
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): cli_pid: 2431
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[INET.ACTIVARSAS.COM]]] [sdap_access_send] (0x0400): Performing access check for
user [cvargasc]
[sssd[be[INET.ACTIVARSAS.COM]]] [sdap_account_expired_ad] (0x0400): Performing AD access
check for user [cvargasc]
[sssd[be[INET.ACTIVARSAS.COM]]] [ad_gpo_access_send] (0x0400): using default right
[sssd[be[INET.ACTIVARSAS.COM]]] [ad_gpo_access_send] (0x0400): service polkit-1 maps to
Denied
[sssd[be[INET.ACTIVARSAS.COM]]] [ad_gpo_access_done] (0x0040): GPO-based access control
failed.
[sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler_callback] (0x0100): Backend returned: (0,
6, <NULL>) [Success]
[sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler_callback] (0x0100): Sending result
[6][INET.ACTIVARSAS.COM]
[sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler_callback] (0x0100): Sent result
[6][INET.ACTIVARSAS.COM]
Do we want to change it separate patch?
LS
5:58 a.m.
On May 6, 2016, at 6:55 AM, Lukas Slebodnik
<lslebodn(a)redhat.com> wrote:
> On (05/05/16 10:46), Stephen Gallagher wrote:
> Ubuntu systems use "unity" as their screen-locker. Without this in the
defaults,
> people often get locked out of their machines when the screen locks.
>
> Resolves:
> https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1578415
Patch is confirmed by reporter in launchpad
But they seems to have problem also with polkit-1
[sssd[be[INET.ACTIVARSAS.COM]]] [be_req_set_domain] (0x0400): Changing request domain
from [INET.ACTIVARSAS.COM] to [INET.ACTIVARSAS.COM]
[sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler] (0x0100): Got request with the following
data
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): domain: INET.ACTIVARSAS.COM
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): user: cvargasc
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): service: polkit-1
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): tty:
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): ruser: cvargasc
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): rhost:
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): authtok type: 0
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): priv: 0
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): cli_pid: 2431
[sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[INET.ACTIVARSAS.COM]]] [sdap_access_send] (0x0400): Performing access check for
user [cvargasc]
[sssd[be[INET.ACTIVARSAS.COM]]] [sdap_account_expired_ad] (0x0400): Performing AD access
check for user [cvargasc]
[sssd[be[INET.ACTIVARSAS.COM]]] [ad_gpo_access_send] (0x0400): using default right
[sssd[be[INET.ACTIVARSAS.COM]]] [ad_gpo_access_send] (0x0400): service polkit-1 maps to
Denied
[sssd[be[INET.ACTIVARSAS.COM]]] [ad_gpo_access_done] (0x0040): GPO-based access control
failed.
[sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler_callback] (0x0100): Backend returned: (0,
6, <NULL>) [Success]
[sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler_callback] (0x0100): Sending result
[6][INET.ACTIVARSAS.COM]
[sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler_callback] (0x0100): Sent result
[6][INET.ACTIVARSAS.COM]
Do we want to change it separate patch?
LS
The unity one seemed pretty generic, but I am not sure "polkit-1" is right for
upstream (since it sounds rather like an Ubuntu-ism". What do we call it in Fedora?
I guess as long as it isn't in conflict, we could merge it in here, though.
6:05 a.m.
On (06/05/16 06:58), Stephen Gallagher wrote:
> On May 6, 2016, at 6:55 AM, Lukas Slebodnik
<lslebodn(a)redhat.com> wrote:
>
>> On (05/05/16 10:46), Stephen Gallagher wrote:
>> Ubuntu systems use "unity" as their screen-locker. Without this in the
defaults,
>> people often get locked out of their machines when the screen locks.
>>
>> Resolves:
>> https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1578415
>
> Patch is confirmed by reporter in launchpad
>
> But they seems to have problem also with polkit-1
>
> [sssd[be[INET.ACTIVARSAS.COM]]] [be_req_set_domain] (0x0400): Changing request domain
from [INET.ACTIVARSAS.COM] to [INET.ACTIVARSAS.COM]
> [sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler] (0x0100): Got request with the
following data
> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): command:
SSS_PAM_ACCT_MGMT
> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): domain:
INET.ACTIVARSAS.COM
> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): user: cvargasc
> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): service: polkit-1
> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): tty:
> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): ruser: cvargasc
> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): rhost:
> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): authtok type: 0
> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): newauthtok type: 0
> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): priv: 0
> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): cli_pid: 2431
> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): logon name: not set
> [sssd[be[INET.ACTIVARSAS.COM]]] [sdap_access_send] (0x0400): Performing access check
for user [cvargasc]
> [sssd[be[INET.ACTIVARSAS.COM]]] [sdap_account_expired_ad] (0x0400): Performing AD
access check for user [cvargasc]
> [sssd[be[INET.ACTIVARSAS.COM]]] [ad_gpo_access_send] (0x0400): using default right
> [sssd[be[INET.ACTIVARSAS.COM]]] [ad_gpo_access_send] (0x0400): service polkit-1 maps
to Denied
> [sssd[be[INET.ACTIVARSAS.COM]]] [ad_gpo_access_done] (0x0040): GPO-based access
control failed.
> [sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler_callback] (0x0100): Backend returned:
(0, 6, <NULL>) [Success]
> [sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler_callback] (0x0100): Sending result
[6][INET.ACTIVARSAS.COM]
> [sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler_callback] (0x0100): Sent result
[6][INET.ACTIVARSAS.COM]
>
>
> Do we want to change it separate patch?
>
> LS
The unity one seemed pretty generic, but I am not sure "polkit-1" is right for
upstream (since it sounds rather like an Ubuntu-ism". What do we call it in Fedora?
I have no idea and I do not use gnome :-)
I guess as long as it isn't in conflict, we could merge it in
here, though.
OK, it can be a separate patch if needed.
unity patch was pushed to master:
89376da80b2250b82d256ea85ec349ce29fe5b51
Thank you very much
LS
8:54 a.m.
On 05/06/2016 07:05 AM, Lukas Slebodnik wrote:
On (06/05/16 06:58), Stephen Gallagher wrote:
>> On May 6, 2016, at 6:55 AM, Lukas Slebodnik <lslebodn(a)redhat.com> wrote:
>>
>>> On (05/05/16 10:46), Stephen Gallagher wrote:
>>> Ubuntu systems use "unity" as their screen-locker. Without this in
the defaults,
>>> people often get locked out of their machines when the screen locks.
>>>
>>> Resolves:
>>> https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1578415
>>
>> Patch is confirmed by reporter in launchpad
>>
>> But they seems to have problem also with polkit-1
>>
>> [sssd[be[INET.ACTIVARSAS.COM]]] [be_req_set_domain] (0x0400): Changing request
domain from [INET.ACTIVARSAS.COM] to [INET.ACTIVARSAS.COM]
>> [sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler] (0x0100): Got request with the
following data
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): command:
SSS_PAM_ACCT_MGMT
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): domain:
INET.ACTIVARSAS.COM
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): user: cvargasc
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): service: polkit-1
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): tty:
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): ruser: cvargasc
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): rhost:
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): authtok type: 0
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): newauthtok type: 0
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): priv: 0
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): cli_pid: 2431
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): logon name: not set
>> [sssd[be[INET.ACTIVARSAS.COM]]] [sdap_access_send] (0x0400): Performing access
check for user [cvargasc]
>> [sssd[be[INET.ACTIVARSAS.COM]]] [sdap_account_expired_ad] (0x0400): Performing AD
access check for user [cvargasc]
>> [sssd[be[INET.ACTIVARSAS.COM]]] [ad_gpo_access_send] (0x0400): using default
right
>> [sssd[be[INET.ACTIVARSAS.COM]]] [ad_gpo_access_send] (0x0400): service polkit-1
maps to Denied
>> [sssd[be[INET.ACTIVARSAS.COM]]] [ad_gpo_access_done] (0x0040): GPO-based access
control failed.
>> [sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler_callback] (0x0100): Backend
returned: (0, 6, <NULL>) [Success]
>> [sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler_callback] (0x0100): Sending
result [6][INET.ACTIVARSAS.COM]
>> [sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler_callback] (0x0100): Sent result
[6][INET.ACTIVARSAS.COM]
>>
>>
>> Do we want to change it separate patch?
>>
>> LS
>
>
> The unity one seemed pretty generic, but I am not sure "polkit-1" is right
for upstream (since it sounds rather like an Ubuntu-ism". What do we call it in
Fedora?
>
I have no idea and I do not use gnome :-)
> I guess as long as it isn't in conflict, we could merge it in here, though.
OK, it can be a separate patch if needed.
unity patch was pushed to master:
89376da80b2250b82d256ea85ec349ce29fe5b51
Thank you very much
I checked this morning and we call it polkit-1 on Fedora as well. (By the way,
polkit isn't GNOME-specific, it's a FreeDesktop project)
So, the more I think of this, the more I expect that we probably wouldn't want
to treat this as an interactive logon value. Polkit can function through remote
interfaces as well (such as SSH) because it has a text-based prompter as well.
I think the closest parallel for polkit-1 would be sudo, which we have mapped to
ad_gpo_map_permit defaults. Given that sudo and polkit are both access-control
mechanisms themselves, I think it's reasonable to trust their judgment rather
than SSSD's on whether to allow or deny. If you agree, I'll send another patch
to add it there.
2902
days inactive
2906
days old
sssd-devel@lists.fedorahosted.org
4 comments
2 participants
participants (2)
-
Lukas Slebodnik -
Stephen Gallagher