On (06/05/16 06:58), Stephen Gallagher wrote:
>> On May 6, 2016, at 6:55 AM, Lukas Slebodnik <lslebodn(a)redhat.com> wrote:
>>
>>> On (05/05/16 10:46), Stephen Gallagher wrote:
>>> Ubuntu systems use "unity" as their screen-locker. Without this in the defaults,
>>> people often get locked out of their machines when the screen locks.
>>>
>>> Resolves:
>>>
>>> https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1578415
>>
>> Patch is confirmed by reporter in launchpad
>>
>> But they seem to have a problem also with polkit-1
>>
>> [sssd[be[INET.ACTIVARSAS.COM]]] [be_req_set_domain] (0x0400): Changing request domain from [INET.ACTIVARSAS.COM] to [INET.ACTIVARSAS.COM]
>> [sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler] (0x0100): Got request with the following data
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): domain: INET.ACTIVARSAS.COM
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): user: cvargasc
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): service: polkit-1
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): tty:
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): ruser: cvargasc
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): rhost:
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): authtok type: 0
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): newauthtok type: 0
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): priv: 0
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): cli_pid: 2431
>> [sssd[be[INET.ACTIVARSAS.COM]]] [pam_print_data] (0x0100): logon name: not set
>> [sssd[be[INET.ACTIVARSAS.COM]]] [sdap_access_send] (0x0400): Performing access check for user [cvargasc]
>> [sssd[be[INET.ACTIVARSAS.COM]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [cvargasc]
>> [sssd[be[INET.ACTIVARSAS.COM]]] [ad_gpo_access_send] (0x0400): using default right
>> [sssd[be[INET.ACTIVARSAS.COM]]] [ad_gpo_access_send] (0x0400): service polkit-1 maps to Denied
>> [sssd[be[INET.ACTIVARSAS.COM]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
>> [sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
>> [sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler_callback] (0x0100): Sending result [6][INET.ACTIVARSAS.COM]
>> [sssd[be[INET.ACTIVARSAS.COM]]] [be_pam_handler_callback] (0x0100): Sent result [6][INET.ACTIVARSAS.COM]
>>
>>
>> Do we want to change it in a separate patch?
>>
>> LS
>
>
> The unity one seemed pretty generic, but I am not sure "polkit-1" is right
> for upstream (since it sounds rather like an Ubuntu-ism). What do we call it in
> Fedora?
>
I have no idea and I do not use gnome :-)
> I guess as long as it isn't in conflict, we could merge it in here, though.
OK, it can be a separate patch if needed.
The unity patch was pushed to master:
89376da80b2250b82d256ea85ec349ce29fe5b51
Thank you very much.
I checked this morning and we call it polkit-1 on Fedora as well. (By the way,
polkit isn't GNOME-specific, it's a FreeDesktop project)
So, the more I think of this, the more I expect that we probably wouldn't want
to treat this as an interactive logon value. Polkit can function through remote
interfaces as well (such as SSH) because it has a text-based prompter as well.
I think the closest parallel for polkit-1 would be sudo, which we have mapped to
ad_gpo_map_permit defaults. Given that sudo and polkit are both access-control
mechanisms themselves, I think it's reasonable to trust their judgment rather
than SSSD's on whether to allow or deny. If you agree, I'll send another patch
to add it there.
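To make the mapping decision behind the "service polkit-1 maps to Denied" log line concrete, here is a small Python model of how the AD provider turns a PAM service name into a logon right, and how the ad_gpo_map_* and ad_gpo_default_right options change that outcome. This is an added example, not SSSD's own code: the default service lists are a constructed, partial subset built from the services named in this thread (unity in the interactive list, sudo in the permit list, polkit-1 in none), not the full upstream defaults.

```python
# Added example (not SSSD's own code): a model of the AD GPO access-control
# step that maps a PAM service name to a logon right. The DEFAULT_MAP below is
# a constructed, partial subset of the real defaults, sufficient to show why an
# unmapped service such as polkit-1 falls through to the default right (deny)
# and how "ad_gpo_map_permit = +polkit-1" changes that.

from typing import Dict, Set, Tuple

# Logon-right buckets, named after the ad_gpo_map_<right> option suffixes.
RIGHTS = ("interactive", "remote_interactive", "network", "batch",
          "service", "permit", "deny")

# Constructed, partial defaults (assumption, not the full upstream list).
DEFAULT_MAP: Dict[str, Set[str]] = {
    "interactive":        {"login", "gdm-password", "unity"},
    "remote_interactive": {"sshd"},
    "network":            set(),
    "batch":              set(),
    "service":            set(),
    "permit":             {"sudo", "sudo-i"},
    "deny":               set(),
}


def apply_map_option(defaults: Set[str], value: str) -> Set[str]:
    """Apply one ad_gpo_map_<right> value to its default list.

    Entries prefixed with '+' are added to the defaults, '-' removes them,
    and an unprefixed comma-separated list replaces the defaults entirely.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if entries and all(e[0] in "+-" for e in entries):
        result = set(defaults)
        for e in entries:
            if e[0] == "+":
                result.add(e[1:])
            else:
                result.discard(e[1:])
        return result
    return set(entries)


def build_service_map(config: Dict[str, str]) -> Dict[str, Set[str]]:
    """Build the effective right -> services table from a [domain/...]
    section given as a dict of option name to raw option value."""
    table: Dict[str, Set[str]] = {}
    for right in RIGHTS:
        option = f"ad_gpo_map_{right}"
        if option in config:
            table[right] = apply_map_option(DEFAULT_MAP[right], config[option])
        else:
            table[right] = set(DEFAULT_MAP[right])
    return table


def lookup_right(service: str, table: Dict[str, Set[str]],
                 default_right: str) -> str:
    """Find the first right whose list names the service; otherwise fall back
    to the default right (the "using default right" line in the log)."""
    for right in RIGHTS:
        if service in table[right]:
            return right
    return default_right


def decide(service: str, config: Dict[str, str]) -> Tuple[str, str]:
    """Return (logon right, outcome) for a PAM service under a given config.

    'permit' and 'deny' are terminal; any other right would be checked
    against the GPO's allow/deny logon-right lists for the user.
    """
    table = build_service_map(config)
    right = lookup_right(service, table,
                         config.get("ad_gpo_default_right", "deny"))
    if right == "permit":
        return right, "Allowed"
    if right == "deny":
        return right, "Denied"
    return right, f"evaluate GPO {right} logon right"


if __name__ == "__main__":
    # Reproduces the thread: unmapped polkit-1 is denied by default, and
    # adding it to ad_gpo_map_permit (the approach suggested above) allows it.
    print("polkit-1, stock config:", decide("polkit-1", {}))
    print("polkit-1, permit added:",
          decide("polkit-1", {"ad_gpo_map_permit": "+polkit-1"}))
    print("unity, stock config:", decide("unity", {}))
```

The `+`/`-` handling matters in practice: writing `ad_gpo_map_permit = polkit-1` (no plus sign) replaces the default permit list, silently dropping sudo from it, whereas `+polkit-1` extends it.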