Re: Cannot call GetUnit method with ssh

On Fri, Mar 8, 2019 at 11:54 AM Lennart Poettering <lennart@xxxxxxxxxxxxxx> wrote:
On Fr, 08.03.19 16:05, Bao Nguyen (baondt@xxxxxxxxx) wrote:

> Hi Lennart,
>
> After debugging the problem, when I strace the busctl call method command:
>
> strace -f -tt busctl call org.freedesktop.systemd1
> /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager GetUnit s
> sys-devices-platform-serial8250-tty-ttyS6.device
>
>
> 07:54:32.027830 connect(3, {sa_family=AF_LOCAL,
> sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
> 07:54:32.028045 getsockopt(3, SOL_SOCKET, SO_PEERCRED, {pid=1, uid=0,
> gid=0}, [12]) = 0
> 07:54:32.028146 fstat(3, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> 07:54:32.028240 getsockopt(3, SOL_SOCKET, SO_ACCEPTCONN, [0], [4]) = 0
> 07:54:32.028369 getsockname(3, {sa_family=AF_LOCAL, NULL}, [2]) = 0
> 07:54:32.028477 geteuid()               = 701
> 07:54:32.028584 sendmsg(3, {msg_name(0)=NULL, msg_iov(3)=[{"\0AUTH EXTERNAL
> ", 15}, {"373031", 6}, {"\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n", 28}],
> msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 49
> 07:54:32.028854 gettid()                = 6861
> 07:54:32.028954 getrandom("f\7Wa\3512\306\316\3325\246\372\207\247\272(",
> 16, GRND_NONBLOCK) = 16
> *07:54:32.029115 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"REJECTED
> EXTERNAL DBUS_COOKIE_SH"..., 256}], msg_controllen=0,
> msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) =
> 82*
> *07:54:32.029230 writev(2, [{"Access denied", 13}, {"\n", 1}], 2Access
> denied*
>
> I can see that the "Access Denied" is thrown because the system dbus fails
> to authenticate NEGOTIATE_UNIX_FD sent from the client. It returns *REJECTED
> EXTERNAL DBUS_COOKIE_SH*. Could you please help to explain more why DBUS
> fails to authenticate? Is there any workaround to make it authenticate
> successfully? I restarted dbus and the error went away. Not sure why, and
> maybe restarting dbus is not a good WA to do.
>
> My system uses SSSD, PAM and LDAP to authenticate the user,

dbus-daemon resolves users mentioned in its policy files at
start-up. Are you referencing users that are defined in SSSD/LDAP? If
so, that's most likely your problem. You can't do that.

dbus policy can only reference users that are available locally at any
time, i.e. generally system users, not human users.

 
Hmm, but in this case, the client seems to be completely refused access to the bus – not just blocked by policy from sending some message. The system bus normally allows any user to connect (I mean, I have no problems accessing it from an LDAP account), so I'm not sure why the bus config should matter at this point.

--
Mantas Mikulėnas
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
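
The authentication bytes in the strace output above can be decoded directly. The following is an added example, not part of the thread: it joins the three `sendmsg()` buffers and parses the `recvmsg()` reply exactly as captured. The function names are hypothetical, and the reply is cut off in the capture, so its last token is left as shown.

```python
# Added example: decode the D-Bus SASL bytes from the strace in this thread.
# The byte strings are copied from the sendmsg()/recvmsg() lines above.
CLIENT_IOV = [b"\0AUTH EXTERNAL ", b"373031",
              b"\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n"]
SERVER_REPLY = b"REJECTED EXTERNAL DBUS_COOKIE_SH"  # cut off by strace


def decode_client(iov):
    """Return (commands, claimed_uid) from the client's first write."""
    data = b"".join(iov)
    if data[:1] != b"\0":
        raise ValueError("client stream must start with a NUL byte")
    commands = [c.decode("ascii") for c in data[1:].split(b"\r\n") if c]
    claimed_uid = None
    for cmd in commands:
        parts = cmd.split(" ")
        if parts[:2] == ["AUTH", "EXTERNAL"] and len(parts) == 3:
            # The initial response is hex of the uid written as decimal ASCII.
            claimed_uid = int(bytes.fromhex(parts[2]).decode("ascii"))
    return commands, claimed_uid


def decode_server(reply):
    """Parse the first server line; note whether the capture is complete."""
    complete = b"\r\n" in reply  # every protocol line ends in CRLF
    line = reply.split(b"\r\n", 1)[0].decode("ascii")
    verb, _, rest = line.partition(" ")
    return {"verb": verb, "args": rest.split(), "complete": complete}


def report(iov, reply, euid):
    """Summarise the exchange against the euid the process reported."""
    commands, uid = decode_client(iov)
    server = decode_server(reply)
    out = [f"client sent {len(b''.join(iov))} bytes: {commands}",
           f"claimed uid {uid}, geteuid() {euid}, match={uid == euid}",
           f"server said {server['verb']} {server['args']}"]
    if not server["complete"]:
        out.append("reply has no CRLF: the capture is truncated")
    return out


if __name__ == "__main__":
    print("\n".join(report(CLIENT_IOV, SERVER_REPLY, 701)))
```

strace printed only the first 32 bytes of the 82-byte reply; rerunning it with a larger `-s` value shows the whole line.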
