Gentoo Forums
SOLVED systemd - authentication problems

imesg
Guru
Joined: 12 Jul 2002
Posts: 444

Posted: Tue Aug 13, 2013 1:18 am    Post subject: SOLVED systemd - authentication problems

Several things require authentication and some don't work. I think it is a permissions problem.

When I insert a usb flash drive I have to authenticate to mount it. If I want to restart my laptop I have to authenticate. NetworkManager/nm-applet will not let me disconnect from one network and connect to another. However in Network Settings I can disconnect from my home network but it immediately reconnects. If I turn on tethering on my phone I can see that network but cannot connect to it or edit the configuration. My session settings are not persistent over reboots.

I have just installed systemd and gnome 3.8 ~amd64 on a new laptop. I am almost sure that it is some permission problem but don't know exactly where to start.

Any help would be appreciated. I can supply any information, I just need to know what that is.

Thanks

Gene


Last edited by imesg on Tue Aug 13, 2013 8:56 pm; edited 1 time in total

TomWij
Retired Dev
Joined: 04 Jul 2012
Posts: 1553

Posted: Tue Aug 13, 2013 10:14 am

Did you add your user to the necessary groups?

SamuliSuominen
Retired Dev
Joined: 30 Sep 2005
Posts: 2133
Location: Finland

Posted: Tue Aug 13, 2013 11:30 am

TomWij wrote:
Did you add your user to the necessary groups?


What do you mean? We haven't used groups for this type of authentication since HAL. Instead, ConsoleKit or systemd-logind will tell PolicyKit the user is local and give permissions based on that.

With ConsoleKit it would be,

Code:

$ ck-list-sessions


With systemd-logind it would be,

Code:

$ loginctl show-session


I might have typed the loginctl parameters wrong, I don't have a system running now to double-check. Either command should show something like 'local = yes' and 'active = yes' or otherwise PolicyKit thinks the user is remote, and never gives permissions for local things like restart/shutdown etc.

TomWij
Retired Dev
Joined: 04 Jul 2012
Posts: 1553

Posted: Tue Aug 13, 2013 12:12 pm

ssuominen wrote:
TomWij wrote:
Did you add your user to the necessary groups?


What do you mean? We haven't used groups for this type of authentication since HAL. Instead, ConsoleKit or systemd-logind will tell PolicyKit the user is local and give permissions based on that.


We still do, take for example the checks for the plugdev and wheel groups below.

Code:
 # less /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.settings.modify.system.rules
// Let users in plugdev group modify NetworkManager
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
        subject.isInGroup("plugdev") && subject.active) {
        return "yes";
    }
});


where the defaults in /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy make sure people need to go through the above policy.

Code:
 # less /usr/share/polkit-1/rules.d/gnome-control-center.rules
polkit.addRule(function(action, subject) {
        if ((action.id == "org.freedesktop.locale1.set-locale" ||
             action.id == "org.freedesktop.locale1.set-keyboard" ||
             action.id == "org.freedesktop.hostname1.set-static-hostname" ||
             action.id == "org.freedesktop.hostname1.set-hostname") &&
            subject.local &&
            subject.active &&
            subject.isInGroup ("wheel")) {
                    return polkit.Result.YES;
            }
});


where the defaults in /usr/share/polkit-1/actions/org.gnome.controlcenter.*.policy make sure people need to go through the above policy.

Of course the alternative is to add new policies to /etc/polkit-1/rules.d/ that are not based on such checks; the user has the freedom to decide if he wants to use groups, policies or something else to manage this.

But there are policies like the above in place so upstream can simplify support by asking to add the user to the group, because most of the users will not want to learn and write policies if a more simple approach exists.

imesg
Guru
Joined: 12 Jul 2002
Posts: 444

Posted: Tue Aug 13, 2013 4:25 pm

TomWij wrote:
ssuominen wrote:
TomWij wrote:
Did you add your user to the necessary groups?


What do you mean? We haven't used groups for this type of authentication since HAL. Instead, ConsoleKit or systemd-logind will tell PolicyKit the user is local and give permissions based on that.


We still do, take for example the checks for the plugdev and wheel groups below.


Code:
root@go:~# groups gene
lp wheel audio cdrom video cdrw usb portage messagebus plugdev users


Quote:

Code:
 # less /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.settings.modify.system.rules
// Let users in plugdev group modify NetworkManager
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
        subject.isInGroup("plugdev") && subject.active) {
        return "yes";
    }
});


where the defaults in /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy make sure people need to go through the above policy.


My user is in the group. How do I find out if my user is 'active'? From ssuominen's post it looks like loginctl show-session might be the place:

Code:
gene@go:~# loginctl show-session 1
Id=1
Timestamp=Tue 2013-08-13 09:31:27 CDT
TimestampMonotonic=19114529
VTNr=1
TTY=/dev/tty1
Remote=no
Service=login
Scope=session-1.scope
Leader=175
Audit=1
Type=tty
Class=user
Active=no
State=online
IdleHint=no
IdleSinceHint=1376408840671985
IdleSinceHintMonotonic=4513057157
Name=gene


Looks like user "gene" is not active. How do I make "gene" active?


Quote:

Code:
 # less /usr/share/polkit-1/rules.d/gnome-control-center.rules
polkit.addRule(function(action, subject) {
        if ((action.id == "org.freedesktop.locale1.set-locale" ||
             action.id == "org.freedesktop.locale1.set-keyboard" ||
             action.id == "org.freedesktop.hostname1.set-static-hostname" ||
             action.id == "org.freedesktop.hostname1.set-hostname") &&
            subject.local &&
            subject.active &&
            subject.isInGroup ("wheel")) {
                    return polkit.Result.YES;
            }
});


where the defaults in /usr/share/polkit-1/actions/org.gnome.controlcenter.*.policy make sure people need to go through the above policy.


I think I know what the subject lines mean but not the action.id lines. Can you elucidate?

Quote:

Of course the alternative is to add new policies to /etc/polkit-1/rules.d/ that are not based on such checks; the user has the freedom to decide if he wants to use groups, policies or something else to manage this.

But there are policies like the above in place so upstream can simplify support by asking to add the user to the group, because most of the users will not want to learn and write policies if a more simple approach exists.


As a reply to this last statement, why would someone make it so difficult to write a policy? Configuration should be easy.

That said thanks TomWij for your help.

Gene

SamuliSuominen
Retired Dev
Joined: 30 Sep 2005
Posts: 2133
Location: Finland

Posted: Tue Aug 13, 2013 4:54 pm

TomWij wrote:
ssuominen wrote:
TomWij wrote:
Did you add your user to the necessary groups?


What do you mean? We haven't used groups for this type of authentication since HAL. Instead, ConsoleKit or systemd-logind will tell PolicyKit the user is local and give permissions based on that.


We still do, take for example the checks for the plugdev and wheel groups below.

Code:
 # less /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.settings.modify.system.rules
// Let users in plugdev group modify NetworkManager
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
        subject.isInGroup("plugdev") && subject.active) {
        return "yes";
    }
});


where the defaults in /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy make sure people need to go through the above policy.

Code:
 # less /usr/share/polkit-1/rules.d/gnome-control-center.rules
polkit.addRule(function(action, subject) {
        if ((action.id == "org.freedesktop.locale1.set-locale" ||
             action.id == "org.freedesktop.locale1.set-keyboard" ||
             action.id == "org.freedesktop.hostname1.set-static-hostname" ||
             action.id == "org.freedesktop.hostname1.set-hostname") &&
            subject.local &&
            subject.active &&
            subject.isInGroup ("wheel")) {
                    return polkit.Result.YES;
            }
});


where the defaults in /usr/share/polkit-1/actions/org.gnome.controlcenter.*.policy make sure people need to go through the above policy.

Of course the alternative is to add new policies to /etc/polkit-1/rules.d/ that are not based on such checks; the user has the freedom to decide if he wants to use groups, policies or something else to manage this.

But there are policies like the above in place so upstream can simplify support by asking to add the user to the group, because most of the users will not want to learn and write policies if a more simple approach exists.


Indeed, I forgot 'plugdev' will give extra authorization for NetworkManager to add/remove networks, and didn't know GNOME makes use of 'wheel'.
However, both of those are adding extra bits for local users, so my previous post mostly still stands.

SamuliSuominen
Retired Dev
Joined: 30 Sep 2005
Posts: 2133
Location: Finland

Posted: Tue Aug 13, 2013 4:57 pm

imesg wrote:
Looks like user "gene" is not active. How do I make "gene" active?


Well, you need to have sys-auth/pambase with USE="systemd" and kernel with CONFIG_AUDITSYSCALL=y kernel option for the pam_systemd.so module to work.
And then you need to log in to the GNOME desktop in a correct way, so that systemd-logind is being used, for example using GDM which has internal support for systemd-logind.

Anyways, I'm better with ConsoleKit than systemd-logind, so I'll let others take you the rest of the way. Good luck getting your user active! :P

imesg
Guru
Joined: 12 Jul 2002
Posts: 444

Posted: Tue Aug 13, 2013 6:13 pm

ssuominen wrote:
imesg wrote:
Looks like user "gene" is not active. How do I make "gene" active?


Well, you need to have sys-auth/pambase with USE="systemd" and kernel with CONFIG_AUDITSYSCALL=y kernel option for the pam_systemd.so module to work.
And then you need to log in to the GNOME desktop in a correct way, so that systemd-logind is being used, for example using GDM which has internal support for systemd-logind.

Anyways, I'm better with ConsoleKit than systemd-logind, so I'll let others take you the rest of the way. Good luck getting your user active! :P


USE and kernel are configured the way you say. I however use startx instead of one of the graphical logins. Turns out there are other problems. I found in the Red Hat forums a discussion of what is happening and a workaround for now.

The fix for me:
gene@go:~# tty
/dev/tty1
gene@go:~# startx -- vt01

This makes user gene "Active=yes".

First discussion
Second discussion (contains the tmp fix)

This works for me now. Would like to have something a little more substantial.

Now on to my next problem with systemd and gnome 3.8.
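
The diagnosis reached in this thread, as an added example that is not code from any poster or from polkit: a simplified model that feeds the quoted `loginctl show-session` properties into the two quoted rules, showing that group membership alone does not authorize an inactive session. The helper names, the mapping of `Remote`/`Active` onto `subject.local`/`subject.active`, and the `ASSUMED_DEFAULT` fallback value are assumptions of this model.

```javascript
// Simplified model of polkit rule evaluation (added example, not polkit's code).
// Constructed sample: subset of the `loginctl show-session 1` output in the thread.
const SAMPLE_SESSION = "Id=1\nVTNr=1\nTTY=/dev/tty1\nRemote=no\nActive=no\nName=gene";
const GENE_GROUPS =
  "lp wheel audio cdrom video cdrw usb portage messagebus plugdev users".split(" ");

// Parse the KEY=VALUE lines printed by `loginctl show-session`.
function parseSession(text) {
  const props = {};
  for (const line of text.split("\n")) {
    const i = line.indexOf("=");
    if (i > 0) props[line.slice(0, i).trim()] = line.slice(i + 1).trim();
  }
  return props;
}

// Subject as the rules see it. Assumption of this model: local/active are
// derived from the session's Remote/Active properties, never from groups.
function makeSubject(props, groups) {
  return {
    local: props.Remote === "no",
    active: props.Active === "yes",
    isInGroup: (g) => groups.includes(g),
  };
}

// Stand-in for the rules API, loaded with the two rules quoted in the thread
// (the second is reduced to one of its four action ids).
const rules = [];
const polkit = { Result: { YES: "yes" }, addRule: (fn) => rules.push(fn) };
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
      subject.isInGroup("plugdev") && subject.active) return "yes";
});
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.hostname1.set-hostname" &&
      subject.local && subject.active && subject.isInGroup("wheel")) return polkit.Result.YES;
});

// Rules run in order until one returns a value; otherwise the action's default
// from its .policy file applies. "auth_admin" is an assumed stand-in for it.
const ASSUMED_DEFAULT = "auth_admin";
function authorize(actionId, subject) {
  for (const rule of rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined) return result;
  }
  return ASSUMED_DEFAULT;
}

const gene = makeSubject(parseSession(SAMPLE_SESSION), GENE_GROUPS);
console.log(authorize("org.freedesktop.NetworkManager.settings.modify.system", gene));
```

With `Active=no` both rules fall through to the default and the user is prompted; changing only that property to `yes` makes the same groups sufficient.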

All times are GMT