imesg Guru
Joined: 12 Jul 2002 Posts: 445
Posted: Tue Aug 13, 2013 1:18 am Post subject: SOLVED systemd - authentication problems |
Several things require authentication and some don't work. I think it is a permissions problem.
When I insert a usb flash drive I have to authenticate to mount it. If I want to restart my laptop I have to authenticate. NetworkManager/nm-applet will not let me disconnect from one network and connect to another. However in Network Settings I can disconnect from my home network but it immediately reconnects. If I turn on tethering on my phone I can see that network but cannot connect to it or edit the configuration. My session settings are not persistent over reboots.
I have just installed systemd and gnome 3.8 ~amd64 on a new laptop. I am almost sure that it is some permission problem but don't know exactly where to start.
Any help would be appreciated. I can supply any information, I just need to know what that is.
Thanks
Gene
Last edited by imesg on Tue Aug 13, 2013 8:56 pm; edited 1 time in total |
TomWij Retired Dev
Joined: 04 Jul 2012 Posts: 1553
Posted: Tue Aug 13, 2013 10:14 am Post subject: |
Did you add your user to the necessary groups? |
SamuliSuominen Retired Dev
Joined: 30 Sep 2005 Posts: 2133 Location: Finland
Posted: Tue Aug 13, 2013 11:30 am Post subject: |
TomWij wrote: | Did you add your user to the necessary groups? |
What do you mean? We haven't used groups for this type of authentication since HAL. Instead, ConsoleKit or systemd-logind will tell PolicyKit the user is local and give permissions based on that.
With ConsoleKit it would be,
With systemd-logind it would be,
Code: |
$ loginctl show-session
|
I might have typed the loginctl parameters wrong, I don't have a system running now to double-check. Either command should show something like 'local = yes' and 'active = yes' or otherwise PolicyKit thinks the user is remote, and never gives permissions for local things like restart/shutdown etc. |
TomWij Retired Dev
Joined: 04 Jul 2012 Posts: 1553
Posted: Tue Aug 13, 2013 12:12 pm Post subject: |
ssuominen wrote: | TomWij wrote: | Did you add your user to the necessary groups? |
What do you mean? We haven't used groups for this type of authentication since HAL. Instead, ConsoleKit or systemd-logind will tell PolicyKit the user is local and give permissions based on that. |
We still do, take for example the checks for the plugdev and wheel groups below.
Code: | # less /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.settings.modify.system.rules
// Let users in plugdev group modify NetworkManager
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
        subject.isInGroup("plugdev") && subject.active) {
        return "yes";
    }
}); |
where the defaults in /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy make sure people need to go through the above policy.
Code: | # less /usr/share/polkit-1/rules.d/gnome-control-center.rules
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.locale1.set-locale" ||
         action.id == "org.freedesktop.locale1.set-keyboard" ||
         action.id == "org.freedesktop.hostname1.set-static-hostname" ||
         action.id == "org.freedesktop.hostname1.set-hostname") &&
        subject.local &&
        subject.active &&
        subject.isInGroup ("wheel")) {
        return polkit.Result.YES;
    }
}); |
where the defaults in /usr/share/polkit-1/actions/org.gnome.controlcenter.*.policy make sure people need to go through the above policy.
Of course the alternative is to add new policies to /etc/polkit-1/rules.d/ that are not based on such checks; the user has the freedom to decide if he wants to use groups, policies or something else to manage this.
But there are policies like the above in place so upstream can simplify support by asking to add the user to the group, because most of the users will not want to learn and write policies if a simpler approach exists. |
imesg Guru
Joined: 12 Jul 2002 Posts: 445
Posted: Tue Aug 13, 2013 4:25 pm Post subject: |
TomWij wrote: | ssuominen wrote: | TomWij wrote: | Did you add your user to the necessary groups? |
What do you mean? We haven't used groups for this type of authentication since HAL. Instead, ConsoleKit or systemd-logind will tell PolicyKit the user is local and give permissions based on that. |
We still do, take for example the checks for the plugdev and wheel groups below. |
Code: | root@go:~# groups gene
lp wheel audio cdrom video cdrw usb portage messagebus plugdev users |
Quote: |
Code: | # less /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.settings.modify.system.rules
// Let users in plugdev group modify NetworkManager
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
        subject.isInGroup("plugdev") && subject.active) {
        return "yes";
    }
}); |
where the defaults in /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy make sure people need to go through the above policy.
|
My user is in the group. How do I find out if my user is 'active'? From ssuominen's post it looks like loginctl show-session might be the place:
Code: | gene@go:~# loginctl show-session 1
Id=1
Timestamp=Tue 2013-08-13 09:31:27 CDT
TimestampMonotonic=19114529
VTNr=1
TTY=/dev/tty1
Remote=no
Service=login
Scope=session-1.scope
Leader=175
Audit=1
Type=tty
Class=user
Active=no
State=online
IdleHint=no
IdleSinceHint=1376408840671985
IdleSinceHintMonotonic=4513057157
Name=gene |
Looks like user "gene" is not active. How do I make "gene" active?
Quote: |
Code: | # less /usr/share/polkit-1/rules.d/gnome-control-center.rules
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.locale1.set-locale" ||
         action.id == "org.freedesktop.locale1.set-keyboard" ||
         action.id == "org.freedesktop.hostname1.set-static-hostname" ||
         action.id == "org.freedesktop.hostname1.set-hostname") &&
        subject.local &&
        subject.active &&
        subject.isInGroup ("wheel")) {
        return polkit.Result.YES;
    }
}); |
where the defaults in /usr/share/polkit-1/actions/org.gnome.controlcenter.*.policy make sure people need to go through the above policy. |
I think I know what the subject lines mean but not the action.id lines. Can you elucidate?
Quote: |
Of course the alternative is to add new policies to /etc/polkit-1/rules.d/ that are not based on such checks; the user has the freedom to decide if he wants to use groups, policies or something else to manage this.
But there are policies like the above in place so upstream can simplify support by asking to add the user to the group, because most of the users will not want to learn and write policies if a simpler approach exists. |
As a reply to this last statement why would someone make it so difficult to write a policy? Configuration should be easy.
That said thanks TomWij for your help.
Gene |
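As an added illustration (not part of the thread, and not polkit's own code): a small JavaScript stand-in for polkit's rule engine that feeds the NetworkManager rule quoted above a subject built from the `loginctl show-session 1` output, showing why group membership alone does not satisfy the rule while the session reports `Active=no`. `parseSession`, `makeSubject`, `makeEngine` and `evaluate` are hypothetical names, and deriving `subject.local`/`subject.active` from the `Remote`/`Active` fields is a simplification of what polkit obtains from logind.

```javascript
// Added example: a stand-in for polkit's rule engine, not polkit itself.
// Constructed sample: relevant keys of the `loginctl show-session 1` output above.
const SESSION_OUTPUT = ["Id=1", "VTNr=1", "TTY=/dev/tty1", "Remote=no",
  "Type=tty", "Class=user", "Active=no", "State=online", "Name=gene"].join("\n");
const USER_GROUPS = ["lp", "wheel", "audio", "plugdev", "users"]; // subset of `groups gene`
const NM_ACTION = "org.freedesktop.NetworkManager.settings.modify.system";

// Parse the KEY=VALUE lines printed by `loginctl show-session`.
function parseSession(text) {
  const props = {};
  for (const line of text.split("\n")) {
    const i = line.indexOf("=");
    if (i > 0) props[line.slice(0, i).trim()] = line.slice(i + 1).trim();
  }
  return props;
}

// Assumed mapping: local/active reflect session state, never group membership.
function makeSubject(props, groups) {
  return {
    local: props.Remote === "no",
    active: props.Active === "yes",
    isInGroup: (g) => groups.includes(g),
  };
}

// Rules run in order and the first returned value decides. If no rule returns
// one, the action's .policy defaults apply, reported here as "defaults".
function makeEngine() {
  const rules = [];
  const polkit = { addRule: (fn) => rules.push(fn), Result: { YES: "yes" } };
  const check = (id, subject) => {
    for (const rule of rules) {
      const res = rule({ id }, subject);
      if (res) return res;
    }
    return "defaults";
  };
  return { polkit, check };
}

// Load the NetworkManager rule quoted in the thread and evaluate one session.
function evaluate(sessionText, groups) {
  const { polkit, check } = makeEngine();
  polkit.addRule(function (action, subject) {
    if (action.id == NM_ACTION && subject.isInGroup("plugdev") && subject.active) return "yes";
  });
  return check(NM_ACTION, makeSubject(parseSession(sessionText), groups));
}
console.log("Active=no:", evaluate(SESSION_OUTPUT, USER_GROUPS));
```

A result of "defaults" means the rule did not match, so the decision falls back to the action's `.policy` file, which is where the authentication prompts come from.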
SamuliSuominen Retired Dev
Joined: 30 Sep 2005 Posts: 2133 Location: Finland
Posted: Tue Aug 13, 2013 4:54 pm Post subject: |
TomWij wrote: | ssuominen wrote: | TomWij wrote: | Did you add your user to the necessary groups? |
What do you mean? We haven't used groups for this type of authentication since HAL. Instead, ConsoleKit or systemd-logind will tell PolicyKit the user is local and give permissions based on that. |
We still do, take for example the checks for the plugdev and wheel groups below.
Code: | # less /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.settings.modify.system.rules
// Let users in plugdev group modify NetworkManager
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
        subject.isInGroup("plugdev") && subject.active) {
        return "yes";
    }
}); |
where the defaults in /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy make sure people need to go through the above policy.
Code: | # less /usr/share/polkit-1/rules.d/gnome-control-center.rules
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.locale1.set-locale" ||
         action.id == "org.freedesktop.locale1.set-keyboard" ||
         action.id == "org.freedesktop.hostname1.set-static-hostname" ||
         action.id == "org.freedesktop.hostname1.set-hostname") &&
        subject.local &&
        subject.active &&
        subject.isInGroup ("wheel")) {
        return polkit.Result.YES;
    }
}); |
where the defaults in /usr/share/polkit-1/actions/org.gnome.controlcenter.*.policy make sure people need to go through the above policy.
Of course the alternative is to add new policies to /etc/polkit-1/rules.d/ that are not based on such checks; the user has the freedom to decide if he wants to use groups, policies or something else to manage this.
But there are policies like the above in place so upstream can simplify support by asking to add the user to the group, because most of the users will not want to learn and write policies if a simpler approach exists. |
Indeed, I forgot 'plugdev' will give extra authorization for NetworkManager to add/remove networks, and didn't know GNOME makes use of 'wheel'.
However, both of those are adding extra bits for local users, so my previous post mostly still stands. |
SamuliSuominen Retired Dev
Joined: 30 Sep 2005 Posts: 2133 Location: Finland
Posted: Tue Aug 13, 2013 4:57 pm Post subject: |
imesg wrote: | Looks like user "gene" is not active. How do I make "gene" active? |
Well, you need to have sys-auth/pambase with USE="systemd" and kernel with CONFIG_AUDITSYSCALL=y kernel option for the pam_systemd.so module to work.
And then you need to log in to the GNOME desktop in a correct way, so that systemd-logind is being used, for example using GDM which has internal support for systemd-logind.
Anyways, I'm better with ConsoleKit than systemd-logind, so I'll let others take you the rest of the way. Good luck getting your user active! |
imesg Guru
Joined: 12 Jul 2002 Posts: 445
Posted: Tue Aug 13, 2013 6:13 pm Post subject: |
ssuominen wrote: | imesg wrote: | Looks like user "gene" is not active. How do I make "gene" active? |
Well, you need to have sys-auth/pambase with USE="systemd" and kernel with CONFIG_AUDITSYSCALL=y kernel option for the pam_systemd.so module to work.
And then you need to log in to the GNOME desktop in a correct way, so that systemd-logind is being used, for example using GDM which has internal support for systemd-logind.
Anyways, I'm better with ConsoleKit than systemd-logind, so I'll let others take you the rest of the way. Good luck getting your user active! |
USE and kernel are configured the way you say. I however use startx instead of one of the graphical logins. Turns out there are other problems. I found in the Red Hat forums a discussion of what is happening and a workaround for now.
The fix for me:
gene@go:~# tty
/dev/tty1
gene@go:~# startx -- vt01
This makes user gene "Active=yes".
First discussion
Second discussion (contains the tmp fix)
This works for me now. Would like to have something a little more substantial.
Now on to my next problem with systemd and gnome 3.8. |