afpd: systemd-logind ReleaseSession rejected by dbus-daemon #361
Thanks for filing this! Since the macro suggests that this particular branch applies to SuSE in addition to Debian, let me run a quick test on openSUSE to make sure this works cross-distro. |
Tested on Debian Bookworm & openSUSE Tumbleweed. Works as expected. Next up is to backport this to the 2.2 branch. |
2.2 branch PR #367 |
This also applies for Fedora 38 at least. Using it on a Raspi, so I can only confirm this for the arm side of things. |
@mwmahlberg Can you tell me the location and contents of the pam.d auth dir? This is the current RH/Fedora logic:
We need to figure out if the non-interactive configuration sits in that same file, or if there's another one we should import instead. |
I booted into Fedora Linux Asahi Remix (39 based) on my MacBook to investigate. This is what I see.
There's no equivalent "non-interactive" profile that I can see, unlike Debian. Some other solution may be required. |
For reference, this is the diff between interactive and non-interactive pam configs on Debian.
|
So in conclusion, the generated netatalk.pam on Fedora needs to not have this line, I think:
However, the way we have implemented this presently is to blanket import system-auth.
|
@knight-of-ni Do you have any insights into how Fedora deals with PAM configuration variants like this? Do you have something in your rpm packaging scripts that handles this? In fact, from my brief testing on Fedora Remix Asahi Linux 39, I can't see that our install target even installs the generated |
Yep. The pam config you posted earlier is included as an additional source file in the rpm specfile: This file predates my time as the Netatalk package maintainer. I never really looked too closely at it. |
@knight-of-ni Thanks for sharing, it is interesting to see how this was tackled downstream! I'm a bit hesitant to manage a custom PAM config file in the upstream project. I think there's a bigger risk it goes stale here than in the downstream package script. One idea though... I wonder if it's possible to fit an equivalent configuration into the existing template: https://github.com/Netatalk/netatalk/blob/main/config/pam/netatalk.tmpl Something worth investigating... |
@rdmark Sorry for the late reply.

```
$ ssh raspi -- cat /etc/pam.d/netatalk
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so
```

Interestingly, this seems to look quite a bit different to what you get. I am not exactly a PAM expert, so you might need to guide me here.

```
$ ssh raspi.fritz.box -- authselect current
Profile ID: sssd
Enabled features:
- with-silent-lastlog
```

This seems to indicate the use of sssd, which in turn does not run because of
To my understanding the sssd profile only makes sense in an environment with centralized IDP. I'd rather not change the auth-select profile on the installation, unless absolutely necessary. Could you check what your auth-select profile is on your Fedora 39? |
@mwmahlberg Thanks for sharing! So what you have there, is exactly the template used by the rpm packaging recipe that is linked in the previous comment. So this suggests that you installed netatalk via the rpm, and not from source. Is this accurate? The reason our netatalk pam config is different is most likely because I installed from source in this particular instance. Anyways, if the pam behavior on Fedora is the same as on Debian (which I would expect) it means that this line... Either the system pam config needs to be modified (on the fly?) or the netatalk pam config for the rpm package needs to be updated to work properly with today's Fedora default. More research is required... |
@rdmark Indeed, I installed it from an RPM. Actually, mid-term I think of utilizing cockpit to provide a UI for setting up TimeMachine Backups. Which basically means a UI for netatalk. @rdmark @knight-of-ni In this case, it should be easy enough to test, as far as I can see it:
I will try this as soon as possible and will let you know the results. |
@mwmahlberg Cockpit looks neat! We do have a Webmin module for netatalk which I've recently been improving upon. It works fairly well for basic administration of netatalk, including enabling TM for a volume. It does not, however, create dirs and set permissions on the dir for you. You have to prepare a dir elsewhere. I assume your use case is to do the administration end-to-end in the Web UI? |
@mwmahlberg Since the original issue for Debian was resolved and the solution for Fedora looks to be quite different, let me close this ticket again. May I ask you to create a new ticket for the Fedora situation? |
Indeed it is. The idea is to have a small Fedora distribution for converting a Raspi into a fully fledged TimeMachine and then some (for example Storage/LTS on SSE S3 instead of a local disk). I very much assume I am not the only one with that use case. The neat thing about Cockpit is that one has a bridge for about any operation one needs to do. In a local network, the security risk of that is (imho) acceptable. |
Will do later this day or tomorrow. |
As reported at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018106
I am using netatalk for time machine backups. After every session I see this line in /var/log/auth.log
Today I finally found the solution at https://bugs.launchpad.net/ubuntu/+source/netatalk/+bug/1538004
It is simple really, in
/etc/pam.d/netatalk
replace this line:
with this line:
This fixed the issue for me.
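
A way to see which files bring `pam_systemd.so` (the PAM module that registers a session with systemd-logind) into a service's session stack, as an added example that is not part of this thread or of the netatalk project. The function names are hypothetical and the sample files are constructed: the `netatalk` entry follows the Fedora config quoted above, and the `system-auth` contents are an assumption.

```python
import re

# Constructed sample files. "netatalk" follows the Fedora config quoted in the
# thread; the "system-auth" contents are an assumption for illustration.
SAMPLE = {
    "netatalk": """#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
session required pam_loginuid.so
session include system-auth
-session optional pam_ck_connector.so
""",
    "system-auth": """auth sufficient pam_unix.so
session required pam_limits.so
-session optional pam_systemd.so
session required pam_unix.so
""",
}

# One PAM rule: [-]type, control (one word or a [bracketed list]), module/target.
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def session_modules(service, read, chain=()):
    """Return [(module, defining_file)] for the session stack of `service`,
    following `include`, `substack` and Debian-style `@include` lines."""
    if service in chain:                      # include loop: stop descending
        return []
    found = []
    for raw in read(service).splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):       # pulls in rules of every type
            found += session_modules(line.split()[1], read, chain + (service,))
            continue
        m = RULE.match(line)
        if not m or m.group(1) != "session":
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            found += session_modules(target, read, chain + (service,))
        else:
            found.append((target.rsplit("/", 1)[-1], service))
    return found

def logind_sources(service, read):
    """Files through which `service` gets pam_systemd.so in its session stack."""
    return [src for mod, src in session_modules(service, read) if mod == "pam_systemd.so"]
```

On a live system, pass `lambda name: open("/etc/pam.d/" + name).read()` as `read` in place of `SAMPLE.__getitem__`.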