You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1669407
some distributions, like RHEL-8 add a new systemd-user service that is called by the systemd user session and includes system-auth. This means that the access control rules must also include the systemd-user service or else authentication fails.
We should probably document this at least for the purely client-side access control schemas like authorizedService. GPOs already include systemd-user as permit-by-default and IPA had changed its defaults to include this service as well.
I would prefer if SSSD would always allowed systemd-user access in HBAC rules. We are going to remove a special HBAC rule for systemd-user because there is no variability in that one, it has simply to be allowed always.
OK, adding a 'special rule' if fine with me (I would just open a separate ticket). I'd also like to get your opinion on two things:
do you feel we should also add a 'subfilter' for the systemd-user service for e.g. the authorizedServices LDAP attribute? Here I would personally say no, the LDAP filters are too 'low-level' and free-form in my opinion that I think we should not presume anything and just let admin configure them
do you think this should be a RHEL-8.0 fix? IIRC you planned to fix systemd-user for 8.0, did that change?
I don't think (1) is needed to be done, indeed. I'd rather allow admins to have full control there.
For (2) -- it affects Fedora 29+ and RHEL 8 post-beta. We fixed RHEL 8 post-beta but I think now we want to remove that fix and also revert it upstream and instead rely on a fixed SSSD. The problem with an explicit HBAC rule is that it makes little sense for something which is a system-specific property which is pretty much not configurable. pam_systemd always launches systemd --user and the exact PAM service name is hardcoded in systemd source code:
src/login/pam_systemd.c: if (streq_ptr(service, "systemd-user")) {
So I would consider this as a distribution specific detail as all systemd-based distributions will have it and the only difference is whether pam_systemd is included with required or optional line in PAM configuration, either forcing a failure or pampering over it.
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3932
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1669407
some distributions, like RHEL-8 add a new systemd-user service that is called by the systemd user session and includes system-auth. This means that the access control rules must also include the systemd-user service or else authentication fails.
We should probably document this at least for the purely client-side access control schemas like authorizedService. GPOs already include systemd-user as permit-by-default and IPA had changed its defaults to include this service as well.
Comments
Comment from jhrozek at 2019-01-28 21:20:13
Metadata Update from @jhrozek:
Comment from abbra at 2019-01-29 08:14:57
I would prefer if SSSD would always allowed
systemd-user
access in HBAC rules. We are going to remove a special HBAC rule for systemd-user because there is no variability in that one, it has simply to be allowed always.Comment from jhrozek at 2019-01-29 08:44:25
OK, adding a 'special rule' if fine with me (I would just open a separate ticket). I'd also like to get your opinion on two things:
do you feel we should also add a 'subfilter' for the systemd-user service for e.g. the authorizedServices LDAP attribute? Here I would personally say no, the LDAP filters are too 'low-level' and free-form in my opinion that I think we should not presume anything and just let admin configure them
do you think this should be a RHEL-8.0 fix? IIRC you planned to fix systemd-user for 8.0, did that change?
Comment from abbra at 2019-01-29 12:34:29
I don't think (1) is needed to be done, indeed. I'd rather allow admins to have full control there.
For (2) -- it affects Fedora 29+ and RHEL 8 post-beta. We fixed RHEL 8 post-beta but I think now we want to remove that fix and also revert it upstream and instead rely on a fixed SSSD. The problem with an explicit HBAC rule is that it makes little sense for something which is a system-specific property which is pretty much not configurable.
pam_systemd
always launchessystemd --user
and the exact PAM service name is hardcoded insystemd
source code:So I would consider this as a distribution specific detail as all systemd-based distributions will have it and the only difference is whether
pam_systemd
is included withrequired
oroptional
line in PAM configuration, either forcing a failure or pampering over it.Comment from jhrozek at 2019-01-29 12:44:00
OK, I'll open another ticket. Thanks for the opinions.
Comment from jhrozek at 2019-01-29 12:45:25
Issue #3933 created.
Comment from jhrozek at 2019-02-27 16:49:02
Metadata Update from @jhrozek:
Comment from jhrozek at 2019-02-27 17:22:38
Metadata Update from @jhrozek:
Comment from jhrozek at 2019-06-13 23:08:56
Metadata Update from @jhrozek:
Comment from jhrozek at 2019-07-04 10:24:11
Metadata Update from @jhrozek:
Comment from jhrozek at 2019-07-04 10:24:17
PR: #845
Comment from mzidek at 2019-08-18 23:15:15
master: 820151f
Comment from mzidek at 2019-08-18 23:15:16
Metadata Update from @mzidek:
The text was updated successfully, but these errors were encountered: