Suse Failed Login Pam_unix(Systemd-user:session): Session Closed for User Admin
systemd 239 in RHEL 8 beta (and Fedora?) automatically attempts to start a user session whenever a user logs in. This results in running PAM session validation for the systemd-user PAM service as part of PAM session setup. Below is one instance where the IPA admin user tries to log in over ssh with GSSAPI and fails:
Jan 10 04:12:31 kvm-01-guest10 sshd[1727]: Authorized to admin, krb5 principal admin@JANHB1.TEST (ssh_gssapi_krb5_cmdok)
Jan 10 04:12:37 kvm-01-guest10 sshd[1727]: Accepted gssapi-with-mic for admin from 10.8.1.11 port 57802 ssh2: admin@JANHB1.TEST
Jan 10 04:12:37 kvm-01-guest10 systemd[1737]: pam_sss(systemd-user:account): Access denied for user admin: 6 (Permission denied)
Jan 10 04:12:37 kvm-01-guest10 sshd[1727]: pam_systemd(sshd:session): Failed to create session: Start job for unit user@77200000.service failed with 'failed'
Jan 10 04:12:37 kvm-01-guest10 sshd[1727]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Jan 10 04:12:37 kvm-01-guest10 sshd[1727]: error: PAM: pam_open_session(): System error
As you can see, pam_sss(systemd-user:account) fails due to SSSD running the HBAC access check in the account phase and systemd-user not being in the list of allowed services.
We need to add a systemd-user HBAC service to the set of default services. I think we also need to create an HBAC group that includes the services that cause the systemd-user PAM service to be used. At least sshd and login?
I verified that adding such HBAC services indeed fixes the login.
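The failure signature described in the report above has a distinctive shape: the login service (sshd) passes its own account check, then pam_sss denies the separate systemd-user service, and pam_systemd reports that user@UID.service failed to start. The script below is an added example, not code from the ticket, FreeIPA or SSSD. It parses journal lines, correlates a systemd-user account denial with the session-setup failure that follows it, and distinguishes that case from an HBAC rule denying the login service itself. The journal text is constructed to mirror the lines posted above (realm JANHB1.TEST, the uid 77200000 and a second, invented denial for user bob are assumptions), and the hbactest command it emits assumes the client FQDN is passed in by the caller.

```python
"""Classify IPA/SSSD login failures involving the systemd-user PAM service.

Added example for the ticket; not FreeIPA, SSSD or the reporter's code.
Sample journal lines are constructed to mirror the ones in the report.
"""
import re
from datetime import datetime

# Constructed sample: the GSSAPI login from the report, followed by an
# unrelated failure (user bob) where HBAC denies the sshd service itself.
SAMPLE_JOURNAL = """\
Jan 10 04:12:31 kvm-01-guest10 sshd[1727]: Authorized to admin, krb5 principal admin@JANHB1.TEST (ssh_gssapi_krb5_cmdok)
Jan 10 04:12:37 kvm-01-guest10 sshd[1727]: Accepted gssapi-with-mic for admin from 10.8.1.11 port 57802 ssh2: admin@JANHB1.TEST
Jan 10 04:12:37 kvm-01-guest10 systemd[1737]: pam_sss(systemd-user:account): Access denied for user admin: 6 (Permission denied)
Jan 10 04:12:37 kvm-01-guest10 sshd[1727]: pam_systemd(sshd:session): Failed to create session: Start job for unit user@77200000.service failed with 'failed'
Jan 10 04:12:37 kvm-01-guest10 sshd[1727]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Jan 10 04:12:37 kvm-01-guest10 sshd[1727]: error: PAM: pam_open_session(): System error
Jan 10 04:15:02 kvm-01-guest10 sshd[1802]: pam_sss(sshd:account): Access denied for user bob: 6 (Permission denied)
Jan 10 04:15:02 kvm-01-guest10 sshd[1802]: fatal: Access denied for user bob by PAM account configuration [preauth]
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# pam_sss account-phase denial; the PAM service name tells us which HBAC
# service SSSD evaluated (sshd, login, systemd-user, ...).
ACCOUNT_DENIED = re.compile(
    r"pam_sss\((?P<service>[^:)]+):account\): Access denied for user "
    r"(?P<user>\S+): (?P<code>\d+)"
)
# pam_systemd in the login service failing to start user@UID.service.
SESSION_FAILED = re.compile(
    r"pam_systemd\((?P<service>[^:)]+):session\): Failed to create session: "
    r"Start job for unit user@(?P<uid>\d+)\.service failed"
)


def parse(journal: str) -> list:
    """Split journal text into events; lines without a syslog prefix are skipped."""
    events = []
    for line in journal.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        # The syslog timestamp carries no year; only deltas are used below.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "prog": m["prog"], "pid": int(m["pid"]), "msg": m["msg"]})
    return events


def classify(journal: str, window_seconds: int = 5) -> list:
    """One finding per pam_sss account denial, correlated with session failures.

    kind == "systemd_user_hbac_denied": the login service was allowed, but HBAC
    has no rule for systemd-user, so pam_systemd could not start the user
    manager (the case in the report).
    kind == "login_service_denied": HBAC denies the login service itself, which
    is an ordinary access-control decision rather than a missing default rule.
    """
    events = parse(journal)
    findings = []
    for ev in events:
        denied = ACCOUNT_DENIED.search(ev["msg"])
        if not denied:
            continue
        finding = {
            "user": denied["user"],
            "denied_service": denied["service"],
            "kind": "login_service_denied",
            "login_service": denied["service"],
        }
        if denied["service"] == "systemd-user":
            # The denial is logged by systemd's user instance, not by sshd, so the
            # login service has to be recovered from pam_systemd's own line.
            for other in events:
                sess = SESSION_FAILED.search(other["msg"])
                delta = (other["ts"] - ev["ts"]).total_seconds()
                if sess and 0 <= delta <= window_seconds:
                    finding.update(
                        kind="systemd_user_hbac_denied",
                        login_service=sess["service"],
                        login_pid=other["pid"],
                        uid=int(sess["uid"]),
                    )
                    break
        findings.append(finding)
    return findings


def hbactest_command(finding: dict, client_fqdn: str) -> str:
    """Command to reproduce the HBAC decision on the IPA server (client FQDN assumed)."""
    return (
        f"ipa hbactest --user {finding['user']} --host {client_fqdn} "
        f"--service {finding['denied_service']}"
    )


if __name__ == "__main__":
    for f in classify(SAMPLE_JOURNAL):
        print(f["kind"], f["user"], f["denied_service"])
        print("  check:", hbactest_command(f, "kvm-01-guest10.janhb1.test"))
```

Run against a real journal with `journalctl -o short --no-pager | python3 this_script.py` after swapping SAMPLE_JOURNAL for stdin. A "systemd_user_hbac_denied" finding for a user whose login service was allowed is the case this ticket is about: the remedy is an HBAC rule granting the systemd-user service, not a change to the sshd rule.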
Source: https://pagure.io/freeipa/issue/7831
Posted by: vossalessee.blogspot.com
3 years ago
Metadata Update from @abbra:
- Issue set to the milestone: FreeIPA 4.7.3
3 years ago
Metadata Update from @cheimes:
- Issue assigned to cheimes
3 years ago
The new rule from https://github.com/freeipa/freeipa/pull/2746 fixes the issue
with allow_systemd-user disabled or absent
with allow_systemd-user enabled
Edited 3 years ago by cheimes
master:
ipa-4-7:
ipa-4-6:
Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
3 years ago
master:
ipa-4-7:
ipa-4-6:
@simo suggested removing the HBAC rule again and instead having SSSD allow the service by default. He argued that there is no technical reason to make the systemd-user service configurable. It always has to be enabled to make logins work.
The approach would also solve the case of new clients and old IPA servers without the rule.
Metadata Update from @cheimes:
- Custom field affects_doc adjusted to on
- Issue status updated to: Open (was: Closed)
3 years ago
@jhrozek what do you think? Should we file an RFE against sssd?