Differences

This shows you the differences between two versions of the page.

doc:appunti:linux:sa:nis [2020/05/13 10:11] – [Name Service Switch] niccolodoc:appunti:linux:sa:nis [2020/12/16 15:43] – [NIS users unable to poweroff/reboot or manage printers] niccolo
Line 108: Line 108:
 La **GNU C Library** fornisce i servizi ad esempio per avere l'elenco degli utenti. Bisogna **integrare** gli utenti standard **Unix** con quelli **NIS**, il file di configurazione da verificare è **/etc/nsswitch.conf**. La **GNU C Library** fornisce i servizi ad esempio per avere l'elenco degli utenti. Bisogna **integrare** gli utenti standard **Unix** con quelli **NIS**, il file di configurazione da verificare è **/etc/nsswitch.conf**.
  
-=== Integrazione utenti in modalità "compat" ===+=== Integrazione in modalità "compat" ===
  
 Per integrare gli utenti e i gruppi NIS in quelli standard unix si devono modificare i file **''/etc/passwd''**, **''/etc/shadow''** e **''/etc/group''** aggiungendo le seguenti righe rispettivamente: Per integrare gli utenti e i gruppi NIS in quelli standard unix si devono modificare i file **''/etc/passwd''**, **''/etc/shadow''** e **''/etc/group''** aggiungendo le seguenti righe rispettivamente:
Line 118: Line 118:
 Verificare nel file **/etc/nsswitch.conf** che i servizi **passwd**, **group**, e **shadow** includano la sorgente **compat**, che significa utilizzare la sorgente **files** (i tradizionali file Unix ''/etc/passwd'', ecc) con l'estensione NIS dovuta alle righe aggiuntive vista sopra. Verificare nel file **/etc/nsswitch.conf** che i servizi **passwd**, **group**, e **shadow** includano la sorgente **compat**, che significa utilizzare la sorgente **files** (i tradizionali file Unix ''/etc/passwd'', ecc) con l'estensione NIS dovuta alle righe aggiuntive vista sopra.
  
-=== Integrazione utenti in modalità "nis" ===+=== Integrazione in modalità "nis" ===
  
 In alternativa si può indicare in **/etc/nsswitch.conf** la sorgente **files** ed esplicitamente la sorgente **nis**, in questo caso le righe aggiuntive con il prefisso **+** non sono necessarie. In questo caso il file **/etc/nsswitch.conf** contiene qualcosa del genere: In alternativa si può indicare in **/etc/nsswitch.conf** la sorgente **files** ed esplicitamente la sorgente **nis**, in questo caso le righe aggiuntive con il prefisso **+** non sono necessarie. In questo caso il file **/etc/nsswitch.conf** contiene qualcosa del genere:
Line 128: Line 128:
 </file> </file>
  
-=== Ricerca del server NIS ===+:!: **ATTENZIONE**: Questa modalità non è compatibile con il demone **accountsservice** utilizzato ad esempio da **Ubuntu 20.4**. In questo caso l'elenco degli utenti non viene integrato con le informazioni NIS e quindi **gli utenti NIS non vengono elencati** nel greeter di **LightDM**. 
 + 
 +===== Ricerca del server NIS =====
  
 La ricerca del NIS server avviene tramite richieste broadcast sulla rete locale. Per evitarle (potrebbero fallire per regole di firewall) si dichiarano esplicitamente i server in **''/etc/yp.conf''**: La ricerca del NIS server avviene tramite richieste broadcast sulla rete locale. Per evitarle (potrebbero fallire per regole di firewall) si dichiarano esplicitamente i server in **''/etc/yp.conf''**:
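Review bot: the added warning writes "Ubuntu 20.4", while the section this same revision adds further down writes "Ubuntu 20.04"; use 20.04 here as well. Because the page describes two integration modes, naming the mode in the warning (the "nis" mode) instead of "Questa modalità" would keep it unambiguous if the paragraph is ever moved.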
Line 218: Line 220:
 <code> <code>
 IPAddressDeny=any IPAddressDeny=any
 +</code>
 +
 +====== NIS users unable to poweroff/reboot or manage printers ======
 +
 +We experienced a problem with an **Ubuntu 20.04** Focal Fossa used as **NIS client**: some tasks were inhibited because the user - despite it was **logged-in locally** on the physical machine - it was considered **non interactive** one.
 +
 +One symptom can be the following error message when you issue the **reboot** command into a terminal session:
 +
 +<code>
 +Failed to set wall message, ignoring: Interactive authentication required.
 +Failed to power off system via logind: Interactive authentication required.
 +Failed to open initctl fifo: Permission denied
 +Failed to talk to init daemon.
 +</code>
 +
 +Using the command **systemctl reboot -i** does not work either, producing the following error:
 +</code>
 +
 +<code>
 +==== AUTHENTICATING FOR org.freedesktop.login1.reboot-multiple-sessions ===
 +Authentication is required for rebooting the system while other users are logged in.
 +</code>
 +
 +Choosing to reboot or poweroff from the various **desktop applets** produces instead just a **session close**.
 +
 +
 +It turned out that the **[[https://wiki.debian.org/PolicyKit|PolicyKit]]** authorization manager is enabled, according to the default policies that problematic tasks are reserved to **local users** only, whereas users **authenticated by the NIS** server are considered somehow remote.
 +
 +One solution is to create a file on the NIS client, name **/var/lib/polkit-1/localauthority/50-local.d/10-nis-users.pkla**. The ''/var/lib/polkit-1/localauthority/'' directory is intended for 3rd party packages, the ''50-local.d'' subdirectory is intended for local usage.
 +
 +<file>
 +[Allow Printer administration for NIS users]
 +Identity=unix-group:lpadmin;unix-group:adm
 +Action=org.opensuse.cupspkhelper.mechanism.*
 +ResultAny=yes
 +
 +[Allow halt power-off and reboot for NIS users]
 +Identity=unix-group:adm
 +Action=org.freedesktop.login1.halt*;org.freedesktop.login1.power-off*;org.freedesktop.login1.reboot*
 +ResultAny=yes
 +</file>
 +
 +To make the new policy effective, issue the command:
 +
 +<code>
 +systemctl restart polkit.service
 +</code>
 +
 +The syntax of the file is explained into the **[[https://www.freedesktop.org/software/polkit/docs/0.105/pklocalauthority.8.html|pklocalauthority man page]]**.
 +
 +First of all usint the **Identity** option we select the users interested into that policy. For managing printers we required the user to belong to the **lpadmin** and **adm** groups. The first group is the standard Debian group to manage printers, whereas the **adm** group is an arbitrary group assigned to some users by the NIS server (see the page **[[https://wiki.debian.org/SystemGroups|Debian system groups]]**). In our case the groups are determined by the NIS server, via the **/var/yp/ypfiles/group** file.
 +
 +For the **Action** part we had to discover the name of the printer management and the poweroff/halt/reboot. You can use the **pkaction** command and browse its output; also searching on the Net is a big resource. The **org.opensuse.cupspkhelper.mechanism.** is OpenSUSE and Ubuntu specific (I don't have it in my Debian box):
 +
 +<code>
 +pkaction | grep cupspkhelper
 +org.opensuse.cupspkhelper.mechanism.all-edit
 +org.opensuse.cupspkhelper.mechanism.class-edit
 +org.opensuse.cupspkhelper.mechanism.devices-get
 +org.opensuse.cupspkhelper.mechanism.job-edit
 +org.opensuse.cupspkhelper.mechanism.job-not-owned-edit
 +org.opensuse.cupspkhelper.mechanism.printer-enable
 +org.opensuse.cupspkhelper.mechanism.printer-local-edit
 +org.opensuse.cupspkhelper.mechanism.printer-remote-edit
 +org.opensuse.cupspkhelper.mechanism.printer-set-default
 +org.opensuse.cupspkhelper.mechanism.printeraddremove
 +org.opensuse.cupspkhelper.mechanism.server-settings
 +</code>
 +
 +For the reboot/poweroff/halt etc we have the following PolKit nodes:
 +
 +<code>
 +org.freedesktop.login1.halt
 +org.freedesktop.login1.hibernate
 +org.freedesktop.login1.power-off
 +org.freedesktop.login1.reboot
 +org.freedesktop.login1.suspend
 +</code>
 +
 +each of them have some sub-actions:
 +
 +<code>
 +pkaction | grep org.freedesktop.login1.power-off
 +org.freedesktop.login1.power-off
 +org.freedesktop.login1.power-off-ignore-inhibit
 +org.freedesktop.login1.power-off-multiple-sessions
 +</code>
 +
 +Finally the problem-solving option is **ResultAny**, which means that the policy is applicable for users logged-in in any status. The default policy is instead something like this:
 +
 +<code>
 +ResultAny=no
 +ResultInactive=no
 +ResultActive=yes
 </code> </code>
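Review bot: in the added 10-nis-users.pkla, the second stanza pairs ResultAny=yes with the globs halt*, power-off* and reboot*, so every member of adm may halt or reboot the client without authentication from any session, and the globs also take in the -ignore-inhibit and -multiple-sessions sub-actions that the pkaction output further down lists. Since the text says group membership is determined by the NIS server through /var/yp/ypfiles/group, the NIS group map effectively decides who holds that right on each client; I would list the exact action ids that are needed instead of globs and state this trade-off next to the explanation of ResultAny. Two smaller points: the paragraph on Identity says the user must belong to the lpadmin "and" adm groups, while the entry is a semicolon-separated list (unix-group:lpadmin;unix-group:adm) that reads as either group, so the wording and the entry should be aligned; and there is a stray </code> directly after "producing the following error:" that closes a block which was never opened.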
doc/appunti/linux/sa/nis.txt · Last modified: 2020/12/16 16:27 by niccolo