rigacci.org

User Tools

Site Tools

Trace:
doc:appunti:linux:sa:nis

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
Next revisionBoth sides next revision
doc:appunti:linux:sa:nis [2020/12/16 12:27] – [NIS users unable to poweroff/reboot or manage printers] niccolodoc:appunti:linux:sa:nis [2020/12/16 15:43] – [NIS users unable to poweroff/reboot or manage printers] niccolo
Line 224: Line 224:
 ====== NIS users unable to poweroff/reboot or manage printers ====== ====== NIS users unable to poweroff/reboot or manage printers ======
  
-We experienced a problem with an **Ubuntu 20.04** Focal Fossa used as **NIS client**: some tasks were inhibited because the user - despite it was **logged-in locally** on the physical machine - it was considered **as a remote** one.+We experienced a problem with an **Ubuntu 20.04** Focal Fossa used as **NIS client**: some tasks were inhibited because the user - despite it was **logged-in locally** on the physical machine - it was considered **non interactive** one
 + 
 +One symptom can be the following error message when you issue the **reboot** command into a terminal session: 
 + 
 +<code> 
 +Failed to set wall message, ignoring: Interactive authentication required. 
 +Failed to power off system via logind: Interactive authentication required. 
 +Failed to open initctl fifo: Permission denied 
 +Failed to talk to init daemon. 
 +</code> 
 + 
 +Using the command **systemctl reboot -i** does not work either, producing the following error: 
 +</code> 
 + 
 +<code> 
 +==== AUTHENTICATING FOR org.freedesktop.login1.reboot-multiple-sessions === 
 +Authentication is required for rebooting the system while other users are logged in. 
 +</code> 
 + 
 +Choosing to reboot or poweroff from the various **desktop applets** produces instead just a **session close**.
  
-FIXME What the errors? 
  
 It turned out that the **[[https://wiki.debian.org/PolicyKit|PolicyKit]]** authorization manager is enabled, according to the default policies that problematic tasks are reserved to **local users** only, whereas users **authenticated by the NIS** server are considered somehow remote. It turned out that the **[[https://wiki.debian.org/PolicyKit|PolicyKit]]** authorization manager is enabled, according to the default policies that problematic tasks are reserved to **local users** only, whereas users **authenticated by the NIS** server are considered somehow remote.
Line 243: Line 261:
 ResultAny=yes ResultAny=yes
 </file> </file>
 +
 +To make the new policy effective, issue the command:
 +
 +<code>
 +systemctl restart polkit.service
 +</code>
  
 The syntax of the file is explained into the **[[https://www.freedesktop.org/software/polkit/docs/0.105/pklocalauthority.8.html|pklocalauthority man page]]**. The syntax of the file is explained into the **[[https://www.freedesktop.org/software/polkit/docs/0.105/pklocalauthority.8.html|pklocalauthority man page]]**.
  
-First of all usint the **Identity** option we select the users interested into that policy. For managing printers we required the user to belong to the **lpadmin** and **adm** groups. The first group is the standard Debian group to manage printers, whereas the **adm** group is an arbitrary group assigned to some users by the NIS server (see the page **[[https://wiki.debian.org/SystemGroups|Debian system groups]]**).+First of all usint the **Identity** option we select the users interested into that policy. For managing printers we required the user to belong to the **lpadmin** and **adm** groups. The first group is the standard Debian group to manage printers, whereas the **adm** group is an arbitrary group assigned to some users by the NIS server (see the page **[[https://wiki.debian.org/SystemGroups|Debian system groups]]**). In our case the groups are determined by the NIS server, via the **/var/yp/ypfiles/group** file. 
 + 
 +For the **Action** part we had to discover the name of the printer management and the poweroff/halt/reboot. You can use the **pkaction** command and browse its output; also searching on the Net is a big resource. The **org.opensuse.cupspkhelper.mechanism.** is OpenSUSE and Ubuntu specific (I don't have it in my Debian box): 
 + 
 +<code> 
 +pkaction | grep cupspkhelper 
 +org.opensuse.cupspkhelper.mechanism.all-edit 
 +org.opensuse.cupspkhelper.mechanism.class-edit 
 +org.opensuse.cupspkhelper.mechanism.devices-get 
 +org.opensuse.cupspkhelper.mechanism.job-edit 
 +org.opensuse.cupspkhelper.mechanism.job-not-owned-edit 
 +org.opensuse.cupspkhelper.mechanism.printer-enable 
 +org.opensuse.cupspkhelper.mechanism.printer-local-edit 
 +org.opensuse.cupspkhelper.mechanism.printer-remote-edit 
 +org.opensuse.cupspkhelper.mechanism.printer-set-default 
 +org.opensuse.cupspkhelper.mechanism.printeraddremove 
 +org.opensuse.cupspkhelper.mechanism.server-settings 
 +</code> 
 + 
 +For the reboot/poweroff/halt etc we have the following PolKit nodes: 
 + 
 +<code> 
 +org.freedesktop.login1.halt 
 +org.freedesktop.login1.hibernate 
 +org.freedesktop.login1.power-off 
 +org.freedesktop.login1.reboot 
 +org.freedesktop.login1.suspend 
 +</code> 
 + 
 +each of them have some sub-actions: 
 + 
 +<code> 
 +pkaction | grep org.freedesktop.login1.power-off 
 +org.freedesktop.login1.power-off 
 +org.freedesktop.login1.power-off-ignore-inhibit 
 +org.freedesktop.login1.power-off-multiple-sessions 
 +</code> 
 + 
 +Finally the problem-solving option is **ResultAny**, which means that the policy is applicable for users logged-in in any status. The default policy is instead something like this:
  
-FIXME Action, ResultAny and pkaction+<code> 
 +ResultAny=no 
 +ResultInactive=no 
 +ResultActive=yes 
 +</code>
doc/appunti/linux/sa/nis.txt · Last modified: 2020/12/16 16:27 by niccolo