Differences

doc:appunti:linux:sa:nis [2020/12/16 15:43] – [NIS users unable to poweroff/reboot or manage printers] niccolo
doc:appunti:linux:sa:nis [2020/12/16 16:22] – [NIS users unable to poweroff/reboot or manage printers] niccolo
Line 222: Line 222:
 </code> </code>
  
-====== NIS users unable to poweroff/reboot or manage printers ====== 
  
-We experienced a problem with an **Ubuntu 20.04** Focal Fossa used as **NIS client**: some tasks were inhibited because the user - despite it was **logged-in locally** on the physical machine - it was considered **non interactive** one. 
- 
-One symptom can be the following error message when you issue the **reboot** command into a terminal session: 
- 
-<code> 
-Failed to set wall message, ignoring: Interactive authentication required. 
-Failed to power off system via logind: Interactive authentication required. 
-Failed to open initctl fifo: Permission denied 
-Failed to talk to init daemon. 
-</code> 
- 
-Using the command **systemctl reboot -i** does not work either, producing the following error: 
-</code> 
- 
-<code> 
-==== AUTHENTICATING FOR org.freedesktop.login1.reboot-multiple-sessions === 
-Authentication is required for rebooting the system while other users are logged in. 
-</code> 
- 
-Choosing to reboot or poweroff from the various **desktop applets** produces instead just a **session close**. 
- 
- 
-It turned out that the **[[https://wiki.debian.org/PolicyKit|PolicyKit]]** authorization manager is enabled, according to the default policies that problematic tasks are reserved to **local users** only, whereas users **authenticated by the NIS** server are considered somehow remote. 
- 
-One solution is to create a file on the NIS client, name **/var/lib/polkit-1/localauthority/50-local.d/10-nis-users.pkla**. The ''/var/lib/polkit-1/localauthority/'' directory is intended for 3rd party packages, the ''50-local.d'' subdirectory is intended for local usage. 
- 
-<file> 
-[Allow Printer administration for NIS users] 
-Identity=unix-group:lpadmin;unix-group:adm 
-Action=org.opensuse.cupspkhelper.mechanism.* 
-ResultAny=yes 
- 
-[Allow halt power-off and reboot for NIS users] 
-Identity=unix-group:adm 
-Action=org.freedesktop.login1.halt*;org.freedesktop.login1.power-off*;org.freedesktop.login1.reboot* 
-ResultAny=yes 
-</file> 
- 
-To make the new policy effective, issue the command: 
- 
-<code> 
-systemctl restart polkit.service 
-</code> 
- 
-The syntax of the file is explained into the **[[https://www.freedesktop.org/software/polkit/docs/0.105/pklocalauthority.8.html|pklocalauthority man page]]**. 
- 
-First of all usint the **Identity** option we select the users interested into that policy. For managing printers we required the user to belong to the **lpadmin** and **adm** groups. The first group is the standard Debian group to manage printers, whereas the **adm** group is an arbitrary group assigned to some users by the NIS server (see the page **[[https://wiki.debian.org/SystemGroups|Debian system groups]]**). In our case the groups are determined by the NIS server, via the **/var/yp/ypfiles/group** file. 
- 
-For the **Action** part we had to discover the name of the printer management and the poweroff/halt/reboot. You can use the **pkaction** command and browse its output; also searching on the Net is a big resource. The **org.opensuse.cupspkhelper.mechanism.** is OpenSUSE and Ubuntu specific (I don't have it in my Debian box): 
- 
-<code> 
-pkaction | grep cupspkhelper 
-org.opensuse.cupspkhelper.mechanism.all-edit 
-org.opensuse.cupspkhelper.mechanism.class-edit 
-org.opensuse.cupspkhelper.mechanism.devices-get 
-org.opensuse.cupspkhelper.mechanism.job-edit 
-org.opensuse.cupspkhelper.mechanism.job-not-owned-edit 
-org.opensuse.cupspkhelper.mechanism.printer-enable 
-org.opensuse.cupspkhelper.mechanism.printer-local-edit 
-org.opensuse.cupspkhelper.mechanism.printer-remote-edit 
-org.opensuse.cupspkhelper.mechanism.printer-set-default 
-org.opensuse.cupspkhelper.mechanism.printeraddremove 
-org.opensuse.cupspkhelper.mechanism.server-settings 
-</code> 
- 
-For the reboot/poweroff/halt etc we have the following PolKit nodes: 
- 
-<code> 
-org.freedesktop.login1.halt 
-org.freedesktop.login1.hibernate 
-org.freedesktop.login1.power-off 
-org.freedesktop.login1.reboot 
-org.freedesktop.login1.suspend 
-</code> 
- 
-each of them have some sub-actions: 
- 
-<code> 
-pkaction | grep org.freedesktop.login1.power-off 
-org.freedesktop.login1.power-off 
-org.freedesktop.login1.power-off-ignore-inhibit 
-org.freedesktop.login1.power-off-multiple-sessions 
-</code> 
- 
-Finally the problem-solving option is **ResultAny**, which means that the policy is applicable for users logged-in in any status. The default policy is instead something like this: 
- 
-<code> 
-ResultAny=no 
-ResultInactive=no 
-ResultActive=yes 
-</code> 
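Review bot: no replacement text or link is added where the "NIS users unable to poweroff/reboot or manage printers" section is removed, so this revision drops the only description of the 10-nis-users.pkla workaround; if the section has moved to another page, leave a one-line pointer under the old heading. If the text is carried over, three things are worth correcting on the way. First, there is a stray "</code>" directly after "Using the command systemctl reboot -i does not work either", before the following "<code>" opens, which breaks the rendering of that block. Second, the prose says printer management requires membership in "the lpadmin and adm groups", but "Identity=unix-group:lpadmin;unix-group:adm" is a semicolon-separated list in which any one match is enough, so membership in either group grants the action. Third, "ResultAny=yes" combined with "org.freedesktop.login1.reboot*" applies regardless of session state and, through the wildcard, also covers the "-ignore-inhibit" and "-multiple-sessions" sub-actions shown in the pkaction output, so any adm member can reboot or power off the machine from a non-local login while other users are working. The text should say so explicitly, and the entry should be narrowed to the exact action names needed if that is not intended.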
doc/appunti/linux/sa/nis.txt · Last modified: 2020/12/16 16:27 by niccolo