neutrinolabs / xrdp

xrdp: an open source RDP server
http://www.xrdp.org/
Apache License 2.0

xrdp-sesman reports wrong policy subject to agent when user is ldap #1039

Open jmfrank63 opened 6 years ago

jmfrank63 commented 6 years ago

The bug has been reported here as well: https://bugs.centos.org/view.php?id=14485

polkit 0.112-12.el7_3 fails to register any agent when machine is puppeted and user is retrieved via ldap. Example agent (xfce, but kde and mate fail the same): /usr/libexec/xfce-polkit

(xfce-polkit:15429): CRITICAL : polkit_agent_listener_register_with_options: assertion 'POLKIT_IS_SUBJECT (subject)' failed
(xfce-polkit:15429): GLib-GObject-CRITICAL **: g_object_unref: assertion 'G_IS_OBJECT (object)' failed

I have no idea why this could be failing. It looks like getpeername correctly assumes a socket but gets a file. It can always be reproduced. However I do not exactly know how puppet and ldap work, so I cannot give instructions how to reproduce outside of my company. However I will supply any additional information that might help. I did the following troubleshooting: checked with other desktops, polkit agents always fail.

User is not in /etc/passwd, nor are the groups. Access is via xrdp, no display manager, it isn't even installed. pamtester authorises fine against sshd, xrdp-sesman and polkit-1. Local installed user that is not retrieved via ldap fails as well, with exactly the same error. authconfig 

System is puppeted with user as ldap user, not in /etc/passwd.

However a local installed user fails as well.

Source of polkit is here:  https://github.com/wingo/polkit/blob/4c9a813f3fc1ada4fcce508d286e95f965a3002a/src/polkitagent/polkitagentlistener.c

/etc/pam.d/system-auth-ac:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     sufficient    pam_ldap.so
account     sufficient    pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_first_pass
password    required      pam_deny.so

session     required      pam_mkhomedir.so skel=/etc/skel umask=0077
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_unix.so
session     sufficient    pam_ldap.so

strace:

futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/proc/9527/cgroup", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84828fa000
read(5, "11:freezer:/\n10:memory:/\n9:cpuac"..., 1024) = 192
close(5)                                = 0
munmap(0x7f84828fa000, 4096)            = 0
open("/proc/1/cgroup", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84828fa000
read(5, "11:freezer:/\n10:memory:/\n9:cpuac"..., 1024) = 148
close(5)                                = 0
munmap(0x7f84828fa000, 4096)            = 0
futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
getpeername(2, 0x7ffc19e92230, 0x7ffc19e9222c) = -1 ENOTSOCK (Socket operation on non-socket)
futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
ioctl(2, TCGETS, {B38400 opost isig icanon echo ...}) = 0
open("/usr/lib64/charset.alias", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "\n** (xfce-polkit:9527): \33[1;35mC"..., 140
** (xfce-polkit:9527): CRITICAL **: polkit_agent_listener_register_with_options: assertion 'POLKIT_IS_SUBJECT (subject)' failed
) = 140

Content of cgroup:

11:freezer:/
10:memory:/
9:cpuacct,cpu:/
8:blkio:/
7:net_prio,net_cls:/
6:cpuset:/
5:perf_event:/
4:hugetlb:/
3:devices:/system.slice/xrdp-sesman.service
2:pids:/
1:name=systemd:/system.slice/xrdp-sesman.service

moobyfr commented 6 years ago

There is nothing related to puppet, puppet only applies configuration asked by the sysadmin. I think that the user source isn't related too (/etc/passwd or ldap). There can be probably missing bits for systemd because opening sessions remotely isn't really prepared on systemd and xrdp doesn't implement any systemd hooks.
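Added example, not part of the issue thread or of xrdp or polkit: a small Python check for the condition the cgroup listing in the report shows. The processes started by xrdp-sesman sit under `/system.slice/xrdp-sesman.service` rather than under a logind session scope (`/user.slice/user-N.slice/session-X.scope`). On the assumption that polkit resolves the session subject of the agent process from its cgroup via logind, a process that is not inside a session scope cannot get a session subject, which matches the `POLKIT_IS_SUBJECT (subject)` assertion. The script parses `/proc/<pid>/cgroup` (cgroup v1 `name=systemd` hierarchy, or the single cgroup v2 line) and reports whether the process lives in a session scope or in a system service. The two sample listings are constructed for the example; the first reproduces the listing quoted above.

```python
import re
import sys
from pathlib import Path

# Constructed sample: the /proc/<pid>/cgroup listing quoted in the issue report
# (a process spawned under the xrdp-sesman system service, cgroup v1).
SAMPLE_SESMAN_CGROUP = """11:freezer:/
10:memory:/
9:cpuacct,cpu:/
8:blkio:/
7:net_prio,net_cls:/
6:cpuset:/
5:perf_event:/
4:hugetlb:/
3:devices:/system.slice/xrdp-sesman.service
2:pids:/
1:name=systemd:/system.slice/xrdp-sesman.service
"""

# Constructed sample: what the systemd hierarchy line looks like for a process
# that logind placed inside a user session scope (cgroup v1 layout).
SAMPLE_SESSION_CGROUP = "1:name=systemd:/user.slice/user-1000.slice/session-3.scope\n"

SESSION_RE = re.compile(r"/session-([^/]+)\.scope$")


def parse_cgroup(text):
    """Parse 'hierarchy-id:controllers:path' lines into {controllers: path}.
    cgroup v2 uses a single '0::/path' line, which lands under the key ''."""
    mapping = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hid, controllers, path = line.split(":", 2)
        mapping[controllers] = path
    return mapping


def systemd_path(cgroups):
    """Return the path systemd tracks the process under (v1 'name=systemd' or v2)."""
    return cgroups.get("name=systemd") or cgroups.get("")


def classify(text):
    """Classify a /proc/<pid>/cgroup listing.

    Returns ('session', session_id) when the process is inside a logind session
    scope, ('service', unit_name) when it runs under a system service (the
    situation in the report), or ('unknown', path) otherwise."""
    path = systemd_path(parse_cgroup(text))
    if path is None:
        return ("unknown", None)
    match = SESSION_RE.search(path)
    if match:
        return ("session", match.group(1))
    if path.startswith("/system.slice/"):
        return ("service", path.rsplit("/", 1)[-1])
    return ("unknown", path)


def check_pid(pid="self"):
    """Read and classify the cgroup of a live process (hypothetical helper for local use)."""
    return classify(Path(f"/proc/{pid}/cgroup").read_text())


if __name__ == "__main__":
    # Usage: python3 cgroup_session_check.py [pid]   (defaults to this process)
    target = sys.argv[1] if len(sys.argv) > 1 else "self"
    kind, detail = check_pid(target)
    if kind == "session":
        print(f"pid {target}: inside logind session {detail}")
    elif kind == "service":
        print(f"pid {target}: under system service {detail}, no logind session scope")
    else:
        print(f"pid {target}: unrecognised systemd cgroup path {detail!r}")
```

Run it against the PID of the failing agent (the one in the strace above) to see which unit it is tracked under; a `service` result with `xrdp-sesman.service` is the situation described in the report, whereas a desktop session started through a display manager yields a `session` result.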

jmfrank63 commented 6 years ago

Hi @moobyfr, I installed the same exact version on an AWS machine and it worked seamlessly. Do you have any hints I could look for what the difference between the two systems could be?

jmfrank63 commented 6 years ago

I am not a good C programmer, however willing to learn. I have some Python skills. If someone could point me in the right direction how to track this down (debugger etc.), I'll do the work. Thank you