Dbus denies access to the user added, authenticated via LDAP, SSSD, PAM

Naruto Nguyen narutonguyen2018 at gmail.com
Thu Mar 14 15:22:54 UTC 2019


Hello everyone,

I am using systemd 228. After the system starts successfully, I tried
to add a new LDAP user and log in to my system via ssh with one of my
configured users. I can log in successfully, but systemd throws an
error message (my system is set up to authenticate via LDAP, SSSD,
PAM):

"Failed to get unit: Access denied"

When I traced the systemd code, I found the message is thrown from a
method call via sd-bus. This is one of the functions I added in the
systemd source:

        /* Ask PID 1 for the object path of a unit by name. */
        r = sd_bus_call_method(
                        bus,
                        "org.freedesktop.systemd1",          /* destination */
                        "/org/freedesktop/systemd1",         /* object path */
                        "org.freedesktop.systemd1.Manager",  /* interface */
                        "GetUnit",                           /* method */
                        &error_message,                      /* sd_bus_error, filled on failure */
                        &reply_return,                       /* sd_bus_message *reply */
                        "s", name_unit);                     /* signature and argument */
        if (r < 0) {
                /* bus_error_message() prefers the peer's error text over strerror(-r). */
                return log_errno(r, "Failed to get unit: %s",
                                 bus_error_message(&error_message, r));
        }

But somehow it cannot call the GetUnit method of interface
org.freedesktop.systemd1.Manager and fails with the error "Access
denied". The problem disappears if I restart dbus. It looks like
restarting dbus causes dbus to pick up the new user added via LDAP.

When running

strace -f -tt busctl call org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager GetUnit s sys-devices-platform-serial8250-tty-ttyS6.device

07:54:32.027830 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
07:54:32.028045 getsockopt(3, SOL_SOCKET, SO_PEERCRED, {pid=1, uid=0, gid=0}, [12]) = 0
07:54:32.028146 fstat(3, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
07:54:32.028240 getsockopt(3, SOL_SOCKET, SO_ACCEPTCONN, [0], [4]) = 0
07:54:32.028369 getsockname(3, {sa_family=AF_LOCAL, NULL}, [2]) = 0
07:54:32.028477 geteuid()               = 701
07:54:32.028584 sendmsg(3, {msg_name(0)=NULL, msg_iov(3)=[{"\0AUTH EXTERNAL ", 15}, {"373031", 6}, {"\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n", 28}], msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 49
07:54:32.028854 gettid()                = 6861
07:54:32.028954 getrandom("f\7Wa\3512\306\316\3325\246\372\207\247\272(", 16, GRND_NONBLOCK) = 16
07:54:32.029115 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"REJECTED EXTERNAL DBUS_COOKIE_SH"..., 256}], msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) = 82
07:54:32.029230 writev(2, [{"Access denied", 13}, {"\n", 1}], 2Access denied


I can see that the "Access denied" is thrown because the system dbus
fails to authenticate the NEGOTIATE_UNIX_FD sent from the client. It
returns REJECTED EXTERNAL DBUS_COOKIE_SH.

I tried adding the LDAP user to the /etc/dbus-1/system.conf policy and
then sent SIGHUP to reload the configuration, and also to make dbus
flush its user cache, but dbus said:

Unknown username "ldap_demo" on element <allow>
Reloaded configuration

I searched the dbus source code. It calls
_dbus_get_user_id_and_primary_group, then
_dbus_user_database_get_system, to look up user ldap_demo in its
database, but I am not clear how this database is built. Could you
please help me with that? Why does restarting dbus fix the issue; does
restarting dbus make dbus aware of a newly added user? Is there any way
to make dbus aware of the new LDAP user other than restarting dbus, as
restarting dbus may impact the system?

Thanks a lot,
Brs,
Naruto
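As an added illustration of the handshake shown in the strace above (this is example code, not from the original post and not part of dbus), the snippet below decodes the client's AUTH EXTERNAL line, which carries the caller's uid as a hex-encoded decimal string, parses the server's REJECTED reply, and checks whether that uid is resolvable through NSS on the local host. The handshake strings are constructed samples modelled on the trace.

```python
import pwd
import re

# Constructed sample handshake (not the original bytes): the client's
# AUTH line as sent in the strace above, and a full server REJECTED reply.
CLIENT_AUTH = "\0AUTH EXTERNAL 373031\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n"
SERVER_REPLY = "REJECTED EXTERNAL DBUS_COOKIE_SHA1 ANONYMOUS\r\n"


def parse_auth_external(data: str) -> int:
    """Return the uid a client claims in 'AUTH EXTERNAL <hex>'.

    EXTERNAL sends the caller's uid as ASCII decimal, hex-encoded:
    '373031' decodes to the bytes '701'.
    """
    m = re.search(r"AUTH EXTERNAL ([0-9a-fA-F]+)\r\n", data)
    if not m:
        raise ValueError("no AUTH EXTERNAL command in handshake")
    return int(bytes.fromhex(m.group(1)).decode("ascii"))


def parse_rejected(data: str) -> list:
    """Return the mechanisms listed in a 'REJECTED <mech>...' reply,
    or [] when the reply is not a rejection."""
    m = re.match(r"REJECTED((?: [A-Z0-9_]+)*)\r\n", data)
    return m.group(1).split() if m else []


def uid_resolves(uid: int) -> bool:
    """True if the uid maps to an account via NSS. dbus-daemon performs
    the equivalent lookup through its own cached user database before
    it will accept an EXTERNAL identity."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def diagnose(client: str, server: str) -> str:
    """Summarise why an EXTERNAL handshake was rejected."""
    uid = parse_auth_external(client)
    mechs = parse_rejected(server)
    if not mechs:
        return f"uid {uid}: EXTERNAL auth not rejected"
    if uid_resolves(uid):
        return f"uid {uid} resolves here but EXTERNAL was rejected; server offers {mechs}"
    return f"uid {uid} does not resolve on this host; server offers {mechs}"


if __name__ == "__main__":
    print(diagnose(CLIENT_AUTH, SERVER_REPLY))
```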

