<div dir="ltr">Hi Lennart,<br><br>After debugging the problem, this is what I see when I strace the busctl call method command:<br><br>strace -f -tt busctl call org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager GetUnit s sys-devices-platform-serial8250-tty-ttyS6.device<br><br><br>07:54:32.027830 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0<br>07:54:32.028045 getsockopt(3, SOL_SOCKET, SO_PEERCRED, {pid=1, uid=0, gid=0}, [12]) = 0<br>07:54:32.028146 fstat(3, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0<br>07:54:32.028240 getsockopt(3, SOL_SOCKET, SO_ACCEPTCONN, [0], [4]) = 0<br>07:54:32.028369 getsockname(3, {sa_family=AF_LOCAL, NULL}, [2]) = 0<br>07:54:32.028477 geteuid() = 701<br>07:54:32.028584 sendmsg(3, {msg_name(0)=NULL, msg_iov(3)=[{"\0AUTH EXTERNAL ", 15}, {"373031", 6}, {"\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n", 28}], msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 49<br>07:54:32.028854 gettid() = 6861<br>07:54:32.028954 getrandom("f\7Wa\3512\306\316\3325\246\372\207\247\272(", 16, GRND_NONBLOCK) = 16<br><b>07:54:32.029115 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"REJECTED EXTERNAL DBUS_COOKIE_SH"..., 256}], msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) = 82</b><br><b>07:54:32.029230 writev(2, [{"Access denied", 13}, {"\n", 1}], 2Access denied</b><br><br>I can see that the "Access Denied" is thrown because the system dbus fails to authenticate
NEGOTIATE_UNIX_FD sent from the client. It returns
<b>REJECTED EXTERNAL DBUS_COOKIE_SH. </b> Could you please help explain why DBUS fails to authenticate? Is there any workaround to make it authenticate successfully? I restarted dbus and the error went away. I am not sure why, and maybe restarting dbus is not a good workaround.<div><br></div><div>My system uses SSSD, PAM and LDAP to authenticate the user.<br><div><br></div><div>Thanks,</div><div>Brs,</div><div>Naruto</div><div><br>On Sat, Mar 2, 2019 at 2:31 PM Bao Nguyen <<a href="mailto:baondt@gmail.com">baondt@gmail.com</a>> wrote:<br>><br>> Hi Lennart,<br>><br>> Thanks for your information.<br>><br>> I do not use selinux. Could you please show me how to enable dbus log?<br>> I found this thread <a href="https://wiki.ubuntu.com/DebuggingDBus">https://wiki.ubuntu.com/DebuggingDBus</a>, not sure it<br>> works but I'll give it a try.<br>><br>> BTW, last time, when I enabled systemd debug (systemd.log_level=debug), I<br>> found this log<br>><br>> systemd[1]: Got message type=method_call sender=:1.183<br>> destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1<br>> interface=org.freedesktop.systemd1.Manager member=GetUnit cookie=2<br>> reply_cookie=0 error=n/a<br>> systemd[1]: Sent message type=method_return sender=n/a<br>> destination=:1.183 object=n/a interface=n/a member=n/a cookie=2151<br>> reply_cookie=2 error=n/a<br>><br>> This is when I can ssh successfully. When it fails, the Sent message<br>> (and maybe Got Message as well, sorry I lost the log, I will update<br>> later) has sender and destination as "n/a". Could you please elaborate<br>> on this "n/a", can it lead to the "Access denied"?<br>><br>> And if dbus-daemon refused access to the unit's runtime data, when I<br>> restart dbus, there is no error "Access Denied" anymore. How does<br>> restarting dbus relate to Access Denied? 
If it is permission, I<br>> guess even after restarting dbus, it would still get Access Denied.<br>><br>> Sorry for asking a lot of questions.<br>><br>> Thanks a lot,<br>> Brs,<br>> Naruto<br>><br>> On Fri, Mar 1, 2019 at 5:22 PM Lennart Poettering<br>> <<a href="mailto:lennart@poettering.net">lennart@poettering.net</a>> wrote:<br>> ><br>> > On Do, 28.02.19 18:21, Bao Nguyen (<a href="mailto:baondt@gmail.com">baondt@gmail.com</a>) wrote:<br>> ><br>> > > Hello everyone,<br>> > ><br>> > > I am using systemd 228. When the system starts successfully, I tried<br>> > > to log in to my system via ssh with one of my configured users, and I can<br>> > > log in successfully but systemd throws an error message:<br>> > ><br>> > > "Failed to get unit: Access denied"<br>> > ><br>> > > When I trace the code of systemd, I found the message thrown from the<br>> > > method call via sdbus. This is one of the functions I added in the systemd<br>> > > source<br>> > ><br>> > > r = sd_bus_call_method(<br>> > > bus,<br>> > > "org.freedesktop.systemd1",<br>> > > "/org/freedesktop/systemd1",<br>> > > "org.freedesktop.systemd1.Manager",<br>> > > "GetUnit",<br>> > > &error_message,<br>> > > &reply_return,<br>> > > "s", name_unit);<br>> > > if (r < 0) {<br>> > > return log_errno(r, "Failed to get unit: %s",<br>> > > bus_error_message(&error_message, r));<br>> > > }<br>> > ><br>> > > But somehow it cannot call the GetUnit method from interface<br>> > > org.freedesktop.systemd1.Manager, with error "Access denied". Could you<br>> > > please let me know what the error message of this method call means?<br>> > > Does it relate in any way to user permissions, and can any permission setting of<br>> > > the user cause the method called via sdbus to fail to retrieve the unit<br>> > > object path for a unit name during ssh?<br>> ><br>> > This means dbus-daemon or selinux refused access to the unit's runtime<br>> > data.<br>> ><br>> > If it's dbus there might be more info in the dbus logs.<br>> ><br>> > If it's selinux (do you use that?) 
there might be AVCs...<br>> ><br>> > Lennart<br>> ><br>> > --<br>> > Lennart Poettering, Red Hat</div></div></div>
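The D-Bus authentication exchange visible in the strace output at the top of this thread, decoded as an added example (not code from any participant in the thread, nor from systemd or dbus). It pulls the SASL commands out of the sendmsg/recvmsg lines, decodes the hex argument of AUTH EXTERNAL into the uid the client claimed, and lists the mechanism names carried in the server's REJECTED reply; the function names and the trimmed sample are constructed for this example.

```python
import re

# Constructed sample: the two authentication syscalls from the strace output
# quoted in this thread, with the timestamps removed.
STRACE = r'''
sendmsg(3, {msg_name(0)=NULL, msg_iov(3)=[{"\0AUTH EXTERNAL ", 15}, {"373031", 6}, {"\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n", 28}], msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 49
recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"REJECTED EXTERNAL DBUS_COOKIE_SH"..., 256}], msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) = 82
'''

# One iovec entry as strace prints it: {"escaped text"[...], length}
IOV = re.compile(r'\{"((?:[^"\\]|\\.)*)"(\.\.\.)?, \d+\}')

def iov_payload(line):
    """Join the iovec strings of one strace line; report if strace cut them."""
    parts = IOV.findall(line)
    text = "".join(p[0] for p in parts)
    # strace prints C-style escapes (\0, \r, \n, octal); undo them.
    data = text.encode("latin-1").decode("unicode_escape")
    return data, any(p[1] for p in parts)

def decode_auth(strace_text):
    """Decode the D-Bus SASL handshake seen in sendmsg/recvmsg lines."""
    result = {"client": [], "uid": None, "rejected": False,
              "server_mechs": [], "truncated": False}
    for line in strace_text.splitlines():
        if not line.startswith(("sendmsg(", "recvmsg(")):
            continue
        data, cut = iov_payload(line)
        # The client sends a single NUL byte before its first command.
        cmds = [c for c in data.lstrip("\0").split("\r\n") if c]
        if line.startswith("sendmsg("):
            result["client"] += cmds
            for c in cmds:
                f = c.split()
                if f[:2] == ["AUTH", "EXTERNAL"] and len(f) == 3:
                    # EXTERNAL's argument is the hex-encoded decimal uid.
                    result["uid"] = int(bytes.fromhex(f[2]).decode("ascii"))
        else:
            for c in cmds:
                if c.startswith("REJECTED"):
                    result["rejected"] = True
                    # REJECTED carries the mechanisms the server offers.
                    result["server_mechs"] = c.split()[1:]
                    result["truncated"] = cut
    return result

if __name__ == "__main__":
    print(decode_auth(STRACE))
```

The decoded uid is 701, the same value geteuid() returns in the trace, and the last mechanism name is cut off by strace's default string limit; rerunning strace with a larger `-s` value shows the full reply.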