Re: [systemd-devel] Cannot call GetUnit method with ssh

2019-03-12 Thread Lennart Poettering
On Tue, 12.03.19 18:17, Bao Nguyen (bao...@gmail.com) wrote:

> Hi again,
>
> I tried to add the LDAP user in /etc/dbus-1/system.conf policy and then
> send signal SIGHUP to reload the configuration, also for dbus flush user
> cache, but dbus said that
>
> Unknown username "ldap_demo" on element 
> Reloaded configuration
>
> I search the source code in dbus. it will
> call _dbus_get_user_id_and_primary_group ,
> then _dbus_user_database_get_system to search user ldap_demo in its
> database but I am not clear how this database is built. Could you please
> help me for that?
> Is there anyway to make dbus aware the new user except restart dbus? If I
> restart dbus, does it have any impact to the system?

Please contact the dbus mailing list instead. They can definitely help
you better there than here.

Lennart

--
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Cannot call GetUnit method with ssh

2019-03-12 Thread Bao Nguyen
Hi Mantas,

Thanks for your reply.

"Hold on – why are you whitelisting individual users for
systemd.GetMethod()?  "

Sorry, I am not clear on your question. My intent is to add the user that fails
to authenticate with DBUS in the previous email to the policy config file, to
troubleshoot whether dbus resolves it or not. But it throws "Unknown username", so
I think dbus does not know anything about this user and that leads to the
authentication failure.

Brs,
Bao



On Tue, Mar 12, 2019 at 6:20 PM Mantas Mikulėnas  wrote:

> On Tue, Mar 12, 2019 at 1:17 PM Bao Nguyen  wrote:
>
>> Hi again,
>>
>> I tried to add the LDAP user in /etc/dbus-1/system.conf policy and then
>> send signal SIGHUP to reload the configuration, also for dbus flush user
>> cache, but dbus said that
>>
>> Unknown username "ldap_demo" on element 
>> Reloaded configuration
>>
>
> Hold on – why are you whitelisting individual users for
> systemd.GetMethod()?
>
>
>>
>> I search the source code in dbus. it will
>> call _dbus_get_user_id_and_primary_group ,
>> then _dbus_user_database_get_system to search user ldap_demo in its
>> database but I am not clear how this database is built. Could you please
>> help me for that?
>> Is there anyway to make dbus aware the new user except restart dbus?
>>
>
>
>
>> If I restart dbus, does it have any impact to the system?
>>
>
> Yes; it closes all existing bus connections, which may cause many services
> to exit.
>
>
>>
>> Thanks,
>> Brs,
>> Bao
>>
>>
>> On Fri, Mar 8, 2019 at 5:54 PM Lennart Poettering 
>> wrote:
>>
>>> On Fr, 08.03.19 11:59, Mantas Mikulėnas (graw...@gmail.com) wrote:
>>>
>>> > > dbus policy can only reference users that are available locally at
>>> any
>>> > > time, i.e. generally system users, not human users.
>>> > >
>>> > >
>>> > Hmm, but in this case, the client seems to be completely refused
>>> access to
>>> > the bus – not just blocked by policy from sending some message. The
>>> system
>>> > bus normally allows any user to connect (I mean, I have no problems
>>> > accessing it from an LDAP account), so I'm not sure why the bus config
>>> > should matter at this point.
>>>
>>> At this point this is probably something to move to the dbus list... I
>>> don't remember how precisely dbus-daemon authenticates stuff, I just
>>> have a rough idea.
>>>
>>> Lennart
>>>
>>> --
>>> Lennart Poettering, Red Hat
>>>
>>
>
> --
> Mantas Mikulėnas
>

Re: [systemd-devel] Cannot call GetUnit method with ssh

2019-03-12 Thread Mantas Mikulėnas
On Tue, Mar 12, 2019 at 1:17 PM Bao Nguyen  wrote:

> Hi again,
>
> I tried to add the LDAP user in /etc/dbus-1/system.conf policy and then
> send signal SIGHUP to reload the configuration, also for dbus flush user
> cache, but dbus said that
>
> Unknown username "ldap_demo" on element 
> Reloaded configuration
>

Hold on – why are you whitelisting individual users for systemd.GetMethod()?


>
> I search the source code in dbus. it will
> call _dbus_get_user_id_and_primary_group ,
> then _dbus_user_database_get_system to search user ldap_demo in its
> database but I am not clear how this database is built. Could you please
> help me for that?
> Is there anyway to make dbus aware the new user except restart dbus?
>



> If I restart dbus, does it have any impact to the system?
>

Yes; it closes all existing bus connections, which may cause many services
to exit.


>
> Thanks,
> Brs,
> Bao
>
>
> On Fri, Mar 8, 2019 at 5:54 PM Lennart Poettering 
> wrote:
>
>> On Fr, 08.03.19 11:59, Mantas Mikulėnas (graw...@gmail.com) wrote:
>>
>> > > dbus policy can only reference users that are available locally at any
>> > > time, i.e. generally system users, not human users.
>> > >
>> > >
>> > Hmm, but in this case, the client seems to be completely refused access
>> to
>> > the bus – not just blocked by policy from sending some message. The
>> system
>> > bus normally allows any user to connect (I mean, I have no problems
>> > accessing it from an LDAP account), so I'm not sure why the bus config
>> > should matter at this point.
>>
>> At this point this is probably something to move to the dbus list... I
>> don't remember how precisely dbus-daemon authenticates stuff, I just
>> have a rough idea.
>>
>> Lennart
>>
>> --
>> Lennart Poettering, Red Hat
>>
>

-- 
Mantas Mikulėnas

Re: [systemd-devel] Cannot call GetUnit method with ssh

2019-03-12 Thread Bao Nguyen
Hi again,

I tried to add the LDAP user to the /etc/dbus-1/system.conf policy and then
sent the SIGHUP signal to reload the configuration, and also to make dbus flush
its user cache, but dbus said:

Unknown username "ldap_demo" on element 
Reloaded configuration

I searched the source code of dbus. It will
call _dbus_get_user_id_and_primary_group,
then _dbus_user_database_get_system to search for user ldap_demo in its
database, but I am not clear how this database is built. Could you please
help me with that?
Is there any way to make dbus aware of the new user other than restarting dbus?
If I restart dbus, does it have any impact on the system?

Thanks,
Brs,
Bao


On Fri, Mar 8, 2019 at 5:54 PM Lennart Poettering 
wrote:

> On Fr, 08.03.19 11:59, Mantas Mikulėnas (graw...@gmail.com) wrote:
>
> > > dbus policy can only reference users that are available locally at any
> > > time, i.e. generally system users, not human users.
> > >
> > >
> > Hmm, but in this case, the client seems to be completely refused access
> to
> > the bus – not just blocked by policy from sending some message. The
> system
> > bus normally allows any user to connect (I mean, I have no problems
> > accessing it from an LDAP account), so I'm not sure why the bus config
> > should matter at this point.
>
> At this point this is probably something to move to the dbus list... I
> don't remember how precisely dbus-daemon authenticates stuff, I just
> have a rough idea.
>
> Lennart
>
> --
> Lennart Poettering, Red Hat
>

Re: [systemd-devel] Cannot call GetUnit method with ssh

2019-03-08 Thread Lennart Poettering
On Fri, 08.03.19 11:59, Mantas Mikulėnas (graw...@gmail.com) wrote:

> > dbus policy can only reference users that are available locally at any
> > time, i.e. generally system users, not human users.
> >
> >
> Hmm, but in this case, the client seems to be completely refused access to
> the bus – not just blocked by policy from sending some message. The system
> bus normally allows any user to connect (I mean, I have no problems
> accessing it from an LDAP account), so I'm not sure why the bus config
> should matter at this point.

At this point this is probably something to move to the dbus list... I
don't remember how precisely dbus-daemon authenticates stuff, I just
have a rough idea.

Lennart

--
Lennart Poettering, Red Hat

Re: [systemd-devel] Cannot call GetUnit method with ssh

2019-03-08 Thread Bao Nguyen
Hi Lennart & Mantas,

Thanks a lot for your quick response.

Maybe you're right, dbus-daemon resolves users mentioned in its policy
files at start-up. And then, after adding a new user to LDAP, dbus-daemon
has not resolved it yet, so it does not allow access to the system bus.
That may be the reason that restarting dbus resolves the issue, meaning it
makes dbus aware of the new user. However, as Mantas said he does not see
the issue with an LDAP account, could Mantas please add a new LDAP account
again to confirm whether you see the same problem or not, or whether for any
new LDAP account added you do not see the issue without restarting dbus?

BTW, I remember I did not see the same problem in older systemd; I am not
sure if later systemd has any changes that make the "Access denied" issue
happen for LDAP, or could you please let me know whether it is
expected behavior for every version of systemd?

Thanks,
Brs,
Naruto

On Fri, Mar 8, 2019 at 4:59 PM Mantas Mikulėnas  wrote:
>
> On Fri, Mar 8, 2019 at 11:54 AM Lennart Poettering  
> wrote:
>>
>> On Fr, 08.03.19 16:05, Bao Nguyen (bao...@gmail.com) wrote:
>>
>> > Hi Lennart,
>> >
>> > After debugging the problem, when strace the busctl call method command
>> >
>> > strace -f -tt busctl call org.freedesktop.systemd1
>> > /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager GetUnit s
>> > sys-devices-platform-serial8250-tty-ttyS6.device
>> >
>> >
>> > 07:54:32.027830 connect(3, {sa_family=AF_LOCAL,
>> > sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
>> > 07:54:32.028045 getsockopt(3, SOL_SOCKET, SO_PEERCRED, {pid=1, uid=0,
>> > gid=0}, [12]) = 0
>> > 07:54:32.028146 fstat(3, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
>> > 07:54:32.028240 getsockopt(3, SOL_SOCKET, SO_ACCEPTCONN, [0], [4]) = 0
>> > 07:54:32.028369 getsockname(3, {sa_family=AF_LOCAL, NULL}, [2]) = 0
>> > 07:54:32.028477 geteuid()   = 701
>> > 07:54:32.028584 sendmsg(3, {msg_name(0)=NULL, msg_iov(3)=[{"\0AUTH EXTERNAL
>> > ", 15}, {"373031", 6}, {"\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n", 28}],
>> > msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 49
>> > 07:54:32.028854 gettid()= 6861
>> > 07:54:32.028954 getrandom("f\7Wa\3512\306\316\3325\246\372\207\247\272(",
>> > 16, GRND_NONBLOCK) = 16
>> > *07:54:32.029115 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"REJECTED
>> > EXTERNAL DBUS_COOKIE_SH"..., 256}], msg_controllen=0,
>> > msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) =
>> > 82*
>> > *07:54:32.029230 writev(2, [{"Access denied", 13}, {"\n", 1}], 2Access
>> > denied*
>> >
>> > I can see that the "Access Denied" is thrown because the system dbus fail
>> > to authenticate  NEGOTIATE_UNIX_FD sent from client . It returns   
>> > *REJECTED
>> > EXTERNAL DBUS_COOKIE_SH. * Could you please help to explain more why DBUS
>> > fail to authenticate? Is there any work around to make it authenticate
>> > successfully? I restart dbus and the error is gone away. Not sure why and
>> > maybe restarting dbus is not a good WA to do.
>> >
>> > My system uses SSSD, PAM and LDAP to authenticate the user,
>>
>> dbus-daemon resolves users mentioned in its policy files at
>> start-up. Are you referencing users that are defined in SSSD/LDAP? If
>> so, that's most likely your problem. You can't do that.
>>
>> dbus policy can only reference users that are available locally at any
>> time, i.e. generally system users, not human users.
>>
>
> Hmm, but in this case, the client seems to be completely refused access to 
> the bus – not just blocked by policy from sending some message. The system 
> bus normally allows any user to connect (I mean, I have no problems accessing 
> it from an LDAP account), so I'm not sure why the bus config should matter at 
> this point.
>
> --
> Mantas Mikulėnas

Re: [systemd-devel] Cannot call GetUnit method with ssh

2019-03-08 Thread Mantas Mikulėnas
On Fri, Mar 8, 2019 at 11:54 AM Lennart Poettering 
wrote:

> On Fr, 08.03.19 16:05, Bao Nguyen (bao...@gmail.com) wrote:
>
> > Hi Lennart,
> >
> > After debugging the problem, when strace the busctl call method command
> >
> > strace -f -tt busctl call org.freedesktop.systemd1
> > /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager GetUnit s
> > sys-devices-platform-serial8250-tty-ttyS6.device
> >
> >
> > 07:54:32.027830 connect(3, {sa_family=AF_LOCAL,
> > sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
> > 07:54:32.028045 getsockopt(3, SOL_SOCKET, SO_PEERCRED, {pid=1, uid=0,
> > gid=0}, [12]) = 0
> > 07:54:32.028146 fstat(3, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> > 07:54:32.028240 getsockopt(3, SOL_SOCKET, SO_ACCEPTCONN, [0], [4]) = 0
> > 07:54:32.028369 getsockname(3, {sa_family=AF_LOCAL, NULL}, [2]) = 0
> > 07:54:32.028477 geteuid()   = 701
> > 07:54:32.028584 sendmsg(3, {msg_name(0)=NULL, msg_iov(3)=[{"\0AUTH
> EXTERNAL
> > ", 15}, {"373031", 6}, {"\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n", 28}],
> > msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 49
> > 07:54:32.028854 gettid()= 6861
> > 07:54:32.028954 getrandom("f\7Wa\3512\306\316\3325\246\372\207\247\272(",
> > 16, GRND_NONBLOCK) = 16
> > *07:54:32.029115 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"REJECTED
> > EXTERNAL DBUS_COOKIE_SH"..., 256}], msg_controllen=0,
> > msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC)
> =
> > 82*
> > *07:54:32.029230 writev(2, [{"Access denied", 13}, {"\n", 1}], 2Access
> > denied*
> >
> > I can see that the "Access Denied" is thrown because the system dbus fail
> > to authenticate  NEGOTIATE_UNIX_FD sent from client . It returns
>  *REJECTED
> > EXTERNAL DBUS_COOKIE_SH. * Could you please help to explain more why DBUS
> > fail to authenticate? Is there any work around to make it authenticate
> > successfully? I restart dbus and the error is gone away. Not sure why and
> > maybe restarting dbus is not a good WA to do.
> >
> > My system uses SSSD, PAM and LDAP to authenticate the user,
>
> dbus-daemon resolves users mentioned in its policy files at
> start-up. Are you referencing users that are defined in SSSD/LDAP? If
> so, that's most likely your problem. You can't do that.
>
> dbus policy can only reference users that are available locally at any
> time, i.e. generally system users, not human users.
>
>
Hmm, but in this case, the client seems to be completely refused access to
the bus – not just blocked by policy from sending some message. The system
bus normally allows any user to connect (I mean, I have no problems
accessing it from an LDAP account), so I'm not sure why the bus config
should matter at this point.

-- 
Mantas Mikulėnas

Re: [systemd-devel] Cannot call GetUnit method with ssh

2019-03-08 Thread Lennart Poettering
On Fri, 08.03.19 16:05, Bao Nguyen (bao...@gmail.com) wrote:

> Hi Lennart,
>
> After debugging the problem, when strace the busctl call method command
>
> strace -f -tt busctl call org.freedesktop.systemd1
> /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager GetUnit s
> sys-devices-platform-serial8250-tty-ttyS6.device
>
>
> 07:54:32.027830 connect(3, {sa_family=AF_LOCAL,
> sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
> 07:54:32.028045 getsockopt(3, SOL_SOCKET, SO_PEERCRED, {pid=1, uid=0,
> gid=0}, [12]) = 0
> 07:54:32.028146 fstat(3, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> 07:54:32.028240 getsockopt(3, SOL_SOCKET, SO_ACCEPTCONN, [0], [4]) = 0
> 07:54:32.028369 getsockname(3, {sa_family=AF_LOCAL, NULL}, [2]) = 0
> 07:54:32.028477 geteuid()   = 701
> 07:54:32.028584 sendmsg(3, {msg_name(0)=NULL, msg_iov(3)=[{"\0AUTH EXTERNAL
> ", 15}, {"373031", 6}, {"\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n", 28}],
> msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 49
> 07:54:32.028854 gettid()= 6861
> 07:54:32.028954 getrandom("f\7Wa\3512\306\316\3325\246\372\207\247\272(",
> 16, GRND_NONBLOCK) = 16
> *07:54:32.029115 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"REJECTED
> EXTERNAL DBUS_COOKIE_SH"..., 256}], msg_controllen=0,
> msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) =
> 82*
> *07:54:32.029230 writev(2, [{"Access denied", 13}, {"\n", 1}], 2Access
> denied*
>
> I can see that the "Access Denied" is thrown because the system dbus fail
> to authenticate  NEGOTIATE_UNIX_FD sent from client . It returns   *REJECTED
> EXTERNAL DBUS_COOKIE_SH. * Could you please help to explain more why DBUS
> fail to authenticate? Is there any work around to make it authenticate
> successfully? I restart dbus and the error is gone away. Not sure why and
> maybe restarting dbus is not a good WA to do.
>
> My system uses SSSD, PAM and LDAP to authenticate the user,

dbus-daemon resolves users mentioned in its policy files at
start-up. Are you referencing users that are defined in SSSD/LDAP? If
so, that's most likely your problem. You can't do that.

dbus policy can only reference users that are available locally at any
time, i.e. generally system users, not human users.

Lennart

--
Lennart Poettering, Red Hat

Re: [systemd-devel] Cannot call GetUnit method with ssh

2019-03-08 Thread Bao Nguyen
Hi Lennart,

After debugging the problem, I ran strace on the busctl call method command:

strace -f -tt busctl call org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager GetUnit s sys-devices-platform-serial8250-tty-ttyS6.device

07:54:32.027830 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
07:54:32.028045 getsockopt(3, SOL_SOCKET, SO_PEERCRED, {pid=1, uid=0, gid=0}, [12]) = 0
07:54:32.028146 fstat(3, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
07:54:32.028240 getsockopt(3, SOL_SOCKET, SO_ACCEPTCONN, [0], [4]) = 0
07:54:32.028369 getsockname(3, {sa_family=AF_LOCAL, NULL}, [2]) = 0
07:54:32.028477 geteuid() = 701
07:54:32.028584 sendmsg(3, {msg_name(0)=NULL, msg_iov(3)=[{"\0AUTH EXTERNAL ", 15}, {"373031", 6}, {"\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n", 28}], msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 49
07:54:32.028854 gettid() = 6861
07:54:32.028954 getrandom("f\7Wa\3512\306\316\3325\246\372\207\247\272(", 16, GRND_NONBLOCK) = 16
*07:54:32.029115 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"REJECTED EXTERNAL DBUS_COOKIE_SH"..., 256}], msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) = 82*
*07:54:32.029230 writev(2, [{"Access denied", 13}, {"\n", 1}], 2Access denied*

I can see that the "Access denied" is thrown because the system dbus fails
to authenticate the NEGOTIATE_UNIX_FD sent from the client. It returns *REJECTED
EXTERNAL DBUS_COOKIE_SH*. Could you please help to explain more why DBUS
fails to authenticate? Is there any workaround to make it authenticate
successfully? I restarted dbus and the error went away. Not sure why, and
maybe restarting dbus is not a good workaround.

My system uses SSSD, PAM and LDAP to authenticate the user.

Thanks,
Brs,
Naruto

On Sat, Mar 2, 2019 at 2:31 PM Bao Nguyen  wrote:
>
> Hi Lennart,
>
> Thanks for your information.
>
> I do not use selinux. Could you please show me how to enable dbus log?
> I found this thread https://wiki.ubuntu.com/DebuggingDBus, not sure it
> works but I'll give it a try.
>
> BTW, last time when I enable systemd debug systemd.log_level=debug, I
> found this log
>
> systemd[1]: Got message type=method_call sender=:1.183
> destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1
> interface=org.freedesktop.systemd1.Manager member=GetUnit cookie=2
> reply_cookie=0 error=n/a
> systemd[1]: Sent message type=method_return sender=n/a
> destination=:1.183 object=n/a interface=n/a member=n/a cookie=2151
> reply_cookie=2 error=n/a
>
> This is when I can ssh successfully, when it fails, the Sent message
> (and maybe Got Message as well, sorry I lost the log, I will update
> later) has sender and destination is "n/a". Could you please elaborate
> on this "n/a", can it lead to the "Access denied"?
>
> And if dbus-daemon refused access to the unit's runtime data, when I
> restart dbus, there is no error "Access Denied" anymore. How does
> restarting dbus relate with Access Denied? If it is permission, I
> guess even restarting dbus, it still meets Access Denied.
>
> Sorry for asking a lot of questions.
>
> Thanks a lot,
> Brs,
> Naruto
>
> On Fri, Mar 1, 2019 at 5:22 PM Lennart Poettering
>  wrote:
> >
> > On Do, 28.02.19 18:21, Bao Nguyen (bao...@gmail.com) wrote:
> >
> > > Hello everyone,
> > >
> > > I am using systemd 228. When the system starts successfully, I tried
> > > to login to my system via ssh with my one of setting users, and I can
> > > log in successfully but systemd throws an error message:
> > >
> > > "Failed to get unit: Access denied"
> > >
> > > When I trace code of systemd, I found the message thrown from the
> > > method call via sdbus. This is one of function I added in systemd
> > > source
> > >
> > > r = sd_bus_call_method(
> > > bus,
> > > "org.freedesktop.systemd1",
> > > "/org/freedesktop/systemd1",
> > > "org.freedesktop.systemd1.Manager",
> > > "GetUnit",
> > > _message,
> > > _return,
> > > "s", name_unit);
> > > if (r < 0) {
> > > return log_errno(r, "Failed to get unit: %s",
> > > bus_error_message(_message, r));
> > > }
> > >
> > > But somehow it cannot call GetUnit method from interface
> > > org.freedesktop.systemd1.Manager with error "Access denied". Could you
> > > please let me know what the error message of this method call means ?
> > > Does it relate any to user permission and if any setting permission of
> > > user can cause the method called via sdbus can not retrieve unit
> > > object path for a unit name during ssh?
> >
> > This means dbus-daemon or selinux refused access to the unit's runtime
> > data.
> >
> > if it's dbus there might be more info in the dbus logs.
> >
> > if it's selinux (do you use that?) there might 
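
Added example, not part of the original thread: a small Python decoder for the D-Bus SASL exchange visible in the strace output of this message, showing which UID the client claimed and at which stage the server refused it. The byte strings are reassembled from the sendmsg()/recvmsg() lines of the trace, and the function names are illustrative.

```python
"""Decode the D-Bus SASL handshake seen in the strace output (added example)."""

# Bytes reassembled from the three sendmsg() iovecs in the trace (15+6+28 = 49).
CLIENT_BYTES = b"\0AUTH EXTERNAL " + b"373031" + b"\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n"
# strace printed only the first 32 characters of the 82-byte reply, so the
# second mechanism name is cut short here exactly as it is in the trace.
SERVER_BYTES_TRUNCATED = b"REJECTED EXTERNAL DBUS_COOKIE_SH"
TRACE_EUID = 701  # value returned by geteuid() in the trace


def parse_client_handshake(data):
    """Split the client's pipelined auth commands and decode the claimed UID."""
    if not data.startswith(b"\0"):
        raise ValueError("client stream must start with a NUL byte")
    parsed = {"commands": [], "mechanism": None, "claimed_uid": None}
    for raw in data[1:].split(b"\r\n"):
        if not raw:
            continue
        fields = raw.decode("ascii").split(" ")
        parsed["commands"].append(fields[0])
        if fields[0] != "AUTH" or len(fields) < 2:
            continue
        parsed["mechanism"] = fields[1]
        if fields[1] == "EXTERNAL" and len(fields) == 3 and fields[2]:
            # The initial response is the decimal UID string, hex-encoded:
            # "373031" -> b"701" -> 701.
            uid_text = bytes.fromhex(fields[2]).decode("ascii")
            if not uid_text.isdigit():
                raise ValueError("EXTERNAL response is not a decimal UID")
            parsed["claimed_uid"] = int(uid_text)
    return parsed


def parse_server_reply(data):
    """Parse the first line of the server's answer to AUTH."""
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    verb, _, rest = line.partition(" ")
    reply = {"verb": verb, "mechanisms": [], "guid": None}
    if verb == "REJECTED":
        # REJECTED carries the list of mechanisms the server is willing to try.
        reply["mechanisms"] = rest.split()
    elif verb == "OK":
        reply["guid"] = rest
    return reply


def diagnose(client_bytes, server_bytes, process_euid):
    """Summarise where the exchange stopped."""
    client = parse_client_handshake(client_bytes)
    server = parse_server_reply(server_bytes)
    finding = {
        "claimed_uid": client["claimed_uid"],
        "uid_matches_euid": client["claimed_uid"] == process_euid,
        "server_verb": server["verb"],
        "mechanism_offered": client["mechanism"] in server["mechanisms"],
    }
    if server["verb"] == "OK":
        finding["stage"] = "authenticated"
    elif server["verb"] == "REJECTED":
        # The connection was never authenticated, so the GetUnit method call
        # was not processed for it; the client then printed "Access denied".
        finding["stage"] = "sasl-auth"
    else:
        finding["stage"] = "unknown"
    return finding


if __name__ == "__main__":
    for key, value in diagnose(CLIENT_BYTES, SERVER_BYTES_TRUNCATED,
                               TRACE_EUID).items():
        print(f"{key}: {value}")
```

The client claimed UID 701, the same value geteuid() returned, and the server still offers EXTERNAL in its REJECTED line, so the refusal concerns the identity on the server side rather than a malformed request from busctl.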

Re: [systemd-devel] Cannot call GetUnit method with ssh

2019-03-01 Thread Bao Nguyen
Hi Lennart,

Thanks for your information.

I do not use selinux. Could you please show me how to enable dbus log?
I found this thread https://wiki.ubuntu.com/DebuggingDBus, not sure it
works but I'll give it a try.

BTW, last time when I enable systemd debug systemd.log_level=debug, I
found this log

systemd[1]: Got message type=method_call sender=:1.183
destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager member=GetUnit cookie=2
reply_cookie=0 error=n/a
systemd[1]: Sent message type=method_return sender=n/a
destination=:1.183 object=n/a interface=n/a member=n/a cookie=2151
reply_cookie=2 error=n/a

This is when I can ssh successfully, when it fails, the Sent message
(and maybe Got Message as well, sorry I lost the log, I will update
later) has sender and destination is "n/a". Could you please elaborate
on this "n/a", can it lead to the "Access denied"?

And if dbus-daemon refused access to the unit's runtime data, when I
restart dbus, there is no error "Access Denied" anymore. How does
restarting dbus relate with Access Denied? If it is permission, I
guess even restarting dbus, it still meets Access Denied.

Sorry for asking a lot of questions.

Thanks a lot,
Brs,
Naruto

On Fri, Mar 1, 2019 at 5:22 PM Lennart Poettering
 wrote:
>
> On Do, 28.02.19 18:21, Bao Nguyen (bao...@gmail.com) wrote:
>
> > Hello everyone,
> >
> > I am using systemd 228. When the system starts successfully, I tried
> > to login to my system via ssh with my one of setting users, and I can
> > log in successfully but systemd throws an error message:
> >
> > "Failed to get unit: Access denied"
> >
> > When I trace code of systemd, I found the message thrown from the
> > method call via sdbus. This is one of function I added in systemd
> > source
> >
> > r = sd_bus_call_method(
> > bus,
> > "org.freedesktop.systemd1",
> > "/org/freedesktop/systemd1",
> > "org.freedesktop.systemd1.Manager",
> > "GetUnit",
> > _message,
> > _return,
> > "s", name_unit);
> > if (r < 0) {
> > return log_errno(r, "Failed to get unit: %s",
> > bus_error_message(_message, r));
> > }
> >
> > But somehow it cannot call GetUnit method from interface
> > org.freedesktop.systemd1.Manager with error "Access denied". Could you
> > please let me know what the error message of this method call means ?
> > Does it relate any to user permission and if any setting permission of
> > user can cause the method called via sdbus can not retrieve unit
> > object path for a unit name during ssh?
>
> This means dbus-daemon or selinux refused access to the unit's runtime
> data.
>
> if it's dbus there might be more info in the dbus logs.
>
> if it's selinux (do you use that?) there might be AVCs...
>
> Lennart
>
> --
> Lennart Poettering, Red Hat

Re: [systemd-devel] Cannot call GetUnit method with ssh

2019-03-01 Thread Bao Nguyen
Hi Mantas,

Thanks for your reply.

No, my /usr does not have any special setup, it is already in initrd.

Brs,
Naruto

On Fri, Mar 1, 2019 at 4:33 PM Mantas Mikulėnas  wrote:
>
> Does your system have any sort of special setup for /etc or /usr?
>
> It sounds very much like /usr is on a separate filesystem that's not yet 
> mounted at the time of system boot, so dbus-daemon cannot find its 
> configuration at that time. When /usr is separate, it must be pre-mounted by 
> the initramfs.
>
> On Thu, Feb 28, 2019 at 1:28 PM Bao Nguyen  wrote:
>>
>> Hi again,
>>
>> Just would like to update that when i restart dbus service, the issue does 
>> not happen.
>>
>> Brs,
>> Bao
>>
>> On Thu, Feb 28, 2019 at 6:21 PM Bao Nguyen  wrote:
>>>
>>> Hello everyone,
>>>
>>> I am using systemd 228. When the system starts successfully, I tried
>>> to login to my system via ssh with my one of setting users, and I can
>>> log in successfully but systemd throws an error message:
>>>
>>> "Failed to get unit: Access denied"
>>>
>>> When I trace code of systemd, I found the message thrown from the
>>> method call via sdbus. This is one of function I added in systemd
>>> source
>>>
>>> r = sd_bus_call_method(
>>> bus,
>>> "org.freedesktop.systemd1",
>>> "/org/freedesktop/systemd1",
>>> "org.freedesktop.systemd1.Manager",
>>> "GetUnit",
>>> _message,
>>> _return,
>>> "s", name_unit);
>>> if (r < 0) {
>>> return log_errno(r, "Failed to get unit: %s",
>>> bus_error_message(_message, r));
>>> }
>>>
>>> But somehow it cannot call GetUnit method from interface
>>> org.freedesktop.systemd1.Manager with error "Access denied". Could you
>>> please let me know what the error message of this method call means ?
>>> Does it relate any to user permission and if any setting permission of
>>> user can cause the method called via sdbus can not retrieve unit
>>> object path for a unit name during ssh?
>>>
>>> Thanks a lot,
>>> Brs,
>>> Naruto
>>
>> ___
>> systemd-devel mailing list
>> systemd-devel@lists.freedesktop.org
>> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
>
>
>
> --
> Mantas Mikulėnas

Re: [systemd-devel] Cannot call GetUnit method with ssh

2019-03-01 Thread Lennart Poettering
On Thu, 28.02.19 18:21, Bao Nguyen (bao...@gmail.com) wrote:

> Hello everyone,
>
> I am using systemd 228. When the system starts successfully, I tried
> to login to my system via ssh with my one of setting users, and I can
> log in successfully but systemd throws an error message:
>
> "Failed to get unit: Access denied"
>
> When I trace code of systemd, I found the message thrown from the
> method call via sdbus. This is one of function I added in systemd
> source
>
> r = sd_bus_call_method(
> bus,
> "org.freedesktop.systemd1",
> "/org/freedesktop/systemd1",
> "org.freedesktop.systemd1.Manager",
> "GetUnit",
> _message,
> _return,
> "s", name_unit);
> if (r < 0) {
> return log_errno(r, "Failed to get unit: %s",
> bus_error_message(_message, r));
> }
>
> But somehow it cannot call GetUnit method from interface
> org.freedesktop.systemd1.Manager with error "Access denied". Could you
> please let me know what the error message of this method call means ?
> Does it relate any to user permission and if any setting permission of
> user can cause the method called via sdbus can not retrieve unit
> object path for a unit name during ssh?

This means dbus-daemon or selinux refused access to the unit's runtime
data.

if it's dbus there might be more info in the dbus logs.

if it's selinux (do you use that?) there might be AVCs...

Lennart

--
Lennart Poettering, Red Hat

Re: [systemd-devel] Cannot call GetUnit method with ssh

2019-03-01 Thread Mantas Mikulėnas
Does your system have any sort of special setup for /etc or /usr?

It sounds very much like /usr is on a separate filesystem that's not yet
mounted at the time of system boot, so dbus-daemon cannot find its
configuration at that time. When /usr is separate, it must be pre-mounted
by the initramfs.

On Thu, Feb 28, 2019 at 1:28 PM Bao Nguyen  wrote:

> Hi again,
>
> Just would like to update that when i restart dbus service, the issue does
> not happen.
>
> Brs,
> Bao
>
> On Thu, Feb 28, 2019 at 6:21 PM Bao Nguyen  wrote:
>
>> Hello everyone,
>>
>> I am using systemd 228. When the system starts successfully, I tried
>> to login to my system via ssh with my one of setting users, and I can
>> log in successfully but systemd throws an error message:
>>
>> "Failed to get unit: Access denied"
>>
>> When I trace code of systemd, I found the message thrown from the
>> method call via sdbus. This is one of function I added in systemd
>> source
>>
>> r = sd_bus_call_method(
>> bus,
>> "org.freedesktop.systemd1",
>> "/org/freedesktop/systemd1",
>> "org.freedesktop.systemd1.Manager",
>> "GetUnit",
>> _message,
>> _return,
>> "s", name_unit);
>> if (r < 0) {
>> return log_errno(r, "Failed to get unit: %s",
>> bus_error_message(_message, r));
>> }
>>
>> But somehow it cannot call GetUnit method from interface
>> org.freedesktop.systemd1.Manager with error "Access denied". Could you
>> please let me know what the error message of this method call means ?
>> Does it relate any to user permission and if any setting permission of
>> user can cause the method called via sdbus can not retrieve unit
>> object path for a unit name during ssh?
>>
>> Thanks a lot,
>> Brs,
>> Naruto
>>
> ___
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel



-- 
Mantas Mikulėnas

Re: [systemd-devel] Cannot call GetUnit method with ssh

2019-02-28 Thread Bao Nguyen
Hi again,

Just would like to update that when I restart the dbus service, the issue does
not happen.

Brs,
Bao

On Thu, Feb 28, 2019 at 6:21 PM Bao Nguyen  wrote:

> Hello everyone,
>
> I am using systemd 228. When the system starts successfully, I tried
> to login to my system via ssh with my one of setting users, and I can
> log in successfully but systemd throws an error message:
>
> "Failed to get unit: Access denied"
>
> When I trace code of systemd, I found the message thrown from the
> method call via sdbus. This is one of function I added in systemd
> source
>
> r = sd_bus_call_method(
> bus,
> "org.freedesktop.systemd1",
> "/org/freedesktop/systemd1",
> "org.freedesktop.systemd1.Manager",
> "GetUnit",
> _message,
> _return,
> "s", name_unit);
> if (r < 0) {
> return log_errno(r, "Failed to get unit: %s",
> bus_error_message(_message, r));
> }
>
> But somehow it cannot call GetUnit method from interface
> org.freedesktop.systemd1.Manager with error "Access denied". Could you
> please let me know what the error message of this method call means ?
> Does it relate any to user permission and if any setting permission of
> user can cause the method called via sdbus can not retrieve unit
> object path for a unit name during ssh?
>
> Thanks a lot,
> Brs,
> Naruto
>

[systemd-devel] Cannot call GetUnit method with ssh

2019-02-28 Thread Bao Nguyen
Hello everyone,

I am using systemd 228. When the system starts successfully, I tried
to log in to my system via ssh with one of my setting users, and I can
log in successfully but systemd throws an error message:

"Failed to get unit: Access denied"

When I traced the code of systemd, I found the message is thrown from the
method call via sdbus. This is one of the functions I added in the systemd
source:

    r = sd_bus_call_method(
                    bus,
                    "org.freedesktop.systemd1",
                    "/org/freedesktop/systemd1",
                    "org.freedesktop.systemd1.Manager",
                    "GetUnit",
                    _message,
                    _return,
                    "s", name_unit);
    if (r < 0) {
            return log_errno(r, "Failed to get unit: %s",
                             bus_error_message(_message, r));
    }

But somehow it cannot call the GetUnit method from interface
org.freedesktop.systemd1.Manager, with error "Access denied". Could you
please let me know what the error message of this method call means?
Does it relate to user permissions, and can any permission setting of the
user cause the method called via sdbus to fail to retrieve the unit
object path for a unit name during ssh?

Thanks a lot,
Brs,
Naruto