[Bug 240178] New: Security Policy prevents automount for LDAP-authenticated user
https://bugzilla.novell.com/show_bug.cgi?id=240178

           Summary: Security Policy prevents automount for LDAP-authenticated user
           Product: openSUSE 10.2
           Version: Final
          Platform: i686
        OS/Version: Other
            Status: NEW
          Severity: Minor
          Priority: P5 - None
         Component: KDE
        AssignedTo: kde-maintainers@suse.de
        ReportedBy: Michael.Zapf@web.de
         QAContact: qa@suse.de

When I log into my system using LDAP authentication, I cannot access my USB sticks, nor CDs which have been inserted into the CD drive. I get a pop-up window:

  A security policy in place prevents this sender from sending this message to this recipient, see message bus configuration file (rejected message had interface "org.freedesktop.Hal.Device.Volume" member "Mount" error name "(unset)" destination "org.freedesktop.Hal

Some facts that I found out:

- message does not appear for root, volume is mounted
- message does not appear for a local user (/etc/passwd), volume is mounted
- message appears for a user authenticated via LDAP, volume is not mounted

Workaround: Quit KDE, go into console, execute "/etc/init.d/dbus restart". Then all users, including those via LDAP, can mount the volumes with no errors reported. This lasts until the host is rebooted, regardless of KDE logins and logouts.

The config files for dbus and hald are unchanged since installation time. Problem did not exist with openSUSE 10.1.

The problem also appeared in FVWM when starting konqueror.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=240178

meissner@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lnussel@novell.com

------- Comment #1 from meissner@novell.com 2007-01-30 05:15 MST -------
resmgr related ... perhaps more for Ludwig.

do you have all online updates installed?
https://bugzilla.novell.com/show_bug.cgi?id=240178

lnussel@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|kde-maintainers@suse.de     |lnussel@novell.com
             Status|NEW                         |ASSIGNED

------- Comment #2 from lnussel@novell.com 2007-01-30 05:35 MST -------
please attach the output of 'sudo /sbin/resmgr dump' and 'ls -lR /var/run/resmgr' while you are logged in as ldap user without having used the "workaround". Please also attach /var/log/messages.
https://bugzilla.novell.com/show_bug.cgi?id=240178

lnussel@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
      Info Provider|                            |Michael.Zapf@web.de
https://bugzilla.novell.com/show_bug.cgi?id=240178

stbinner@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|KDE                         |Basesystem
https://bugzilla.novell.com/show_bug.cgi?id=240178

Michael.Zapf@web.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
      Info Provider|Michael.Zapf@web.de         |

------- Comment #3 from Michael.Zapf@web.de 2007-01-31 08:19 MST -------
resmgr dump (before and after plugging in the stick)

### begin dump
class desktop-console
class audioplayer
class pda
class scanner
class modem
class camera
class usb
class floppy
class cdrom
class input
class video
class sound
class v4l
class dvb
class remote-x-desktop
class desktop
class desktop includes dvb
class desktop includes v4l
class desktop includes sound
class desktop includes video
class desktop includes input
class desktop includes cdrom
class desktop includes floppy
class desktop includes usb
class desktop includes camera
class desktop includes scanner
class desktop includes pda
class desktop includes audioplayer
class desktop includes desktop-console
login "zapf" :0
grant "zapf" desktop
grant "zapf" dvb
grant "zapf" v4l
grant "zapf" sound
grant "zapf" video
grant "zapf" input
grant "zapf" cdrom
grant "zapf" floppy
grant "zapf" usb
grant "zapf" camera
grant "zapf" scanner
grant "zapf" pda
grant "zapf" audioplayer
grant "zapf" desktop-console
### end dump

==================================================

ls -lR /var/run/resmgr (change "insgesamt" to "total")

/var/run/resmgr:
insgesamt 4
drwxr-xr-x 16 root root 4096 31. Jan 15:24 classes

/var/run/resmgr/classes:
insgesamt 56
drwxr-xr-x 2 root root 4096 31. Jan 15:24 audioplayer
drwxr-xr-x 2 root root 4096 31. Jan 15:24 camera
drwxr-xr-x 2 root root 4096 31. Jan 15:24 cdrom
drwxr-xr-x 2 root root 4096 31. Jan 15:24 desktop
drwxr-xr-x 2 root root 4096 31. Jan 15:24 desktop-console
drwxr-xr-x 2 root root 4096 31. Jan 15:24 dvb
drwxr-xr-x 2 root root 4096 31. Jan 15:24 floppy
drwxr-xr-x 2 root root 4096 31. Jan 15:24 input
drwxr-xr-x 2 root root 4096 31. Jan 15:24 pda
drwxr-xr-x 2 root root 4096 31. Jan 15:24 scanner
drwxr-xr-x 2 root root 4096 31. Jan 15:24 sound
drwxr-xr-x 2 root root 4096 31. Jan 15:24 usb
drwxr-xr-x 2 root root 4096 31. Jan 15:24 v4l
drwxr-xr-x 2 root root 4096 31. Jan 15:24 video

/var/run/resmgr/classes/audioplayer:
insgesamt 0
-rw-r--r-- 1 root root 0 31. Jan 15:24 zapf

/var/run/resmgr/classes/camera:
insgesamt 0
-rw-r--r-- 1 root root 0 31. Jan 15:24 zapf

/var/run/resmgr/classes/cdrom:
insgesamt 0
-rw-r--r-- 1 root root 0 31. Jan 15:24 zapf

/var/run/resmgr/classes/desktop:
insgesamt 0
-rw-r--r-- 1 root root 0 31. Jan 15:24 zapf

/var/run/resmgr/classes/desktop-console:
insgesamt 0
-rw-r--r-- 1 root root 0 31. Jan 15:24 zapf

/var/run/resmgr/classes/dvb:
insgesamt 0
-rw-r--r-- 1 root root 0 31. Jan 15:24 zapf

/var/run/resmgr/classes/floppy:
insgesamt 0
-rw-r--r-- 1 root root 0 31. Jan 15:24 zapf

/var/run/resmgr/classes/input:
insgesamt 0
-rw-r--r-- 1 root root 0 31. Jan 15:24 zapf

/var/run/resmgr/classes/pda:
insgesamt 0
-rw-r--r-- 1 root root 0 31. Jan 15:24 zapf

/var/run/resmgr/classes/scanner:
insgesamt 0
-rw-r--r-- 1 root root 0 31. Jan 15:24 zapf

/var/run/resmgr/classes/sound:
insgesamt 0
-rw-r--r-- 1 root root 0 31. Jan 15:24 zapf

/var/run/resmgr/classes/usb:
insgesamt 0
-rw-r--r-- 1 root root 0 31. Jan 15:24 zapf

/var/run/resmgr/classes/v4l:
insgesamt 0
-rw-r--r-- 1 root root 0 31. Jan 15:24 zapf

/var/run/resmgr/classes/video:
insgesamt 0
-rw-r--r-- 1 root root 0 31. Jan 15:24 zapf

==================================================

/var/log/messages (the part after plugging in the stick)

Jan 31 15:27:49 ruegen kernel: usb 5-6: new high speed USB device using ehci_hcd and address 2
Jan 31 15:27:50 ruegen kernel: usb 5-6: new device found, idVendor=08ec, idProduct=0008
Jan 31 15:27:50 ruegen kernel: usb 5-6: new device strings: Mfr=1, Product=2, SerialNumber=3
Jan 31 15:27:50 ruegen kernel: usb 5-6: Product: Store 'n' Go
Jan 31 15:27:50 ruegen kernel: usb 5-6: Manufacturer: Verbatim
Jan 31 15:27:50 ruegen kernel: usb 5-6: SerialNumber: 0BD1F3509061C8FD
Jan 31 15:27:50 ruegen kernel: usb 5-6: configuration #1 chosen from 1 choice
Jan 31 15:27:50 ruegen kernel: SCSI subsystem initialized
Jan 31 15:27:50 ruegen kernel: Initializing USB Mass Storage driver...
Jan 31 15:27:50 ruegen kernel: scsi0 : SCSI emulation for USB Mass Storage devices
Jan 31 15:27:50 ruegen kernel: usb-storage: device found at 2
Jan 31 15:27:50 ruegen kernel: usb-storage: waiting for device to settle before scanning
Jan 31 15:27:50 ruegen kernel: usbcore: registered new driver usb-storage
Jan 31 15:27:50 ruegen kernel: USB Mass Storage support registered.
Jan 31 15:27:51 ruegen kernel: Vendor: VBTM Model: Store 'n' Go Rev: 1.04
Jan 31 15:27:51 ruegen kernel: Type: Direct-Access ANSI SCSI revision: 00
Jan 31 15:27:51 ruegen kernel: usb-storage: device scan complete
Jan 31 15:27:52 ruegen kernel: SCSI device sda: 2007040 512-byte hdwr sectors (1028 MB)
Jan 31 15:27:52 ruegen kernel: sda: Write Protect is off
Jan 31 15:27:52 ruegen kernel: sda: Mode Sense: 23 00 00 00
Jan 31 15:27:52 ruegen kernel: sda: assuming drive cache: write through
Jan 31 15:27:52 ruegen kernel: SCSI device sda: 2007040 512-byte hdwr sectors (1028 MB)
Jan 31 15:27:52 ruegen kernel: sda: Write Protect is off
Jan 31 15:27:52 ruegen kernel: sda: Mode Sense: 23 00 00 00
Jan 31 15:27:52 ruegen kernel: sda: assuming drive cache: write through
Jan 31 15:27:52 ruegen kernel: sda: sda1
Jan 31 15:27:52 ruegen kernel: sd 0:0:0:0: Attached scsi removable disk sda
Jan 31 15:27:52 ruegen kernel: sd 0:0:0:0: Attached scsi generic sg0 type 0
https://bugzilla.novell.com/show_bug.cgi?id=240178

------- Comment #4 from Michael.Zapf@web.de 2007-01-31 08:44 MST -------
Another observation - I don't know whether this is interesting or gives any hint:

zapf@ruegen:~> id michael
uid=500(michael) gid=100(users) groups=100(users),16(dialout),33(video)
zapf@ruegen:~> id zapf
uid=1001(zapf) gid=50(staff) groups=50(staff),513(Domain Users)
zapf@ruegen:~> id root
uid=0(root) gid=0(root) groups=0(root)

Now I plug in the stick. As soon as the KDE daemon window pops up (not earlier!), I get

zapf@ruegen:~> id michael
uid=500(michael) gid=100(users) groups=100(users),16(dialout),33(video)
zapf@ruegen:~> id zapf
uid=1001(zapf) gid=50(staff) groups=50(staff),513(Domain Users)
zapf@ruegen:~> id root
uid=0(Administrator) gid=0(root) groups=512(Domain Admins)

Accordingly, ll now shows

zapf@ruegen:~> ll /
total 104
-rw-r--r--  1 Administrator root 10451 Jan 30 09:33 ATI_LICENSE.TXT
drwxr-xr-x  2 Administrator root  4096 Jan 19 12:01 bin
drwxr-xr-x  3 Administrator root  4096 Jan 19 13:30 boot
drwxr-xr-x 11 Administrator root  7120 Jan 31 16:31 dev
..

and not only in konsole (KDE) but in any console outside of KDE as well. Administrator is the name of UID 0 on the LDAP server.

I thought this could be interesting because it happens when plugging in the stick. The daemon seems to change something in the base system. I doubt that 10.1 did the same - I would recall that.
https://bugzilla.novell.com/show_bug.cgi?id=240178

lnussel@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|lnussel@novell.com          |rhafer@novell.com
             Status|ASSIGNED                    |NEW

------- Comment #5 from lnussel@novell.com 2007-02-02 01:13 MST -------
That's weird indeed. I don't know if that's really the cause of the problem though. Nevertheless uid 0 shouldn't suddenly be named 'Administrator' IMO. Reassigning to maintainer of nss_ldap for clarifying whether this is intended behavior.
https://bugzilla.novell.com/show_bug.cgi?id=240178

rhafer@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|rhafer@novell.com           |lnussel@novell.com

------- Comment #6 from rhafer@novell.com 2007-02-02 01:35 MST -------
(In reply to comment #5)
> That's weird indeed. I don't know if that's really the cause of the problem
> though. Nevertheless uid 0 shouldn't suddenly be named 'Administrator' IMO.
> Reassigning to maintainer of nss_ldap for clarifying whether this is intended
> behavior.

I cannot say if that is the intended behavior. But it seems that the reporter has created a user "Administrator" with uid 0 in the LDAP server. He might have intended something with that :). In some cases AFAIK it makes perfect sense to have multiple users with uid 0.

Note: Our default setup of the LDAP Server does not contain a user "Administrator" with uid 0.
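Comments #4 and #6 turn on the same fact: once the LDAP source answers, uid 0 resolves to a second account ("Administrator", in group "Domain Admins") that exists alongside the local root entry, so the name a uid maps to depends on which NSS source answers first. The script below is an added example, not code from the bug report or from openSUSE; it parses passwd-format text such as `getent passwd` prints (the merged view over all NSS sources) and reports every uid claimed by more than one name, with uid 0 called out separately. The sample passwd lines are constructed for the example.

```python
"""Added example: find uid collisions in passwd-format data, especially extra uid 0 accounts."""
from collections import defaultdict

# Constructed sample: a local root entry plus LDAP-style entries, including an
# "Administrator" account that also carries uid 0, as in the bug report.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
michael:x:500:100:Michael:/home/michael:/bin/bash
zapf:*:1001:50:Michael Zapf:/home/zapf:/bin/bash
Administrator:*:0:512:Domain Administrator:/home/Administrator:/bin/false
"""


def parse_passwd(text):
    """Parse passwd-format lines into dicts; blank, commented and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a passwd record
        name, _pw, uid, gid, gecos, home, shell = fields
        try:
            uid, gid = int(uid), int(gid)
        except ValueError:
            continue  # non-numeric uid/gid, not a usable record
        entries.append({"name": name, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def uid_collisions(entries):
    """Map uid -> sorted names for every uid claimed by more than one name.

    For such uids, uid-to-name lookups (id, ls -l, audit records) depend on
    the order of sources in nsswitch.conf and on which source is reachable."""
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}


def extra_superusers(entries):
    """Names other than 'root' that carry uid 0, i.e. additional superuser accounts."""
    return sorted(e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root")


def report(text):
    """Return (uid_collisions, extra_superusers) for a passwd dump."""
    entries = parse_passwd(text)
    return uid_collisions(entries), extra_superusers(entries)


if __name__ == "__main__":
    collisions, superusers = report(SAMPLE_PASSWD)
    for uid, names in sorted(collisions.items()):
        print(f"uid {uid} is claimed by: {', '.join(names)}")
    for name in superusers:
        print(f"WARNING: '{name}' has uid 0 in addition to root")
```

On a real host, feed it the output of `getent passwd` rather than /etc/passwd alone, since only the merged NSS view shows an LDAP entry colliding with a local one.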
https://bugzilla.novell.com/show_bug.cgi?id=240178

------- Comment #7 from Michael.Zapf@web.de 2007-03-05 06:00 MST -------
I had just one suspicion: The dbus daemon tries to contact the LDAP server at boot time. Here, it gets into conflict with the SUSEfirewall which is not completely set up at this point of time, allowing no contact to the remote server. This would have explained why a later restart of dbus fixes the problem (because the firewall would then allow the daemon to reach the LDAP server).

It *would* sound plausible, but actually, the problem with the sticks disappeared. I cannot reproduce this issue anymore. This could be due to some intermediate updates.

I suggest closing this issue until it reappears somewhere.

Michael
https://bugzilla.novell.com/show_bug.cgi?id=240178

lnussel@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Comment #8 from lnussel@novell.com 2007-03-05 06:18 MST -------
Ok. SuSEfirewall2 does not prevent outgoing connections though. It would only be a problem if a program tries to contact a server before SuSEfirewall2_init runs and then gets the answer after SuSEfirewall2_init. In this case the netfilter conntrack code would miss the SYN and would throw away the answer. You would see that in the logs though so I doubt that is the case.
https://bugzilla.novell.com/show_bug.cgi?id=240178

------- Comment #9 from Michael.Zapf@web.de 2007-03-05 06:55 MST -------
I took another look at the /var/log/messages: (replaced domain names with "...")

Mar  5 13:38:29 ruegen dbus-daemon: nss_ldap: failed to bind to LDAP server ldap://atlantis....: Can't contact LDAP server
Mar  5 13:38:29 ruegen dbus-daemon: nss_ldap: failed to bind to LDAP server ldap://atlantis....: Can't contact LDAP server
Mar  5 13:38:29 ruegen dbus-daemon: nss_ldap: could not search LDAP server - Server is unavailable
..
Mar  5 13:38:31 ruegen ifup:
Mar  5 13:38:31 ruegen ifup:     eth0      device: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
Mar  5 13:38:31 ruegen ifup:     eth0      configuration: eth-id-00:11:2f:e8:b8:43

It seems as if the problem is not the firewall but the interfaces which are not set up when the dbus-daemon first tries to contact LDAP. As you see, the warnings still appear, but haldaemon correctly mounts the sticks.

Michael
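The ordering comment #9 describes, nss_ldap lookups from a daemon failing because they ran before ifup brought the interface up, is easy to confirm from the log itself. The script below is an added example and not part of the bug report: it parses syslog-style lines, finds the first "ifup: <iface>" line, and lists every nss_ldap failure logged before that point, grouped by the daemon that hit it. The sample lines are constructed for the example and use a placeholder LDAP host name instead of the reporter's.

```python
"""Added example: flag nss_ldap failures that were logged before the network interface came up."""
from collections import Counter
from datetime import datetime
import re

# Constructed sample log; the LDAP host name is a placeholder.
SAMPLE_LOG = """\
Mar  5 13:38:29 ruegen dbus-daemon: nss_ldap: failed to bind to LDAP server ldap://ldap.example.invalid: Can't contact LDAP server
Mar  5 13:38:29 ruegen dbus-daemon: nss_ldap: failed to bind to LDAP server ldap://ldap.example.invalid: Can't contact LDAP server
Mar  5 13:38:29 ruegen dbus-daemon: nss_ldap: could not search LDAP server - Server is unavailable
Mar  5 13:38:31 ruegen ifup:
Mar  5 13:38:31 ruegen ifup:     eth0      device: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
Mar  5 13:38:31 ruegen ifup:     eth0      configuration: eth-id-00:11:2f:e8:b8:43
Mar  5 13:38:40 ruegen hald: nss_ldap: failed to bind to LDAP server ldap://ldap.example.invalid: Can't contact LDAP server
"""

# Classic syslog layout: "Mon  D HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\[ ]+)(?:\[\d+\])?: ?(?P<msg>.*)$")


def parse_line(line):
    """Return a record dict for a syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Year is absent from classic syslog; ordering within one boot is all we need.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def network_up_time(records, iface="eth0"):
    """Timestamp of the first 'ifup' line that names the interface, or None."""
    times = [r["ts"] for r in records
             if r["prog"] == "ifup" and r["msg"].split()[:1] == [iface]]
    return min(times) if times else None


def nss_ldap_failures_before_ifup(text, iface="eth0"):
    """(prog, msg) for nss_ldap failure lines stamped before the interface came up."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    up = network_up_time(records, iface)
    if up is None:
        return []  # no ifup seen: cannot establish ordering
    return [(r["prog"], r["msg"]) for r in records
            if r["msg"].startswith("nss_ldap:") and r["ts"] < up]


def early_failures_by_program(text, iface="eth0"):
    """Count pre-network nss_ldap failures per daemon, e.g. {'dbus-daemon': 3}."""
    return dict(Counter(prog for prog, _ in nss_ldap_failures_before_ifup(text, iface)))


if __name__ == "__main__":
    for prog, count in early_failures_by_program(SAMPLE_LOG).items():
        print(f"{prog}: {count} nss_ldap failure(s) before eth0 was configured")
```

A daemon that shows up here resolved names while the LDAP source was unreachable, so any decision it cached from that lookup (such as which users it regards as local) was made with incomplete NSS data; restarting the daemon after the network is up, as the reporter's workaround does, is what refreshes it.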