The officially official Devuan Forum!

#1 2019-11-29 13:05:35

devlan
Member
Registered: 2019-08-17
Posts: 13  

lightdm wicd error

Hello,

I have an LDAP setup with Devuan ascii with libpam_ldap and libnss_ldap. "getent group" and "getent passwd" deliver the LDAP groups and users. To get local groups like audio, plugdev etc. assigned to the LDAP users I configured pam_group.so.

When I now log in with the lightdm login manager as an LDAP user, wicd is unable to contact the wicd daemon due to an access denied error from dbus. The user should be added to the "netdev" group.

When I afterwards check my groups in a terminal, I get the LDAP and the local groups, and we see that the user *is* in the netdev group:
~$ groups
STUDENTS dialout cdrom floppy audio dip video plugdev netdev DOMAINUSERS 5A 5B 5C 5D 6A 6B 6C 6D 7A 7B 7C 7D 8A 8B 8C 8D 9A 9B 9C 9D 10A 10B 10C 10D 11A 11B 11C 11D 12

When I switch to a console tty, restart lightdm as root and log in afterwards, the wicd error has gone away. But of course only until the next reboot.

It seems that lightdm cannot see the pam_group assigned local groups at the first start. How can I get lightdm, pam_group and wicd working together?

Thanks!
Klaus

Offline

#2 2019-11-30 01:14:12

bgstack15
Member
Registered: 2018-02-04
Posts: 205  

Re: lightdm wicd error

I had a very similar issue and I solved it after a few months.

The full write-up is on my blog but here is the summary. It should be fairly clear when to substitute ldap in nsswitch.conf.

Use pam_group.

tf=/usr/share/pam-configs/my_groups
sudo touch "${tf}" ; sudo chmod 0644 "${tf}" ; sudo chown root:root "${tf}"
cat <<EOF | sudo tee "${tf}" 1>/dev/null
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
        required                        pam_group.so use_first_pass
EOF

Update pam and choose the new option we just made, "Activate /etc/security/group.conf."

pam-auth-update

Configure nsswitch.conf (only with glibc >= 2.24)

sed -i -r -e '/^\s*group:/s/(compat|files) sss/\1 [SUCCESS=merge] sss/;' /etc/nsswitch.conf

Make local gids match the domain gids, for any of the groups you want to merge.

test -z "${LOGFILE}" && LOGFILE=/root/deploy.log
for word in netdev video audio dip ;
do
   {
      tgid="$( getent group -s  sss  "${word}" | awk -F':' '{print $3}' )"
      ogid="$( getent group -s files "${word}" | awk -F':' '{print $3}' )"
   } 2>/dev/null
   # if group exists locally and in domain
   test -n "${ogid}" && test -n "${tgid}" && test ${ogid} -ne ${tgid} && {
      # use sed because groupmod fails because the new GID already exists
      sed -i -r -e "/^${word}:/s/:${ogid}:/:${tgid}:/;" /etc/group
      # log to stdout and logfile
      printf '%s %s\n' "$( date -u "+%FT%TZ" )" "Change ${word} from gid ${ogid} to ${tgid}" | tee -a "${LOGFILE}"
   }
done

References:
My blog post: Devuan FreeIPA domain users control local devices
[SOLVED] Grant domain user access like he is in netdev group


This space intentionally left blank.

Offline

#3 2019-11-30 18:19:45

devlan
Member
Registered: 2019-08-17
Posts: 13  

Re: lightdm wicd error

Thank you for sharing your workaround!

But I don't think my problem is the same. I don't use sssd and the LDAP groups and local groups are already there. wicd does not "see" that the user is already in the "netdev" group. Also note that restarting lightdm solves the problem. I also tried not to let lightdm start automatically, but manually. Then the problem does not occur, i.e. the LDAP user can log in and wicd is available without errors.

I tried to debug the login with autostarting lightdm and manual starting lightdm. The only difference is in the end of the login process. Both after a reboot of the system:

/var/log/lightdm.log when wicd throws an error and autostart of lightdm:

[+14.83s] DEBUG: Session pid=2127: Logging to .xsession-errors
[+15.89s] DEBUG: Activating VT 7
[+15.89s] DEBUG: Activating login1 session 1
[+15.90s] DEBUG: Seat seat0 changes active session to 1
[+15.90s] DEBUG: Session 1 is already active

/var/log/lightdm.log when wicd runs without error and manual start of lightdm:

[+11.52s] DEBUG: Session pid=2694: Logging to .xsession-errors
[+12.31s] DEBUG: Activating VT 7
[+12.31s] DEBUG: Activating ConsoleKit session 6600bc8c21fb508c4e4c9e595de0c98d-1575135846.636290-239615711
[+12.31s] WARNING: Error activating ConsoleKit session: GDBus.Error:org.freedesktop.DBus.GLib.UnmappedError.CkVtMonitorError.Code0: Session is already active

Maybe these differences are not directly related to the wicd error, but at the moment I don't know where to look.

Thanks!

Offline
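
A diagnostic for the symptom discussed in this thread, added here as an example and not code from any of the posters: pam_group sets the extra groups on the login process itself, which is what a bare `groups` prints, while a lookup by user name through NSS returns only what files/LDAP list for that user. The function names and the sample status data below are constructed for illustration.

```shell
#!/bin/sh
# Added example: find GIDs a process holds that NSS does not report for its user.
# status_gids, nss_gids, process_only_gids and demo are names chosen here.
LC_ALL=C; export LC_ALL

# Numeric GIDs from the "Groups:" line of a /proc/<pid>/status file.
status_gids() {
    awk '/^Groups:/ { for (i = 2; i <= NF; i++) print $i }' "$1" | sort -n -u
}

# GIDs that NSS (files, ldap, ...) resolves for a user name.
nss_gids() {
    id -G "$1" | tr ' ' '\n' | sort -n -u
}

# GIDs present in list $1 but missing from list $2, space-separated.
process_only_gids() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$1" | tr ' ' '\n' | sort -u > "$a"
    printf '%s\n' "$2" | tr ' ' '\n' | sort -u > "$b"
    comm -23 "$a" "$b" | sort -n | tr '\n' ' ' | sed 's/ $//'
    rm -f "$a" "$b"
}

# Constructed sample: a session process with local groups granted at login,
# for a user whose NSS lookup returns only two directory groups.
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
Name:   Xsession
Uid:    10001 10001 10001 10001
Gid:    10000 10000 10000 10000
Groups: 20 24 29 44 46 108 10000 10010
EOF
    process_only_gids "$(status_gids "$sample")" "10000 10010"
    rm -f "$sample"
}

# On a live session, from a terminal inside it:
#   process_only_gids "$(status_gids /proc/$$/status)" "$(nss_gids "$(id -un)")"
echo "GIDs held by the process only: $(demo)"
```

Any GID this prints is one the session carries in its credentials but that a service resolving groups by user name will not see.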

#4 2019-12-01 16:54:26

chris2be8
Member
Registered: 2018-08-11
Posts: 307  

Re: lightdm wicd error

Does lightdm read the user's groups when it starts up and cache them (thus missing groups if LDAP isn't fully up then)? That's the only thing I can think of that would explain why restarting lightdm would make it start working.

Can you delay lightdm starting until after LDAP, wicd, etc. are fully initialised?

Chris

Offline

#5 2019-12-02 06:44:24

devlan
Member
Registered: 2019-08-17
Posts: 13  

Re: lightdm wicd error

Hello Chris,

Good idea! I modified /etc/init.d/lightdm:
from:
# Required-Start:    $local_fs $remote_fs x11-common
to:
# Required-Start:    $local_fs $remote_fs x11-common $network wicd elogind nscd

And did an "update-rc.d -f lightdm defaults". Unfortunately without success.

Thank you for thinking about it.

Offline
