View Issue Details

ID: 0014485
Project: CentOS-7
Category: polkit
View Status: public
Last Update: 2018-02-12 22:41
Reporter: jmfrank63
Priority: normal
Severity: crash
Reproducibility: always
Status: new
Resolution: open
Platform: 3.10.0-693.11.1.el7.x86_64 #1 SM
OS: Linux Centos7
OS Version:
Product Version: 7.4.1708
Target Version:
Fixed in Version:
Summary: 0014485: polkit fails to register agent with ldap users
Description: polkit 0.112-12.el7_3 fails to register any agent when machine is puppeted and user is retrieved via ldap.

Example agent (xfce but kde and mate fail the same)

/usr/libexec/xfce-polkit

** (xfce-polkit:15429): CRITICAL **: polkit_agent_listener_register_with_options: assertion 'POLKIT_IS_SUBJECT (subject)' failed

(xfce-polkit:15429): GLib-GObject-CRITICAL **: g_object_unref: assertion 'G_IS_OBJECT (object)' failed

I have no idea why this could be failing. It looks like getpeername correctly assumes a socket but gets a file.





Steps To Reproduce: It can always be reproduced. However, I do not know exactly how puppet and ldap work, so I cannot give instructions on how to reproduce outside of my company.

However I will supply any additional information that might help.

I did the following troubleshooting:

Checked with other desktops, polkit agents always fail.

User is not in /etc/passwd, nor are the groups.
Access is via xrdp, no display manager, it isn't even installed.
pamtester authorises fine against sshd, xrdp-sesman and polkit-1

Local installed user that is not retrieved via ldap fails as well, with exactly the same error.

authconfig

Source of polkit is here: https://github.com/wingo/polkit/blob/4c9a813f3fc1ada4fcce508d286e95f965a3002a/src/polkitagent/polkitagentlistener.c


/etc/pam.d/system-auth-ac:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account sufficient pam_ldap.so
account sufficient pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_first_pass
password required pam_deny.so

session required pam_mkhomedir.so skel=/etc/skel umask=0077
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_unix.so
session sufficient pam_ldap.so


Additional Information: strace before fail:

futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/proc/9527/cgroup", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84828fa000
read(5, "11:freezer:/\n10:memory:/\n9:cpuac"..., 1024) = 192
close(5) = 0
munmap(0x7f84828fa000, 4096) = 0
open("/proc/1/cgroup", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84828fa000
read(5, "11:freezer:/\n10:memory:/\n9:cpuac"..., 1024) = 148
close(5) = 0
munmap(0x7f84828fa000, 4096) = 0
futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
getpeername(2, 0x7ffc19e92230, 0x7ffc19e9222c) = -1 ENOTSOCK (Socket operation on non-socket)
futex(0x7f84826da528, FUTEX_WAKE_PRIVATE, 2147483647) = 0
ioctl(2, TCGETS, {B38400 opost isig icanon echo ...}) = 0
open("/usr/lib64/charset.alias", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "\n** (xfce-polkit:9527): \33[1;35mC"..., 140
** (xfce-polkit:9527): CRITICAL **: polkit_agent_listener_register_with_options: assertion 'POLKIT_IS_SUBJECT (subject)' failed
) = 140

content of cgroup

11:freezer:/
10:memory:/
9:cpuacct,cpu:/
8:blkio:/
7:net_prio,net_cls:/
6:cpuset:/
5:perf_event:/
4:hugetlb:/
3:devices:/system.slice/xrdp-sesman.service
2:pids:/
1:name=systemd:/system.slice/xrdp-sesman.service

The bug might be in between two packets.
Tags: 7.4, centos
abrt_hash:
URL:

Activities

jmfrank63

2018-02-12 22:41

reporter   ~0031218

I've reported this here as well:

https://github.com/neutrinolabs/xrdp/issues/1039

Issue History

Date Modified Username Field Change
2018-02-12 22:25 jmfrank63 New Issue
2018-02-12 22:25 jmfrank63 Tag Attached: 7.4
2018-02-12 22:25 jmfrank63 Tag Attached: centos
2018-02-12 22:41 jmfrank63 Note Added: 0031218