systemd does not assign a seat to my session when using NIS authentication
The title says almost all.
When I am a local user (let's say the normal situation) my session gets a seat assigned.
jlinkels@donald-pc:~$ loginctl
SESSION UID USER SEAT TTY
3 1000 jlinkels seat0
However when I authenticate through NIS (which is normal on my network) it does not happen:
jlinkels@donald-pc:~$ loginctl
No sessions.
This is bad in the first place because starting in Debian 10 access permissions for devices like scanners and webcam are added in udev for the local user. The user holding the seat.
I could work around that by assiging pre-Debian 10 group permissions to devices. But it is undesirable because I don't want to edit udev rules for every installation I make. Worse is that TeamViewer 15, which is the first native Linux version, does not run if I don't have a seat assigned.
I have no idea how to tweak systemd, pamd, logind or NIS to assign a seat to my session. This is all completely new for me. (And perhaps another level of complication by systemd)
Kernel: 4.19.0-9-amd64
Debian 10 Buster
KDE5 Plasma
Solution 1:
The most likely cause is that systemd-logind is unable to resolve your user name to UID (or vice versa), because the libnss_nis name lookup module directly makes network RPC calls to your NIS server, while systemd-logind has all network access blocked as a security precaution.
(Other name lookup modules, such as libnss_sss from SSSD, as well as the newer libnss_ldap that comes with nslcd, do not have this problem because they only connect to a local daemon process which handles all network traffic – and caching – centrally.)
There are two ways to get around this problem:
-
Use SSSD configured with the 'proxy' id_provider. The NIS name lookup module will only need to be loaded by SSSD itself and all other processes will query it over local sockets.
-
Use
systemctl edit --full systemd-logind
to disable the network restrictions in systemd-logind, by removing the IPAddressDeny= and RestrictAddressFamilies= options. (And probably SystemCallFilter= as well.)
(I want to list nscd.service as a third way, as it also moves the queries out of the logind process somewhat like SSSD does, but it isn't really meant for that purpose – it's meant to be a caching daemon only and won't prevent fallback to making the NIS requests in-process as before.)