systemd does not assign a seat to my session when using NIS authentication

linux debian systemd session udev

The title says almost all.

When I am a local user (let's say the normal situation) my session gets a seat assigned.

jlinkels@donald-pc:~$ loginctl 
SESSION  UID USER     SEAT  TTY
      3 1000 jlinkels seat0

However when I authenticate through NIS (which is normal on my network) it does not happen:

jlinkels@donald-pc:~$ loginctl
No sessions.

This is bad in the first place because starting in Debian 10 access permissions for devices like scanners and webcam are added in udev for the local user. The user holding the seat.

I could work around that by assiging pre-Debian 10 group permissions to devices. But it is undesirable because I don't want to edit udev rules for every installation I make. Worse is that TeamViewer 15, which is the first native Linux version, does not run if I don't have a seat assigned.

I have no idea how to tweak systemd, pamd, logind or NIS to assign a seat to my session. This is all completely new for me. (And perhaps another level of complication by systemd)

Kernel: 4.19.0-9-amd64
Debian 10 Buster
KDE5 Plasma


Solution 1:

The most likely cause is that systemd-logind is unable to resolve your user name to UID (or vice versa), because the libnss_nis name lookup module directly makes network RPC calls to your NIS server, while systemd-logind has all network access blocked as a security precaution.

(Other name lookup modules, such as libnss_sss from SSSD, as well as the newer libnss_ldap that comes with nslcd, do not have this problem because they only connect to a local daemon process which handles all network traffic – and caching – centrally.)

There are two ways to get around this problem:

  1. Use SSSD configured with the 'proxy' id_provider. The NIS name lookup module will only need to be loaded by SSSD itself and all other processes will query it over local sockets.

  2. Use systemctl edit --full systemd-logind to disable the network restrictions in systemd-logind, by removing the IPAddressDeny= and RestrictAddressFamilies= options. (And probably SystemCallFilter= as well.)

(I want to list nscd.service as a third way, as it also moves the queries out of the logind process somewhat like SSSD does, but it isn't really meant for that purpose – it's meant to be a caching daemon only and won't prevent fallback to making the NIS requests in-process as before.)

Related

How do I filter out addresses using HTTPS for a D-Link router?
RSS reader with windows notifications [closed]
"Unsplit" article pages on the web
Simple excel math wrong
Mount an ISO from the Command Line and Get its Drive Letter in Windows 8
Blue screen 'inaccessible boot device' on Windows 10
Computer won't POST after power outage
Duplicating formula in Excel 2010
Vista to Windows 7 - Upgrading or clean installation?
Hibernating laptop randomly wakes up and stays on when lid is closed
How to recover deleted files?
Password Protecting Partitions on an External Hard Drive