Hey guys, we have a ldap/kerberos backend we use for users on our Stretch systems. We then use nss_updatedb ldap to populate the user database on each workstation. All users are represented when doing a getent passwd and id $USER works fine. PAM is configured to be aware of the users in ldap/kerberos and they can login/ssh fine to the workstations.

nsswitch contains the following:

passwd: files db
group: files db

For a handful of users in ldap, we need to run a vncserver instance. I copied the instructions from the arch wiki for setting up a service file to run tigervnc and my test user (created locally and in passwd) worked fine. vncserver is started as the proper user, and the DE fires up and is ready to vnc into.

When I ported over the service file for a user not in the passwd file, the vncservice wouldn't start, failing with no HOME environment variable found as reported by journalctl.

root@SERVER2:/etc/systemd/system# getent passwd |grep test.user
test.user:*:20334:100:test.user:/home/test.user:/bin/bash
root@SERVER2:/etc/systemd/system# id test.user
uid=20334(test.user) gid=100(users) groups=100(users)

-- Subject: Unit vncserver@:3.service has begun start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit vncserver@:3.service has begun starting up.
Mar 19 16:29:13 SERVER2 systemd[1]: Started Remote desktop service (VNC).
-- Subject: Unit vncserver@:3.service has finished start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit vncserver@:3.service has finished starting up.
--
-- The start-up result is done.
Mar 19 16:29:13 SERVER2 vncserver[2737]: vncserver: The HOME environment variable is not set.
Mar 19 16:29:13 SERVER2 systemd[1]: vncserver@:3.service: Main process exited, code=exited, status=1/FAILURE
Mar 19 16:29:13 SERVER2 vncserver[2741]: vncserver: The HOME environment variable is not set.
Mar 19 16:29:13 SERVER2 systemd[1]: vncserver@:3.service: Control process exited, code=exited status=1
Mar 19 16:29:13 SERVER2 systemd[1]: vncserver@:3.service: Unit entered failed state.
Mar 19 16:29:13 SERVER2 systemd[1]: vncserver@:3.service: Failed with result 'exit-code'.

So I edited the service file and defined a HOME environment variable like so:

[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=simple
User=test.user
Environment=HOME=/home/test.user
PAMName=login
PIDFile=/home/%u/.vnc/%H%i.pid
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/bin/vncserver %i -AlwaysShared -name test.user-VNC -geometry 1920x1080 -alwaysshared -fg -localhost no
ExecStop=/usr/bin/vncserver -kill %i

[Install]
WantedBy=multi-user.target

I reloaded systemd, and when I try to fire up the service, it now runs, but it's root that's running the service rather than the user. All config files created by firing up the DE (xfce in this case) are owned by root.

root@SERVER2:/etc/systemd/system# psef vncserver
vnc 974 1 0 15:54 ? 00:00:00 /usr/bin/perl /usr/bin/vncserver :12 -AlwaysShared -name vnc-VNC -geometry 1920x1080 -alwaysshared -fg -localhost no
root 2825 1 0 16:36 ? 00:00:00 /usr/bin/perl /usr/bin/vncserver :2 -AlwaysShared -name first.last-VNC -geometry 1920x1080 -alwaysshared -fg -localhost no
root 3507 1 1 16:42 ? 00:00:00 /usr/bin/perl /usr/bin/vncserver :3 -AlwaysShared -name test.user-VNC -geometry 1920x1080 -alwaysshared -fg -localhost no

The vnc user is the initial local user in passwd, but first.last and test.user are both users that are not in passwd but in the getent databases. The unit files are all identical between the 3, other than the usernames (and the defined HOME var now).

Fair warning, this is my first exposure to systemd, but I cannot figure out why systemd is escalating the processes to root ownership when I want them running as certain users. It works as you think it should with local users, but not with our ldap users.

Thanks
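As an added illustration (not code from the original post), a small Python audit for the situation described above: it parses the [Service] section of a unit, checks whether User= resolves through the host's NSS (the same lookup getent passwd uses), compares any hard-coded Environment=HOME= against the account's real home directory, and reads the real uid out of /proc/<pid>/status so one can confirm a started service actually dropped to the intended user instead of staying root. The sample unit and the local_only_lookup stand-in are constructed for the example.

```python
import pwd
import re
# Constructed sample, modelled on the unit in the post: User= names an account
# known only to the remote NSS backend, and HOME is hard-coded.
SAMPLE_UNIT = """[Unit]
Description=Remote desktop service (VNC)
[Service]
User=test.user
Environment=HOME=/home/test.user
ExecStart=/usr/bin/vncserver %i -fg
"""
def local_only_lookup(name):
    """Constructed stand-in for pwd.getpwnam on a host where only 'vnc' is local."""
    if name == "vnc":
        return pwd.struct_passwd(("vnc", "x", 1001, 100, "", "/home/vnc", "/bin/bash"))
    raise KeyError(name)

def service_keys(unit_text):
    """Map key -> [values] for the [Service] section of a unit file."""
    section, keys = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, _, val = line.partition("=")
            keys.setdefault(key.strip(), []).append(val.strip())
    return keys

def audit_unit(unit_text, lookup=pwd.getpwnam):
    """Findings: missing/unresolvable User=, uid 0, or HOME disagreeing with NSS."""
    svc = service_keys(unit_text)
    if "User" not in svc:
        return ["User= not set: service runs as root"]
    user = svc["User"][-1]  # systemd honours the last assignment
    try:
        acct = lookup(user)
    except KeyError:
        return [f"User={user} does not resolve through NSS on this host"]
    findings = [f"User={user} is uid 0"] if acct.pw_uid == 0 else []
    for env in svc.get("Environment", []):
        for m in re.finditer(r'(?:^|\s)"?HOME=([^"\s]+)"?', env):
            if m.group(1) != acct.pw_dir:
                findings.append(f"HOME={m.group(1)} differs from account home {acct.pw_dir}")
    return findings

def uid_from_status(status_text):
    """Real uid of a process, from the Uid: line of /proc/<pid>/status."""
    m = re.search(r"^Uid:\s+(\d+)", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None
```

To check a live service, feed audit_unit the unit file text with the default pwd.getpwnam lookup, then read /proc/<MainPID>/status into uid_from_status and compare with pwd.getpwnam(user).pw_uid.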