systemd-issue

a guest
Mar 19th, 2018
Hey guys, we have an ldap/kerberos backend we use for users on our Stretch systems. We then use nss_updatedb ldap to populate the user database on each workstation. All users are represented when doing a getent passwd and id $USER works fine. PAM is configured to be aware of the users in ldap/kerberos and they can login/ssh fine to the workstations.

nsswitch contains the following

passwd: files db
group: files db

For a handful of users in ldap, we need to run a vncserver instance. I copied the instructions from the arch wiki for setting up a service file to run tigervnc and my test user (created locally and in passwd) worked fine. vncserver is started as the proper user, and the DE fires up and is ready to vnc into.

When I ported over the service file for a user not in the passwd file, the vncservice wouldn't start, failing with no HOME environment variable found as reported by journalctl.

root@SERVER2:/etc/systemd/system# getent passwd |grep test.user
test.user:*:20334:100:test.user:/home/test.user:/bin/bash
root@SERVER2:/etc/systemd/system# id test.user
uid=20334(test.user) gid=100(users) groups=100(users)

-- Subject: Unit vncserver@:3.service has begun start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit vncserver@:3.service has begun starting up.
Mar 19 16:29:13 SERVER2 systemd[1]: Started Remote desktop service (VNC).
-- Subject: Unit vncserver@:3.service has finished start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit vncserver@:3.service has finished starting up.
--
-- The start-up result is done.
Mar 19 16:29:13 SERVER2 vncserver[2737]: vncserver: The HOME environment variable is not set.
Mar 19 16:29:13 SERVER2 systemd[1]: vncserver@:3.service: Main process exited, code=exited, status=1/FAILURE
Mar 19 16:29:13 SERVER2 vncserver[2741]: vncserver: The HOME environment variable is not set.
Mar 19 16:29:13 SERVER2 systemd[1]: vncserver@:3.service: Control process exited, code=exited status=1
Mar 19 16:29:13 SERVER2 systemd[1]: vncserver@:3.service: Unit entered failed state.
Mar 19 16:29:13 SERVER2 systemd[1]: vncserver@:3.service: Failed with result 'exit-code'.

So I edited the service file and defined a HOME environment variable like so

[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=simple
User=test.user
Environment=HOME=/home/test.user
PAMName=login
PIDFile=/home/%u/.vnc/%H%i.pid
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/bin/vncserver %i -AlwaysShared -name test.user-VNC -geometry 1920x1080 -alwaysshared -fg -localhost no
ExecStop=/usr/bin/vncserver -kill %i

[Install]
WantedBy=multi-user.target

Reload systemd and when I try to fire up the service, it now runs, but it's root that's running the service rather than the users. All config files created by firing up the DE (xfce in this case) are owned by root.

root@SERVER2:/etc/systemd/system# psef vncserver
vnc 974 1 0 15:54 ? 00:00:00 /usr/bin/perl /usr/bin/vncserver :12 -AlwaysShared -name vnc-VNC -geometry 1920x1080 -alwaysshared -fg -localhost no
root 2825 1 0 16:36 ? 00:00:00 /usr/bin/perl /usr/bin/vncserver :2 -AlwaysShared -name first.last-VNC -geometry 1920x1080 -alwaysshared -fg -localhost no
root 3507 1 1 16:42 ? 00:00:00 /usr/bin/perl /usr/bin/vncserver :3 -AlwaysShared -name test.user-VNC -geometry 1920x1080 -alwaysshared -fg -localhost no

The vnc user is the initial local user in passwd, but first.last and test.user are both users that are not in passwd but in getent databases. The unit files are all identical between the 3, other than the usernames (and the defined HOME var now).

Fair warning, first exposure to systemd, but I cannot figure out why systemd is escalating the processes to root ownership when I want them running as certain users. It works as you think it should with local users, but not with our ldap users.

Thanks
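
A check for the symptom reported in the paste above (a unit with User= set whose main process is owned by root), added here as an example and not part of the original paste. The function names are hypothetical; UIDs are compared numerically and resolved through getent, so accounts that exist only in NSS databases are handled the same way as local ones.

```shell
#!/bin/sh
# Added example (not from the original paste): detect a unit whose main
# process runs under a different UID than its User= setting asks for.
# Function names are hypothetical.

# unit_user FILE: print the last User= found in [Service] of a unit file.
unit_user() {
    awk '/^\[/ { svc = ($0 == "[Service]"); next }
         svc && /^User=/ { sub(/^User=/, ""); u = $0 }
         END { print u }' "$1"
}

# passwd_uid LINE: UID field of a passwd(5)-format line, e.g. from getent.
passwd_uid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# verdict WANT_UID RUN_UID: classify configured vs. observed process owner.
verdict() {
    if [ -z "$1" ]; then echo "UNRESOLVED"
    elif [ "$1" = "$2" ]; then echo "ok"
    elif [ "$2" = "0" ]; then echo "RUNS-AS-ROOT"
    else echo "MISMATCH"
    fi
}

# audit_unit UNIT: live check on a systemd host (needs systemctl, getent, ps).
# Returns non-zero when the running UID is not the one User= resolves to.
audit_unit() {
    want=$(systemctl show -p User --value "$1")
    pid=$(systemctl show -p MainPID --value "$1")
    [ -n "$want" ] || { echo "$1: no User= set"; return 0; }
    [ "$pid" != "0" ] || { echo "$1: not running"; return 0; }
    want_uid=$(passwd_uid "$(getent passwd "$want")")
    run_uid=$(ps -o uid= -p "$pid" | tr -d ' ')
    v=$(verdict "$want_uid" "$run_uid")
    echo "$1: User=$want (uid ${want_uid:-?}) pid $pid uid $run_uid -> $v"
    [ "$v" = "ok" ]
}

# Usage on a live host: . ./audit.sh; audit_unit 'vncserver@:3.service'
```

The numeric comparison avoids relying on the user-name column of ps, which can be abbreviated for longer names.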