Reply to topic

KAuth/Policykit problem, can't change Systemsettings

User avatar zwede
Registered Member
Posts
29
Karma
0
OS
Running KDE 4.6.2 on Gentoo. I'm not able to change any system settings requiring admin (Login, Date/time). When I try to save I get "Unable to authenticate/execute the action: 3,".

I verified I have polkit and consolekit installed and kde was built with them. During build, I see kdelibs detecting polkit-qt. It also states KAuth will use polkit-qt as the backend.

ck-list-sessions shows my login:

Code: Select all
markus@markuspc ~ $ ck-list-sessions
Session1:
        unix-user = '1000'
        realname = 'Markus Strobl'
        seat = 'Seat1'
        session-type = ''
        active = TRUE
        x11-display = ':0'
        x11-display-device = '/dev/tty7'
        display-device = ''
        remote-host-name = ''
        is-local = TRUE
        on-since = '2011-04-09T20:10:15.338596Z'
        login-session-id = '1'


I never see any DBUS messages (using dbus-monitor) related to authorization when I click "apply" (should I?)

The authentication agent is running, but I have never seen it pop up a dialog:

Code: Select all
markus@markuspc ~ $ ps -ef | grep authentication-agent
markus    4501     1  0 15:10 ?        00:00:00 /usr/lib64/kde4/libexec/polkit-kde-authentication-agent-1
markus    7506  5127  0 15:32 pts/0    00:00:00 grep --colour=auto authentication-agent


I have rebuilt polkit packages, kdelibs and systemsettings with debug enabled but never see anything indicating it is even trying to authenticate.

The only error message I can find in the logs is in kdm.log:

Code: Select all
klauncher(4263) kdemain: No DBUS session-bus found. Check if you have started the DBUS server.
kdeinit4: Communication error with launcher. Exiting!
kdmgreet(4257)/kdecore (K*TimeZone*): KSystemTimeZones: ktimezoned initialize() D-Bus call failed:  "Not connected to D-Bus server"


However, I can see KDE using DBUS once I'm logged in, so I don't know what the kdm.log message is complaining about?

How do I continue troubleshooting this?
User avatar bcooksley
Administrator
Posts
19759
Karma
86
OS
The D-Bus messages from KDM can be safely ignored, they are not related.

Messages relating to KAuth will be sent on the System Bus, which can execute applications as root, so you need to monitor that bus instead.

I suspect you may have an issue with the system wide dbus-daemon not acknowledging the presence of the KAuth helpers which allow System Settings to set the time, etc if you are authorized.


KDE Sysadmin
[img]http://forum.kde.org/content/bcooksley_sig.png[/img]
User avatar zwede
Registered Member
Posts
29
Karma
0
OS
Thanks for the tip, monitoring the system bus yielded much more interesting results. I unlocked the system bus so I can see all the messages. I have a second machine running KDE where authentication works, so I did the same test/monitoring on it. The messages look the same all the way to (and including) the message to the authentication agent.

On the working KDE, this then pops up a dialog. On the broken one it does not.

Here is the DBUS message to the authentication agent on the broken machine:

Code: Select all
method call sender=:1.4 -> dest=:1.19 serial=26 path=/org/kde/PolicyKit1/AuthenticationAgent; interface=org.freedesktop.PolicyKit1.AuthenticationAgent; member=BeginAuthentication
   string "org.freedesktop.policykit.exec"
   string "Authentication is needed to run `/bin/bash' as the super user"
   string ""
   array [
      dict entry(
         string "polkit.caller-pid"
         string "3014"
      )
      dict entry(
         string "polkit.subject-pid"
         string "3006"
      )
   ]
   string "cookie0"
   array [
      struct {
         string "unix-user"
         array [
            dict entry(
               string "uid"
               variant                   uint32 0
            )
         ]
      }
   ]


I verified (using qdbusviewer) that 1.19 is indeed the kde authentication agent. Using qdbusviewer I sent it a ping and get-machine-id, to which it responded.

Yet it will not open a dialog.

Polkit is version 1.01. That's compatible with KDE 4.6.2, right?

Any tips on how to continue?


Gentoo Linux x64. Intel Core 2 Quad.
User avatar zwede
Registered Member
Posts
29
Karma
0
OS
Some further developments:

I killed the kde authentication agent and started the gnome version. Now when I do "pkexec bash" I get a dialog and bash indeed starts as root.

But systemsettings still don't work (never get a dialog). I see it doing the checkauthorization, but there is no "beginauthorization" signal being sent. Here's the relevant part of DBUS. Note that there is no more, this is the last polkit related signaling.

method call sender=:1.47 -> dest=:1.4 serial=10 path=/org/freedesktop/PolicyKit1/Authority; interface=org.freedesktop.PolicyKit1.Authority; member=CheckAuthorization
struct {
string "unix-process"
array [
dict entry(
string "pid"
variant uint32 3764
)
dict entry(
string "start-time"
variant uint64 54821
)
]
}
string "org.kde.kcontrol.kcmkdm.save"
array [
]
uint32 0
string ""
method call sender=:1.4 -> dest=org.freedesktop.DBus serial=93 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetConnectionUnixUser
string ":1.47"
method call sender=:1.4 -> dest=org.freedesktop.ConsoleKit serial=94 path=/org/freedesktop/ConsoleKit/Manager; interface=org.freedesktop.ConsoleKit.Manager; member=GetSessionForUnixProcess
uint32 3764
method call sender=:1.2 -> dest=org.freedesktop.DBus serial=124 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetConnectionUnixUser
string ":1.4"
method call sender=:1.2 -> dest=org.freedesktop.DBus serial=125 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetConnectionUnixProcessID
string ":1.4"
method call sender=:1.2 -> dest=org.freedesktop.DBus serial=126 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetConnectionUnixUser
string ":1.4"
method call sender=:1.2 -> dest=org.freedesktop.DBus serial=127 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetConnectionUnixProcessID
string ":1.4"
method return sender=:1.2 -> dest=:1.4 reply_serial=94
object path "/org/freedesktop/ConsoleKit/Session1"
method return sender=:1.4 -> dest=:1.47 reply_serial=10
struct {
boolean false
boolean true
array [
]
}


Gentoo Linux x64. Intel Core 2 Quad.
krassboter
Registered Member
Posts
14
Karma
0
You need to build qt-core and qt-gui with glib-USE-Flag enabled.
http://bugs.gentoo.org/show_bug.cgi?id=353143
This also will make the gstreamer-phononbackend work.
User avatar zwede
Registered Member
Posts
29
Karma
0
OS
Unfortunately (?) qt-core and qt-gui were already built with GLIB. I rebuilt the packages just in case, but there was no difference. I still never get a dialog from the KDE authentication agent.


Gentoo Linux x64. Intel Core 2 Quad.
User avatar bcooksley
Administrator
Posts
19759
Karma
86
OS
I'm out of ideas unfortunately. Only guess is to make sure that KDE detects the correct version of PolicyKit installed on your system, in case you happen to have both.


KDE Sysadmin
[img]http://forum.kde.org/content/bcooksley_sig.png[/img]
User avatar zwede
Registered Member
Posts
29
Karma
0
OS
I see systemsettings talking to polkit, and polkit talking to consolekit. The version is detected correctly (1.01, also tried 0.99 with no change).

I did a test where I started systemsettings, and then just clicked on "Login". I then compared the DBUS system logs between the working and broken system.

The logs are identical right up to the last few messages. What I see in both logs:

systemsettings starts up polkit1 and enumerates the actions.

polkit report a "kcmkdm.save" action.

systemsettings -> polkit1: CheckAuthorization
Polkit1 -> Consolekit: GetSession/GetConnection
Consolekit -> Polkit1: Reports the session for systemsettings PID
Polkit1 -> Systemsettings: response for checkauthorization with properties false, true

The broken one stops here and displays "You are not authorized to save the configuration"
The working one repeats the checkauthorization sequence 2 more times and then displays "You will be asked to authenticate before saving".

The final response message on the broken one from polkit1 to systemsettings is identical to the working system. Question is why the other 2 CheckAuthorizations are never sent?

How can I debug further? Who sends the CheckAuthorizations? Is it Kauth in kdelibs?


Gentoo Linux x64. Intel Core 2 Quad.
krassboter
Registered Member
Posts
14
Karma
0
Could you compare /etc/PolicyKit/PolicyKit.conf on both systems?
Also compare the groups, both users are in (e.g. with kuser).

You also could try to rebuild polkit, polkit-qt, polkit-kde-agent and kdelibs, though I don't think, that's the problem.
User avatar bcooksley
Administrator
Posts
19759
Karma
86
OS
It is likely the PolicyKit configuration in this case which prevents the action from being authorized. I would suggest following the steps listed by krassboter first, checking /usr/share/polkit-1/actions/ as well.


KDE Sysadmin
[img]http://forum.kde.org/content/bcooksley_sig.png[/img]
User avatar zwede
Registered Member
Posts
29
Karma
0
OS
Hmmm... I see that on the working system both policykit as well as polkit1 is installed. The broken one only has polkit1. Looking in my Gentoo repos I don't see policykit, only polkit1. Looks like it is no longer available.

But if I understand this stuff correctly, KDE4.6 no longer uses policykit?

So there's no /etc/PolicyKit/PolicyKit.conf to compare.

I looked at the files in /etc/PolicyKit/PolicyKit.conf and they are the same except for some of the Danish and slavic translations.


Gentoo Linux x64. Intel Core 2 Quad.
User avatar zwede
Registered Member
Posts
29
Karma
0
OS
Stranger by the minute... I added some debug printouts to KAuth, specifically:

KAuth::Polkit1Backend::actionStatus

My test was: Open systemsettings, click on Login.

From the debug printout I see that polkit returns auth_required. Yet systemsettings displays "you are not allowed to save the configuration"!

Any pointers where I should move my debugging next?


Gentoo Linux x64. Intel Core 2 Quad.
User avatar bcooksley
Administrator
Posts
19759
Karma
86
OS
You need to look into KAuth::Action, KPushButton and KCModule (in terms of classes at least). For KCModule, the functions useRootOnlyMessage() and rootOnlyMessage() are the ones of interest. For KPushButton, you are looking at just setAuthAction(). KAuth::Action is likely the class which can help you most with you debugging however.


KDE Sysadmin
[img]http://forum.kde.org/content/bcooksley_sig.png[/img]
User avatar zwede
Registered Member
Posts
29
Karma
0
OS
Haven't had much time to dig into this, but did put an hour on it today. Some more debug statements in KAuth::Action yielded the following:

systemsettings(23158) KAuth::Action::Action: Action::constructor
systemsettings(23158) KAuth::Action::Action: Action::constructor - calling setName
systemsettings(23158) KAuth::Action::setName: Action::setName
systemsettings(23158) KAuth::Polkit1Backend::Polkit1Backend: Markus: Constructor
systemsettings(23158) KAuth::Action::setName: Action::setName calling actionExists
systemsettings(23158) KAuth::Polkit1Backend::actionExists: Markus: actionExists
systemsettings(23158) KAuth::Action::Action: Action::constructor - calling setupAction
systemsettings(23158) KAuth::Polkit1Backend::actionStatus: Markus: actionStatus
systemsettings(23158) KAuth::Polkit1Backend::actionStatus: Markus: actionStatus r=default (authrequired)
systemsettings(23158) KAuth::Action::status: Action::status
systemsettings(23158) KAuth::Action::status: Action::status returning invalid
systemsettings(23158) KAuth::Action::status: Action::status
systemsettings(23158) KAuth::Action::status: Action::status returning invalid

So from this I can see that in the KAuth::Action constructor, polkit1 backend is called and does an authorization check. This check works fine and return authrequired as it should.

But then KAuth::Action::status is called twice... on the working machine I see two exchanges with polkit1 at this point on DBUS. On the broken machine those do not happen and instead it returns invalid. This seems to only be possible if actionExists has returned false?

In KAuth::Action::setName:

Code: Select all
d->valid = BackendsManager::authBackend()->actionExists(name);


So I think I need to focus on actionExists. Does this sound right?

Well, looking at actionExists I realize I need some pointers. What in the world does this do?

Code: Select all
bool Polkit1Backend::actionExists(const QString& action)
{
   kWarning() << "Markus: actionExists";
    // Any flying actions?
    if (m_flyingActions) {
        int tries = 0;
        while (m_flyingActions && tries < 10) {
            // Wait max 2 seconds
            QEventLoop e;
            QTimer::singleShot(200, &e, SLOT(quit()));
            e.exec();
            ++tries;
        }
    }

    return m_knownActions.contains(action);
}


Gentoo Linux x64. Intel Core 2 Quad.
User avatar bcooksley
Administrator
Posts
19759
Karma
86
OS
It seems to fire off an nested event loop which it uses to wait for 2 seconds. The value m_flyingActions is probably modified by some code in another thread, which is filling the m_knownActions list with actions that exist on the system.


KDE Sysadmin
[img]http://forum.kde.org/content/bcooksley_sig.png[/img]

 
Reply to topic

Bookmarks



Who is online

Registered users: Baidu [Spider], Bing [Bot], claydoh, Google [Bot], La Ninje, langsholt, Majestic-12 [Bot], NickElliott, skakoty, Sogou [Bot], srgmro33, YaCy [Bot], Yahoo [Bot]