[X2Go-User] [INTERNET] Re: x2godbadmin
"BOTZ Franck (Administrateur Systèmes et Réseaux) - DDT 67/SIDSIC/Pôle Infra"
franck.botz at bas-rhin.gouv.fr
Mon Jun 8 21:55:05 CEST 2015
Hi Mike
Thanks a lot for the cron job. But, for me, it doesn't work.
My group is "x2go-users". It is not a local group but a winbind group.
The users who are in this group don't all have their /home
created on the server.
I didn't know all the passwords and I won't.
The winbind configuration (it's not my project) doesn't allow the
group expansion for better responses, so a "getent group" lists the group
but not the users. So x2godbadmin --addgroup does nothing.
For the first connection, pam_mkhomedir.so does the job and creates the
/home. But then how to launch x2godbadmin, since it is necessarily
launched as the root user?
Modifying the access rights on the pgadmin file solves the problem, but can
compromise the entire database.
I thought about pam_group.so. So I created a local group
with-x2go-access ;-) and fill it dynamically at user logon. The user
is in the group, but the problem is that the content of this group is only
available to the user. A secondary console (as root) doesn't list the
user in with-x2go-access. The situation is similar: x2godbadmin
can't be launched. So a cron job launched every minute does nothing.
Hmm ... I didn't see how to solve this.
Perhaps a PostgreSQL config for using PAM authentication? First
question: has someone done that? Second question: is the database built
for doing something like that?
Regards
Franck
On 07/06/2015, "> Mike Gabriel (par Internet)"
<mike.gabriel at das-netzwerkteam.de> wrote:
> Hi Franck,
>
> On Do 04 Jun 2015 13:31:52 CEST, BOTZ Franck (Administrateur
> Systèmes et Réseaux) - DDT 67/SIDSIC/Pôle Infra wrote:
>
>> My x2gobroker installation works very well (nightly build).
>
> Good!
>
>> I have a question about x2godbadmin and the --addgroup option.
>>
>> I had supposed that running the command x2godbadmin --addgroup
>> x2gouser adds the group to the PostgreSQL database and then all
>> members of x2gouser can access x2goserver
>
> Don't add users to group "x2gouser". The group is a system
> group and only the user "x2gouser" may be a member of this group.
> If other users get added to this group your X2Go installation can
> be potentially compromised by those users (esp. if you are using
> the SQLite backend).
>
>> But after that, it appears that a new user added to the group can't
>> open an x2gosession. x2goserver says: "Can't read password file
>> /home/xxxx/.x2go/sqlpass".
>>
>> So, what does this command really do?
>> * Read the content of /etc/group/
>> * find the x2gouser line
>> * read the users that are members
>> * add the users one by one to the database and write a
>> ~/.x2go/sqlpass for each one?
>
> This question has been brought up several times already.
>
> What I do:
>
> o create a group "with-x2go-access" (or use an already existing
> group that can hold all potential X2Go Users)
> o run a nightly cron job as root (x2godbadmin --addgroup with-x2go-access)
>
> Not very elegant but working. I agree with you that the DB handling
> in X2Go needs some love.
>
> Greets,
> Mike
> --
>
> DAS-NETZWERKTEAM
> mike gabriel, herweg 7, 24357 fleckeby
> fon: +49 (1520) 1976 148
>
> GnuPG Key ID 0x25771B31
> mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
>
> freeBusy:
> https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
>