[X2Go-User] [INTERNET] Re: x2godbadmin

"BOTZ Franck (Administrateur Systèmes et Réseaux) - DDT 67/SIDSIC/Pôle Infra" franck.botz at bas-rhin.gouv.fr
Mon Jun 8 21:55:05 CEST 2015


Hi Mike

Thanks a lot for the cron job. But, for me, it doesn't work.

My group is "x2go-users". It is not a local group but a winbind group.
The users who are in this group don't all have their /home
created on the server.

I don't know all the passwords and I won't.

The winbind configuration (it's not my project) doesn't allow
group expansion (for better responses), so a "getent group" lists the group
but not the users. So x2godbadmin --addgroup does nothing.

For the first connection, pam_mkhomedir.so does the job and creates the
/home. But then how to launch x2godbadmin, since it must necessarily be
launched as the root user?

Modifying the access rights on the pgadmin file solves the problem, but can
compromise the entire database.

I thought about pam_group.so. So I created a local group
with-x2go-access ;-) and fill it dynamically at the user's logon. The user
is in the group, but the problem is that the content of this group is only
available to the user. A secondary console (as root) doesn't list the
user in with-x2go-access. The situation is similar: x2godbadmin
can't be launched. So a cron job launched every minute does nothing.

Hmm ... I didn't see how to solve this.

Perhaps a PostgreSQL config for using PAM authentication? First
question: has someone done that? Second question: is the database built
for doing something like that?

Regards

Franck

On 07/06/2015, "Mike Gabriel (via Internet)"
<mike.gabriel at das-netzwerkteam.de> wrote:

> Hi Franck,
>
> On Thu 04 Jun 2015 13:31:52 CEST, BOTZ Franck (Administrateur
> Systèmes et Réseaux) - DDT 67/SIDSIC/Pôle Infra wrote:
>
>> My x2gobroker installation works very well (nightly build).
>
> Good!
>
>> I have a question about x2godbadmin and the --addgroup option.
>>
>> I had supposed that running the command x2godbadmin --addgroup
>> x2gouser adds the group to the PostgreSQL database and that then all
>> members of x2gouser can access x2goserver.
>
> Don't add users to group "x2gouser". The group is a system
> group and only the user "x2gouser" may be a member of this group.
> If other users get added to this group your X2Go installation can
> be potentially compromised by those users (esp. if you are using
> the SQLite backend).
>
>> But after that, it appears that a new user added to the group can't
>> open an x2gosession. x2goserver says: "Can't read password file
>> /home/xxxx/.x2go/sqlpass".
>>
>> So, what does this command really do?
>>  * Read the content of the /etc/group/
>>  * find the x2gouser line
>>  * read the users that are members
>>  * add the users one by one to the database and write a
>> ~/.x2go/sqlpass for each one?
>
> This question has been brought up several times already.
>
> What I do:
>
>   o create a group "with-x2go-access" (or use an already existing
>     group that can hold all potential X2Go Users)
>   o run a nightly cron job as root (x2godbadmin --addgroup with-x2go-access)
>
> Not very elegant but working. I agree with you that the DB handling
> in X2Go needs some love.
>
> Greets,
> Mike
> -- 
>
> DAS-NETZWERKTEAM
> mike gabriel, herweg 7, 24357 fleckeby
> fon: +49 (1520) 1976 148
>
> GnuPG Key ID 0x25771B31
> mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
>
> freeBusy:
> https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
>




