Bug 35578 - Handling of ucc logon/logout scripts inconsistent
Status: CLOSED WONTFIX
Product: Z_Univention Corporate Client (UCC)
Classification: Unclassified
Component: User logins
Version: unspecified
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCC 2.0-errata
Assigned To: UCC maintainers
Reported: 2014-08-06 16:32 CEST by Janis Meybohm
Modified: 2023-06-28 10:33 CEST

Attachments
Updated UCC session script (1.94 KB, application/x-shellscript)
2014-08-06 16:32 CEST, Janis Meybohm

Description Janis Meybohm univentionstaff 2014-08-06 16:32:36 CEST
Created attachment 6060
Updated UCC session script

Ticket#: 2014080121000169

The UCC sessions handle logon scripts in different ways.

* First way, the "local UCC" way:
By default they are read from /var/cache/ucc/user-policy-$USER and called via "su $USER" in:
/etc/lightdm/session-setup/010_univention-ucc-logon
/etc/lightdm/session-cleanup/010_univention-ucc-logout


* Second way, the "remote UCC" way:
/usr/sbin/univention-ucc-fetch-user-policies (called via pam_runasroot in /etc/pam.d/lightdm) writes the scripts to ~/.ucc-environment, which is then sourced via pam_env.
The UCC-XRDP session script then calls the scripts before and after "startkde" with the user credentials.



Problems start when the "local UCC" way is combined with remote home directories (e.g. CIFS mount via "univention-ucc-cifshome-pam-mount" package):

* The remote home is not mounted when the scripts are called by lightdm, as the "su $USER <script>" call does not use the lightdm pam stack and the user's session is not set up yet.

* /usr/sbin/univention-ucc-fetch-user-policies writes the .ucc-environment file to the local $HOME directory because it is run prior to pam_mount

* pam_env does not source ~/.ucc-environment (as it does not exist in the remote home which is mounted now)

* The UCC Session script does not evaluate/run the scripts as UCC-XRDP does




I think the most consequential way (which works and can be used as workaround) would be to drop /etc/lightdm/session-setup/010_univention-ucc-logon and /etc/lightdm/session-cleanup/010_univention-ucc-logout, switch the order of pam_mount and pam_runasroot in /etc/pam.d/lightdm and extend the UCC session script to run the scripts set in the environment variable (like UCC-XRDP).
Comment 1 Janis Meybohm univentionstaff 2015-05-28 16:03:39 CEST
Ticket#2015012021000358

This still applies to UCC2 rev2 image and is (still/again) really odd because it prevents us from using a workaround for bug 38580.
Comment 2 Philipp Hahn univentionstaff 2023-06-28 10:30:39 CEST
UCC is EoL