Cannot authenticate using PolicyKit dialogs with domain credentials, prompts for local user

Bug #479226 reported by Darren Worrall
This bug affects 6 people
Affects             Status     Importance  Assigned to  Milestone
likewise-open       New        Undecided   Unassigned
policykit (Ubuntu)  Confirmed  Undecided   Unassigned

Bug Description

Binary package hint: likewise-open5

When logged in as a domain user - who has root permission via sudoers - policykit dialogs prompt for the password of a different local user, rather than who I'm currently logged in as.

local user fooadmin
domain user foo

Not sure which part has their knickers in a twist, apologies if filing against likewise-open is wrong.

Steps to reproduce:

login as domain user (domain\foo)
try to edit a network connection
when clicking apply, policykit dialog pops up asking for password of local fooadmin user.

ProblemType: Bug
Architecture: amd64
Date: Mon Nov 9 15:12:25 2009
DistroRelease: Ubuntu 9.10
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
NonfreeKernelModules: nvidia
Package: likewise-open5 5.0.3991.1+krb5-0ubuntu2
ProcEnviron:
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-14.48-generic
SourcePackage: likewise-open5
Uname: Linux 2.6.31-14-generic x86_64

Darren Worrall (dazworrall) wrote :
Chuck Short (zulcss)
affects: likewise-open5 (Ubuntu) → policykit (Ubuntu)
David L Norris (webaugur) wrote :

likewise-open5(-lsass?) needs to drop an appropriate file into /etc/polkit-1/localauthority.conf.d/ which tells PolicyKit which Active Directory security group defines domain administrators. I'm not sure what that needs to look like but I set mine up like this (my AD domain is CORP):

[Configuration]
AdminIdentities=unix-group:CORP\\domain^admins

It does not seem to work exactly correctly but it's close enough until it's either fixed or I can read the PolicyKit docs further.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in policykit (Ubuntu):
status: New → Confirmed
Alex Mauer (hawke) wrote :

I’m not sure that’s the entire problem/solution, actually.

I think this is saying that a likewise-open user, which has been added to the local group 'admin' (and so should have admin privileges), does not get admin privileges, or they are limited in some way.

Not that the AD 'domain admins' should have local admin rights (perhaps they should, but that’s something different)

Steve O (techrgs) wrote :

This bug affects me, too (with Likewise Open 6, however). My workaround is a two-pronged approach. Let's assume that you want the Domain Users group to have both sudo and administrative rights on the local machine. (Usually, it's only Domain Admins or another group, but we have a special configuration where I am.) First, I added the Domain Users group to the sudoers file (accessed by typing "sudo visudo" on an account that already has sudoer rights, or by running "visudo" simply as root). I then added the following line on the section with the header "Members of the admin group":

%domain^users ALL=(ALL) ALL

Please note that depending on your setup, you may have to add the domain explicitly:

%DOMAIN\\domain^users ALL=(ALL) ALL

So now all people in the Domain Users group have sudo access! They can type "sudo <command>" in any command prompt and it should work fine. BUT, if your users use the GUI, we still have the problem that any Policy Kit dialog boxes that pop up do not recognize this authority and demand you log in as root or as a local administrator.

So, following David Norris' suggestion, I navigated to /etc/polkit-1/localauthority.conf.d/ and added a new file called "52-likewise-admin.conf". The 52 is just because there were already files in there that started with "50" and "51", and I know that the configuration files get loaded in order based on their number. So the "52" is arbitrary. The file contents are as follows:

[Configuration]
AdminIdentities=unix-group:domain^users

AS BEFORE, you may need to explicitly state your domain, as follows:

[Configuration]
AdminIdentities=unix-group:DOMAIN\\domain^users

Of course, change "domain^users" to "domain^admins" or other groups as necessary. I hope this helps some people.
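
Added example (not part of the original thread or of the likewise-open or PolicyKit projects): a small audit helper that reads a localauthority.conf.d directory the way polkit's local authority does, in lexical order with the last AdminIdentities setting winning, and reports which identities end up as administrators and whether a broad group is among them. The BROAD_GROUPS list, the 50- and 51- file names and all sample file contents are constructed assumptions.

```python
import configparser, glob, os, tempfile

# Assumption: groups treated as too broad for polkit admin rights at this site.
BROAD_GROUPS = {"domain^users"}

def effective_admin_identities(conf_dir):
    """Read *.conf in lexical order; the last file that sets AdminIdentities wins."""
    identities, source = [], None
    for path in sorted(glob.glob(os.path.join(conf_dir, "*.conf"))):
        cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        cp.optionxform = str  # keep key case: AdminIdentities
        cp.read(path)
        value = cp.get("Configuration", "AdminIdentities", fallback=None)
        if value is not None:
            value = value.replace("\\\\", "\\")  # key-file escape: \\ -> \
            identities = [i for i in value.split(";") if i]
            source = os.path.basename(path)
    return identities, source

def broad_grants(identities):
    """Return unix-group identities whose name (domain prefix stripped) is broad."""
    hits = []
    for ident in identities:
        kind, _, name = ident.partition(":")
        if kind == "unix-group" and name.rsplit("\\", 1)[-1].lower() in BROAD_GROUPS:
            hits.append(ident)
    return hits

def build_sample():
    """Constructed sample directory; file names other than 52-... are made up."""
    d = tempfile.mkdtemp()
    files = {
        "50-sample.conf": "[Configuration]\nAdminIdentities=unix-user:0\n",
        "51-sample.conf": "[Configuration]\nAdminIdentities=unix-group:admin\n",
        "52-likewise-admin.conf": "[Configuration]\n"
                                  r"AdminIdentities=unix-group:DOMAIN\\domain^users" "\n",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d

if __name__ == "__main__":
    ids, src = effective_admin_identities(build_sample())
    print("effective AdminIdentities from", src, "->", ids)
    print("broad grants:", broad_grants(ids))
```

On the sample, the 52- file replaces the earlier settings rather than adding to them, so unix-group:admin is no longer an admin identity; listing several identities in one value, separated by semicolons, keeps them all.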
