policykit-1 is not aware of groups assigned by pam_group

Bug #1281700 reported by Andreas
This bug affects 10 people
Affects               Status      Importance   Assigned to   Milestone
policykit-1 (Ubuntu)  Confirmed   Undecided    Unassigned

Bug Description

I'm using pam_group for my ldap users so that they get assigned default ubuntu groups:
$ tail -n2 /etc/security/group.conf

# add LDAP users to these default groups, but don't give them admin rights.
"*;*;*;Al0000-2400;audio,video,cdrom,plugdev,fuse"

These additional group IDs are assigned correctly:

$ id
uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)

Based on these additional groups, I'm trying to give certain user groups the necessary permissions to execute a program, using policykit-1. Unfortunately, policykit seems to only 'see' / 'be aware' of the primary group that the user belongs to (and not those additional groups that are assigned via /etc/security/group.conf).

This works (users can start the program):
[AllowUsertoDoSomething]
Identity=unix-group:ldapgroup

This doesn't work (users are asked to provide the administrator password):
[AllowUsertoDoSomething]
Identity=unix-group:plugdev

I suspect that this has something to do with the fact that 'id' does return conflicting information about groups:

# call id without username, returns all groups, including the ones defined in /etc/security/group.conf
$ id
uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)

# call id with username, only ldap groups are returned, the ones defined in /etc/security/group.conf are missing.
$ id myusername
uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup)

My suspicion is that policykit-1 is calling "id user" (or a similar command) and "sees" only the main ldap groups.
I did not expect this behavior, because /etc/pam.d/polkit-1 does include /etc/pam.d/common-auth (which includes the "auth optional pam_group.so" line).

This is Ubuntu 12.04.3 with all latest updates. Any help and suggestions are appreciated.

$ lsb_release -rd
Description: Ubuntu 12.04.3 LTS
Release: 12.04

$ apt-cache policy policykit-1
policykit-1:
  Installed: 0.104-1ubuntu1.1
  Candidate: 0.104-1ubuntu1.1
---
ApportVersion: 2.0.1-0ubuntu17.4
Architecture: amd64
DistroRelease: Ubuntu 12.04
MarkForUpload: True
NonfreeKernelModules: nvidia
Package: policykit-1 0.104-1ubuntu1.1
PackageArchitecture: amd64
ProcEnviron:
 LANGUAGE=en_US:en
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 3.5.0-41.64~precise1-generic 3.5.7.21
Tags: precise
Uname: Linux 3.5.0-41-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:

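The mismatch the reporter sees between `id` and `id myusername` is the whole story: pam_group adds groups to the login process's supplementary group set (setgroups), while `id <username>`, and polkit's Local Authority when it resolves a `unix-group:` identity, ask the NSS group database via getgrouplist(3), which pam_group never touches. The following is an added example, not code from the bug report or from polkit itself: it reproduces the two views side by side, emulates the `Identity=` match of a .pkla file against database membership, and points out which groups a rule can never match. The GIDs and names are constructed from the `id` output quoted above; the `database_groups()` helper approximates getgrouplist() by enumerating the group database, which with an LDAP backend may be slow or incomplete.

```python
import grp
import os
import pwd

# Constructed from the `id` output in the report (not read from any system).
SESSION_GIDS_FROM_REPORT = [6000, 24, 29, 44, 46, 104]   # plain `id`: process groups
DATABASE_GIDS_FROM_REPORT = [6000]                       # `id myusername`: group database
GROUP_NAMES_FROM_REPORT = {6000: "ldapgroup", 24: "cdrom", 29: "audio",
                           44: "video", 46: "plugdev", 104: "fuse"}


def session_groups():
    """Groups of the running process: primary gid plus the supplementary gids
    set at login. pam_group adds its groups here, so this is what a plain
    `id` prints."""
    return sorted({os.getgid(), *os.getgroups()})


def database_groups(username):
    """Groups the NSS group database records for `username`: the passwd
    primary gid plus every group listing the user as a member. This
    approximates getgrouplist(3), the lookup behind `id <username>` and
    behind polkit's unix-group: matching. pam_group never writes here."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    for g in grp.getgrall():          # enumerates all NSS group sources
        if username in g.gr_mem:
            gids.add(g.gr_gid)
    return sorted(gids)


def groups_only_in_session(session_gids, database_gids):
    """Groups the session has but the database does not: exactly the ones a
    `unix-group:` identity in a .pkla file will never match."""
    return sorted(set(session_gids) - set(database_gids))


def pkla_identity_matches(identity_line, username, database_gids, group_names):
    """Evaluate a Local Authority `Identity=` value (semicolon-separated
    unix-user:/unix-group: entries, unix-user:* as wildcard) the way polkit
    does: group membership is taken from the *database* view only."""
    db_names = {group_names.get(gid, str(gid)) for gid in database_gids}
    for ident in filter(None, (s.strip() for s in identity_line.split(";"))):
        kind, _, name = ident.partition(":")
        if kind == "unix-user" and name in ("*", username):
            return True
        if kind == "unix-group" and name in db_names:
            return True
    return False


def _gid_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


if __name__ == "__main__":
    # 1. The report's numbers: which groups can a .pkla rule never see?
    missing = groups_only_in_session(SESSION_GIDS_FROM_REPORT, DATABASE_GIDS_FROM_REPORT)
    print("in session but not in group database:",
          [GROUP_NAMES_FROM_REPORT[g] for g in missing])
    for ident in ("unix-group:ldapgroup", "unix-group:plugdev"):
        ok = pkla_identity_matches(ident, "myusername",
                                   DATABASE_GIDS_FROM_REPORT, GROUP_NAMES_FROM_REPORT)
        print(f"Identity={ident} -> {'matches' if ok else 'asks for admin password'}")

    # 2. The same comparison against the live login session.
    me = pwd.getpwuid(os.getuid()).pw_name
    live_missing = groups_only_in_session(session_groups(), database_groups(me))
    print("live session groups invisible to polkit:", [_gid_name(g) for g in live_missing])
```

Run as the affected user in a desktop session: the groups listed under "invisible to polkit" are the pam_group additions, and any `Identity=unix-group:` rule naming one of them will fall through to the administrator-password prompt. Making such a rule work requires the membership to exist in the group database itself (for example an LDAP group with the right members, or a local group entry), not in a PAM-time setgroups.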
Andreas (andreas-kotowicz) wrote: Dependencies.txt (apport information)

tags: added: apport-collected precise
description: updated
summary: - policykit-1 does not "see" groups assigned by pam_group
+ policykit-1 is not aware of groups assigned by pam_group
description: updated
Andreas (andreas-kotowicz) wrote:

The same problem is reported in the following forum posting:

http://ubuntuforums.org/showthread.php?t=1822217&p=11137302#post11137302

Arun (arunmohre) wrote:

I have the same issue. Using Ubuntu 14.04 LTS and I am also trying to add all users to a particular group. Some of the posts online indicated using pam_group to accomplish this. When I modify /etc/security/group.conf to add users to the "audio" group -

If I enter "id", it shows that my user belongs to the "audio" group. But if I enter "id <username>" it won't show up.

Any idea how can I resolve this ?

Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in policykit-1 (Ubuntu):
status: New → Confirmed
bigbrovar (bigbrovar) wrote:

This issue has been giving me a serious headache: trying to allow our LDAP users (mainly over 200 staff) to manage their printing services (enable, disable, add printers) without having to call "IT" is currently impossible.

Thomas Bordfeldt (bordfeldt) wrote:

The same problem in my Ubuntu 14.04 environment. In our school we have 50 Ubuntu clients and we are using LDAP authentication. Now we want to assign the LDAP users to the lpadmin group to give them the possibility to manage the printing system (i.e. set the default printer...), but it's not possible.
So this is a very annoying bug.

Tom De Sloovere (tom-desloovere) wrote:

Same problem here in an OpenLDAP environment with Ubuntu 14.04.3 workstations. We have this issue with adding certain OpenLDAP groups to the local sudo group.

Tobias Volfing (tobiasvv) wrote:

I am affected by this as well. I want my LDAP users to be able to manage printers. I've tried removing authentication in cupsd.conf, this works for the CUPS interface. But not from 'Printers' in system settings. So instead I've added them to the lpadmin group with the pam mount module, but it is still not possible.

As noted in another comment, "id" shows the user being a member of lpadmin, but "id username" doesn't.
