desktop-packages team mailing list archive

[Bug 892680] Re: PAM with LDAP breaks authentication to Policykit enabled Gnome applications using LDAP credentials

 

*** This bug is a duplicate of bug 781737 ***
    https://bugs.launchpad.net/bugs/781737

Here's a good article on how to handle this for a freeIPA domain, but it
should apply to any remote auth method.

https://www.happyassassin.net/2014/09/09/freeipa-setting-polkit-policykit-rules-for-users-make-your-user-a-polkit-administrator-on-your-clients/

I'm sure this is a bug though. It should try to authenticate as root,
instead of using some random user.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/892680

Title:
  PAM with LDAP breaks authentication to Policykit enabled Gnome
  applications using LDAP credentials

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  Hi,

  1) Test system

  My client is a fresh installation of Ubuntu 10.04 LTS x86. It has been
  fully patched.

  libnss-ldap and dependencies have then been installed with Synaptic
  package manager using the local administrator account created during
  installation of Ubuntu.

  /etc/ldap.conf has been modified to point to an OpenDJ v2.4.2 LDAP
  server running on the local network, using ldaps://server:port
  nomenclature. I am not using SSL.

  A dedicated bind account has been created in the LDAP server and this
  has been specified in /etc/ldap.conf with the bind password recorded
  at /etc/ldap.secret

  PAM configuration files at /etc/pam.d have been modified to contain
  the following, in order common-account, common-auth, common-password
  and common-session:

  account sufficient pam_ldap.so
  account required pam_unix.so

  auth sufficient pam_ldap.so
  auth required pam_unix.so nullok_secure use_first_pass

  password sufficient pam_ldap.so nullok
  password required pam_unix.so nullok obscure min=4 max=8 md5

  session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
  session required pam_unix.so
  session optional pam_ldap.so

  /etc/nsswitch.conf has been modified accordingly to contain the
  following information:

  passwd: files ldap
  group: files ldap
  shadow: files ldap

  LDAP users can log in to the client successfully, and home directories
  are created automatically. In LDAP, my test user accounts have been
  assigned the gidNumber attribute value of 119 (admin).

  
  2) What I expect to happen

  As an LDAP user (note *not* as a local administrator), I expect to be
  able to launch a Gnome application such as Ubuntu Software Center and
  have Policykit validate my LDAP credentials correctly, such that I can
  install or remove applications (or otherwise perform administrative
  tasks).

  3) What happened instead

  Logging in to the system as an LDAP user, I can launch Ubuntu Software
  Center. Upon (for example) attempting to install an application, I am
  prompted for my credentials. I enter these (the same credentials used
  to log into the system), but they are rejected with an "Authentication
  Failure" error.

  Also, Policykit seems to want to only accept the credentials of the
  local administrator account created during installation of the OS, as
  the authentication window prompts for "Password for itadmin"
  ('itadmin' being my local administrator account).

  
  4) Additional information

  Using the same LDAP account and credentials, I can authenticate to and
  use Synaptic Package Manager to install applications without issue.

  Logged in as the LDAP user, the id command returns the following,
  where "dave" is the LDAP username:

  $ id
  uid=1001(dave) gid=119(admin) groups=119(admin)

  
  Policykit version details:

  $ apt-cache policy policykit-1
  policykit-1:
    Installed: 0.96-2ubuntu0.1
    Candidate: 0.96-2ubuntu0.1
    Version table:
   *** 0.96-2ubuntu0.1 0
          500 http://nz.archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
          500 http://security.ubuntu.com/ubuntu/ lucid-security/main Packages
          100 /var/lib/dpkg/status
       0.96-2 0
          500 http://nz.archive.ubuntu.com/ubuntu/ lucid/main Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/892680/+subscriptions