Hi Dave,

I'm not sure your issue is a bug in policykit. It seems more likely to be a configuration issue. Configuring SSO on Ubuntu is quite tricky, as you need to cleanly configure the LDAP client part of your workstation, the policykit system for rights elevation and PAM for authentication.
Take a look in /etc/polkit-1/localauthority.conf.d. You should have a file called 60-ldap.conf (the number may be different; it is just for ordering script execution) containing this text:

    [Configuration]
    AdminIdentities=unix-group:#####

with ##### the name of your domain/local administrators group. You can provide more than one group if you need to. Check that your LDAP client and nsswitch can resolve this group and all accounts within it (getent group).

Hope this helps ;)

Loïc

-- 
You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/781737

Title:
  policykit cannot grant special privileges from LDAP-identified administrators

Status in “policykit-1” package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: policykit-1

  I use an LDAP server for centralized identification of local domain users and administrators on Ubuntu client workstations. Local identification is done through the PAM system using the pam_ldap module. When an application asks for special privileges through the policykit system, the list of domain administrators is correctly displayed and the privileged user's login/password is correctly checked against the pam_ldap.so module, but then polkit-agent-helper-1 cannot send back the authentication token to the DBus interface. So remote administrators' identification and privilege escalation work well with local and remote groups, su, sudo and related tools (gksu, gksudo), but nothing ever works when privilege escalation goes through the policykit system.

  It seems that the cause of this bug is polkit-agent-helper-1. This executable is setuid root to allow communication with DBus (needed to confirm authentication, if I have understood this part of the code correctly). Unfortunately, during PAM verification some PAM modules may permanently revoke the process credentials.
  This is the case for the pam_ldap module (and maybe for other PAM modules too, but I only checked with this one). Here is an explanation of what occurs in polkitagent/polkitagenthelper-pam.c. Let's say that we try to get special privileges for user 1000 (who is local or remote; this makes no difference to the issue). First we try with a local administrator account and then with a remote (LDAP) administrator account.

  With the LOCAL administrator account:
  - Before the pam_authenticate() call, the real uid is 1000, the effective uid is 0 (polkit-agent-helper-1 is setuid root) and the saved uid is 0.
  - After the pam_authenticate() call, all uids are the same as before, because the local administrator account has been authorized through the pam_unix module and it has not changed the process credentials. As the effective uid is still 0, the call to send_dbus_message() works well and special privileges are granted to user 1000.

  With the REMOTE (LDAP) administrator account:
  - Before the pam_authenticate() call, the real uid is 1000, the effective uid is 0 and the saved uid is 0.
  - After the pam_authenticate() call, the real uid is 1000, the effective uid is 1000 and the saved uid is 1000. The remote administrator has been authorized through the pam_ldap module and this module has permanently revoked the process credentials. As the effective uid is now different from 0, the call to send_dbus_message() always fails and it is therefore impossible to grant privileges to user 1000.

  I made a little patch that stores the process credentials before PAM processing, then forces the real uid to 0 to prevent PAM modules from revoking setuid root, and then restores the previous process credentials after PAM processing. I'm not sure this is the best way to resolve this issue, but it works well and it may be a good workaround until someone finds a better solution. I don't think it causes further security issues either, as polkit-agent-helper-1 is already setuid root, but it may require further investigation on that particular subject.
  This patch also corrects a memory leak at the end of conversation_function().

  ProblemType: Bug
  DistroRelease: Ubuntu 11.04
  Package: policykit-1 0.101-1ubuntu1
  ProcVersionSignature: Ubuntu 2.6.38-9.43-generic 2.6.38.4
  Uname: Linux 2.6.38-9-generic x86_64
  NonfreeKernelModules: nvidia
  Architecture: amd64
  Date: Thu May 12 16:14:52 2011
  InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
  ProcEnviron:
   LANGUAGE=fr_FR:en
   LANG=fr_FR.UTF-8
   SHELL=/bin/bash
  SourcePackage: policykit-1
  UpgradeStatus: Upgraded to natty on 2011-05-06 (6 days ago)
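The save / force / restore of process credentials that the bug description outlines, written out as an added C example. This is not the reporter's patch and not polkit code: privilege_dropping_auth() is a hypothetical stand-in for pam_authenticate() running a module that calls setuid(getuid()), which is the "permanent revocation" the report describes. With the real/effective/saved triple 1000/0/0, setuid(1000) from a privileged process sets all three to 1000; after the guarded helper forces the real uid to 0, the same call becomes setuid(0), a no-op, and the original triple is put back afterwards. The difference between the two paths is only visible when the binary is installed setuid root (chown root, chmod u+s) and run by an unprivileged user; run as an ordinary user, both paths leave the uids untouched.

```c
/* Added example: save / force / restore of process credentials around an
 * authentication callback, reconstructing the approach described in the bug
 * report. Not the reporter's patch and not polkit code. */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

struct creds {
    uid_t ruid, euid, suid;
};

static int get_creds(struct creds *c)
{
    return getresuid(&c->ruid, &c->euid, &c->suid);
}

/* Hypothetical stand-in for pam_authenticate() with a module that drops to
 * the real uid. From 1000/0/0, setuid(1000) is a privileged call and sets
 * real, effective AND saved uid to 1000: root is gone for good. */
static int privilege_dropping_auth(void)
{
    return setuid(getuid());
}

/* Naive helper: call the authenticator and report the credentials afterwards. */
int naive_run(int (*auth)(void), struct creds *after)
{
    int rc = auth();
    if (get_creds(after) != 0)
        return -1;
    return rc;
}

/* Guarded helper: record the triple, make the real uid 0 while the
 * authenticator runs (only possible, and only needed, when we are setuid
 * root), then restore the recorded triple. Returns the authenticator's
 * result, or -1 if the credentials could not be forced or restored. */
int guarded_run(int (*auth)(void), struct creds *after)
{
    struct creds saved;
    int forced = 0;

    if (get_creds(&saved) != 0)
        return -1;
    if (saved.euid == 0 && saved.ruid != 0) {
        if (setresuid(0, 0, 0) != 0)
            return -1;
        forced = 1;
    }
    int rc = auth();
    /* A failed restore must be treated as fatal: never carry on as root
     * with credentials we do not understand. */
    int restored = !forced || setresuid(saved.ruid, saved.euid, saved.suid) == 0;
    if (get_creds(after) != 0)
        return -1;
    return restored ? rc : -1;
}

/* Invariant of the guarded path: effective and saved uid end up where the
 * process started, whether or not we are setuid root. */
int guarded_preserves_euid(void)
{
    struct creds before, after;
    if (get_creds(&before) != 0)
        return 0;
    if (guarded_run(privilege_dropping_auth, &after) != 0)
        return 0;
    return after.euid == before.euid && after.suid == before.suid;
}

/* The naive path always ends with the effective uid equal to the real uid,
 * which is the failure mode when the real uid is not 0. */
int naive_ends_at_real_uid(void)
{
    struct creds after;
    uid_t real = getuid();
    if (naive_run(privilege_dropping_auth, &after) != 0)
        return 0;
    return after.euid == real;
}

int main(void)
{
    struct creds c = {0, 0, 0};
    /* Guarded first: if it works, the naive run below still starts as root. */
    int rc = guarded_run(privilege_dropping_auth, &c);
    printf("guarded: rc=%d ruid=%u euid=%u suid=%u\n", rc,
           (unsigned)c.ruid, (unsigned)c.euid, (unsigned)c.suid);
    rc = naive_run(privilege_dropping_auth, &c);
    printf("naive:   rc=%d ruid=%u euid=%u suid=%u\n", rc,
           (unsigned)c.ruid, (unsigned)c.euid, (unsigned)c.suid);
    return 0;
}
```

One caveat a reviewer of such a workaround would raise: forcing the real uid to 0 also changes what getuid() reports to every module on the stack, so a module that drops privileges for the duration of a network or file operation precisely because it reads getuid() now keeps root for that operation. That is the "further investigation" the reporter mentions, and it is why the restore failure above is treated as fatal rather than ignored.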

