I am affected by this as well. I want my LDAP users to be able to manage
printers. I've tried removing authentication in cupsd.conf; this works
for the CUPS interface, but not from 'Printers' in System Settings. So
instead I've added them to the lpadmin group with the pam mount module,
but it is still not possible.

As noted in another comment, id shows the user being a member of
lpadmin, but id username doesn't.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1281700

Title:
  policykit-1 is not aware of groups assigned by pam_group

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  I'm using pam_group for my ldap users so that they get assigned default ubuntu groups:
  $ tail -n2 /etc/security/group.conf

  # add LDAP users to these default groups, but don't give them admin rights.
  "*;*;*;Al0000-2400;audio,video,cdrom,plugdev,fuse"

  These additional group IDs are assigned correctly:

  $ id
  uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)

  Based on these additional groups, I'm trying to give certain user
  groups the necessary permissions to execute a program, using
  policykit-1. Unfortunately, policykit does seem to only 'see' / 'be
  aware' of the primary group that the user belongs to (and not those
  additional groups that are assigned via /etc/security/group.conf).

  This works (users can start the program):
  [AllowUsertoDoSomething]
  Identity=unix-group:ldapgroup

  This doesn't work (users are asked to provide the administrator password):
  [AllowUsertoDoSomething]
  Identity=unix-group:plugdev

  I suspect that this has something to do with the fact that 'id' does
  return conflicting information about groups:

  # call id without username, returns all groups, including the ones defined in /etc/security/group.conf
  $ id
  uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)

  # call id with username, only ldap groups are returned, the ones defined in /etc/security/group.conf are missing.
  $ id myusername
  uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup)

  My suspicion is that policykit-1 is calling "id user" (or a similar command)
  and "sees" only the main ldap groups.
  I did not expect this behavior, because /etc/pam.d/polkit-1 does include
  /etc/pam.d/common-auth (which includes the "auth optional pam_group.so" line)

  This is Ubuntu 12.04.3 with all latest updates. Any help and
  suggestions are appreciated.

  $ lsb_release -rd
  Description:  Ubuntu 12.04.3 LTS
  Release:      12.04

  $ apt-cache policy policykit-1
  policykit-1:
    Installed: 0.104-1ubuntu1.1
    Candidate: 0.104-1ubuntu1.1
  ---
  ApportVersion: 2.0.1-0ubuntu17.4
  Architecture: amd64
  DistroRelease: Ubuntu 12.04
  MarkForUpload: True
  NonfreeKernelModules: nvidia
  Package: policykit-1 0.104-1ubuntu1.1
  PackageArchitecture: amd64
  ProcEnviron:
   LANGUAGE=en_US:en
   TERM=xterm
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 3.5.0-41.64~precise1-generic 3.5.7.21
  Tags:  precise
  Uname: Linux 3.5.0-41-generic x86_64
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups:
