users-admin cannot get authorized from policy kit in VNC session

I have seen this behavior in both 64b and 32b installs. I ran apport-bug from my 64b machine, so that is why it is tagged amd64.

Have you tried without VNC, i.e. with a local GDM session?

If the patch doesn't apply, you can still edit by hand /usr/share/polkit-1/actions/org.freedesktop.SystemToolsBackends.policy and replace <allow_active> with <allow_any>. If that's enough, then that's a plain duplicate of bug 221363, which simply needs to be updated.

[BTW, when you mention bug numbers, please always write "bug XXXX" instead of "XXXX": this automatically creates the link to the report, which is much more convenient.]

users-admin works as expected in a local GDM session.

I installed Maverick desktop edition in a VM using the ISO image.

After installation, I installed only vnc4server and ssh. I logged in remotely and started the VNC session. I confirmed that users-admin does not get an authorization from policy kit. No window appears that says that it cannot get authorization. (I think that is a regression from Lucid, by itself.)

Then, I edited the /usr/share/polkit-1/actions/org.freedesktop.SystemToolsBackends.policy file manually, as you described. Rather than try to figure out what tools needed to be restarted, I rebooted after each change to this file. This is very fast in a VM on my box, so I figured it would be good to eliminate all variables. In this first edit, I only changed allow_active to allow_any in both sections of the file and deleted the allow_inactive lines. After doing so, I was able to get authorized in users-admin running in the VNC session. I was not able to get authorized in users-admin running in a local GDM session however.

Next, I edited the policy file manually again, adding back the original <allow_active> lines. Again, I rebooted. At this point, I was able to get authorized in users-admin in both the VNC session and the local GDM session. Great news!

Finally, I upgraded to the latest packages with "apt-get update && apt-get upgrade". I changed nothing in /etc/apt, either manually or using the "Software Sources" GUI. After all of the packages had been downloaded and installed, I rebooted again. In this final state, I can no longer get authorization in users-admin running in the VNC session. It still works in the local GDM session however. The policy file has not been modified or overwritten by the upgrade process.

Contents of /usr/share/polkit-1/actions/org.freedesktop.SystemToolsBackends.policy after manual edits.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <vendor>The System Tools Backends Project</vendor>
  <vendor_url>http://system-tools-backends.freedesktop.org</vendor_url>

  <action id="org.freedesktop.systemtoolsbackends.set">
    <description gettext-domain="system-tools-backends">Manage system configuration</description>
    <message gettext-domain="system-tools-backends">You need to authenticate to modify the system configuration</message>
    <defaults>
      <allow_active>auth_admin_keep</allow_active>
      <allow_any>auth_admin_keep</allow_any>
    </defaults>
  </action>

  <action id="org.freedesktop.systemtoolsbackends.self.set">
    <description gettext-domain="system-tools-backends">Change the user's own account configuration</description>
    <message gettext-domain="system-tools-backends">You need to authenticate to modify your user account information</message>
    <defaults>
      <allow_active>yes</allow_active>
      <allow_any>yes</allow_any>
    </defaults>
  </action>
</policyconfig>

Output of "apt-get -u upgrade". Which ones of these could have introduced this bug?

The following packages have been kept back:
  cups
The following packages will be upgraded:
  alsa-utils app-install-data-partner aptdaemon compiz compiz-core compiz-gnome compiz-plugins
  cups-bsd cups-client cups-common empathy empathy-common evolution evolution-common
  evolution-data-server evolution-data-server-common evolution-exchange evolution-plugins
  firefox firefox-branding firefox-gnome-support flashplugin-installer gcalctool
  gconf-defaults-service gconf2 gconf2-common gdb gdm-guest-session gnome-settings-daemon gvfs
  gvfs-backends gvfs-fuse gwibber gwibber-service hpijs hplip hplip-cups hplip-data
  indicator-sound initscripts jockey-common jockey-gtk libasound2 libc-bin libc-dev-bin libc6
  libc6-dev libcamel1.2-14 libcups2 libcupscgi1 libcupsdriver1 libcupsimage2 libcupsmime1
  libcupsppdc1 libdecoration0 libdrm-intel1 libdrm-nouveau1 libdrm-radeon1 libdrm2
  libebackend1.2-0 libebook1.2-9 libecal1.2-7 libedata-book1.2-2 libedata-cal1.2-7
  libedataserver1.2-13 libedataserverui1.2-8 libegroupwise1.2-13 libevolution libfreetype6
  libgconf2-4 libgdata-google1.2-1 libgdata1.2-1 libgpod-common libgpod4 libgudev-1.0-0
  libgvfscommon0 libhpmud0 libldap-2.4-2 libnss3-1d libpam-modules libpam-runtime libpam0g
  libpoppler-glib5 libpoppler7 libpulse-browse0 libpulse-mainloop-glib0 libpulse0 libpurple-bin
  libpurple0 libsane-hpaio libudev0 libutouch-grail1 libvte-common libvte9 libwebkit-1.0-2
  libwebkit-1.0-common linux-headers-2.6.35-22 linux-headers-2.6.35-22-generic
  linux-image-2.6.35-22-generic linux-libc-dev nautilus-sendto-empathy pitivi poppler-utils
  pulseaudio pulseaudio-esound-compat pulseaudio-module-bluetooth pulseaudio-module-gconf
  pulseaudio-module-x11 pulseaudio-utils python-aptdaemon python-aptdaemon-gtk
  python-cupshelpers python-papyon python-vte rhythmbox-ubuntuone-music-store simple-scan
  software-center system-config-printer-common system-config-printer-gnome
  system-config-printer-udev sysv-rc sysvinit-utils ubufox ubuntu-sso-client udev update-manager
  update-manager-core xul-ext-ubufox xulrunner-1.9.2
129 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
Need to get 121MB of archives.
After this operation, 77.8kB of additional disk space will be used.
Do you want to continue [Y/n]?

What you describe feels weird to me, especially the part about the upgrade breaking things... Please run 'sudo killall /usr/lib/policykit-1/polkitd && sudo /usr/lib/policykit-1/polkitd', retry to authenticate via users-admin from a local GDM session and a VNC session, and paste the output here. Thanks!

$ sudo killall polkitd && sudo /usr/lib/policykit-1/polkitd
Registering null backend at priority -10
** (process:2314): DEBUG: Added `/var/lib/polkit-1/localauthority/10-vendor.d' as a local authorization store
** (process:2314): DEBUG: Added `/etc/polkit-1/localauthority/10-vendor.d' as a local authorization store
** (process:2314): DEBUG: Added `/var/lib/polkit-1/localauthority/20-org.d' as a local authorization store
** (process:2314): DEBUG: Added `/etc/polkit-1/localauthority/20-org.d' as a local authorization store
** (process:2314): DEBUG: Added `/var/lib/polkit-1/localauthority/30-site.d' as a local authorization store
** (process:2314): DEBUG: Added `/etc/polkit-1/localauthority/30-site.d' as a local authorization store
** (process:2314): DEBUG: Added `/var/lib/polkit-1/localauthority/50-local.d' as a local authorization store
** (process:2314): DEBUG: Added `/etc/polkit-1/localauthority/50-local.d' as a local authorization store
** (process:2314): DEBUG: Added `/var/lib/polkit-1/localauthority/90-mandatory.d' as a local authorization store
** (process:2314): DEBUG: Added `/etc/polkit-1/localauthority/90-mandatory.d' as a local authorization store
** (process:2314): DEBUG: Monitoring `/var/lib/polkit-1/localauthority' for changes
** (process:2314): DEBUG: Monitoring `/etc/polkit-1/localauthority' for changes
Using authority class PolkitBackendLocalAuthority
** (process:2314): DEBUG: system-bus-name::1.47 is inquiring whether system-bus-name::1.90 is authorized for org.freedesktop.systemtoolsbackends.set
** (process:2314): DEBUG: user of caller is unix-user:root
** (process:2314): DEBUG: user of subject is unix-user:jeffrey
** (process:2314): DEBUG: checking whether system-bus-name::1.90 is authorized for org.freedesktop.systemtoolsbackends.set

** (process:2314): WARNING **: skipping unknown tag <_description> at line 12

** (process:2314): WARNING **: skipping unknown tag <_message> at line 13

** (process:2314): WARNING **: skipping unknown tag <_description> at line 21

** (process:2314): WARNING **: skipping unknown tag <_message> at line 22

** (process:2314): WARNING **: skipping unknown tag <_description> at line 30

** (process:2314): WARNING **: skipping unknown tag <_message> at line 31

** (process:2314): WARNING **: skipping unknown tag <_description> at line 39

** (process:2314): WARNING **: skipping unknown tag <_message> at line 40

** (process:2314): WARNING **: skipping unknown tag <_description> at line 15

** (process:2314): WARNING **: skipping unknown tag <_message> at line 16
** (process:2314): DEBUG: (nil)
** (process:2314): DEBUG: Dropping all .pkla caches for directory `/var/lib/polkit-1/localauthority/10-vendor.d'
** (process:2314): DEBUG: Dropping all .pkla caches for directory `/etc/polkit-1/localauthority/10-vendor.d'
** (process:2314): DEBUG: Dropping all .pkla caches for directory `/var/lib/polkit-1/localauthority/20-org.d'
** (process:2314): DEBUG: Dropping all .pkla caches for directory `/etc/polkit-1/localauthority/20-org.d'
** (process:2314): DEBUG: Dropping all .pkla caches for directory `/var/lib/polkit-1/localauthority/30-site.d'
** (process:2314): DEBUG: Dropping all .pkla caches for direc...

And using pkcheck:

$ pkcheck --action-id org.freedesktop.systemtoolsbackends.self.set --process `pidof users-admin` -u
$ echo $?
0
$ pkcheck --action-id org.freedesktop.systemtoolsbackends.set --process `pidof users-admin` -u
polkit\56retains_authorization_after_challenge=1
Authorization requires authentication but no agent is available.
$ ps -ef |grep pol
root 1304 1303 0 12:04 ? 00:00:01 udisks-daemon: polling /dev/sr0
jeffrey 1847 1799 0 12:05 ? 00:00:00 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
root 2314 2166 0 14:00 pts/0 00:00:00 /usr/lib/policykit-1/polkitd
jeffrey 2533 2470 0 14:06 pts/1 00:00:00 grep --color=auto pol

> Authorization requires authentication but no agent is available.
This means you need to start /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1 so that the authentication dialog can be shown.

But this should be started automatically on login thanks to a desktop file.Check that it isn't listed as disabled in gnome-session-properties (normally, it isn't listed there, and is started via /etc/xdg/autostart/polkit-gnome-authentication-agent-1.desktop).

Is this working now? If this was the problem, it's not a bug and is not related to remote sessions at all.

Please look again at the process listing in #10. It is running, and I checked that it is in fact a child of gnome-session. The only gnome-session running on this machine is the one started by VNC. So, why is policy kit unable to find this authentication agent? This is the same issue that I keep seeing. What's the next step?

Hm, indeed, sorry. Next step would be to run the authentication agent manualy after killing the one that is running, and see if it changes something. If it doesn't, have a look at the messages it prints to the console, and also to the messages printed by polkitd, which (IIRC) should also say it detected the agent.

But please try all this stuff with a /local/ GDM session. If it works, we'll check VNC, but mixing two potential error sources is not a good idea.

[Expired for gnome-system-tools (Ubuntu) because there has been no activity for 60 days.]