Domain groups not accepted as 'AdminIdentities'
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| policykit-1 (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
Bug Description
Domain groups cannot be configured as 'AdminIdentities' under /etc/polkit-
EXAMPLE CONFIG
# /etc/polkit-
[Configuration]
AdminIdentities
With the above config, 'sysapp' is a group in LDAP. SSSD is configured on the machine to allow domain users to log in.
Sudo rules have been configured for the 'sysapp' group and work correctly.
However, any action that creates a polkit/GUI prompt for authentication does not allow users in the 'sysapp' group to authenticate. Instead, it only accepts auth from the root user.
If I change the config to use a local group, instead of a domain group, everything works as expected.
Similarly if I specify a domain USER instead of a domain group, everything works as expected.
The problem seems to only be with domain/LDAP groups.
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: policykit-1 0.105-33
ProcVersionSign
Uname: Linux 5.15.0-48-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckR
Date: Mon Oct 3 15:20:36 2022
InstallationDate: Installed on 2022-07-15 (80 days ago)
InstallationMedia: Ubuntu 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731)
SourcePackage: policykit-1
UpgradeStatus: Upgraded to jammy on 2022-08-02 (61 days ago)
| James Paton-Smith (jamesps) wrote | #1 |
| Vegard Søbstad Alsli (alslinet) wrote | #2 |
| James Paton-Smith (jamesps) wrote | #3 |
This affects 20.04 as well. Can confirm groups do not work and the workarounds for the problems are creative to say the least.