PAM with LDAP breaks authentication to Policykit enabled Gnome applications using LDAP credentials

Bug #892680 reported by Dave Koelmeyer
This bug affects 9 people
Affects: policykit-1 (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

Hi,

1) Test system

My client is a fresh installation of Ubuntu 10.04 LTS x86. It has been fully patched.

libnss-ldap and dependencies have then been installed with Synaptic package manager using the local administrator account created during installation of Ubuntu.

/etc/ldap.conf has been modified to point to an OpenDJ v2.4.2 LDAP server running on the local network, using ldaps://server:port nomenclature. I am not using SSL.

A dedicated bind account has been created in the LDAP server and this has been specified in /etc/ldap.conf with the bind password recorded at /etc/ldap.secret

PAM configuration files at /etc/pam.d have been modified to contain the following, in order common-account, common-auth, common-password and common-session:

account sufficient pam_ldap.so
account required pam_unix.so

auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

password sufficient pam_ldap.so nullok
password required pam_unix.so nullok obscure min=4 max=8 md5

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix.so
session optional pam_ldap.so

/etc/nsswitch.conf has been modified accordingly to contain the following information:

passwd: files ldap
group: files ldap
shadow: files ldap

LDAP users can log in to the client successfully, and home directories are created automatically. In LDAP, my test user accounts have been assigned the gidNumber attribute value of 119 (admin).

2) What I expect to happen

As an LDAP user (note *not* as a local administrator), I expect to be able to launch a Gnome application such as Ubuntu Software Center and have Policykit validate my LDAP credentials correctly, such that I can install or remove applications (or otherwise perform administrative tasks).

3) What happened instead

Logging in to the system as an LDAP user, I can launch Ubuntu Software Center. Upon (for example) attempting to install an application, I am prompted for my credentials. I enter these (the same credentials used to log into the system), but they are rejected with an "Authentication Failure" error.

Also, Policykit seems to want to only accept the credentials of the local administrator account created during installation of the OS, as the authentication window prompts for "Password for itadmin" ('itadmin' being my local administrator account).

4) Additional information

Using the same LDAP account and credentials, I can authenticate to and use Synaptic Package Manager to install applications without issue.

Logged in as the LDAP user, the id command returns the following, where "dave" is the LDAP username:

$ id
uid=1001(dave) gid=119(admin) groups=119(admin)

Policykit version details:

$ apt-cache policy policykit-1
policykit-1:
  Installed: 0.96-2ubuntu0.1
  Candidate: 0.96-2ubuntu0.1
  Version table:
 *** 0.96-2ubuntu0.1 0
        500 http://nz.archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
        500 http://security.ubuntu.com/ubuntu/ lucid-security/main Packages
        100 /var/lib/dpkg/status
     0.96-2 0
        500 http://nz.archive.ubuntu.com/ubuntu/ lucid/main Packages

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in policykit-1 (Ubuntu):
status: New → Confirmed
Bruno Léon (bruno-leon) wrote :

I have the exact same behavior using SSSD as the LDAP provider.

Bruno Léon (bruno-leon) wrote :

It seems that the wrong username is passed to /usr/lib/policykit-1/polkit-agent-helper-1.

I'm logged in as user bruno.leon (LDAP), but when I'm prompted to auth, what I can see in the process list is:
/usr/lib/policykit-1/polkit-agent-helper-1 nono cookie4

nono being the local user on /etc/passwd with id 1000.

If I remove the user from /etc/passwd, then the process list shows:
/usr/lib/policykit-1/polkit-agent-helper-1 root cookie5

Looks like ubuntu is getting the username from somewhere (may be passwd... can't say for sure) when it should simply pass $USERNAME I think.

spidernik84 (alexander-rilik) wrote :

Confirmed on our setup as well. SSSD works fine, but every time a graphical utility (software center, network manager) asks for root privileges, the prompt requests a local user's credentials.

As suggested by some users, adding the ldap user to "admin" group fixes the problem.
sudo adduser <ldap-user> admin

This, of course, is just a workaround.

spidernik84 (alexander-rilik) wrote :

Ok, I think I've found a solution. It could not be related, so feel free to remove my comments in case they're misleading.
I had to add a config file in /etc/polkit-1/localauthority.conf.d/ named, for example, 52-ldapsudo.conf. It contains the needed line to instruct polkit to use the right groups. Like this:

[Configuration]
AdminIdentities=unix-group:unixadm

Where unixadm is a group with admin permissions.

Dan Bishop (danbishop) wrote :

Still the case on Ubuntu 12.04 beta 1, though comment #5 doesn't seem to help. Instead it causes the PolicyKit prompt to ask for the root password!

Dave Koelmeyer (davekoelmeyer-b) wrote :

Same as Dan, comment #5 results in a prompt for root credentials.

Seeing as this was marked as a duplicate of https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/781737, has anyone successfully performed the steps detailed in that bug report for Ubuntu 12.04 x86?

Dave Koelmeyer (davekoelmeyer-b) wrote :

I have applied the patch detailed in https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/781737 and there is no change to the behaviour.

I believe this bug has been incorrectly marked as a duplicate of 781737.

In bug 781737 the OP notes the following:

"When an application asks for special privileges through the policykit system, the list of domain administrators is correctly displayed..."

I don't even see this - LDAP accounts are not displayed by policykit-enabled applications at all. This is 100 percent reproducible by the simple setup I have described here and is clearly not the same as 781737. Note that I am now using Ubuntu 12.04 x86 and OpenDJ 2.4.6.

Jason B. Alonso (jalonso-hackorp) wrote :

I am a long-time follower of bug 781737, but I have found that I had to take the same measures as comment #5. In particular, groups in LDAP that share the same name as a predefined group in /etc/group are not handled reliably, so I had to create a "netadmins" group for my purposes when carrying out my version of comment #5. My additional configuration looks like this:

[Configuration]
AdminIdentities=unix-group:netadmins;unix-group:admin
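To show why the prompt names the local admin (or root) rather than the LDAP user, here is an added model of how the AdminIdentities lists from comments #5 and #9 resolve to accounts. It is not polkit's or Ubuntu's code: the group and user tables are constructed, and the rule that a unix-group is expanded from its explicit member list only (never from a user's primary gid) is an assumption chosen to reproduce the behaviour reported in this thread.

```python
"""Model how polkit's localauthority picks whose password to ask for.

Added example for this bug thread, not polkit's own code. Group/user tables
and config text are constructed; the resolution rules are an assumption
chosen to reproduce the behaviour reported in the comments."""
import configparser

# Constructed view of `getent group`: name -> (gid, explicit member list).
GROUPS = {
    "admin": (119, ["itadmin"]),       # local admin is an explicit member
    "netadmins": (10000, ["dave"]),    # LDAP group listing dave as memberUid
}
# Constructed view of `getent passwd`: name -> primary gid.
# dave's primary gid is 119 (admin), exactly as in the reporter's `id` output.
USERS = {"root": 0, "itadmin": 119, "dave": 119}

def parse_admin_identities(conf_text):
    """Return the list from `[Configuration] AdminIdentities=a;b;c`."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    raw = cp.get("Configuration", "AdminIdentities", fallback="")
    return [i.strip() for i in raw.split(";") if i.strip()]

def resolve_admin_users(identities, groups=GROUPS, users=USERS):
    """Expand unix-user:/unix-group: identities into account names.
    Assumption: a unix-group is expanded from its explicit member list only,
    so an account linked solely through its primary gid is not found."""
    found = []
    for ident in identities:
        kind, _, name = ident.partition(":")
        if kind == "unix-user" and name in users:
            found.append(name)
        elif kind == "unix-group" and name in groups:
            found.extend(m for m in groups[name][1] if m in users)
    # Fallback seen in the thread: nobody resolved -> prompt for root.
    return found or ["root"]

def who_is_prompted(conf_text, groups=GROUPS, users=USERS):
    """Accounts the authentication dialog will offer for this config text."""
    return resolve_admin_users(parse_admin_identities(conf_text), groups, users)

def with_membership(groups, user, group):
    """Model `sudo adduser <user> <group>` without mutating the shared table."""
    gid, members = groups[group]
    new_members = members if user in members else members + [user]
    return {**groups, group: (gid, new_members)}
```

Calling who_is_prompted with "[Configuration]\nAdminIdentities=unix-group:admin\n" yields only itadmin (the reporter's prompt), the unixadm line from comment #5 yields root, and comment #9's list or the adduser workaround brings dave in.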

DJ (ke7mbz) wrote :

Here's a good article on how to handle this for a freeIPA domain, but it should apply to any remote auth method.

https://www.happyassassin.net/2014/09/09/freeipa-setting-polkit-policykit-rules-for-users-make-your-user-a-polkit-administrator-on-your-clients/

I'm sure this is a bug though. It should try to authenticate as root, instead of using some random user.
