Bug 1330764

Summary: realmd in F24 does not auth via PolicyKit when trying to enrol as a regular user
Product: Fedora
Reporter: Adam Williamson <awilliam>
Component: realmd
Assignee: Sumit Bose <sbose>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 24
CC: awilliam, jhrozek, sbose, stefw
Hardware: All
OS: Linux
Type: Bug
Doc Type: Bug Fix
Last Closed: 2016-07-06 11:00:17 UTC

Description Adam Williamson 2016-04-26 22:12:09 UTC
The test case for enrolling in a domain via realmd/SSSD:

https://fedoraproject.org/wiki/QA:Testcase_realmd_join_sssd

claims:
"You will be prompted for a password for the account 
You will be prompted for PolicyKit authorization, because you are not running the command as root"

However, when I try to enrol as a regular (admin) user on a current F24 install, I just get prompted for the FreeIPA admin password, then I see "realm: Couldn't join realm: Not authorized to perform this action".

Enrolling as root works fine.

Comment 1 Stef Walter 2016-04-29 10:08:38 UTC
I think this is a duplicate of bug #867807. Do you agree?

Comment 2 Sumit Bose 2016-04-29 11:20:30 UTC
I think this might not be related to realmd but to PolicyKit and agents. I can do the following in an ssh session:

[dummy@vm-058-023 ~]$ realm join rhel72.devel
Password for admin: 
realm: Couldn't join realm: Not authorized to perform this action
[dummy@vm-058-023 ~]$ nmcli agent polkit &
[1] 42708
[dummy@vm-058-023 ~]$ nmcli successfully registered as a polkit agent.

[dummy@vm-058-023 ~]$ realm join rhel72.devel
Password for admin: 
Authentication is required to join this machine to a realm or domain
(action_id: org.freedesktop.realmd.configure-realm)
^Z
[1]-  Stopped                 nmcli agent polkit

[2]+  Stopped                 realm join rhel72.devel
[dummy@vm-058-023 ~]$ fg %1
nmcli agent polkit
Password (root): 

^Z
[1]+  Stopped                 nmcli agent polkit
[dummy@vm-058-023 ~]$ fg %2
realm join rhel72.devel
[dummy@vm-058-023 ~]$ realm list             
rhel72.devel
  type: kerberos
  realm-name: RHEL72.DEVEL
  domain-name: rhel72.devel
  configured: kerberos-member
  server-software: ipa
  client-software: sssd
  required-package: freeipa-client
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  login-formats: %U
  login-policy: allow-realm-logins


As you can see, if a policykit agent is running there is a password prompt for the PK authorization, but it is a bit tricky to have two processes waiting for input on a terminal.
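
The following wrapper is an added example, not code from this report, from realmd or from polkit. It runs `realm join` as the calling user, so that a registered polkit agent (as in the session above) can prompt for the authorization, mirrors realm's stderr so the prompts and errors stay visible, and, when realmd answers with the "Not authorized to perform this action" denial quoted in the report, retries under sudo, which is the alternative the thread settles on. The function names, the substring match on the denial text, and the use of `id -u` to detect root are assumptions of this example; `realm`, `sudo` and the polkit action id `org.freedesktop.realmd.configure-realm` are from the report.

```shell
#!/bin/sh
# Added example: run `realm join` from a terminal session, where a polkit
# prompting agent may or may not be registered, and fall back to sudo only
# when realmd reports a polkit denial. Not realmd's or polkit's own code.

PK_ACTION="org.freedesktop.realmd.configure-realm"   # action id from the report
PK_DENIAL="Not authorized to perform this action"     # realm's message, quoted from the report

# is_polkit_denial OUTPUT: exit 0 if OUTPUT contains realm's polkit denial.
# Substring match (assumption) so surrounding text such as "Couldn't join
# realm:" or the realm name does not matter.
is_polkit_denial() {
    case "$1" in
        *"$PK_DENIAL"*) return 0 ;;
        *) return 1 ;;
    esac
}

# realm_join_plan UID OUTPUT STATUS: pure decision logic, kept free of side
# effects so it can be exercised offline. Prints one of:
#   root   - already privileged; realmd grants the action without prompting
#   done   - the unprivileged attempt succeeded (an agent answered the prompt)
#   sudo   - polkit denied the action (no agent in this session); rerun under sudo
#   failed - some other error (bad password, DNS, ...); do not escalate
realm_join_plan() {
    uid="$1"; output="$2"; status="$3"
    if [ "$uid" -eq 0 ]; then
        echo root
    elif [ "$status" -eq 0 ]; then
        echo done
    elif is_polkit_denial "$output"; then
        echo sudo
    else
        echo failed
    fi
}

# realm_join_or_sudo REALM [realm join options...]
realm_join_or_sudo() {
    if [ "$(id -u)" -eq 0 ]; then
        realm join "$@"
        return
    fi
    errlog="$(mktemp)"; stfile="$(mktemp)"
    # Keep stdout untouched (via fd 3) and send stderr through tee, so the
    # user still sees the password prompt and any error while a copy is kept
    # for inspection. The exit status is saved because the pipeline's own
    # status would be tee's.
    exec 3>&1
    { realm join "$@" 2>&1 >&3 3>&-; echo $? >"$stfile"; } | tee "$errlog" >&2
    exec 3>&-
    status="$(cat "$stfile")"; output="$(cat "$errlog")"
    rm -f "$errlog" "$stfile"
    case "$(realm_join_plan "$(id -u)" "$output" "$status")" in
        done) return 0 ;;
        sudo)
            echo "No polkit agent authorized $PK_ACTION in this session; retrying with sudo" >&2
            sudo realm join "$@" ;;
        *) return "$status" ;;
    esac
}

# Usage: realm_join_or_sudo rhel72.devel [--user admin ...]
if [ "$#" -gt 0 ]; then
    realm_join_or_sudo "$@"
fi
```

The wrapper only escalates on the specific polkit denial, so a wrong admin password or an unreachable domain controller is reported as a failure rather than silently retried with more privilege; an `auth_admin` action that a registered agent already answered never reaches sudo at all.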

Comment 3 Stef Walter 2016-04-29 11:34:44 UTC
Yup, as noted in bug #867807 ... I think admins can use sudo in the cases where a polkit agent is not already running in their login session. In a GUI session this is usually running by default, but not on terminal sessions.

Comment 4 Fedora Admin XMLRPC Client 2016-05-18 13:44:43 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 5 Adam Williamson 2016-07-04 17:57:21 UTC
stef: I don't think so, but I don't entirely know what you mean by "The user's session should be setup correctly for polkit in order to make use of privilege escalation". I tested this with a user which is considered an 'admin' by PolicyKit, e.g. I can do stuff like add a user account in the GNOME Control Center by 'unlocking' it using that user's password. It's the situation you get by creating an 'admin' user when doing a Fedora install. I don't think it's reasonable to require any more 'setup' than that, if you want to offer this kind of interactive privilege escalation. If you *don't* actually want to offer this, we can just call it a WONTFIX and change the test case to say it must be run after acquiring privileges via sudo or whatever.

Comment 6 Stef Walter 2016-07-06 11:00:17 UTC
If a polkit prompting agent is not running, then use of sudo is an appropriate alternative. Marking WONTFIX as suggested.