Bug 975008

Summary: Cannot join AD or FreeIPA domain with g-i-s: "Not authorized to perform this action.", "rejecting access to method 'Join'"
Product: [Fedora] Fedora Reporter: David Woodhouse <dwmw2>
Component: gnome-initial-setupAssignee: Matthias Clasen <mclasen>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: awilliam, manday, mclasen, sirdeiu, stefw, tiagomatos
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-18 22:24:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Woodhouse 2013-06-17 11:35:22 UTC 
I made a fresh install of Fedora 19 in a VM, to test Active Directory integration.

I was asked by gnome-initial-setup for my domain, username and password, but received the error 'Not authorized to perform this action.'

If I run realmd in a VT and try it, I see the following:
(realmd:2170): DEBUG: rejecting access to method 'Join' on interface 'org.freedesktop.realmd.KerberosMembership' at /org/freedesktop/realmd/Sssd/get_corp_intel_com_1
Comment 2 Andrei Amuraritei 2014-09-01 19:42:30 UTC 
Hello, while trying out freeipa 4.0.1 with fedora 20, I get the same error. 

When there are no local users defined, and gnome-initial-setup is started, after entering the domain / username / password details for enterprise login, I get the same error: Not authorized to perform this action and can't skip that step, unless I create a local user account.
Comment 3 Adam Williamson 2014-09-07 02:34:58 UTC 
Yup, I am seeing this with current F21 and a FreeIPA host also:

realmd[1469]: rejecting access to method 'Join' on interface 'org.freedesktop.realmd.KerberosMembership' at /org/freedesktop/realmd/Sssd/happyassassin_net_2

Let's CC the owner of realmd to see if the realmd dbus policy might be at fault here?
Comment 4 Adam Williamson 2014-09-07 07:14:55 UTC 
Note that Control Center's 'Users' panel can enrol in the domain just fine (though I hit later bugs with login).
Comment 5 Stef Walter 2014-09-08 07:28:30 UTC 
By default only users of type Administrator (ie: in the wheel group) can join a domain.

The gnome-initial-setup user needs to either be in the wheel group, root equivalent, or have a polkit rule that says it can perform the action in question.
Comment 6 Cedric Sodhi 2014-09-18 10:20:00 UTC 
We're trying to set up a cluster of Fedora Boxes at our company and we're faced with the same problem. It's not possible to use the "Enterprise Login" after installation (using an Exchange/AD Server).
Comment 7 Cedric Sodhi 2014-09-18 10:29:41 UTC 
After I join the realm on TTY using `realm join -U ... ...` I'm still not able to log in using the GUI, in which case I get a "Failed to register account".
Comment 8 Stef Walter 2014-09-18 10:30:34 UTC 
(In reply to Cedric Sodhi from comment #7)
> After I join the realm on TTY using `realm join -U ... ...` I'm still not
> able to log in using the GUI, in which case I get a "Failed to register
> account".

Yes, that's the bug. In Fedora 21, gnome-initial-setup is not privileged to do the various things that it needs to do.
Comment 9 Stef Walter 2014-09-18 10:31:44 UTC 
Possible work around:

 * Ctrl-Alt-F2
 * login as root
 * sudo usermod -aG wheel gnome-initial-setup

Perhaps a reboot is necessary after above step.
Comment 10 Cedric Sodhi 2014-09-18 10:41:44 UTC 
usermod -aG wheel gnome-initial-setup
realm permit --all

did not change that behaviour.
Comment 11 Matthias Clasen 2014-09-18 22:24:07 UTC 
this should be fixed in gnome-initial-setup-3.13.7-1.fc21.x86_64