The test case for enrolling in a domain via realmd/SSSD, https://fedoraproject.org/wiki/QA:Testcase_realmd_join_sssd, claims: "You will be prompted for a password for the account. You will be prompted for PolicyKit authorization, because you are not running the command as root." However, when I try to enrol as a regular (admin) user on a current F24 install, I just get prompted for the FreeIPA admin password, then I see "realm: Couldn't join realm: Not authorized to perform this action". Enrolling as root works fine.
I think this is a duplicate of bug #867807. Do you agree?
I think this might not be related to realmd but to policy kit and agents. I can do the following in an ssh session:

[dummy@vm-058-023 ~]$ realm join rhel72.devel
Password for admin:
realm: Couldn't join realm: Not authorized to perform this action
[dummy@vm-058-023 ~]$ nmcli agent polkit &
[1] 42708
[dummy@vm-058-023 ~]$ nmcli successfully registered as a polkit agent.

[dummy@vm-058-023 ~]$ realm join rhel72.devel
Password for admin:
Authentication is required to join this machine to a realm or domain (action_id: org.freedesktop.realmd.configure-realm)
^Z
[1]-  Stopped                 nmcli agent polkit
[2]+  Stopped                 realm join rhel72.devel
[dummy@vm-058-023 ~]$ fg %1
nmcli agent polkit
Password (root):
^Z
[1]+  Stopped                 nmcli agent polkit
[dummy@vm-058-023 ~]$ fg %2
realm join rhel72.devel
[dummy@vm-058-023 ~]$ realm list
rhel72.devel
  type: kerberos
  realm-name: RHEL72.DEVEL
  domain-name: rhel72.devel
  configured: kerberos-member
  server-software: ipa
  client-software: sssd
  required-package: freeipa-client
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  login-formats: %U
  login-policy: allow-realm-logins

As you can see, if a policykit agent is running there is a password prompt for the PK authorization, but it is a bit tricky to have two processes waiting for input on a terminal.
Yup, as noted in bug #867807 ... I think admins can use sudo in the cases where a polkit agent is not already running in their login session. In a GUI session this is usually running by default, but not on terminal sessions.
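The two workarounds discussed in this thread (register a polkit agent for the terminal session, or fall back to sudo when none can be registered) as a small POSIX sh wrapper. This is an added example, not code from the bug report, realmd or polkit. It assumes polkit's text-mode agent pkttyagent is installed (it is shipped with polkit) and that realm and sudo behave as shown above; the function and variable names are chosen here.

```shell
# pick_escalation UID IS_TTY HAS_PKTTYAGENT
# Prints which path to use for a realm join:
#   direct     - already root, realmd authorizes without an agent
#   polkit-tty - not root, but a terminal agent can be registered so that
#                org.freedesktop.realmd.configure-realm prompts on the tty
#   sudo       - no agent possible (no tty, or pkttyagent missing): use sudo
pick_escalation() {
    uid=$1; is_tty=$2; has_agent=$3
    if [ "$uid" -eq 0 ]; then
        echo direct
    elif [ "$is_tty" -eq 1 ] && [ "$has_agent" -eq 1 ]; then
        echo polkit-tty
    else
        echo sudo
    fi
}

# realm_join_unprivileged REALM
# Runs "realm join REALM" along the path chosen by pick_escalation.
# (assumed helper; not part of realmd)
realm_join_unprivileged() {
    realm=$1
    is_tty=0; [ -t 0 ] && is_tty=1
    has_agent=0; command -v pkttyagent >/dev/null 2>&1 && has_agent=1
    case "$(pick_escalation "$(id -u)" "$is_tty" "$has_agent")" in
        direct)
            realm join "$realm" ;;
        polkit-tty)
            # Register a text agent for this shell (and so for its session) in the
            # background; polkitd routes the realmd authorization prompt to it while
            # realm join is blocked on D-Bus, which avoids the job-control juggling
            # shown in the ssh transcript above.
            pkttyagent --process $$ &
            agent_pid=$!
            realm join "$realm"; rc=$?
            kill "$agent_pid" 2>/dev/null
            return "$rc" ;;
        sudo)
            # No prompting agent available: escalate with sudo instead.
            sudo realm join "$realm" ;;
    esac
}
```

Typical use is `realm_join_unprivileged rhel72.devel` from an interactive shell; a script run from cron or without a tty lands on the sudo branch, which matches the WONTFIX resolution below.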
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
stef: I don't think so, but I don't entirely know what you mean by "The user's session should be setup correctly for polkit in order to make use of privilege escalation". I tested this with a user which is considered an 'admin' by PolicyKit, e.g. I can do stuff like add a user account in the GNOME Control Center by 'unlocking' it using that user's password. It's the situation you get by creating an 'admin' user when doing a Fedora install. I don't think it's reasonable to require any more 'setup' than that, if you want to offer this kind of interactive privilege escalation. If you *don't* actually want to offer this, we can just call it a WONTFIX and change the test case to say it must be run after acquiring privileges via sudo or whatever.
If a polkit prompting agent is not running, then use of sudo is an appropriate alternative. Marking WONTFIX as suggested.