Bug 1330764 - realmd in F24 does not auth via PolicyKit when trying to enrol as a regular user
Summary: realmd in F24 does not auth via PolicyKit when trying to enrol as a regular user
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: realmd
Version: 24
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Sumit Bose
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-04-26 22:12 UTC by Adam Williamson
Modified: 2016-07-06 11:00 UTC (History)
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-06 11:00:17 UTC
Type: Bug
Embargoed:



Description Adam Williamson 2016-04-26 22:12:09 UTC
The test case for enrolling in a domain via realmd/SSSD:

https://fedoraproject.org/wiki/QA:Testcase_realmd_join_sssd

claims:
"You will be prompted for a password for the account 
You will be prompted for PolicyKit authorization, because you are not running the command as root"

however, when I try to enrol as a regular (admin) user on a current F24 install, I just get prompted for the FreeIPA admin password, then I see "realm: Couldn't join realm: Not authorized to perform this action"

enrolling as root works fine.

Comment 1 Stef Walter 2016-04-29 10:08:38 UTC
I think this is a duplicate of bug #867807. Do you agree?

Comment 2 Sumit Bose 2016-04-29 11:20:30 UTC
I think this might not be related to realmd but to policy kit and agents. I can do the following in a ssh session:

[dummy@vm-058-023 ~]$ realm join rhel72.devel
Password for admin: 
realm: Couldn't join realm: Not authorized to perform this action
[dummy@vm-058-023 ~]$ nmcli agent polkit &
[1] 42708
[dummy@vm-058-023 ~]$ nmcli successfully registered as a polkit agent.

[dummy@vm-058-023 ~]$ realm join rhel72.devel
Password for admin: 
Authentication is required to join this machine to a realm or domain
(action_id: org.freedesktop.realmd.configure-realm)
^Z
[1]-  Stopped                 nmcli agent polkit

[2]+  Stopped                 realm join rhel72.devel
[dummy@vm-058-023 ~]$ fg %1
nmcli agent polkit
Password (root): 

^Z
[1]+  Stopped                 nmcli agent polkit
[dummy@vm-058-023 ~]$ fg %2
realm join rhel72.devel
[dummy@vm-058-023 ~]$ realm list             
rhel72.devel
  type: kerberos
  realm-name: RHEL72.DEVEL
  domain-name: rhel72.devel
  configured: kerberos-member
  server-software: ipa
  client-software: sssd
  required-package: freeipa-client
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  login-formats: %U
  login-policy: allow-realm-logins


As you can see, if a policykit agent is running there is a password prompt for the PK authorization, but it is a bit tricky to have two processes waiting for input on a terminal.
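
The job-control juggling above works because the polkit prompt only needs *some* registered agent in the session; a less fragile way to get one in an ssh session is polkit's own text agent. The script below is an added example, not realmd's code and not anything posted in this bug. It assumes `pkttyagent` (shipped with polkit) is installed, that its `--notify-fd` option closes the given fd once the agent has registered (the same handshake `pkexec` uses to start it), and that the agent prompts on the controlling terminal rather than on stdin:

```bash
#!/usr/bin/env bash
# Added example (not realmd's or the reporter's code): run a command such as
# `realm join` from a plain ssh/terminal session with a text-mode polkit agent
# in place, so polkit can prompt for org.freedesktop.realmd.configure-realm
# instead of realmd answering "Not authorized to perform this action".
#
# Assumptions: polkit's pkttyagent is installed; its --notify-fd option closes
# the given fd once the agent has registered (the handshake pkexec itself uses);
# the agent prompts on the controlling tty, so its stdin does not matter.

with_polkit_tty_agent() {
    local fifo agent_pid rc

    # polkit authorizes uid 0 without prompting, which is why joining as root
    # works in the original report; no agent is needed in that case.
    if [ "$(id -u)" -eq 0 ]; then
        "$@" || return $?
        return 0
    fi

    # A FIFO stands in for the pipe pkexec uses: fd 4 is the notify fd handed
    # to the agent, fd 5 is the read side we wait on for EOF.
    fifo=$(mktemp -u) && mkfifo -m 600 "$fifo" || return 1
    exec 4<>"$fifo"     # read/write open of a FIFO never blocks
    exec 5<"$fifo"      # a writer (fd 4) exists, so this does not block either
    rm -f "$fifo"

    # Register the agent for this shell's session; the subject is our own pid.
    pkttyagent --notify-fd 4 --process $$ &
    agent_pid=$!
    exec 4>&-           # only the agent holds the write side now

    # Returns at EOF, i.e. once the agent closed fd 4: registered, or exited.
    read -r _ <&5 || true
    exec 5<&-

    # Best-effort liveness check: an agent that failed to register has exited.
    if ! kill -0 "$agent_pid" 2>/dev/null; then
        echo "polkit tty agent did not register; use sudo instead" >&2
        return 1
    fi

    rc=0
    "$@" || rc=$?       # the wrapped command, e.g. realm join rhel72.devel

    kill "$agent_pid" 2>/dev/null || true
    wait "$agent_pid" 2>/dev/null || true
    return "$rc"
}

# Usage from a terminal session:  with_polkit_tty_agent realm join rhel72.devel
```

With the agent registered, `realm join` prompts twice as the test case describes: once for the domain admin password and once for the polkit authorization. The `sudo` route suggested in the later comments is the other valid option; the difference is that `sudo realm join` makes realmd see uid 0 and skip the polkit check entirely, whereas the agent route keeps the action tied to the unprivileged user's session and the polkit admin check for that action.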

Comment 3 Stef Walter 2016-04-29 11:34:44 UTC
Yup, as noted in bug #867807 ... I think admins can use sudo in the cases where a polkit agent is not already running in their login session. In a GUI session this is usually running by default, but not on terminal sessions.

Comment 4 Fedora Admin XMLRPC Client 2016-05-18 13:44:43 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 5 Adam Williamson 2016-07-04 17:57:21 UTC
stef: I don't think so, but I don't entirely know what you mean by "The user's session should be setup correctly for polkit in order to make use of privilege escalation". I tested this with a user which is considered an 'admin' by PolicyKit, e.g. I can do stuff like add a user account in the GNOME Control Center by 'unlocking' it using that user's password. It's the situation you get by creating an 'admin' user when doing a Fedora install. I don't think it's reasonable to require any more 'setup' than that, if you want to offer this kind of interactive privilege escalation. If you *don't* actually want to offer this, we can just call it a WONTFIX and change the test case to say it must be run after acquiring privileges via sudo or whatever.

Comment 6 Stef Walter 2016-07-06 11:00:17 UTC
If a polkit prompting agent is not running, then use of sudo is an appropriate alternative. Marking WONTFIX as suggested.

