Bug 1476101 - polkit agent ignores ldap/kerberos admin credentials and prompts for local admin user [NEEDINFO]
Status: NEW
Product: Fedora
Classification: Fedora
Component: polkit
Version: 26
Assigned To: Miloslav Trmač
Fedora Extras Quality Assurance
Reported: 2017-07-27 23:39 EDT by James H (Jim) Bills
Modified: 2017-07-28 16:15 EDT

mitr: needinfo? (james.h.bills)


Attachments
Edited version of ps -Hef while running `systemctl restart NetworkManager`. (4.13 KB, text/plain)
2017-07-27 23:39 EDT, James H (Jim) Bills

Description James H (Jim) Bills 2017-07-27 23:39:10 EDT
Created attachment 1305769
Edited version of ps -Hef while running `systemctl restart NetworkManager`.

Description of problem:

When I log in with an administrative account (in the wheel group) having only ldap/kerberos credentials (myacct) and attempt to run programs that require administrative privileges via the polkit helper agent (systemctl restart ..., yumex-dnf), I am prompted for the password of a local user with administrative privilege (luser) instead of my ldap/kerberos privileges (myacct).

Version-Release number of selected component (if applicable):

polkit-0.113-8.fc26.x86_64
polkit-gnome-0.105-11.fc26.x86_64
polkit-kde-5.10.1-1.fc26.x86_64
polkit-libs-0.113-8.fc26.x86_64
polkit-pkla-compat-0.1-8.fc26.x86_64
polkit-qt-0.112.0-9.fc26.x86_64
polkit-qt5-1-0.112.0-9.fc26.x86_64

gnome-shell-3.24.3-1.fc26.x86_64
systemd-233-6.fc26.x86_64
yumex-dnf-4.3.3-4.1.fc26.noarch

How reproducible:
100%

Steps to Reproduce:
1. Log in as an administrative (in wheel group) user with ldap/kerberos credentials into a gnome session.
2. Run a program that uses polkit to acquire privilege.

Example:
# Who I am, supplied by ldap/kerberos.
$ whoami
myacct
# My groups, supplied by ldap/kerberos.
$ groups myacct
myacct : users desktop_admin_r wheel ldap develop mock myacct wireshark named
# The local user's groups.
$ groups luser
luser : users wheel luser
# Run a program that uses polkit to gain privilege.
$ systemctl restart wpa_supplicant

Actual results:

Prompted for the local user (luser) password.

Expected results:

To be prompted for my login user (myacct) password.

Additional info:

Workaround for a command-line application (systemctl restart ...): run using sudo or provide the local user password.

Workaround for a graphical application (yumex-dnf): provide the local user password.
Comment 1 Miloslav Trmač 2017-07-28 16:15:37 EDT
Thanks for your report.

This might be bug #1214026. Does the LDAP server allow listing group members?  (I guess, does (getent group wheel) list myacct?)
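
The check Comment 1 asks for, as an added example (not part of the bug report or of polkit): it compares the user's own group list (`id -Gn`) with the member list that `getent group` returns. The function names and the sample `getent` line are constructed for illustration; the sample models the case the comment asks about, not confirmed output from the reporter's system.

```shell
#!/bin/sh
# Added diagnostic example; function names are hypothetical.
# Two views of group membership can disagree:
#   id -Gn USER        -> groups resolved for the user
#   getent group GROUP -> members listed for the group
# A directory that does not return group members yields the first only.

# in_user_groups "<id -Gn output>" GROUP: succeeds if GROUP is in the list
in_user_groups() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# in_group_members "<getent group line>" USER: succeeds if USER is listed.
# Line format: name:passwd:gid:member1,member2,...
in_group_members() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    old_ifs=$IFS; IFS=,
    for m in $members; do
        if [ "$m" = "$2" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# classify USER GROUP "<id -Gn output>" "<getent group line>"
classify() {
    if in_user_groups "$3" "$2"; then by_user=yes; else by_user=no; fi
    if in_group_members "$4" "$1"; then by_group=yes; else by_group=no; fi
    case "$by_user/$by_group" in
        yes/yes) echo "consistent" ;;
        yes/no)  echo "not-listed" ;;   # in user's groups, absent from member list
        no/yes)  echo "listed-only" ;;
        no/no)   echo "not-member" ;;
    esac
}

# check_live USER GROUP: same comparison against the local NSS configuration
check_live() {
    classify "$1" "$2" "$(id -Gn "$1" 2>/dev/null)" "$(getent group "$2" 2>/dev/null)"
}

# Constructed sample: group list from the report, getent line made up
SAMPLE_ID="users desktop_admin_r wheel ldap develop mock myacct wireshark named"
SAMPLE_GETENT="wheel:x:10:luser"
classify myacct wheel "$SAMPLE_ID" "$SAMPLE_GETENT"
```

On the affected machine, `check_live myacct wheel` answers the comment's question directly: `not-listed` means `getent group wheel` does not list the account even though the user's own group lookup includes wheel.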
