Bug 975008 - Cannot join AD or FreeIPA domain with g-i-s: "Not authorized to perform this action.", "rejecting access to method 'Join'"
Cannot join AD or FreeIPA domain with g-i-s: "Not authorized to perform this ...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: gnome-initial-setup (Show other bugs)
21
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Matthias Clasen
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-17 07:35 EDT by David Woodhouse
Modified: 2014-09-19 00:54 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-18 18:24:07 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
GNOME Bugzilla 736218 None None None Never

  None (edit)
Description David Woodhouse 2013-06-17 07:35:22 EDT
I made a fresh install of Fedora 19 in a VM, to test Active Directory integration.

I was asked by gnome-initial-setup for my domain, username and password, but received the error 'Not authorized to perform this action.'

If I run realmd in a VT and try it, I see the following:
(realmd:2170): DEBUG: rejecting access to method 'Join' on interface 'org.freedesktop.realmd.KerberosMembership' at /org/freedesktop/realmd/Sssd/get_corp_intel_com_1
Comment 2 Andrei Amuraritei 2014-09-01 15:42:30 EDT
Hello, while trying out freeipa 4.0.1 with fedora 20, I get the same error. 

When there are no local users defined, and gnome-initial-setup is started, after entering the domain / username / password details for enterprise login, I get the same error: Not authorized to perform this action and can't skip that step, unless I create a local user account.
Comment 3 Adam Williamson 2014-09-06 22:34:58 EDT
Yup, I am seeing this with current F21 and a FreeIPA host also:

realmd[1469]: rejecting access to method 'Join' on interface 'org.freedesktop.realmd.KerberosMembership' at /org/freedesktop/realmd/Sssd/happyassassin_net_2

Let's CC the owner of realmd to see if the realmd dbus policy might be at fault here?
Comment 4 Adam Williamson 2014-09-07 03:14:55 EDT
Note that Control Center's 'Users' panel can enrol in the domain just fine (though I hit later bugs with login).
Comment 5 Stef Walter 2014-09-08 03:28:30 EDT
By default only users of type Administrator (ie: in the wheel group) can join a domain.

The gnome-initial-setup user needs to either be in the wheel group, root equivalent, or have a polkit rule that says it can perform the action in question.
Comment 6 Cedric Sodhi 2014-09-18 06:20:00 EDT
We're trying to set up a cluster of Fedora Boxes at our company and we're faced with the same problem. It's not possible to use the "Enterprise Login" after installation (using an Exchange/AD Server).
Comment 7 Cedric Sodhi 2014-09-18 06:29:41 EDT
After I join the realm on TTY using `realm join -U ... ...` I'm still not able to log in using the GUI, in which case I get a "Failed to register account".
Comment 8 Stef Walter 2014-09-18 06:30:34 EDT
(In reply to Cedric Sodhi from comment #7)
> After I join the realm on TTY using `realm join -U ... ...` I'm still not
> able to log in using the GUI, in which case I get a "Failed to register
> account".

Yes, that's the bug. In Fedora 21, gnome-initial-setup is not privileged to do the various things that it needs to do.
Comment 9 Stef Walter 2014-09-18 06:31:44 EDT
Possible work around:

 * Ctrl-Alt-F2
 * login as root
 * sudo usermod -aG wheel gnome-initial-setup

Perhaps a reboot is necessary after above step.
Comment 10 Cedric Sodhi 2014-09-18 06:41:44 EDT
usermod -aG wheel gnome-initial-setup
realm permit --all

did not change that behaviour.
Comment 11 Matthias Clasen 2014-09-18 18:24:07 EDT
this should be fixed in gnome-initial-setup-3.13.7-1.fc21.x86_64

Note You need to log in before you can comment on or make changes to this bug.