Bug 975008 - Cannot join AD or FreeIPA domain with g-i-s: "Not authorized to perform this action.", "rejecting access to method 'Join'"
Summary: Cannot join AD or FreeIPA domain with g-i-s: "Not authorized to perform this ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: gnome-initial-setup
Version: 21
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Matthias Clasen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-06-17 11:35 UTC by David Woodhouse
Modified: 2014-09-19 04:54 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-18 22:24:07 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
GNOME Bugzilla 736218 0 None None None Never

Description David Woodhouse 2013-06-17 11:35:22 UTC 
I made a fresh install of Fedora 19 in a VM, to test Active Directory integration.

I was asked by gnome-initial-setup for my domain, username and password, but received the error 'Not authorized to perform this action.'

If I run realmd in a VT and try it, I see the following:
(realmd:2170): DEBUG: rejecting access to method 'Join' on interface 'org.freedesktop.realmd.KerberosMembership' at /org/freedesktop/realmd/Sssd/get_corp_intel_com_1
Comment 2 Andrei Amuraritei 2014-09-01 19:42:30 UTC 
Hello, while trying out freeipa 4.0.1 with fedora 20, I get the same error. 

When there are no local users defined, and gnome-initial-setup is started, after entering the domain / username / password details for enterprise login, I get the same error: Not authorized to perform this action and can't skip that step, unless I create a local user account.
Comment 3 Adam Williamson 2014-09-07 02:34:58 UTC 
Yup, I am seeing this with current F21 and a FreeIPA host also:

realmd[1469]: rejecting access to method 'Join' on interface 'org.freedesktop.realmd.KerberosMembership' at /org/freedesktop/realmd/Sssd/happyassassin_net_2

Let's CC the owner of realmd to see if the realmd dbus policy might be at fault here?
Comment 4 Adam Williamson 2014-09-07 07:14:55 UTC 
Note that Control Center's 'Users' panel can enrol in the domain just fine (though I hit later bugs with login).
Comment 5 Stef Walter 2014-09-08 07:28:30 UTC 
By default only users of type Administrator (ie: in the wheel group) can join a domain.

The gnome-initial-setup user needs to either be in the wheel group, root equivalent, or have a polkit rule that says it can perform the action in question.
Comment 6 Cedric Sodhi 2014-09-18 10:20:00 UTC 
We're trying to set up a cluster of Fedora Boxes at our company and we're faced with the same problem. It's not possible to use the "Enterprise Login" after installation (using an Exchange/AD Server).
Comment 7 Cedric Sodhi 2014-09-18 10:29:41 UTC 
After I join the realm on TTY using `realm join -U ... ...` I'm still not able to log in using the GUI, in which case I get a "Failed to register account".
Comment 8 Stef Walter 2014-09-18 10:30:34 UTC 
(In reply to Cedric Sodhi from comment #7)
> After I join the realm on TTY using `realm join -U ... ...` I'm still not
> able to log in using the GUI, in which case I get a "Failed to register
> account".

Yes, that's the bug. In Fedora 21, gnome-initial-setup is not privileged to do the various things that it needs to do.
Comment 9 Stef Walter 2014-09-18 10:31:44 UTC 
Possible work around:

 * Ctrl-Alt-F2
 * login as root
 * sudo usermod -aG wheel gnome-initial-setup

Perhaps a reboot is necessary after above step.
Comment 10 Cedric Sodhi 2014-09-18 10:41:44 UTC 
usermod -aG wheel gnome-initial-setup
realm permit --all

did not change that behaviour.
Comment 11 Matthias Clasen 2014-09-18 22:24:07 UTC 
this should be fixed in gnome-initial-setup-3.13.7-1.fc21.x86_64
Note You need to log in before you can comment on or make changes to this bug.