This issue has been giving me a serious headache... trying to allow our LDAP users (mainly over 200 staff) to manage their printing services (enable, disable, add printers) without having to call "IT"; currently that is impossible.
--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1281700

Title:
  policykit-1 is not aware of groups assigned by pam_group

Status in "policykit-1" package in Ubuntu:
  Confirmed

Bug description:
  I'm using pam_group for my LDAP users so that they get assigned default Ubuntu groups:

    $ tail -n2 /etc/security/group.conf
    # add LDAP users to these default groups, but don't give them admin rights.
    "*;*;*;Al0000-2400;audio,video,cdrom,plugdev,fuse"

  These additional group IDs are assigned correctly:

    $ id
    uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)

  Based on these additional groups, I'm trying to give certain user groups the necessary permissions to execute a program, using policykit-1. Unfortunately, policykit only seems to 'see' / 'be aware' of the primary group that the user belongs to (and not the additional groups that are assigned via /etc/security/group.conf).

  This works (users can start the program):

    [AllowUsertoDoSomething]
    Identity=unix-group:ldapgroup

  This doesn't work (users are asked to provide the administrator password):

    [AllowUsertoDoSomething]
    Identity=unix-group:plugdev

  I suspect that this has something to do with the fact that 'id' returns conflicting information about groups:

    # call id without username, returns all groups, including the ones defined in /etc/security/group.conf
    $ id
    uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)

    # call id with username, only ldap groups are returned, the ones defined in /etc/security/group.conf are missing.
    $ id myusername
    uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup)

  My suspicion is that policykit-1 is calling "id user" (or a similar command) and "sees" only the main LDAP groups.

  I did not expect this behavior, because /etc/pam.d/polkit-1 does include /etc/pam.d/common-auth (which includes the "auth optional pam_group.so" line).

  This is Ubuntu 12.04.3 with all latest updates. Any help and suggestions are appreciated.

    $ lsb_release -rd
    Description:    Ubuntu 12.04.3 LTS
    Release:        12.04

    $ apt-cache policy policykit-1
    policykit-1:
      Installed: 0.104-1ubuntu1.1
      Candidate: 0.104-1ubuntu1.1

  ---
  ApportVersion: 2.0.1-0ubuntu17.4
  Architecture: amd64
  DistroRelease: Ubuntu 12.04
  MarkForUpload: True
  NonfreeKernelModules: nvidia
  Package: policykit-1 0.104-1ubuntu1.1
  PackageArchitecture: amd64
  ProcEnviron:
    LANGUAGE=en_US:en
    TERM=xterm
    PATH=(custom, no user)
    LANG=en_US.UTF-8
    SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 3.5.0-41.64~precise1-generic 3.5.7.21
  Tags: precise
  Uname: Linux 3.5.0-41-generic x86_64
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups:

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1281700/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
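The following diagnostic script is an added example, not code from the bug report or from the polkit project. It assumes the explanation consistent with the reporter's `id` vs `id myusername` observation: polkit's local authority resolves unix-group: identities through NSS (the data `id <user>` prints), whereas pam_group adds supplementary groups only to the login session (what a bare `id` prints). The sample group sets and the .pkla text are constructed to mirror the report; the section names AllowViaLdapGroup and AllowViaPlugdev and the action org.freedesktop.example.manage are made up.

```python
"""Added example: why a polkit unix-group: rule can miss pam_group groups.

Assumption: polkit judges unix-group: identities on the NSS view of a user,
while pam_group grants groups only to the login session. The functions below
make both views explicit and evaluate a .pkla file against the NSS view.
"""
import grp
import os
import pwd
import re
from typing import Dict, Iterable, List, Set


def nss_groups(username: str) -> Set[str]:
    """Groups NSS (local files, LDAP, ...) reports for `username`: the view
    `id <user>` prints and, by assumption, the one polkit relies on."""
    pw = pwd.getpwnam(username)
    primary = grp.getgrgid(pw.pw_gid).gr_name
    supplementary = {g.gr_name for g in grp.getgrall() if username in g.gr_mem}
    return {primary} | supplementary


def session_groups() -> Set[str]:
    """Groups of the running process: what pam_group granted at login and
    what a bare `id` prints. GIDs unknown to NSS are kept as numbers."""
    names: Set[str] = set()
    for gid in os.getgroups():
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.add(str(gid))
    return names


def groups_invisible_to_polkit(session: Iterable[str], nss: Iterable[str]) -> Set[str]:
    """Groups present in the session but absent from NSS: a unix-group: rule
    naming any of these never matches, even though `id` lists them."""
    return set(session) - set(nss)


_SECTION = re.compile(r"^\[(.+)\]$")
_IDENTITY = re.compile(r"^Identity=(.*)$")


def parse_pkla_identities(text: str) -> Dict[str, List[str]]:
    """Collect the Identity= entries of each [section] of a pklocalauthority
    file (several identities are separated by ';')."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = _IDENTITY.match(line)
        if m and current is not None:
            sections[current].extend(i.strip() for i in m.group(1).split(";") if i.strip())
    return sections


def matching_sections(pkla: Dict[str, List[str]], username: str, nss: Set[str]) -> List[str]:
    """Sections whose Identity= applies to `username` when judged on the NSS
    group view. Only literal unix-user:/unix-group: names are handled."""
    hits: List[str] = []
    for section, identities in pkla.items():
        for ident in identities:
            kind, _, name = ident.partition(":")
            if (kind == "unix-user" and name == username) or (kind == "unix-group" and name in nss):
                hits.append(section)
                break
    return hits


# Constructed sample data mirroring the report: NSS knows only the primary
# LDAP group, while the session also carries the pam_group groups.
SAMPLE_NSS = {"ldapgroup"}
SAMPLE_SESSION = {"ldapgroup", "cdrom", "audio", "video", "plugdev", "fuse"}
SAMPLE_PKLA = """\
[AllowViaLdapGroup]
Identity=unix-group:ldapgroup
Action=org.freedesktop.example.manage
ResultActive=yes

[AllowViaPlugdev]
Identity=unix-group:plugdev;unix-user:someoneelse
Action=org.freedesktop.example.manage
ResultActive=yes
"""

if __name__ == "__main__":
    pkla = parse_pkla_identities(SAMPLE_PKLA)
    print("pam_group-only groups:", sorted(groups_invisible_to_polkit(SAMPLE_SESSION, SAMPLE_NSS)))
    print("sections matching the NSS view:", matching_sections(pkla, "myusername", SAMPLE_NSS))
    # Live check for the current user (needs a Unix host with working NSS).
    me = pwd.getpwuid(os.getuid()).pw_name
    print("live pam_group-only groups:", sorted(groups_invisible_to_polkit(session_groups(), nss_groups(me))))
```

Run as the affected user in a session where pam_group has applied (after login), the live check prints exactly the groups a unix-group: rule cannot match. With the sample data it reports cdrom, audio, video, plugdev and fuse as invisible, and only the section keyed on ldapgroup as matching, which is the behaviour the report describes. The design point is that pam_group membership exists only in the session's credentials; an authorization service that consults the group database is not seeing a different set of groups by accident, so memberships that polkit rules depend on need to live in the group database (the LDAP group entries here) rather than in /etc/security/group.conf.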