Public bug reported:

It is not possible to gain elevated privileges from the GUI (policy kit) using an Active Directory account through SSSD. Gaining elevated privileges via sudo works as expected from console.

This issue was mentioned as a secondary problem in http://askubuntu.com/questions/767079/lockscreen-access-denied-ad-auth-via-sssd and the subsequent bug report https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1578415 but was not addressed in the bug resolution.

How to reproduce:
 - clean install
 - join to AD using sssd
 - reboot
 - login with AD account (that is in sudo group)
 - request elevated privileges (e.g., unlock the users settings panel)
 - fill in password for AD user
 --> authorization is rejected, not expected

Solution:
 add to /etc/sssd/sssd.conf
 ad_gpo_map_interactive = +unity
 This could be added to default configuration.

ProblemType: Bug
DistroRelease: Ubuntu 16.10
Package: sssd-ad 1.13.4-3
ProcVersionSignature: Ubuntu 4.8.0-27.29-generic 4.8.1
Uname: Linux 4.8.0-27-generic x86_64
ApportVersion: 2.20.3-0ubuntu8
Architecture: amd64
CurrentDesktop: Unity
Date: Mon Nov 21 10:28:07 2016
InstallationDate: Installed on 2016-11-18 (2 days ago)
InstallationMedia: Ubuntu 16.10 "Yakkety Yak" - Release amd64 (20161012.2)
JournalErrors:
 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
 Users in the 'systemd-journal' group can see all messages. Pass -q to
 turn off this notice.
 No journal files were opened due to insufficient permissions.
ProcEnviron:
 LANGUAGE=en_US
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: sssd
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: sssd (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug yakkety

** Description changed: It is not possible to gain elevated privileges from the GUI (policy kit) using an Active Directory account through SSSD. Gaining elevated privileges via sudo works as expected from console. 
This issue was mentioned as a secondary problem in http://askubuntu.com/questions/767079/lockscreen-access-denied-ad-auth- - via-sssd and the subsequent but report + via-sssd and the subsequent bug report https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1578415 but was not address in the bug resolution. How to reproduce: - - clean install - - join to AD using sssd - - reboot - - login with AD account (that is in sudo group) - - request elevated privileges. (eg, unlock the users settings panel) - - fill in password for AD user --> authorization is rejected, not expected + - clean install + - join to AD using sssd + - reboot + - login with AD account (that is in sudo group) + - request elevated privileges. (eg, unlock the users settings panel) + - fill in password for AD user --> authorization is rejected, not expected Solution: - add to /etc/sssd/sssd.conf - ad_gpo_map_interactive = +unity - This could be added to default configuration. + add to /etc/sssd/sssd.conf + ad_gpo_map_interactive = +unity + This could be added to default configuration. - Ubuntu 16.10 - sssd: - Installed: 1.13.4-3 - Candidate: 1.13.4-3 - Version table: - *** 1.13.4-3 500 - 500 http://us.archive.ubuntu.com/ubuntu yakkety/main amd64 Packages - 100 /var/lib/dpkg/status ProblemType: Bug DistroRelease: Ubuntu 16.10 Package: sssd-ad 1.13.4-3 ProcVersionSignature: Ubuntu 4.8.0-27.29-generic 4.8.1 Uname: Linux 4.8.0-27-generic x86_64 ApportVersion: 2.20.3-0ubuntu8 Architecture: amd64 CurrentDesktop: Unity Date: Mon Nov 21 10:28:07 2016 InstallationDate: Installed on 2016-11-18 (2 days ago) InstallationMedia: Ubuntu 16.10 "Yakkety Yak" - Release amd64 (20161012.2) JournalErrors: - Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system. - Users in the 'systemd-journal' group can see all messages. Pass -q to - turn off this notice. 
- No journal files were opened due to insufficient permissions. + Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system. + Users in the 'systemd-journal' group can see all messages. Pass -q to + turn off this notice. + No journal files were opened due to insufficient permissions. ProcEnviron: - LANGUAGE=en_US - PATH=(custom, no user) - XDG_RUNTIME_DIR=<set> - LANG=en_US.UTF-8 - SHELL=/bin/bash + LANGUAGE=en_US + PATH=(custom, no user) + XDG_RUNTIME_DIR=<set> + LANG=en_US.UTF-8 + SHELL=/bin/bash SourcePackage: sssd UpgradeStatus: No upgrade log present (probably fresh install)

https://bugs.launchpad.net/bugs/1643602

Title:
  Graphical privilege escalation fails (AD auth via sssd, polkit)
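
For auditing the setting discussed in this report across hosts, the following added example (not part of the bug report and not SSSD code) parses an sssd.conf and computes the effective `ad_gpo_map_interactive` PAM service set per domain, using the `+name` / `-name` syntax documented in sssd-ad(5). The domain `example.com`, the default set and the function names are assumptions made for illustration; the real defaults depend on the installed SSSD version.

```python
import configparser

# Constructed sample config; example.com is a placeholder domain.
SAMPLE_SSSD_CONF = """
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = ad
ad_gpo_map_interactive = +unity
"""

# Assumed default set, for illustration only: the real defaults depend on
# the installed SSSD version and are listed in sssd-ad(5).
ASSUMED_DEFAULTS = {"login", "su", "su-l", "lightdm"}


def effective_services(option_value, defaults):
    """Apply '+name' (add) and '-name' (remove) entries to the default set."""
    services = set(defaults)
    for entry in (e.strip() for e in (option_value or "").split(",")):
        if entry.startswith("+") and len(entry) > 1:
            services.add(entry[1:])
        elif entry.startswith("-") and len(entry) > 1:
            services.discard(entry[1:])
        # Entries without a +/- prefix are skipped here.
    return services


def interactive_map(conf_text, defaults):
    """Return {domain: effective ad_gpo_map_interactive PAM service set}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    result = {}
    for section in parser.sections():
        if section.startswith("domain/"):
            value = parser[section].get("ad_gpo_map_interactive", "")
            result[section[len("domain/"):]] = effective_services(value, defaults)
    return result


if __name__ == "__main__":
    # "unity" is the name from the report; "polkit-1" is the PAM service
    # file polkit normally installs (checked here as an assumption).
    for domain, services in interactive_map(SAMPLE_SSSD_CONF, ASSUMED_DEFAULTS).items():
        for pam_service in ("unity", "polkit-1"):
            state = "mapped" if pam_service in services else "not mapped"
            print(f"{domain}: {pam_service} is {state} as interactive")
```
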
