[Pkg-utopia-maintainers] Bug#700165: network-manager: LDAP/SSSD user not authorized to control networking even if member of netdev group
Luca Capello
luca at pca.it
Sat Feb 9 11:40:25 UTC 2013
Package: network-manager
Version: 0.9.4.0-10
Severity: normal
File: /usr/bin/nmcli
Usertags: pca.it-communication
Hi there!
Since I set up user authentication via LDAP/SSSD on my laptop I can no
longer activate NM connections as such a user:
=====
$ su
Password:
# ls -l /etc/NetworkManager/system-connections/FOSDEM
-rw------- 1 root root 134 Feb 2 13:24 /etc/NetworkManager/system-connections/FOSDEM
# exit
$ nmcli con up id FOSDEM
Error: Connection activation failed: Not authorized to control networking.
$ groups
Domain Users adm disk dialout cdrom floppy tape audio dip www-data video \
plugdev crontab netdev vlock kvm fuse libvirt lpadmin bacula scanner
clear clear_console
$ ck-list-sessions
Session1:
unix-user = '10000'
realname = 'Luca Capello'
seat = 'Seat2'
session-type = ''
active = FALSE
x11-display = ':0'
x11-display-device = '/dev/tty7'
display-device = ''
remote-host-name = ''
is-local = FALSE
on-since = '2013-02-08T07:22:35.394207Z'
login-session-id = '4294967295'
$
=====
The problem with ConsoleKit is well-known (see #665973). However,
according to /usr/share/doc/network-manager/README.Debian:
--8<---------------cut here---------------start------------->8---
system connections and security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In NetworkManager version 0.9, network connections are stored as keyfiles in
the /etc/NetworkManager/system-connections/ directory.
When creating new wireless or wired connections, they are by default
system-owned (i.e. available to everyone) and the secrets (e.g WPA-PSK or WEP
key) are stored as plain text in the corresponding connection configuration
file. The advantage of system connections is, that they can be active before a
user has logged in and they are active across user sessions.
Modifying or creating such system-owned connections requires admin privileges.
To avoid prompts for the root/admin password, NetworkManager ships a PolicyKit
configuration file which grants everyone in group "netdev" or "sudo" the
privilege to modify a system connection without prior authentication.
--8<---------------cut here---------------end--------------->8---
Indeed the PolicyKit configuration seems to be correct, but the
LDAP/SSSD user does not have access to it (which should not be a
problem):
=====
$ cat /etc/polkit-1/localauthority/10-vendor.d/org.freedesktop.NetworkManager.pkla
cat: /etc/polkit-1/localauthority/10-vendor.d/org.freedesktop.NetworkManager.pkla: Permission denied
$ su
Password:
# cat /etc/polkit-1/localauthority/10-vendor.d/org.freedesktop.NetworkManager.pkla
[Adding or changing system-wide NetworkManager connections]
Identity=unix-group:netdev;unix-group:sudo
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=no
ResultInactive=no
ResultActive=yes
#
=====
What is strange is that the default user created by d-i (thus not
LDAP/SSSD) can control networking without any problem, thus I guess
there is something going wrong with SSSD. I have anyway reported it to
network-manager since this is the only package I have had problems with
so far.
Thx, bye,
Gismo / Luca
-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.7-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages network-manager depends on:
ii adduser 3.113+nmu3
ii dbus 1.6.8-1
ii dpkg 1.16.9
ii isc-dhcp-client 4.2.4-4
ii libc6 2.13-38
ii libdbus-1-3 1.6.8-1
ii libdbus-glib-1-2 0.100-1
ii libgcrypt11 1.5.0-3
ii libglib2.0-0 2.33.12+really2.32.4-5
ii libgnutls26 2.12.20-4
ii libgudev-1.0-0 175-7.1
ii libnl-3-200 3.2.7-4
ii libnl-genl-3-200 3.2.7-4
ii libnl-route-3-200 3.2.7-4
ii libnm-glib4 0.9.4.0-10
ii libnm-util2 0.9.4.0-10
ii libpolkit-gobject-1-0 0.105-3
ii libuuid1 2.20.1-5.3
ii lsb-base 4.1+Debian9
ii udev 175-7.1
ii wpasupplicant 1.0-3+b2
Versions of packages network-manager recommends:
pn crda <none>
ii dnsmasq-base 2.65-1
ii iptables 1.4.16.3-4
ii modemmanager 0.5.2.0-2
ii policykit-1 0.105-3
ii ppp 2.4.5-5.1+b1
Versions of packages network-manager suggests:
pn avahi-autoipd <none>
-- Configuration Files:
/etc/NetworkManager/NetworkManager.conf changed:
[main]
plugins=ifupdown,keyfile
[ifupdown]
managed=false
/etc/polkit-1/localauthority/10-vendor.d/org.freedesktop.NetworkManager.pkla [Errno 13] Permission denied: u'/etc/polkit-1/localauthority/10-vendor.d/org.freedesktop.NetworkManager.pkla'
-- no debconf information
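
An added example, not part of the original report: it evaluates the .pkla rule quoted above against the ConsoleKit session quoted above, using the Result* semantics from pklocalauthority(8) (ResultAny for sessions that are not local, ResultInactive/ResultActive for local ones). Function names are illustrative; the inputs are excerpts copied from the report, and ordering between multiple entries or files is not modelled.

```python
import configparser
import fnmatch
import re

# Excerpts copied from the report above.
PKLA = """\
[Adding or changing system-wide NetworkManager connections]
Identity=unix-group:netdev;unix-group:sudo
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=no
ResultInactive=no
ResultActive=yes
"""
CK_SESSION = """\
Session1:
unix-user = '10000'
active = FALSE
is-local = FALSE
"""
GROUPS = {"adm", "plugdev", "netdev"}  # subset of the `groups` output


def parse_ck_session(text):
    """Map the key = value lines of one ck-list-sessions entry to a dict."""
    pairs = re.findall(r"^\s*([\w-]+) = (.*)$", text, re.M)
    return {key: value.strip("'") for key, value in pairs}


def result_key(session):
    """Choose the Result* key as pklocalauthority(8) describes it."""
    if session.get("is-local") != "TRUE":
        return "ResultAny"
    return "ResultActive" if session.get("active") == "TRUE" else "ResultInactive"


def evaluate(pkla_text, action, groups, session):
    """Return the matching entry's result for this session, else None."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # .pkla keys are case-sensitive
    cp.read_string(pkla_text)
    wanted = {f"unix-group:{g}" for g in groups}
    for name in cp.sections():
        entry = cp[name]
        actions = [a for a in entry.get("Action", "").split(";") if a]
        idents = {i for i in entry.get("Identity", "").split(";") if i}
        if idents & wanted and any(fnmatch.fnmatch(action, a) for a in actions):
            return entry.get(result_key(session))
    return None
```

A return value of None means no entry in the given text covers that action for those groups, in which case polkit falls back to the defaults declared for the action.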