GNOME Bugzilla – Bug 736218
Cannot join AD or FreeIPA domain: "Not authorized to perform this action.", "rejecting access to method 'Join'"
Last modified: 2014-09-15 10:24:41 UTC
Just sending https://bugzilla.redhat.com/show_bug.cgi?id=975008 upstream, as it's a major bug that's been open for two Fedora releases without resolution. Joining any kind of enterprise domain (AD or FreeIPA) fails due to some kind of realmd dbus policy issue:

realmd[1469]: rejecting access to method 'Join' on interface 'org.freedesktop.realmd.KerberosMembership' at /org/freedesktop/realmd/Sssd/happyassassin_net_2

I see this all the way up to 3.13.5 on current Fedora 21. Not sure if the error's in g-i-s or realmd, but it needs some attention...
Note that the control-center Users applet is able to enrol the system successfully, if you create a temporary local user with g-i-s, log in as that user, and use the control-center to enrol.
do you get a polkit dialog when doing this in the control-center ?
No, but it does prompt me for the FreeIPA admin credentials (that's a different thing from local privs). I'm about 99% sure the g-i-s flow doesn't.
Oh, no, that's right, it does (I'd forgotten). It hits the dbus error (UI error is 'Failed to join domain - Not authorized to perform this action') right after entering the admin credentials. I see this in the server's Kerberos log during the process:

Sep 07 07:50:51 id.happyassassin.net krb5kdc[5637](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.216: NEEDED_PREAUTH: adamw@HAPPYASSASSIN.NET for krbtgt/HAPPYASSASSIN.NET@HAPPYASSASSIN.NET, Additional pre-authentication required
Sep 07 07:50:51 id.happyassassin.net krb5kdc[5637](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.216: ISSUE: authtime 1410101451, etypes {rep=18 tkt=18 ses=18}, adamw@HAPPYASSASSIN.NET for krbtgt/HAPPYASSASSIN.NET@HAPPYASSASSIN.NET
Sep 07 07:51:32 id.happyassassin.net krb5kdc[5637](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.216: NEEDED_PREAUTH: admin@HAPPYASSASSIN.NET for krbtgt/HAPPYASSASSIN.NET@HAPPYASSASSIN.NET, Additional pre-authentication required
Sep 07 07:51:32 id.happyassassin.net krb5kdc[5637](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.216: ISSUE: authtime 1410101492, etypes {rep=18 tkt=18 ses=18}, admin@HAPPYASSASSIN.NET for krbtgt/HAPPYASSASSIN.NET@HAPPYASSASSIN.NET

The first two are when I enter username and password, the second two when I enter the admin credentials. It looks like it auths correctly in both cases, but the operation still fails. The UI error is "Failed to join domain - Not authorized to perform this action", BTW.
i think i know what the issue is, will attach patch now, and test patch tomorrow
Created attachment 285950 [details] [review] polkit: whitelist realmd actions for gnome-initial-setup user gnome-initial-setup needs to be allowed to joining a realm without a polkit agent running.
Review of attachment 285950 [details] [review]: yep, looks right
Attachment 285950 [details] pushed as 81d0a90 - polkit: whitelist realmd actions for gnome-initial-setup user
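The fix referenced above is a polkit rule that lets the dedicated gnome-initial-setup user call realmd without an agent to answer an authentication prompt. The block below is an added illustration, not the contents of attachment 285950 or the gnome-initial-setup project's actual rules file: it wraps such a rule in a small constructed stand-in for polkitd's rule engine so the decision can be exercised offline, and the realmd action id used in the check is assumed for the example.

```javascript
// Constructed stand-in for polkitd's JavaScript rule engine, so the rule below
// can be run outside polkitd. The real daemon supplies the `polkit` object.
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  // polkitd calls rules in order and uses the first non-null/undefined result;
  // if none handles the request, the action's default policy applies.
  evaluate(action, subject) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== undefined && r !== null) return r;
    }
    return this.Result.NOT_HANDLED;
  },
};

// The rule as it would appear in a /usr/share/polkit-1/rules.d/ file (assumed
// form): grant only the realmd action family, and only to the
// gnome-initial-setup system user, so the allowance cannot be reused by
// ordinary sessions or extended to unrelated privileged actions.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.freedesktop.realmd.") === 0 &&
      subject.user === "gnome-initial-setup") {
    return polkit.Result.YES;
  }
  // Everything else is deliberately left unhandled (falls through).
});

// Ask the engine what the rule decides for a given action and calling user.
function checkRealmdAccess(actionId, user) {
  return polkit.evaluate({ id: actionId }, { user: user });
}

// Action id is an assumed example of a realmd action, not taken from the bug.
console.log(checkRealmdAccess("org.freedesktop.realmd.configure-realm",
                              "gnome-initial-setup")); // "yes"
```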