[Pkg-utopia-maintainers] Bug#700165: network-manager: LDAP/SSSD user not authorized to control networking even if member of netdev group

Luca Capello luca at pca.it
Sat Feb 9 11:40:25 UTC 2013


Package: network-manager
Version: 0.9.4.0-10
Severity: normal
File: /usr/bin/nmcli
Usertags: pca.it-communication

Hi there!

Since I set up user authentication via LDAP/SSSD on my laptop I can no
longer activate NM connections as such a user:
=====
$ su
Password:
# ls -l /etc/NetworkManager/system-connections/FOSDEM
-rw------- 1 root root 134 Feb  2 13:24 /etc/NetworkManager/system-connections/FOSDEM
# exit
$ nmcli con up id FOSDEM
Error: Connection activation failed: Not authorized to control networking.
$ groups
Domain Users adm disk dialout cdrom floppy tape audio dip www-data video \
 plugdev crontab netdev vlock kvm fuse libvirt lpadmin bacula scanner
clear          clear_console
$ ck-list-sessions
Session1:
        unix-user = '10000'
        realname = 'Luca Capello'
        seat = 'Seat2'
        session-type = ''
        active = FALSE
        x11-display = ':0'
        x11-display-device = '/dev/tty7'
        display-device = ''
        remote-host-name = ''
        is-local = FALSE
        on-since = '2013-02-08T07:22:35.394207Z'
        login-session-id = '4294967295'
$
=====

The problem with ConsoleKit is well-known (see #665973).  However,
according to /usr/share/doc/network-manager/README.Debian:

--8<---------------cut here---------------start------------->8---
system connections and security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In NetworkManager version 0.9, network connections are stored as keyfiles in
the /etc/NetworkManager/system-connections/ directory.
When creating new wireless or wired connections, they are by default
system-owned (i.e. available to everyone) and the secrets (e.g WPA-PSK or WEP
key) are stored as plain text in the corresponding connection configuration
file. The advantage of system connections is, that they can be active before a
user has logged in and they are active across user sessions.
Modifying or creating such system-owned connections requires admin privileges.
To avoid prompts for the root/admin password, NetworkManager ships a PolicyKit
configuration file which grants everyone in group "netdev" or "sudo" the
privilege to modify a system connection without prior authentication.
--8<---------------cut here---------------end--------------->8---

Indeed the PolicyKit configuration seems to be correct, but the
LDAP/SSSD user does not have access to it (which should not be a
problem):
=====
$ cat /etc/polkit-1/localauthority/10-vendor.d/org.freedesktop.NetworkManager.pkla
cat: /etc/polkit-1/localauthority/10-vendor.d/org.freedesktop.NetworkManager.pkla: Permission denied
$ su
Password:
# cat /etc/polkit-1/localauthority/10-vendor.d/org.freedesktop.NetworkManager.pkla
[Adding or changing system-wide NetworkManager connections]
Identity=unix-group:netdev;unix-group:sudo
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=no
ResultInactive=no
ResultActive=yes
#
=====

What is strange is that the default user created by d-i (thus not
LDAP/SSSD) can control networking without any problem, thus I guess
there is something going wrong with SSSD.  I have anyway reported it to
network-manager since this is the only package I have had problems with
so far.

Thx, bye,
Gismo / Luca

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.7-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages network-manager depends on:
ii  adduser                3.113+nmu3
ii  dbus                   1.6.8-1
ii  dpkg                   1.16.9
ii  isc-dhcp-client        4.2.4-4
ii  libc6                  2.13-38
ii  libdbus-1-3            1.6.8-1
ii  libdbus-glib-1-2       0.100-1
ii  libgcrypt11            1.5.0-3
ii  libglib2.0-0           2.33.12+really2.32.4-5
ii  libgnutls26            2.12.20-4
ii  libgudev-1.0-0         175-7.1
ii  libnl-3-200            3.2.7-4
ii  libnl-genl-3-200       3.2.7-4
ii  libnl-route-3-200      3.2.7-4
ii  libnm-glib4            0.9.4.0-10
ii  libnm-util2            0.9.4.0-10
ii  libpolkit-gobject-1-0  0.105-3
ii  libuuid1               2.20.1-5.3
ii  lsb-base               4.1+Debian9
ii  udev                   175-7.1
ii  wpasupplicant          1.0-3+b2

Versions of packages network-manager recommends:
pn  crda          <none>
ii  dnsmasq-base  2.65-1
ii  iptables      1.4.16.3-4
ii  modemmanager  0.5.2.0-2
ii  policykit-1   0.105-3
ii  ppp           2.4.5-5.1+b1

Versions of packages network-manager suggests:
pn  avahi-autoipd  <none>

-- Configuration Files:
/etc/NetworkManager/NetworkManager.conf changed:
[main]
plugins=ifupdown,keyfile
[ifupdown]
managed=false

/etc/polkit-1/localauthority/10-vendor.d/org.freedesktop.NetworkManager.pkla [Errno 13] Permission denied: u'/etc/polkit-1/localauthority/10-vendor.d/org.freedesktop.NetworkManager.pkla'

-- no debconf information
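
The following is an added example, not part of the original report and not NetworkManager or polkit code: it evaluates the quoted .pkla entry against the ConsoleKit session state shown above, to see which Result* key polkit's local authority would consult. The function names are hypothetical, the inputs are copied from the report's output, and the session-to-key mapping follows pklocalauthority(8); it checks a single file and does not reproduce polkit's directory ordering.

```python
import configparser
import fnmatch

# Constructed inputs: the .pkla entry and session fields quoted in the report.
PKLA = """\
[Adding or changing system-wide NetworkManager connections]
Identity=unix-group:netdev;unix-group:sudo
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=no
ResultInactive=no
ResultActive=yes
"""
CK_SESSION = """\
Session1:
        unix-user = '10000'
        active = FALSE
        is-local = FALSE
"""

def parse_ck_session(text):
    """Return the key/value pairs of one ck-list-sessions entry."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if sep:
            fields[key.strip()] = value.strip().strip("'")
    return fields

def result_key(session):
    """Pick the Result* key for a session: non-local sessions use ResultAny."""
    if session.get("is-local") != "TRUE":
        return "ResultAny"
    return "ResultActive" if session.get("active") == "TRUE" else "ResultInactive"

def pkla_decision(pkla_text, action, identities, session):
    """Return (key, value) from the last matching entry, or None if none match."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case (ResultAny, not resultany)
    cp.read_string(pkla_text)
    decision = None
    for name in cp.sections():
        entry = cp[name]
        ids = entry.get("Identity", "").split(";")
        acts = entry.get("Action", "").split(";")
        if (any(fnmatch.fnmatchcase(i, p) for i in identities for p in ids)
                and any(fnmatch.fnmatchcase(action, p) for p in acts)):
            key = result_key(session)
            decision = (key, entry[key]) if key in entry else decision
    return decision
```

For the session in the report (is-local = FALSE), the quoted entry resolves to ResultAny=no for a netdev member; the same entry resolves to ResultActive=yes only for a local, active session.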