On Thu, 11 Jan 2024, Dmitry Krasov via FreeIPA-users wrote:
Is this user ('desktop') a member of any administrative groups?
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_eval_user_element] (0x1000): [RID#101] [2] groups for [desktop@dom.loc]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_eval_user_element] (0x1000): [RID#101] Added group [ipausers] for user [desktop]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_eval_user_element] (0x1000): [RID#101] Added group [desktop22043] for user [desktop]
....
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_req_debug_print] (0x2000): [RID#98] REQUEST:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] service [gdm-password]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] service_group (none)
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] user [desktop]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] user_group:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] [ipausers]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] [desktop22043]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] targethost [desktop22043.dom.loc]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] targethost_group:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] [desktop22043]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print] (0x2000): [RID#98] srchost_group (none)
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_req_debug_print] (0x2000): [RID#98] request time 2024-01-11 15:01:26
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_debug_print] (0x2000): [RID#98] RULE [allow_all] [ENABLED]:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_debug_print] (0x2000): [RID#98] services:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_element_debug_print] (0x2000): [RID#98] category [0x1] [ALL]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_debug_print] (0x2000): [RID#98] users:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_element_debug_print] (0x2000): [RID#98] category [0x1] [ALL]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_debug_print] (0x2000): [RID#98] targethosts:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_element_debug_print] (0x2000): [RID#98] category [0x1] [ALL]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_debug_print] (0x2000): [RID#98] srchosts:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_element_debug_print] (0x2000): [RID#98] category [0x1] [ALL]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_evaluate] (0x0100): [RID#98] ALLOWED by rule [allow_all].
It seems it is a member of only two groups.
From your previous log, polkit was unable to authorize access using its own
rules:
16:33:38 desktop22043.dom.loc polkitd(authority=local)[587]: Operator of unix-session:4 FAILED to authenticate to gain authorization for action org.fortinet.fortitray.quit for unix-process:3948:18923 [sh -c pkexec /bin/bash /opt/forticlient/stop-forticlient.sh] (owned by unix-user:desktop)
IIRC, if you didn't modify them, polkit's default configuration is to
allow only administrative users to operate as another user
(allow_active=auth_admin in polkit actions; see
https://manpages.ubuntu.com/manpages/jammy/man8/polkit.8.html for
details). The meaning of an administrative user is defined in polkit
rules. For example,
https://www.freeipa.org/page/Howto/FreeIPA_PolicyKit
describes how you can add a rule that matches a certain IPA group
(really, any group membership known on the system).
You can check which actions are allowed for your user 'desktop' by
running
$ pkaction
as that user in their logged-in session.
See
https://www.admin-magazine.com/Articles/Assigning-Privileges-with-sudo-an...
for a somewhat detailed explanation of how this all works -- this is general
enough to work with or without FreeIPA.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
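The decision described in the reply above, worked through as an added example (not code from the thread, from polkit or from FreeIPA): a small constructed stand-in for polkitd's JavaScript rule engine that evaluates rules written in the real /etc/polkit-1/rules.d syntax (polkit.addRule, polkit.addAdminRule, subject.isInGroup, polkit.Result). The action id, the user and the groups ipausers and desktop22043 come from the logs in the thread; the implicit auth_admin settings for the action, the stock admin rule returning unix-group:wheel, and the IPA group name "forticlient-admins" are assumptions for illustration.

```javascript
"use strict";

// Constructed stand-in for polkitd's rule engine (not the real polkitd).
function makePolkit() {
  return {
    Result: { NO: "no", YES: "yes", AUTH_SELF: "auth_self", AUTH_SELF_KEEP: "auth_self_keep",
              AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep", NOT_HANDLED: null },
    _rules: [],
    _adminRules: [],
    addRule(fn) { this._rules.push(fn); },
    addAdminRule(fn) { this._adminRules.push(fn); },
    log(msg) { /* real polkitd writes this to the journal; ignored here */ },
  };
}

// Subject as polkitd presents it to rules: user name, group test, session state.
function makeSubject(user, groups, local = true, active = true) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}

// Explicit rules run in order; the first non-null result wins. If none handles
// the action, the implicit setting from the action's .policy file applies
// (allow_active for a local, active session such as a gdm login).
function decide(polkit, action, subject) {
  for (const rule of polkit._rules) {
    const r = rule(action, subject);
    if (r !== null && r !== undefined) return r;
  }
  if (subject.local && subject.active) return action.implicit.allow_active;
  if (subject.local) return action.implicit.allow_inactive;
  return action.implicit.allow_any;
}

// "Administrator" for auth_admin means: matches one of the identities the first
// applicable admin rule returns (the stock rule returns unix-group:wheel on
// Fedora/RHEL and unix-group:sudo / unix-group:admin on Ubuntu).
function isAdmin(polkit, action, subject) {
  for (const rule of polkit._adminRules) {
    const ids = rule(action, subject);
    if (!ids) continue;
    return ids.some((id) => {
      const [kind, name] = id.split(":");
      return (kind === "unix-user" && name === subject.user) ||
             (kind === "unix-group" && subject.isInGroup(name));
    });
  }
  return false;
}

// What the caller ends up with. auth_admin asks an administrator to
// authenticate; a subject who is not one has nobody to authenticate as, which
// is the "FAILED to authenticate to gain authorization" line in the log.
function outcome(polkit, action, subject) {
  const r = decide(polkit, action, subject);
  if (r === "yes") return "allowed";
  if (r === "no") return "denied";
  if (r.startsWith("auth_admin")) {
    return isAdmin(polkit, action, subject) ? "admin authentication required"
                                            : "denied: not an administrator";
  }
  return "own password required";
}

// Action from the thread's polkit log; implicit settings assumed (auth_admin
// is the default the reply refers to).
const QUIT_ACTION = {
  id: "org.fortinet.fortitray.quit",
  implicit: { allow_any: "auth_admin", allow_inactive: "auth_admin", allow_active: "auth_admin" },
};

// Stock configuration: only wheel members are administrators (assumed).
function stockRules(polkit) {
  polkit.addAdminRule(function (action, subject) { return ["unix-group:wheel"]; });
}

// A rule in the style of the FreeIPA PolicyKit howto, scoped to this one action
// and one IPA-managed group (group name "forticlient-admins" is assumed).
function ipaGroupRule(polkit) {
  polkit.addRule(function (action, subject) {
    if (action.id === "org.fortinet.fortitray.quit" && subject.isInGroup("forticlient-admins")) {
      return polkit.Result.YES;
    }
  });
}

// Evaluate user 'desktop' with a given group list under the given rule sets.
function evaluateDesktop(groups, ...ruleSets) {
  const polkit = makePolkit();
  ruleSets.forEach((install) => install(polkit));
  return outcome(polkit, QUIT_ACTION, makeSubject("desktop", groups));
}

// Groups exactly as SSSD reported them in the thread: not an admin, so denied.
console.log(evaluateDesktop(["ipausers", "desktop22043"], stockRules));
// Same groups with the IPA rule installed: still denied, the rule does not match.
console.log(evaluateDesktop(["ipausers", "desktop22043"], stockRules, ipaGroupRule));
// Member of the matched IPA group: allowed for this action only.
console.log(evaluateDesktop(["ipausers", "desktop22043", "forticlient-admins"], stockRules, ipaGroupRule));
// A wheel member is asked for their own (admin) password instead of being refused.
console.log(evaluateDesktop(["ipausers", "wheel"], stockRules));
```

The scoped rule grants a single action to a single group, which is the least-privilege way to fix the case in the thread; returning the IPA group from an admin rule instead would make its members administrators for every auth_admin action on the host. Run `pkaction --verbose --action-id org.fortinet.fortitray.quit` on the affected machine to read the real implicit settings rather than the assumed ones above.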