Tony's ramblings on Open Source Software, Life and Photography

Ubuntu LDAP Admins and GUI Root Passwords

Here's a problem that has driven me crazy over the past year or so.

First, the Way it's Supposed to Work
In Ubuntu, you don't typically have a "root" user password. If a user needs to do something that requires administrator rights, they are placed in the "admin" group, and when they try to, say, edit the global network settings, the system asks them for their own password and uses "sudo" to perform the action.

Where it Goes Wrong
You'd think the GUI tools decide this based on who has sudo rights in "sudoers". Unfortunately, they don't. Enter LDAP authentication. If I have an LDAP group called "Domain Admins", and that group is in the "sudoers" file giving full access to root permissions, as far as anything in Ubuntu that uses the PolicyKit infrastructure is concerned, users in that group don't have administrator rights directly. It will ask those users for the system root account password, even though they could simply run the same command from a prompt prepended with "sudo" and it would work fine using their own password.

How to fix it
I searched for the solution to this particular problem off and on for over a year and never found one. This week a friend of mine was having a similar problem with a base Debian install, but without the LDAP aspect. His was a KDE issue and completely different, but it got me thinking about the problem again.

Finally I stumbled on the PolicyKit infrastructure documentation for Ubuntu. As it turns out, all the GUI bits for Ubuntu ask PolicyKit whether your account has administrator rights, and if not, they then require a root password. Unfortunately PolicyKit doesn't look at /etc/sudoers; instead it reads a fixed list of administrator identities from a PolicyKit local-authority configuration file located at:

/etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf

Here's what the file looks like:

[Configuration]
AdminIdentities=unix-group:admin

Simply append your network group to that line, separated by a semicolon:

[Configuration]
AdminIdentities=unix-group:admin;unix-group:Domain Admins

And you don't even need to log out and back in: it takes effect immediately. Of course, replace the network group "Domain Admins" with whatever the name of your centrally managed administrator group is.
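As an added example (my own script, not code from the original post), here is a POSIX shell function that makes the edit described above idempotently: it appends "unix-group:<group>" to the AdminIdentities line only if that exact identity is not already listed, rewrites the file through a temporary file so a crash can't leave a truncated config behind, and a second helper checks with getent that the group actually resolves through NSS on the machine, which is what an LDAP group membership depends on. The file path and the group name "Domain Admins" come from the post; the function names, the constructed demo file and its contents are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Idempotently add an LDAP/network
# group to the AdminIdentities line of a polkit localauthority conf file.

# check_group_resolves GROUP
# Membership in a network group only helps PolicyKit if NSS (e.g. libnss-ldap)
# can resolve that group on this machine. Returns 0 if getent finds it.
check_group_resolves() {
    getent group "$1" >/dev/null 2>&1
}

# admin_identities CONF
# Print the current AdminIdentities value (empty if the key is absent).
admin_identities() {
    sed -n 's/^AdminIdentities=//p' "$1"
}

# add_admin_group CONF GROUP
# Append unix-group:GROUP to AdminIdentities unless it is already present.
# GROUP may contain spaces (e.g. "Domain Admins"), as in the post.
add_admin_group() {
    conf="$1"
    group="$2"
    ident="unix-group:$group"

    current=$(admin_identities "$conf")

    # Exact match of one semicolon-separated item: nothing to do.
    # The quoted pattern keeps glob characters in the group name literal.
    case ";$current;" in
        *";$ident;"*) return 0 ;;
    esac

    if [ -z "$current" ]; then
        new="$ident"
    else
        new="$current;$ident"
    fi

    # Replace the existing AdminIdentities line, or append one if the file
    # (unlike Ubuntu's stock 51-ubuntu-admin.conf) has none. Writing via a
    # temp file and cat keeps the original file's owner and mode.
    tmp=$(mktemp) || return 1
    awk -v line="AdminIdentities=$new" '
        /^AdminIdentities=/ { print line; seen = 1; next }
        { print }
        END { if (!seen) print line }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    status=$?
    rm -f "$tmp"
    return $status
}

# Demo on a constructed copy of the stock file (assumption: contents as shown
# in the post), so running this script does not touch the real /etc/polkit-1.
demo_conf=$(mktemp)
printf '[Configuration]\nAdminIdentities=unix-group:admin\n' > "$demo_conf"
add_admin_group "$demo_conf" "Domain Admins"
add_admin_group "$demo_conf" "Domain Admins"   # second call is a no-op
echo "Resulting file:"
cat "$demo_conf"
if check_group_resolves "Domain Admins"; then
    echo "Group resolves via NSS on this machine."
else
    echo "Group does not resolve via NSS here; check libnss-ldap / nsswitch.conf."
fi
rm -f "$demo_conf"
```

To apply it for real, call add_admin_group with /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf and your group name as root; the change takes effect without a logout, as the post says. The getent check is the one thing worth running first: if the group doesn't resolve on the workstation, PolicyKit cannot map the user into it no matter what the conf file says.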

I made that quick tweak, deployed the file using our Puppet infrastructure, and voilà! Every computer on the network is fixed.