We experienced a problem with an Ubuntu 20.04 Focal Fossa used as NIS client: some tasks were inhibited because the user - despite it was logged-in locally on the physical machine - it was considered non interactive one.
One symptom can be the following error message when you issue the reboot command into a terminal session:
Failed to set wall message, ignoring: Interactive authentication required. Failed to power off system via logind: Interactive authentication required. Failed to open initctl fifo: Permission denied Failed to talk to init daemon.
Using the command systemctl reboot -i does not work either, producing the following error: </code>
==== AUTHENTICATING FOR org.freedesktop.login1.reboot-multiple-sessions === Authentication is required for rebooting the system while other users are logged in.
Choosing to reboot or poweroff from the various desktop applets produces instead just a session close.
It turned out that the PolicyKit authorization manager is enabled, according to the default policies that problematic tasks are reserved to local users only, whereas users authenticated by the NIS server are considered somehow remote.
One solution is to create a file on the NIS client, name /var/lib/polkit-1/localauthority/50-local.d/10-nis-users.pkla. The /var/lib/polkit-1/localauthority/
directory is intended for 3rd party packages, the 50-local.d
subdirectory is intended for local usage.
[Allow Printer administration for NIS users] Identity=unix-group:lpadmin;unix-group:adm Action=org.opensuse.cupspkhelper.mechanism.* ResultAny=yes [Allow halt power-off and reboot for NIS users] Identity=unix-group:adm Action=org.freedesktop.login1.halt*;org.freedesktop.login1.power-off*;org.freedesktop.login1.reboot* ResultAny=yes
To make the new policy effective, issue the command:
systemctl restart polkit.service
The syntax of the file is explained into the pklocalauthority man page.
First of all usint the Identity option we select the users interested into that policy. For managing printers we required the user to belong to the lpadmin and adm groups. The first group is the standard Debian group to manage printers, whereas the adm group is an arbitrary group assigned to some users by the NIS server (see the page Debian system groups). In our case the groups are determined by the NIS server, via the /var/yp/ypfiles/group file.
For the Action part we had to discover the name of the printer management and the poweroff/halt/reboot. You can use the pkaction command and browse its output; also searching on the Net is a big resource. The org.opensuse.cupspkhelper.mechanism. is OpenSUSE and Ubuntu specific (I don't have it in my Debian box):
pkaction | grep cupspkhelper org.opensuse.cupspkhelper.mechanism.all-edit org.opensuse.cupspkhelper.mechanism.class-edit org.opensuse.cupspkhelper.mechanism.devices-get org.opensuse.cupspkhelper.mechanism.job-edit org.opensuse.cupspkhelper.mechanism.job-not-owned-edit org.opensuse.cupspkhelper.mechanism.printer-enable org.opensuse.cupspkhelper.mechanism.printer-local-edit org.opensuse.cupspkhelper.mechanism.printer-remote-edit org.opensuse.cupspkhelper.mechanism.printer-set-default org.opensuse.cupspkhelper.mechanism.printeraddremove org.opensuse.cupspkhelper.mechanism.server-settings
For the reboot/poweroff/halt etc we have the following PolKit nodes:
org.freedesktop.login1.halt org.freedesktop.login1.hibernate org.freedesktop.login1.power-off org.freedesktop.login1.reboot org.freedesktop.login1.suspend
each of them have some sub-actions:
pkaction | grep org.freedesktop.login1.power-off org.freedesktop.login1.power-off org.freedesktop.login1.power-off-ignore-inhibit org.freedesktop.login1.power-off-multiple-sessions
Finally the problem-solving option is ResultAny, which means that the policy is applicable for users logged-in in any status. The default policy is instead something like this:
ResultAny=no ResultInactive=no ResultActive=yes