NIS users unable to poweroff/reboot or manage printers

We experienced a problem with an Ubuntu 20.04 Focal Fossa machine used as a NIS client: some tasks were blocked because the user, despite being logged in locally on the physical machine, was considered a non-interactive one.

One symptom can be the following error message when you issue the reboot command in a terminal session:

Failed to set wall message, ignoring: Interactive authentication required.
Failed to power off system via logind: Interactive authentication required.
Failed to open initctl fifo: Permission denied
Failed to talk to init daemon.

Using the command systemctl reboot -i does not work either, producing the following error:

==== AUTHENTICATING FOR org.freedesktop.login1.reboot-multiple-sessions ===
Authentication is required for rebooting the system while other users are logged in.

Choosing reboot or power off from the various desktop applets just closes the session instead.

It turned out that the PolicyKit authorization manager is enabled and, according to its default policies, the problematic tasks are reserved to local users only, whereas users authenticated by the NIS server are considered somehow remote.

One solution is to create a file on the NIS client, named /var/lib/polkit-1/localauthority/50-local.d/10-nis-users.pkla, with the content shown below. The /var/lib/polkit-1/localauthority/ directory is intended for 3rd party packages; the 50-local.d subdirectory is intended for local usage.

[Allow Printer administration for NIS users]
Identity=unix-group:lpadmin;unix-group:adm
Action=org.opensuse.cupspkhelper.mechanism.*
ResultAny=yes

[Allow halt power-off and reboot for NIS users]
Identity=unix-group:adm
Action=org.freedesktop.login1.halt*;org.freedesktop.login1.power-off*;org.freedesktop.login1.reboot*
ResultAny=yes

To make the new policy effective, issue the command:

systemctl restart polkit.service

The syntax of the file is explained in the pklocalauthority man page.

First of all, using the Identity option we select the users affected by the policy. For managing printers we required the user to belong to the lpadmin and adm groups. The first group is the standard Debian group to manage printers, whereas the adm group is an arbitrary group assigned to some users by the NIS server (see the page Debian system groups). In our case the groups are determined by the NIS server, via the /var/yp/ypfiles/group file.

For the Action part we had to discover the names of the printer management and poweroff/halt/reboot actions. You can use the pkaction command and browse its output; searching the Net is also a great resource. The org.opensuse.cupspkhelper.mechanism.* actions are OpenSUSE and Ubuntu specific (I don't have them on my Debian box):

pkaction | grep cupspkhelper
org.opensuse.cupspkhelper.mechanism.all-edit
org.opensuse.cupspkhelper.mechanism.class-edit
org.opensuse.cupspkhelper.mechanism.devices-get
org.opensuse.cupspkhelper.mechanism.job-edit
org.opensuse.cupspkhelper.mechanism.job-not-owned-edit
org.opensuse.cupspkhelper.mechanism.printer-enable
org.opensuse.cupspkhelper.mechanism.printer-local-edit
org.opensuse.cupspkhelper.mechanism.printer-remote-edit
org.opensuse.cupspkhelper.mechanism.printer-set-default
org.opensuse.cupspkhelper.mechanism.printeraddremove
org.opensuse.cupspkhelper.mechanism.server-settings

For reboot/poweroff/halt etc. we have the following PolKit nodes:

org.freedesktop.login1.halt
org.freedesktop.login1.hibernate
org.freedesktop.login1.power-off
org.freedesktop.login1.reboot
org.freedesktop.login1.suspend

Each of them has some sub-actions:

pkaction | grep org.freedesktop.login1.power-off
org.freedesktop.login1.power-off
org.freedesktop.login1.power-off-ignore-inhibit
org.freedesktop.login1.power-off-multiple-sessions

Finally, the option that solves the problem is ResultAny, which means that the policy applies to users logged in with any session status. The default policy is instead something like this:

ResultAny=no
ResultInactive=no
ResultActive=yes
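
Because the Action globs combined with ResultAny=yes grant more than the names typed into the file, it is worth listing what an entry really covers. The following is an added example, not part of the original page: it parses the .pkla content shown above and expands each glob against a list of pkaction names. The names parse_pkla, audit, SAMPLE_PKLA and KNOWN_ACTIONS are assumptions made for the example, and the action list is only the subset quoted on this page.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed input: the two entries from the .pkla file shown on this page.
SAMPLE_PKLA = """\
[Allow Printer administration for NIS users]
Identity=unix-group:lpadmin;unix-group:adm
Action=org.opensuse.cupspkhelper.mechanism.*
ResultAny=yes

[Allow halt power-off and reboot for NIS users]
Identity=unix-group:adm
Action=org.freedesktop.login1.halt*;org.freedesktop.login1.power-off*;org.freedesktop.login1.reboot*
ResultAny=yes
"""

# Subset of the pkaction output quoted on this page; use the full output on a real host.
KNOWN_ACTIONS = [
    "org.freedesktop.login1.power-off",
    "org.freedesktop.login1.power-off-ignore-inhibit",
    "org.freedesktop.login1.power-off-multiple-sessions",
    "org.freedesktop.login1.suspend",
    "org.opensuse.cupspkhelper.mechanism.printeraddremove",
]

def parse_pkla(text):
    """Return one dict per [section] of a .pkla file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    split = lambda v: [x.strip() for x in v.split(";") if x.strip()]
    return [{"name": name,
             "identities": split(sec.get("Identity", "")),
             "globs": split(sec.get("Action", "")),
             "result_any": sec.get("ResultAny", "").strip()}
            for name, sec in cp.items() if name != cp.default_section]

def audit(text, known_actions):
    """List (entry, identities, concrete actions) granted with ResultAny=yes."""
    findings = []
    for e in parse_pkla(text):
        if e["result_any"] == "yes":
            # fnmatchcase approximates polkit's glob matching for the * wildcard.
            hit = sorted(a for a in known_actions if any(fnmatchcase(a, g) for g in e["globs"]))
            findings.append((e["name"], e["identities"], hit))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_PKLA, KNOWN_ACTIONS), sep="\n")
```

On the sample, the power-off* glob also matches the -ignore-inhibit and -multiple-sessions sub-actions, so members of adm receive those without authentication as well.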