10

I've really dug into Google and AskUbuntu this week, but I wasn't able to find a satisfactory answer to this issue I'm facing...

I've created a user with ADMIN permissions on my Ubuntu 18.04 using the available GUI from GNOME. Every time I access that interface, to be able to create a new user using that screen, I have first to click on UNLOCK button at the top of the screen, close to the X (close window) button. This procedure works very well when I'm logged onto console, locally.

But when I try to perform the exact same procedure when connected to my Ubuntu using a xRDP Session, I'm not able to click on that button. When I'm connected remotely, the UNLOCK button at the top of the screen is greyed out, and a message is displayed when I hover the cursor over the button: "System policy prevents changes."

What policy do I have to change on my Ubuntu installation in order to have the same behavior, at that screen, no matter if I'm logged at Console or remotely connected thru xRDP?

Overlord
  • 101
  • 1
  • 1
  • 5
  • Same happens for adding printers. In this case, just go to a terminal and sudo system-config-printer – Gustavo Sep 22 '21 at 16:41

3 Answers

9

Creating /etc/polkit-1/localauthority/50-local.d/46-user-admin.pkla with the following content worked for me:

[user admin]
Identity=unix-user:*
Action=org.gnome.controlcenter.user-accounts.administration
ResultAny=auth_admin_keep
ResultInactive=no
ResultActive=no

KetZoomer
  • 107
manrik
  • 91
6

The problem is related to Polkit technology. Different rights are granted when you are locally connected and remotely connected.

Please read till the end.....

You can see policies in place by browsing /usr/share/polkit-1/actions... in this directory; you have two files that might control the user account control panel... you have to look for org.gnome-controlcenter.users-account.policy. At the bottom of the file, you have something like

  <allow_any>no</allow_any>
  <allow_inactive>no</allow_inactive>
  <allow_active>auth_admin_keep</allow_active>

The allow_inactive value is the one controlling rights in remote session.... You can try to change value in this file and see if this is good for you....

A better way is to leave this file intact but create an additional file (*.pkla) that would contain the exception you want to apply..... example of pkla file content

to allow all users to perform user management.....

[Allow Users administration]
Identity=unix-user:*
Action=org.gnome.controlcenter.user-accounts.administration
ResultAny=no
ResultInactive=yes
ResultActive=yes

save this file under /etc/polkit-1/localauthority/50-local.d/

name it for example 46-user-admin.pkla

Then try again to see if you can perform the management of user within the xRDP session....

To be more restrictive, change the line

Identity=unix-user:*

to

Identity=unix-group:%name of a group%

so only the group will have the possibility to manage this feature...

I hope this is enough info for you to start and to look in the right direction....

We are preparing a post about this topic... When ready, we will link it to this comment as well so you might have a look into it if you still have issues

Hope this helps

Till next time See ya

Griffon
  • 2,375
0

I had the issue where the unlock button wasn't working via xrdp or locally.

To fix it I did this:

Note: This basically got rid of the unlock button altogether on the user panel within ubuntu 20x gnome

Get a list of all defined polkit actions:

/bin/pkaction 

Find actions related to user management:

org.freedesktop.accounts.change-own-password
org.freedesktop.accounts.change-own-user-data
org.freedesktop.accounts.set-login-option
org.freedesktop.accounts.user-administration
org.gnome.controlcenter.user-accounts.administration

Create override file to set the permissions you want instead of what polkit by default wants. Using the nano editor will create the file and put you into editing mode within nano:

sudo nano /etc/polkit-1/localauthority/50-local.d/46-user-admin.pkla

Note: The file name must be unique. The number defines the order of evaluation. For more information see the polkit docs: https://www.freedesktop.org/software/polkit/docs/0.105/pklocalauthority.8.html

Add the override settings within the 46-user-admin.pkla file.

  1. First add something to describe what the settings will do:

Example:

[Authorize admin control of user settings]

  2. Identify who the override applies to. This can be a user/group, selected users/groups etc. Use semicolons to separate multiple entries. The following entry defines it as any user:

Example:

Identity=unix-user:*

  3. Referencing the list acquired from pkaction in regards to actions for user administration, add entry/entries to associate the identities defined with the action(s). The following associates any org.freedesktop.accounts.* and any org.gnome.controlcenter.user-accounts.* actions with the defined Identity=unix-user:*

Example:

Action=org.freedesktop.accounts.*;org.gnome.controlcenter.user-accounts.*

  4. Define the conditions for when the rule applies. See the "AUTHORIZATION ENTRY" section at https://www.freedesktop.org/software/polkit/docs/0.105/pklocalauthority.8.html for more detailed information on what the ResultXXX statements pertain to.

Basically: ResultActive means for an active session, ResultInactive means for an inactive session and ResultAny means any session.

The final file will look like this:

[Authorize admin control of user settings]
Identity=unix-user:*
Action=org.freedesktop.accounts.*;org.gnome.controlcenter.user-accounts.*
ResultActive=yes
ResultInactive=yes
ResultAny=yes

  5. Save the file and exit
  6. Cleanest way to activate the change rather than simple kill/hup of polkitd is to reboot
ArionK
  • 1
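
An added example, not part of any answer above and not polkit's own code: a small auditor for .pkla overrides like the ones posted in this thread. For a given action id it lists what each ResultXXX key returns and flags entries that answer `yes` (no authentication) for every user. It assumes the key-file layout and semicolon-separated globs described in the pklocalauthority man page linked above; `fnmatchcase` stands in for polkit's glob matcher, and the two sample files are constructed from the entries in the first and last answers.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: the final file from the last answer above.
SAMPLE_BROAD = """\
[Authorize admin control of user settings]
Identity=unix-user:*
Action=org.freedesktop.accounts.*;org.gnome.controlcenter.user-accounts.*
ResultActive=yes
ResultInactive=yes
ResultAny=yes
"""
# Constructed sample: the entry from the first answer above.
SAMPLE_AUTH = """\
[user admin]
Identity=unix-user:*
Action=org.gnome.controlcenter.user-accounts.administration
ResultAny=auth_admin_keep
ResultInactive=no
ResultActive=no
"""

def parse_pkla(text):
    """Parse .pkla key-file text into one dict per [section]."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case (ResultAny, not resultany)
    cp.read_string(text)
    split = lambda v: [p.strip() for p in v.split(";") if p.strip()]
    return [{"name": n,
             "identities": split(cp[n].get("Identity", "")),
             "actions": split(cp[n].get("Action", "")),
             "results": {k: cp[n].get("Result" + k, "")
                         for k in ("Any", "Inactive", "Active")}}
            for n in cp.sections()]

def audit(text, action):
    """Return (entry, result key, value, flag) for entries whose Action globs match."""
    findings = []
    for e in parse_pkla(text):
        if not any(fnmatchcase(action, g) for g in e["actions"]):
            continue  # this entry does not apply to the action being checked
        everyone = any(i.endswith(":*") for i in e["identities"])
        for kind, value in e["results"].items():
            if value == "yes":
                flag = "NO-AUTH-FOR-EVERYONE" if everyone else "no-auth"
            else:
                flag = "password-required" if value.startswith("auth_") else "denied-or-unset"
            findings.append((e["name"], kind, value, flag))
    return findings
```

Running `audit()` over each file in /etc/polkit-1/localauthority/50-local.d/ with the action ids printed by pkaction shows which overrides let any account administer users without a password prompt.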