Andrey, 2021-12-08 16:19:55

Polkit policy domain groups?

Hello, has anyone come across this, or can anyone tell me?
I'm writing a config for polkit (the point is that password requests should not be displayed for AD users in RDP sessions).


Here you either edit each policy for each application (which is not good), or you can create a file of this type:

[Do anything you want]
Identity=unix-group:admin
Action=*
ResultActive=yes


And here, as it were, everything is clear: Identity=unix-group:admin. But my groups are not local, they are domain ones - "domain users".
Is there any syntax where, instead of unix-group:admin, I could write something like pam-group-%domain users?
I can't find a solution.


1 answer(s)
Sergey Tarasov, 2021-12-08
@MoscowStyle


It depends on which action provokes the password request: you can look at the "details" in the request window, which will come in handy later.
In /localauthority/xx-xxxx we create .pkla files, taking the name itself from the "information".
Specifically, in my case, I managed to remove the root password requests for network manipulation (enable/disable PPTP) as follows: I added the following content to the file
/etc/polkit-1/localauthority/10-vendor.d/org.freedesktop.NetworkManager.pkla:

[nm-applet]
Identity=unix-group:*
Action=org.freedesktop.NetworkManager.*
ResultActive=yes
ResultAny=yes
ResultInactive=yes

You can play around with the lines Identity=unix-group:* (instead of *, any group of your choice)
and Action=org.freedesktop.NetworkManager.* (what follows = must match the request and the file name).
After each change to the configs, restart polkit.
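
An added example, not part of the answer above and not polkit's own code: a small Python audit of .pkla text that flags rules answering `yes` for a wildcard identity, for every action, or outside active local sessions, and checks that each `unix-group:` name resolves through NSS (the assumption being that a domain group is exposed there by sssd or winbind). The sample is constructed from the two rules quoted on this page plus a hypothetical `scoped` rule and `netops` group; the function names are made up for the example.

```python
import configparser
import grp

# Constructed sample: the two rules quoted on this page plus a hypothetical one.
SAMPLE = """\
[Do anything you want]
Identity=unix-group:admin
Action=*
ResultActive=yes

[nm-applet]
Identity=unix-group:*
Action=org.freedesktop.NetworkManager.*
ResultActive=yes
ResultAny=yes
ResultInactive=yes

[scoped]
Identity=unix-group:netops
Action=org.freedesktop.NetworkManager.network-control
ResultActive=auth_admin_keep
"""

def nss_group_exists(name):  # NSS lookup: local files, sssd, winbind, ...
    try:
        return bool(grp.getgrnam(name))
    except KeyError:
        return False

def audit_pkla(text, group_exists=nss_group_exists):
    """Return (section, finding) pairs for rules that answer 'yes' too broadly."""
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep key case as written (ResultAny, not resultany)
    cp.read_string(text)
    findings = []
    for sec, rule in cp.items():
        grants = [k for k in rule if k.startswith("Result") and rule[k] == "yes"]
        if not grants:
            continue  # the rule still requires authentication
        for ident in filter(None, rule.get("Identity", "").split(";")):
            kind, _, name = ident.partition(":")
            if "*" in name or "?" in name:
                findings.append((sec, "wildcard identity " + ident))
            elif kind == "unix-group" and not group_exists(name):
                findings.append((sec, "group not resolvable via NSS: " + name))
        if "*" in rule.get("Action", "").split(";"):
            findings.append((sec, "grants every action"))
        if grants != ["ResultActive"]:
            findings.append((sec, "grant reaches non-active sessions"))
    return findings
```

Pass the contents of a real .pkla file to `audit_pkla` on the host itself so that the default NSS lookup sees the same groups polkit would.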
