I've really dug into Google and AskUbuntu this week, but I wasn't able to find a satisfactory answer to this issue I'm facing...
I've created a user with ADMIN permissions on my Ubuntu 18.04 using the available GUI from GNOME. Every time I access that interface, to be able to create a new user using that screen, I have first to click on UNLOCK button at the top of the screen, close to the X (close window) button. This procedure works very well when I'm logged onto console, locally.
But when I try to perform the exact same procedure when connected to my Ubuntu using an xRDP session, I'm not able to click on that button. When I'm connected remotely, the UNLOCK button at the top of the screen is greyed out, and a message is displayed when I hover the cursor over the button: "System policy prevents changes."
What policy do I have to change on my Ubuntu installation in order to have the same behavior, at that screen, no matter if I'm logged in at the console or remotely connected through xRDP?
Creating /etc/polkit-1/localauthority/50-local.d/46-user-admin.pkla with the following content worked for me:
[user admin]
Identity=unix-user:*
Action=org.gnome.controlcenter.user-accounts.administration
ResultAny=auth_admin_keep
ResultInactive=no
ResultActive=no
The problem is related to Polkit technology. Different rights are granted when you are locally connected and remotely connected.
Please read till the end.....
You can see policies in place by browsing /usr/share/polkit-1/actions... in this directory; you have two files that might control the user account control panel... you have to look for org.gnome-controlcenter.users-account.policy. At the bottom of the file, you have something like
The allow_inactive value is the one controlling rights in remote session.... You can try to change value in this file and see if this is good for you....
A better way is to leave this file intact but create an additional file (*.pkla) that would contain the exception you want to apply..... example of pkla file content
to allow all users to perform user management.....
save this file under /etc/polkit-1/localauthority/50-local.d/
name it for example 46-user-admin.pkla
Then try again to see if you can perform the management of user within the xRDP session....
To be more restrictive, change the line
Identity=unix-user:*
to
Identity=unix-group:%name of a group%
so only the group will have the possibility to manage this feature...
I hope this is enough info for you to start and to look in the right direction....
We are preparing a post about this topic... When ready, we will link it to this comment as well so you might have a look into it if you still have issues.
Hope this helps
Till next time See ya
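An added example, not part of any answer on this page: a small Python audit that parses .pkla text like the override discussed above and reports entries that grant the user-accounts action with no authentication. The session-to-key mapping is an assumed, simplified model of pklocalauthority(8), and the `[helpdesk]` entry, its group name and all function names are constructed for illustration.

```python
import configparser
import fnmatch

# Constructed sample: the first answer's override plus a hypothetical passwordless grant.
SAMPLE_PKLA = """\
[user admin]
Identity=unix-user:*
Action=org.gnome.controlcenter.user-accounts.administration
ResultAny=auth_admin_keep
ResultInactive=no
ResultActive=no

[helpdesk]
Identity=unix-group:helpdesk;unix-user:*
Action=org.gnome.controlcenter.user-accounts.*
ResultAny=yes
"""
ACTION = "org.gnome.controlcenter.user-accounts.administration"
# Assumed simplified model of pklocalauthority(8): the key consulted per session kind.
KEY_FOR = {"local-active": "ResultActive", "local-inactive": "ResultInactive",
           "non-local": "ResultAny"}

def parse_pkla(text):
    """Parse .pkla text into one dict per section, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return [dict(cp[name], section=name) for name in cp.sections()]

def result_for(entry, action, session):
    """Verdict this entry gives for action/session, or None if it sets none."""
    globs = [g.strip() for g in entry.get("Action", "").split(";")]
    if not any(g and fnmatch.fnmatchcase(action, g) for g in globs):
        return None
    return entry.get(KEY_FOR[session])

def audit(text, action=ACTION):
    """List (section, session, matches_every_user) where the verdict is 'yes'."""
    findings = []
    for entry in parse_pkla(text):
        ids = [i.strip() for i in entry.get("Identity", "").split(";")]
        everyone = any(i.split(":", 1)[-1] == "*" for i in ids)
        for session in KEY_FOR:
            if result_for(entry, action, session) == "yes":
                findings.append((entry["section"], session, everyone))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_PKLA))
```

The audit does not resolve evaluation order across several .pkla files or match a concrete user against the Identity globs; it only surfaces entries worth reviewing.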
I had the issue where the unlock button wasn't working via xrdp or locally.
To fix it I did this:
Note: This basically got rid of the unlock button altogether on the user panel within ubuntu 20x gnome
Get a list of all defined polkit actions:
Find actions related to user management:
Create override file to set the permissions you want instead of what polkit by default wants. Using the nano editor will create the file and put you into editing mode within nano:
Note: the file name must be unique. The number defines the order of evaluation. For more information see the polkit docs: https://www.freedesktop.org/software/polkit/docs/0.105/pklocalauthority.8.html
Add the override settings within the 46-user-admin.pkla file.
Example:
Example:
Example:
Basically: ResultActive means for an active session, ResultInactive means for an inactive session and ResultAny means any session.
The final file will look like this: