====== NIS users unable to poweroff/reboot or manage printers ======

We experienced a problem with an **Ubuntu 20.04** Focal Fossa used as **NIS client**: some tasks were inhibited because the user - despite it was **logged-in locally** on the physical machine - it was considered **non interactive** one.

One symptom can be the following error message when you issue the **reboot** command into a terminal session:

<code>
Failed to set wall message, ignoring: Interactive authentication required.
Failed to power off system via logind: Interactive authentication required.
Failed to open initctl fifo: Permission denied
Failed to talk to init daemon.
</code>

Using the command **systemctl reboot -i** does not work either, producing the following error:
</code>

<code>
==== AUTHENTICATING FOR org.freedesktop.login1.reboot-multiple-sessions ===
Authentication is required for rebooting the system while other users are logged in.
</code>

Choosing to reboot or poweroff from the various **desktop applets** produces instead just a **session close**.


It turned out that the **[[https://wiki.debian.org/PolicyKit|PolicyKit]]** authorization manager is enabled, according to the default policies that problematic tasks are reserved to **local users** only, whereas users **authenticated by the NIS** server are considered somehow remote.

One solution is to create a file on the NIS client, name **/var/lib/polkit-1/localauthority/50-local.d/10-nis-users.pkla**. The ''/var/lib/polkit-1/localauthority/'' directory is intended for 3rd party packages, the ''50-local.d'' subdirectory is intended for local usage.

<file>
[Allow Printer administration for NIS users]
Identity=unix-group:lpadmin;unix-group:adm
Action=org.opensuse.cupspkhelper.mechanism.*
ResultAny=yes

[Allow halt power-off and reboot for NIS users]
Identity=unix-group:adm
Action=org.freedesktop.login1.halt*;org.freedesktop.login1.power-off*;org.freedesktop.login1.reboot*
ResultAny=yes
</file>

To make the new policy effective, issue the command:

<code>
systemctl restart polkit.service
</code>

The syntax of the file is explained into the **[[https://www.freedesktop.org/software/polkit/docs/0.105/pklocalauthority.8.html|pklocalauthority man page]]**.

First of all usint the **Identity** option we select the users interested into that policy. For managing printers we required the user to belong to the **lpadmin** and **adm** groups. The first group is the standard Debian group to manage printers, whereas the **adm** group is an arbitrary group assigned to some users by the NIS server (see the page **[[https://wiki.debian.org/SystemGroups|Debian system groups]]**). In our case the groups are determined by the NIS server, via the **/var/yp/ypfiles/group** file.

For the **Action** part we had to discover the name of the printer management and the poweroff/halt/reboot. You can use the **pkaction** command and browse its output; also searching on the Net is a big resource. The **org.opensuse.cupspkhelper.mechanism.** is OpenSUSE and Ubuntu specific (I don't have it in my Debian box):

<code>
pkaction | grep cupspkhelper
org.opensuse.cupspkhelper.mechanism.all-edit
org.opensuse.cupspkhelper.mechanism.class-edit
org.opensuse.cupspkhelper.mechanism.devices-get
org.opensuse.cupspkhelper.mechanism.job-edit
org.opensuse.cupspkhelper.mechanism.job-not-owned-edit
org.opensuse.cupspkhelper.mechanism.printer-enable
org.opensuse.cupspkhelper.mechanism.printer-local-edit
org.opensuse.cupspkhelper.mechanism.printer-remote-edit
org.opensuse.cupspkhelper.mechanism.printer-set-default
org.opensuse.cupspkhelper.mechanism.printeraddremove
org.opensuse.cupspkhelper.mechanism.server-settings
</code>

For the reboot/poweroff/halt etc we have the following PolKit nodes:

<code>
org.freedesktop.login1.halt
org.freedesktop.login1.hibernate
org.freedesktop.login1.power-off
org.freedesktop.login1.reboot
org.freedesktop.login1.suspend
</code>

each of them have some sub-actions:

<code>
pkaction | grep org.freedesktop.login1.power-off
org.freedesktop.login1.power-off
org.freedesktop.login1.power-off-ignore-inhibit
org.freedesktop.login1.power-off-multiple-sessions
</code>

Finally the problem-solving option is **ResultAny**, which means that the policy is applicable for users logged-in in any status. The default policy is instead something like this:

<code>
ResultAny=no
ResultInactive=no
ResultActive=yes
</code>