'Unlock' button in admin utilities greyed out

If it matters:
-$ apt-cache policy policykit-gnome
policykit-gnome:
  Installed: 0.7-2ubuntu1
  Candidate: 0.7-2ubuntu1
  Version table:
 *** 0.7-2ubuntu1 0
        500 http://us.archive.ubuntu.com hardy/main Packages
        100 /var/lib/dpkg/status

Have you checked /etc/hosts. With hardy, the initial entry was something like:

127.0.0.1 localhost
127.0.1.1 aaa.bbb.com

when it should be

127.0.0.1 localhost
127.0.1.1 aaa.bbb.com <name of machine, e.g. ubuntu>

This solved it for me.

Thanks for the comment. Here's my /etc/hosts:

-$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 jake

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

If it doesn't work try to change it e.g. to

127.0.0.1 localhost
127.0.1.1 jake jake

or

127.0.0.1 localhost
127.0.1.1 jake localhost

or sth. similar.

... although to be safe I'd rather declare a domain as showed previously, e.g.

127.0.0.1 localhost
127.0.1.1 aaa.bbb.com jake

Playing with the hosts file is not for the faint-hearted ...

Somebody says

127.0.0.1 localhost <machinename>
127.0.1.1 <machinename>

works well. (https://bugs.launchpad.net/bugs/194496).

So it would be:

127.0.0.1 localhost jake
127.0.1.1 jake

I've found that this happens only when I connect to the Ubuntu machine using NX (with the "Desktop" setting set to Unix -> GNOME). If I log in locally or use the "Shadow" option of NX that connects to an existing console session, the unlock button works fine.

Through NX I get the same "Unable to look up session information for process" error when I launch network-admin from a terminal (I haven't tried users-admin) and have the "Unlock" button greyed out. Also, the /etc/hosts suggestions above didn't help me (although I tried them before trying to use network-admin locally, so it's possible that the hosts changes *and* logging in locally fixed it...).

Unfortunately the /etc/hosts modification had no effect. :(

*bump*

This bug also occurs when using LTSP as an administrator logged in from a thin client and not directly at the console.

I've come accross the same bug with freenx. I guess somehow gtk or gnome initialization fails. E.g. time-admin gives the following error message when started from a freenx desktop within a shell:

** (time-admin:6522): CRITICAL **: Unable to lookup session information for process '6522'

The error does not show up when time-admin ist run from a local gnome desktop. The behaviour is quite annoying as most of server administration comes remotely.

Hi,

The ltsp/NX problem is in bug 219473.

Thanks,

James

Is there really no fix for this problem? For a month now I can't use any of the Ubuntu admin utilities. This is very frustrating! :(

*bump*

i'm puzzled why this bug still has an "undecided" status.

i've tried a number of upgrades from gutsy to heron, and heron basically is unusable for many things because of this. the defaults for policykit seem to be totally wrong when upgrading from gutsy. so no wifi, no time setting, no auto-mount of external usb devices... all the things that used to work perfectly in gutsy stop working due to silly authentication errors, usually with no error message at all.

of course, i can connect to wifi with iwconfig and set time and mount devices from the command line, but that's hardly the point.

could you run "polkit-auth --show-obtainable" and "ck-list-sessions" and copy the logs to the bug?

sebastien bacher wrote:

> could you run "polkit-auth --show-obtainable" and "ck-list-sessions" and copy the logs to the bug?

ok, i ran it with the default /etc/PolicyKit/PolicyKit.conf file...
[....header comments.....]

<!-- See the manual page PolicyKit.conf(5) for file format -->

<config version="0.1">
    <match user="root">
        <return result="yes"/>
    </match>
</config>

$ polkit-auth --show-obtainable
org.gnome.clockapplet.mechanism.settimezone
org.freedesktop.policykit.read
org.freedesktop.policykit.revoke
org.freedesktop.hal.power-management.shutdown-multiple-sessions
org.freedesktop.hal.power-management.reboot-multiple-sessions
org.freedesktop.hal.storage.mount-fixed
org.freedesktop.hal.storage.unmount-others
org.freedesktop.hal.storage.crypto-setup-fixed

$ ck-list-sessions
Session1:
 uid = '1000'
 realname = 'Rishab Aiyer Ghosh,,,'
 seat = 'Seat1'
 session-type = ''
 active = TRUE
 x11-display = ':0'
 x11-display-device = '/dev/tty7'
 display-device = ''
 remote-host-name = ''
 is-local = TRUE
 on-since = '2008-06-08T22:27:08Z'

i did this after i'd tried to enable various things from polkit-gnome-authorization, by explicitly granting my user rights. i had to run polkit-gnome-authorization using sudo, or i couldn't change anything at all... not that anything _should_ have required changing, since most things, including time change, manage system configuration, were already set to implicit authorization for admin authentication. "mount file systems from removable devices" was also already set to implicit Yes for the active console without requiring authentication. anyway, adding myself explicitly to the authorize list made no difference. note that it says hal mount-fixed is obtainable not mount-removable, which is presumably already allowed.

if i try to change /etc/PolicyKit/PolicyKit.conf to explicitly authorize me (user rishab) and also the hal mount-removable:
<!-- See the manual page PolicyKit.conf(5) for file format -->

<config version="0.1">
    <match user="root|rishab">
        <return result="yes"/>
    </match>
    <define_admin_auth group="admin"/>
    <match action="org.freedesktop.hal.storage.mount-removable">
 <return result="yes"/>
    </match>
</config>

now, "polkit-auth --show-obtainable" does nothing, presumably because everything is allowed.

i can now edit the wifi configuration, set date etc with no authentication, which is not really a safe situation. so i'll probably go back to the previous PolicyKit.conf, especially since even with this change hal still doesn't auto-mount (the drives show up in dmesg fine).

i also saw somewhere (not sure where, this polkit/hal problem seems to have been going on many threads) a suggestion to add to hal.conf:
  <policy group="plugdev">
    <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
    <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
  </policy>

i couldn't see the point of it since the hal.conf default context already allows these actions, but added it anyway, to no effect.

On Mon, 2008-06-09 at 09:09 +0000, rishab wrote:
> sebastien bacher wrote:
>
> > could you run "polkit-auth --show-obtainable" and "ck-list-sessions"
> and copy the logs to the bug?
>
> ok, i ran it with the default /etc/PolicyKit/PolicyKit.conf file...
> [....header comments.....]
>
> <!-- See the manual page PolicyKit.conf(5) for file format -->
>
> <config version="0.1">
> <match user="root">
> <return result="yes"/>
> </match>
> </config>
>

Hi,

If you add the line

  <define_admin_auth group="admin"/>

to this file (just under </match>) do you get a change in behaviour?

Also, can you confirm that your user is in the "admin" group? (Running
"groups" on the command line will list all groups you are a member of).

Thanks,

James

did you install a debian policykit version or something? it's weird that your configuration doesn't list the admin group where it should

no debian policykit. it was installed with hardy. it was just an upgrade from up-to-date gutsy to hardy. but there's lots of weird stuff with the upgrade, which (like with the upgrade to gutsy from feisty before) doesn't update many config settings, the menu bar, etc. and there seems no way to get a "standard config".

my user was not in the admin group. in fact, no user was. instead, it was in the "adm" group. i added it to the admin group. but

i'm not quite sure what's changed, since i've been trying many things, but although the PolicyKit.conf file looks the same (no "admin" line) now things that need a password to "unlock" seem to be working (network-admin and users-admin, for instance, and time change). i.e. "unlock" doesn't freeze and return with an error. i can't figure out why. these also work the same way for another user i created that's _not_ in the admin group.

adding the <define_admin_auth> line to PolicyKit.conf seems to make no difference either way.

also, running users-admin or network-admin with sudo still has a greyed-out "Unlock" button and gives the error " ** (users-admin:11074): CRITICAL **: Unable to lookup session information for process '11074'" (i.e. it can't look up session info for itself!). however, since PolicyKit inexplicably now prompts for the password instead of freezing when i press unlock after running the command without sudo, there's no need to run it with sudo.

$ polkit-auth --show-obtainable
org.freedesktop.systemtoolsbackends.set
org.freedesktop.systemtoolsbackends.self.set
org.gnome.clockapplet.mechanism.settimezone
org.gnome.clockapplet.mechanism.settime
org.gnome.clockapplet.mechanism.configurehwclock
org.freedesktop.policykit.read
org.freedesktop.policykit.revoke
org.freedesktop.policykit.grant
org.freedesktop.policykit.modify-defaults
org.freedesktop.hal.power-management.shutdown-multiple-sessions
org.freedesktop.hal.power-management.reboot-multiple-sessions
org.freedesktop.hal.storage.mount-fixed
org.freedesktop.hal.storage.unmount-others
org.freedesktop.hal.storage.crypto-setup-fixed

the difference between the previous output is only because i went and revoked all permissions i'd explicitly granted to my user "rishab" so there are a few more "obtainable" items.

i think there must be a problem with how PolicyKit is set up to check console activity, since the external USB drive installation was always authorised for the active console. hal detects the device fine, just doesn't auto-mount:

$ hal-device

0: udi = '/org/freedesktop/Hal/devices/volume_uuid_D207_0B13'
  volume.partition.type = '0x06' (string)
  volume.partition.label = '' (string)
  volume.partition.uuid = '' (string)
  volume.partition.flags = { 'boot' } (string list)
  volume.ignore = false (bool)
  linux.hotplug_type = 3 (0x3) (int)
  storage.model = '' (string)
  org.freedesktop.Hal.Device.Volume.method_names = { 'Mount', 'Unmount', 'Eject' } (string list)
  info.product = 'PKBACK# 001' (string)
  org.freedesktop.Hal.Device.Volume.method_signatures = { 'ssas', 'as', 'as' } (string list)
  info.capabilities = { 'volume', 'block' } (string list)
  info.udi = '/org/freedesktop/Hal/devices/volume_uuid_D207_0B13' (strin...

Sorry for the delay - I've been on travel for several weeks and just now am getting back to troubleshooting this.

Per Sebastien Bacher's suggestion:

$ polkit-auth --show-obtainable
<doesn't output anything>

-$ ck-list-sessions
<doesn't output anything>

-$ cat /etc/PolicyKit/PolicyKit.conf
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">

<!-- See the manual page PolicyKit.conf(5) for file format -->

<config version="0.1">
    <match user="root">
        <return result="yes"/>
    </match>
    <define_admin_auth group="admin"/>
</config>

I ran network-admin with dbus-monitor running. I'm not sure if this offers any useful information, but here's the output:

signal sender=org.freedesktop.DBus -> dest=(null destination) path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameOwnerChanged
   string ":1.119"
   string ""
   string ":1.119"
method call sender=:1.119 -> dest=org.freedesktop.DBus path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=Hello
signal sender=org.freedesktop.DBus -> dest=(null destination) path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameOwnerChanged
   string ":1.120"
   string ""
   string ":1.120"
method call sender=:1.120 -> dest=org.freedesktop.DBus path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=Hello
method call sender=:1.120 -> dest=org.gtk.vfs.Daemon path=/org/gtk/vfs/mounttracker; interface=org.gtk.vfs.MountTracker; member=listMountableInfo
method return sender=:1.8 -> dest=:1.120 reply_serial=2
   array [
      struct {
         string "ftp"
         string "ftp"
         array [
         ]
         int32 21
         boolean true
      }
      struct {
         string "archive"
         string "archive"
         array [
         ]
         int32 0
         boolean false
      }
      struct {
         string "burn"
         string "burn"
         array [
         ]
         int32 0
         boolean false
      }
      struct {
         string "computer"
         string "computer"
         array [
         ]
         int32 0
         boolean false
      }
      struct {
         string "dav"
         string "dav"
         array [
         ]
         int32 0
         boolean false
      }
      struct {
         string "cdda"
         string "cdda"
         array [
         ]
         int32 0
         boolean false
      }
      struct {
         string "dns-sd"
         string "dns-sd"
         array [
         ]
         int32 0
         boolean false
      }
      struct {
         string "obex"
         string "obex"
         array [
         ]
         int32 0
         boolean false
      }
      struct {
         string "network"
         string "network"
         array [
         ]
         int32 0
         boolean false
      }
      struct {
         string "smb-share"
         string "smb"
         array [
         ]
         int32 0
         boolean false
      }
      struct {
         string "localtest"
         string "localtest"
         array [
         ]
         int32 0
         boolean false
      }
      struct {
         string "http"
         string "http"
         array [
         ]
         int32 0
         boolean false
      }
      struct {
         string "trash"
         string "trash"
         array [
         ]
         int32 0
         boolean false
      }
      struct {
         string "smb-server"
         string "smb"
         array [
         ]
         int32 0
         boolean false
      }
      struct {
         string "smb-network"
         string "smb"
         array [
         ]
         int32 0
         boolean false
      }
      struct {
         string "sftp"
         string "sftp"
         array [
            string "ssh"
         ...

there is something broken about your installation and that's not due to gnome-system-monitor, the comments show that you have no active consolekit session, what login manager do you use?

do you use non local applications? that could be bug #183673 or similar

Here's my output of the same:

root@www:~# polkit-auth --show-obtainable
[WARN 26160] kit-hash.c:206:kit_hash_insert(): key != NULL
 Not built with -rdynamic so unable to print a backtrace
[WARN 26160] kit-hash.c:294:kit_hash_lookup(): key != NULL
 Not built with -rdynamic so unable to print a backtrace
...and about 75 more lines of this.

root@www:~# ck-list-sessions
Session57:
 uid = '1004'
 realname = 'Real Username 1'
 seat = 'Seat57'
 session-type = ''
 active = TRUE
 x11-display = 'localhost:10.0'
 x11-display-device = ''
 display-device = '/dev/pts/0'
 remote-host-name = 'ws1-015'
 is-local = FALSE
 on-since = '2008-07-02T11:39:58Z'
Session58:
 uid = '1004'
 realname = 'Real Username 1'
 seat = 'Seat58'
 session-type = 'ck-launch-sessi'
 active = FALSE
 x11-display = 'localhost:11.0'
 x11-display-device = ''
 display-device = ''
 remote-host-name = ''
 is-local = FALSE
 on-since = '2008-07-02T11:39:59Z'
Session70:
 uid = '1059'
 realname = 'Real Username 2'
 seat = 'Seat70'
 session-type = ''
 active = TRUE
 x11-display = 'localhost:24.0'
 x11-display-device = ''
 display-device = '/dev/pts/10'
 remote-host-name = 'ws0-160'
 is-local = FALSE
 on-since = '2008-07-02T14:38:29Z'

...and 10 or 15 more users (All on LTSP terminals)

root@www:~# cat /etc/PolicyKit/PolicyKit.conf
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">

<!-- See the manual page PolicyKit.conf(5) for file format -->

<config version="0.1">
    <match user="root">
        <return result="yes"/>
    </match>
    <define_admin_auth group="admin"/>
</config>

Hi Michael,

Your problem seems to be the same as bug 219473.

Thanks,

James

Hi Sebastien,

I actually don't use any login manager. I start X simply using 'startx'.

-$ cat ~/.xinitrc
gkrellm &
exec dbus-launch --exit-with-session gnome-session

that's likely the reason why that's not working, nothing is setting the session correctly

Yeah if I run 'sudo /etc/init.d/gdm start' from the console, everything works OK with PolicyKit/ConsoleKit.

Now I'm trying to remember how I disabled gdm in the first place so I can have it start up automatically when I boot up the computer.

Alternatively, maybe there's a way to do it with .xinitrc?

Thanks,
Adam

On Wed, 2008-07-02 at 16:53 +0000, irotas wrote:
> Yeah if I run 'sudo /etc/init.d/gdm start' from the console, everything
> works OK with PolicyKit/ConsoleKit.
>
> Now I'm trying to remember how I disabled gdm in the first place so I
> can have it start up automatically when I boot up the computer.
>
> Alternatively, maybe there's a way to do it with .xinitrc?

Hi,

You may want to use the "ck-launch-session" command to start a
consolekit session in your .xinitrc. At a guess

  exec ck-launch-session dbus-launch --exit-with-session gnome-session

may do what you want.

Otherwise working out how you disabled gdm may be easier.

Thanks,

James

OK I re-enabled gdm using 'System --> Administration --> Services' and now it starts up automatically when my system boots up. This gives me a workaround so that my admin utilities now allow me to authenticate with the 'Unlock' button. However, I would still like to know how to fix the bug without using gdm.

Thanks again for all your help!

This bug hit me with a fresh installation of Ubuntu Hardy and 2 things were noticeable:

1. USB volumes did not automount (that includes iPods and stuff)
2. all the *-admin utilities would not allow me to authenticate. The button was just gray-out.

To fix this I did:

1. start in single-user-mode
2. dpkg --force-all -P policykit-gnome
3. mv /var/lib/PolicyKit/user-haldaemon.auths /root
4. rm -fr /var/lib/PolicyKit/
5. apt-get --reinstall install policykit-gnome consolekit
6. mv /root/user-haldaemon.auths /var/lib/PolicyKit/
7. make sure /etc/hosts matches my hostname correctly for 127.0.x.x IP
8. make sure that the content of /etc/PolicyKit/PolicyKit.conf was:
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">

<!-- See the manual page PolicyKit.conf(5) for file format -->

<config version="0.1">
    <match user="root">
        <return result="yes"/>
    </match>
    <define_admin_auth group="admin"/>
</config>

After this everything worked fine.

Hopefully this will help somebody out there. And please make sure this does not happen as this is very annoying and hard to troubleshoot.

On Wed, 2008-07-09 at 15:18 +0000, LuisMondesi wrote:
> This bug hit me with a fresh installation of Ubuntu Hardy and 2 things
> were noticeable:
>
> 1. USB volumes did not automount (that includes iPods and stuff)
> 2. all the *-admin utilities would not allow me to authenticate. The button was just gray-out.

Hi,

Thanks for looking at it. Do you know what it was that was
stopping it from working prior to the fixes you made?

Did you have to modify /etc/hosts or /etc/PolicyKit/PolicyKit.conf,
or were they already correct?

Thanks,

James

Hi,

Apparently this is a problem with consolekit being
able to look-up the XDG_SESSION_COOKIE.

Could someone who has the problem and gets the message
'Unable to lookup session information for process' please run
"users-admin" from a terminal, and then "cat /proc/<number>/environ"
where "<number>" is the number printed at the end of the error
message, and then attach the output to the bug?

Also, could you run "echo $XDG_SESSION_COOKIE" from the terminal
and report any output here.

Thanks,

James

This is on Hardy Heron, from an LTSP terminal. I ran sudo users-admin and received the message:

** (users-admin:15898): CRITICAL **: Unable to lookup session information for process '15898'

In a separate terminal, I looked up in the information:

MYUSERNAME@www:~$ sudo cat /proc/15898/environ
[sudo] password for MYUSERNAME:
TERM=xtermLS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.svgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/binMAIL=/var/mail/MYUSERNAMELANG=en_US.UTF-8HOME=/home/MYUSERNAMEDISPLAY=192.168.1.15:6.0COLORTERM=gnome-terminalSHELL=/bin/bashLOGNAME=rootUSER=rootUSERNAME=rootSUDO_COMMAND=/usr/bin/users-adminSUDO_USER=MYUSERNAMESUDO_UID=1004SUDO_GID=1004

Thanks James,
 Michael

Confirming. I can reproduce this on Hardy and there are duplicates.

I have experienced this bug both on 8.04 Hardy and still on 9.04 Jaunty.
Administrator cannot unlock System->Administration->Users & Groups while login in from a remote desktop such as XDMCP or NX.

We are evaluating Linux solutions with remote desktops & thin clients.
This bug is very serious for us since it stops the possibility for many people to use Ubuntu on business enterprise envinronments.