xRDP – Can’t unlock users settings in Ubuntu 23.10

Hello World,

Since Ubuntu 23.10 has been released recently, we are also discovering the new features that come with it. In the past, we published a post about adding users in Ubuntu when remotely connected. You should know by now that local sessions and remote sessions are treated differently by polkit and that some exceptions might need to be implemented. Before Ubuntu 23.10, you would follow the instructions in xRDP – System Policy prevents changes when trying to add user in Remote Session to allow remote users to manage users through the GUI.

In Ubuntu 23.10, this approach is not valid anymore. Indeed, as mentioned in our previous post xRDP – Some Behavior Changes in Ubuntu 23.10, the Polkit engine has been upgraded to a more recent version and the way to create exceptions has slightly changed in Ubuntu 23.10. We wrote this post because more and more people complain that the previous instructions are not working anymore on Ubuntu 23.10.

So, let’s quickly update the instructions…. 

Overview

As mentioned earlier, Ubuntu 23.10 ships with a more recent version of the Polkit engine. Previous versions of Ubuntu were using an outdated version of the Polkit engine and you would need to create pkla files in order to bypass or tweak the polkit default behavior. In Ubuntu 23.10, one of the latest versions of Polkit is used. This means that the old pkla format cannot be used anymore. Instead, a new file format needs to be used.

To be more precise, run the following command from a Terminal console

pkaction --version

If the version of Polkit is < 0.106, you need to create a .pkla file (and not a .conf file).


If the version of Polkit is equal to or greater than 0.106, you need to create a .rules file on your Ubuntu 23.10 system.
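The version test described above, written as a shell helper. This is an added example and not part of the original post; the function name polkit_override_format is hypothetical. It goes slightly beyond the text by also handling the newer Polkit numbering (121, 122, 123, ...), which dropped the "0." prefix after 0.120.

```shell
#!/bin/sh
# Added example: decide which override format this Polkit version reads.
# polkit_override_format is a hypothetical helper name.
polkit_override_format() {
    # Accept raw "pkaction --version" output or a bare version string.
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*$/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo unknown; return 1; }

    major=${ver%%.*}
    case $ver in
        *.*) minor=${ver#*.}; minor=${minor%%.*} ;;
        *)   minor=0 ;;
    esac

    # 0.105 and older: .pkla files. 0.106 and newer: JavaScript .rules files.
    # A major number of 1 or more (121, 123, ...) is always newer than 0.106.
    if [ "$major" -ge 1 ] || [ "$minor" -ge 106 ]; then
        echo rules
    else
        echo pkla
    fi
}

# Report the format for the local machine when pkaction is installed.
if command -v pkaction >/dev/null 2>&1; then
    polkit_override_format "$(pkaction --version)"
fi
```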

Now that you know that Ubuntu 23.10 ships with a different version of the Polkit engine, we can describe how to create an exception rule in order to add or remove users from the GUI when remotely connected to your machine via the xRDP software.

The new way ! 

Disclaimer

This guide and associated instructions are provided AS IS.  Use it at your own risk !!! 

Problem description

In our scenario, we are using a computer running Ubuntu 23.10. We have installed the xRDP software package using our famous xrdp-installer script (https://www.c-nergy.be/products.html). Using the xRDP software, we are able to perform a remote connection to our Ubuntu 23.10 machine. So far, everything works as expected.

It’s time for us to add a user on the system. To perform this action, we open the System Settings and locate the Users section. As shown in the screenshot, you need administrative rights to be able to add users to the system. So far, the behavior of local and remote sessions is identical.

In the remote session, if you click on the unlock button, nothing will happen. No authentication prompt will be displayed. Nothing will show up. To enable this function, we need to tell Polkit that this action can be performed while remotely logged on…. keep reading  🙂

Solution : Create your custom rules

Create your custom .rules file

To allow the addition of users on your system via a remote session, we will need to create a text file under /etc/polkit-1/rules.d/. You need administrative privileges in order to write to this location! The name of the file can be anything. We will be creating the text file 50-allow-useradmin.rules in this directory.

To create our exception rule file, we have used the following command and code

sudo bash -c "cat >/etc/polkit-1/rules.d/50-allow-useradmin.rules" <<'EOF'
/* ----Allow user administration in remote Desktop------- */
polkit.addRule(function(action, subject) {
    if ((action.id == "org.gnome.controlcenter.user-accounts.administration") &&
        subject.isInGroup("sudo")) {
        return polkit.Result.YES;
    }
});
EOF

Note that our exception file states that a user who is part of the sudo group will be able to add users. A user who is not part of the sudo group will not be able to perform the change. If needed, you can change the group to be used. This is up to you. In the screenshot below, we have used the group users. This means that any user will be able to add users to your system.


Note :

We think that it’s better to limit who can do this operation on a managed Ubuntu machine. This is why we would recommend using the group sudo instead of the users group. But again, the choice is up to you…
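To check which rule files hand out this kind of password-less access and to which groups, the following added example (not part of the original post) lists every .rules file that returns polkit.Result.YES. The function name audit_yes_grants is hypothetical, and the check is a text match on the file, not a JavaScript parser.

```shell
#!/bin/sh
# Added example: list Polkit rules that grant an action without a password.
# audit_yes_grants is a hypothetical helper; it matches text only.
audit_yes_grants() {
    dir=${1:-/etc/polkit-1/rules.d}
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        # Only rules that return YES skip the authentication prompt.
        grep -q 'polkit\.Result\.YES' "$f" || continue
        # Collect every group named in an isInGroup("...") test.
        groups=$(grep -o 'isInGroup("[^"]*")' "$f" |
                 sed 's/^isInGroup("//; s/")$//' | sort -u | tr '\n' ',')
        groups=${groups%,}
        # Characters 6 and 9 of the ls mode string are group and other write.
        mode=$(ls -ld "$f" | cut -c6,9)
        case ",$groups," in
            ,,)        verdict="REVIEW no-group-check" ;;
            *,users,*) verdict="REVIEW broad-group" ;;
            *)         verdict="OK restricted" ;;
        esac
        # A rule file writable by group or others can be changed by non-root.
        case $mode in *w*) verdict="REVIEW writable-file" ;; esac
        printf '%s %s %s\n' "${f##*/}" "${groups:--}" "$verdict"
    done
}

# Audit the default directory, or the directory given as first argument.
audit_yes_grants "$@"
```

Each output line holds the file name, the groups found, and a verdict; reading /etc/polkit-1/rules.d may require root.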

After the file has been created, you could also restart the polkit engine (but we do not think that this is required).  The changes are recognized almost immediately. 


You are ready to try your configuration….. 

Testing your new rule 

Again, you have to perform a remote connection to your Ubuntu machine. Open the System Settings again and find the Users section. Since the custom rule has been implemented, if you open the applet used to add users, you will see that nothing is preventing you from adding users as required.

Additional information

Using the code above, you will be able to add users when remotely connected to your Ubuntu machine. You will notice that no password prompt is required to perform this action. Normally, you could modify the exception rules and set multiple control levels. The code below should prompt for a password… However, this code does not seem to work !!!  If time permits, we will investigate a little bit further

sudo bash -c "cat >/etc/polkit-1/rules.d/50-allow-useradmin.rules" <<'EOF'
/* ----Allow user administration in remote Desktop------- */
polkit.addRule(function(action, subject) {
    if ((action.id == "org.gnome.controlcenter.user-accounts.administration")
        && subject.isInGroup("sudo")) {
        return polkit.Result.AUTH_ADMIN;
    }
});
EOF

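If you really want to have the same behavior in console and remote sessions, you can also edit the actions file shown below. Note that this file is installed by a package, so an update may overwrite your change. The file is located in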

/usr/share/polkit-1/actions/org.gnome.controlcenter.user-accounts.policy

This file contains the following code by default (this is just an extract of the file)

(...)
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.accounts.us> 
 (...)

To achieve the same behavior, you would need to update the file with this code 

(...)
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.accounts.us> 
 (...)

 

Another option : the command line 

As a side note, it’s always possible to create a user account remotely or locally using the command line tool “adduser”. If you use the command line approach, there is no need to create a custom rule file and no need to modify the polkit configuration….

To create a user via the command line, you simply need to issue the following command in a Terminal session

sudo adduser <%UserName%>

You will be prompted for a password. Provide the password and answer the questions asked by the utility and you will see that your account will be created accordingly

Final Notes

This is it for this post ! 

Since Ubuntu 23.10 has updated the Polkit engine, we need to adapt the procedure we used to know and replace the old pkla files with the new .rules format to allow specific actions when remotely connected to our Ubuntu machine. So, it’s relatively easy to configure your system to allow users to create user accounts through the graphical interface when remotely connected using the xRDP software. At first, it can look strange that a user does not have the same authorization rules when logged on locally and when logged on remotely. But when you understand what’s causing the behavior (i.e. Polkit technology), you can configure your system accordingly and create some exceptions to allow actions when remotely connected.

We hope that this information might be useful to you.

Till next time 

See ya  
