Mate and permissions for AD groups

Hello everybody! We're trying to use Mate in an MS AD environment. We joined the domain (realm, sssd, all is fine). But there is a big question with administrative rights for domain users and groups.

In terminal all OK - /etc/sudoers helps us. But in Mate?

Is there any way to add domain group to administrators of Mate? So that logging user of this group has administrative rights in Mate?

1 Like

Hello, @Scamp and welcome to the Ubuntu MATE Community!

A person with sudo privileges is an administrator in terminal session or not. GUI desktop environment does not change the fact. There is no caste of Mate administrators.

sudoers file format allows granting permission to a group.

I.e. the actual question is which groups (if any) AD admins receive automagically when they log in. Frankly, I do not remember the answer. I vaguely remember that group membership manipulations required realm and/or nsswitch manipulations.

2 Likes

I added AD group to sudoers file. Then I login by AD user in this group into Mate, run terminal, run something about sudo rm / and it worked. User in sudoers, OK.

But when I want, for example, to change time settings in Mate, it requires to elevate.

1 Like

Ok. There is a possibility, that standard Mate priv.elevation toolkit fails on AD users. To verify this hypothesis you may want to login as local sudoer and repeat the attempt.

Another possibility is that the fault is inherent to time applet only. Networking settings are worth to be tried as well. BTW, Synaptic explicitly asks for sudoer's password. How would it behave?

2 Likes

Eugene, is it possible that what @Scamp is facing is a scenario where he needs to "launch" using the pkexec such as for MATE Terminal, per the following example:

pkexec mate-terminal --geometry=120x28+0+275 -e "nice -n -19 bash"

If I understand correctly, he could drop a specific instance of the launcher, for any of the tools he needs that Admin privilege for, onto his Panel and edit the "Command", in the same manner as we see here below:

I have two such instances of Launchers with, and without, pkexec: Mate-Terminal and Caja.

1 Like

User and admin rights in Mate is something strange for me.

For example: I created local user, without sudo rights. Then I login Mate. And I can edit network settings! When I try to change system time settings, or add user in user manager, I need privileges and password of root or admin user.

OK, I add this user in sudoers, in terminal sudo works fine. In Mate I have exactly the same situation: can change network, can't change system time and users in Mate user manager.

I need any mechanism to grant defined local and domain users/groups full rights for the system. And no rights to change network settings and other to other users.

(Sorry for my english).

Actually, you are asking two questions.

Users/groups are granted unrestricted "root" access via sudo configuration. That is the final answer and there is no another option.

You see, Linux GUI DE is a bit strange beast. In a sense, it is a thin layer above conventional system. It is assembled from a number of components. And more often than not such the components may have alternative implementation.

As far as I remember, LMDE network configuration applet prohibited non administrative user from configuring network settings. And UM's Network Manager does not care. You may want to check another DE's behaviour or try replace Network Manager with another tool and investigate.

2 Likes

  1. How can it be true, if I login to Mate by user in sudoers, and I can't change a lot of things in GUI without knowing the root password? This user in Mate user manager tagged as “Standard”, non “admin”.

  2. Is there any documentation about it? Maybe it can be configured via dconf?

I opened POLKIT for myself! Will study it. :melting_face:

Looks like you have a lot to discover yet. First, as a security measure, Ubuntu has root account disabled. It is impossible to login as root at all. There is no root's password by default. Second, a sudoer enters his own password. Third, a user listed in sudoers has a privilege to execute sudo <something> command which in turn elevates <something>'s execution privileges. That is all about it. Except for the given case, a sudoer is an ordinary, regular user and does enjoy no special permissions.

1 Like

I don't use Ubuntu, I just don't know where else to ask about Mate. And I have root enabled.

Second and Third I know.

My question was “How to provide admin rights in Mate GUI to domain group”. I found answer - use polkit rules.

As Eugene said, if you give any user sudoer privilege, you essentially open up the entire system to that user, with NO restrictions.

However, there appears to be some customization of the system, which you can discover, if you enter the following "search string" in Google Search, the AI Assistant will outline a sequence which seems to be sudo only and no polkit usage:

how to restrict modification of network settings by sudoers on linux

There also appears to be more discussion on that approach in this StackExchange posting.

All that seems a bit too complex for me, so I am glad that I don't need to pursue anything of the sort.

But, that may be just what you need for your context!



If you insist on pursuing the polkit approach, you may wish to look over the process outlined by the following:

which seems to give a well documented process for using that approach and, if not, can offer some insights on the WHYs and WHEREFOREs.

:slight_smile:

1 Like
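
The polkit approach the thread arrives at, as an added example that is not from any of the posts: a rules file that makes an AD group the polkit administrators and requires administrator authentication for system network changes by everyone else, wrapped in a small Node stand-in so the logic can be dry-run offline. The group name, the choice of the two NetworkManager actions and the helper functions are assumptions made for illustration.

```javascript
// Added example. ADMIN_GROUP is a placeholder: use the AD group name as `getent group` prints it.
var ADMIN_GROUP = "linux-admins@example.com";
var NETWORK_ACTIONS = [
  "org.freedesktop.NetworkManager.settings.modify.system",
  "org.freedesktop.NetworkManager.network-control"
];

// Stand-in for the `polkit` object that polkitd provides. Needed only for the
// Node dry run; leave it out of the file placed in /etc/polkit-1/rules.d/.
var adminRules = [], rules = [];
var polkit = {
  Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin" },
  addAdminRule: function (fn) { adminRules.push(fn); },
  addRule: function (fn) { rules.push(fn); }
};

// ---- rules file content starts here ----
// Members of ADMIN_GROUP are administrators: auth_admin prompts accept their own password.
polkit.addAdminRule(function (action, subject) {
  return ["unix-group:" + ADMIN_GROUP];
});

// Anyone outside ADMIN_GROUP needs an administrator to authenticate before
// changing system network settings.
polkit.addRule(function (action, subject) {
  if (NETWORK_ACTIONS.indexOf(action.id) !== -1 && !subject.isInGroup(ADMIN_GROUP)) {
    return polkit.Result.AUTH_ADMIN;
  }
  // No return value: the action's own default from its .policy file applies.
});
// ---- rules file content ends here ----

// Dry-run helpers (hypothetical): the first rule that returns a value decides.
function makeSubject(user, groups) {
  return { user: user, isInGroup: function (g) { return groups.indexOf(g) !== -1; } };
}
function evaluate(actionId, subject) {
  for (var i = 0; i < rules.length; i++) {
    var result = rules[i]({ id: actionId }, subject);
    if (result !== undefined && result !== null) { return result; }
  }
  return "default";
}
function adminIdentities(actionId, subject) {
  for (var i = 0; i < adminRules.length; i++) {
    var ids = adminRules[i]({ id: actionId }, subject);
    if (ids) { return ids; }
  }
  return [];
}
```

JavaScript rules need polkit 0.106 or later, and the file name must sort before the distribution's own admin rule, because the first admin rule that returns a value is the one used.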