On Tue, Feb 26, 2019 at 10:35:55AM +0100, Davide Principi wrote:
> I faced a strange behavior with cockpit login and root privilege escalation
> but I can't say if it's a bug or not. I hope somebody can help me and shed
> some light on it!
This question would probably be better answered at the freeipa-users
mailing list:
https://lists.fedorahosted.org/admin/lists/freeipa-users.lists.fedorahosted.org/
We're probably going to ask for sssd debugging information:
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html
>
>
> **Steps to reproduce**
>
> - installed centos 7 minimal and cockpit 183, realmd and deps
> - joined AD (Windows Server 2012 R2) with realmd
> - added "default_domain_suffix = adnethesis.it" to sssd.conf, because I'd
> like to login without domain suffix
> - I put "[email protected]" into the wheel group so it can become
> root with pkexec or sudo
> - At cockpit login, set "Reuse my password for privileged tasks"
>
> The sssd.conf man page states about "default_domain_suffix":
>
> > The option allows those users to log in just with their user name without
> > giving a domain name as well
>
> Good, but the line below seems to contradict it:
>
> > Please note that if this option is set all users from the primary domain
> > have to use their fully qualified name, e.g. [email protected], to log in.
>
> ...I'm not sure my expectation is correct anymore (!)
>
This just means you need to use [email protected] to reach IPA users.
_______________________________________________
cockpit-devel mailing list -- [email protected]