Just playing around with my setup that consists of two FreeIPA domain
controllers on CentOS6.3 so the version of FreeIPA in use there is 2.2.0
So now after setting up my test laptop with Fedora 17 I proceeded to do an
client installation and it seems freeipa-client version on F17 is also
2.2.0 but such things as sudo and sssd are much more recent than on CentOS.
This caused few grey hairs until I got the sudo configuration to work by
Now that my user provisioned in FreeIPA domain can logon to my laptop, use
sudo etc to install software I noticed a one little issue with policykit +
packagekit combination. When through X I try to install an RPM package or
do anything that requires admin rights it keeps asking for the root users
password and not my sudo enabled FreeIPA users.
If I have understood correctly packagekit advertises its request for admin
rights through dbus to policykit which reads its policy files for matching
description about the request. In this case the file seems to
In this policy file there is a lot of stuff which at this point makes no
sense to me at all except that I guess that the
lines: <allow_active>auth_admin</allow_active> describe that policykit
should require user to enter an administrative level users password. Now on
basic F17 installation where after first boot you create your first normal
user account and give it an password there is an checkbox for
"Administrator" or something similar which seems to add this user to be
created in "wheel" and "adm" posix groups. When policykit requires an
administrative users password it asks for this local users password if it
is member of those groups (I guess) and if not it asks for the root users
However when I add my FreeIPA user to the adm and wheel groups (silly since
my sudo rules in FreeIPA give me already a full sudo rights) policykit does
not seem to make a sense out of this situation and keep asking for the root
Now after all this bad english and a load of factual errors the actual
question is: What needs to be configured and how to make FreeIPA
provisioned user to be "local administrator" in policykits mind? If this is
at all possible in current stage of development...
p.s. I use an PackageKit here as an example target for the PolicyKit but I
guess that anything to do with process rights elevation through PolicyKit
is affected - not just the PackageKit application.
Antti Peltonen | Homo sapiens | planet Earth
irc BCOW @ IRCNet | Twitter @BrainCOW
"Ars longa, vita previs."
Freeipa-users mailing list