Hi all, Just playing around with my setup that consists of two FreeIPA domain controllers on CentOS6.3 so the version of FreeIPA in use there is 2.2.0
So now after setting up my test laptop with Fedora 17 I proceeded to do an client installation and it seems freeipa-client version on F17 is also 2.2.0 but such things as sudo and sssd are much more recent than on CentOS. This caused few grey hairs until I got the sudo configuration to work by manipulating sssd.conf. Now that my user provisioned in FreeIPA domain can logon to my laptop, use sudo etc to install software I noticed a one little issue with policykit + packagekit combination. When through X I try to install an RPM package or do anything that requires admin rights it keeps asking for the root users password and not my sudo enabled FreeIPA users. If I have understood correctly packagekit advertises its request for admin rights through dbus to policykit which reads its policy files for matching description about the request. In this case the file seems to be: /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy In this policy file there is a lot of stuff which at this point makes no sense to me at all except that I guess that the lines: <allow_active>auth_admin</allow_active> describe that policykit should require user to enter an administrative level users password. Now on basic F17 installation where after first boot you create your first normal user account and give it an password there is an checkbox for "Administrator" or something similar which seems to add this user to be created in "wheel" and "adm" posix groups. When policykit requires an administrative users password it asks for this local users password if it is member of those groups (I guess) and if not it asks for the root users password. However when I add my FreeIPA user to the adm and wheel groups (silly since my sudo rules in FreeIPA give me already a full sudo rights) policykit does not seem to make a sense out of this situation and keep asking for the root users password. Now after all this bad english and a load of factual errors the actual question is: What needs to be configured and how to make FreeIPA provisioned user to be "local administrator" in policykits mind? If this is at all possible in current stage of development... p.s. I use an PackageKit here as an example target for the PolicyKit but I guess that anything to do with process rights elevation through PolicyKit is affected - not just the PackageKit application. -- Antti Peltonen | Homo sapiens | planet Earth email antti.pelto...@iki.fi irc BCOW @ IRCNet | Twitter @BrainCOW "Ars longa, vita previs."
_______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users