On Tue, 2012-10-16 at 09:53 +0300, Antti Peltonen wrote:
> Hi all,
> Just playing around with my setup that consists of two FreeIPA domain
> controllers on CentOS6.3 so the version of FreeIPA in use there is
> So now after setting up my test laptop with Fedora 17 I proceeded to
> do a client installation and it seems the freeipa-client version on F17
> is also 2.2.0 but such things as sudo and sssd are much more recent
> than on CentOS. This caused a few grey hairs until I got the sudo
> configuration to work by manipulating sssd.conf.
> Now that my user provisioned in the FreeIPA domain can log on to my laptop,
> use sudo etc. to install software, I noticed one little issue with the
> policykit + packagekit combination. When through X I try to install an
> RPM package or do anything that requires admin rights it keeps asking
> for the root user's password and not my sudo-enabled FreeIPA user's.
> If I have understood correctly packagekit advertises its request for
> admin rights through dbus to policykit which reads its policy files
> for matching description about the request. In this case the file
> seems to
> be: /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
> In this policy file there is a lot of stuff which at this point makes
> no sense to me at all except that I guess that the
> lines: <allow_active>auth_admin</allow_active> describe that policykit
> should require the user to enter an administrative-level user's password.
> Now on a basic F17 installation where after first boot you create your
> first normal user account and give it a password there is a checkbox
> for "Administrator" or something similar which seems to add this user
> to be created in the "wheel" and "adm" posix groups. When policykit
> requires an administrative user's password it asks for this local user's
> password if it is a member of those groups (I guess) and if not it asks
> for the root user's password.
> However when I add my FreeIPA user to the adm and wheel groups (silly
> since my sudo rules in FreeIPA already give me full sudo rights)
> policykit does not seem to make sense of this situation and keeps
> asking for the root user's password.
Have you logged out and logged back in after you have done these
Changes to group membership do not take effect until the user logs out
and logs back in.
> Now after all this bad English and a load of factual errors the actual
> question is: What needs to be configured and how to make a FreeIPA
> provisioned user be "local administrator" in policykit's mind? If
> this is at all possible in the current stage of development...
It should make no difference where the user comes from, if it does it
would be most likely a policykit bug/limitation/'feature'
> p.s. I use PackageKit here as an example target for the PolicyKit
> but I guess that anything to do with process rights elevation through
> PolicyKit is affected - not just the PackageKit application.
Understood, have you asked on policykit related mailing lists as well by
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list
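
The policy-file layout the quoted message describes, as an added example that is not part of the original thread or of the polkit or PackageKit code: a small reader that lists which actions in a .policy file ask for administrator authentication. The action ids and the sample XML are constructed, and an element the file omits is reported as "unset" (a convention of this example). It shows only what a policy file declares, not which identities polkit accepts as administrators.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the polkit .policy layout (hypothetical action ids,
# not the contents of the real PackageKit policy file).
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.pkg.install">
    <description>Install a package</description>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
  <action id="org.example.pkg.refresh">
    <defaults>
      <allow_any>no</allow_any>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""

SESSION_KINDS = ("allow_any", "allow_inactive", "allow_active")
ADMIN_RESULTS = {"auth_admin", "auth_admin_keep"}

def implicit_authorizations(policy_xml):
    """Return {action id: {session kind: result}} for a policy document."""
    actions = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        actions[action.get("id")] = {
            # An element the file omits is reported as "unset".
            kind: (defaults.findtext(kind, "unset").strip()
                   if defaults is not None else "unset")
            for kind in SESSION_KINDS
        }
    return actions

def admin_gated(actions, kind="allow_active"):
    """Action ids that ask for an administrator for this session kind."""
    return sorted(a for a, d in actions.items() if d[kind] in ADMIN_RESULTS)

if __name__ == "__main__":
    # Pass a .policy path to inspect a real file; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POLICY
    actions = implicit_authorizations(data)
    for action_id in admin_gated(actions):
        print(action_id, actions[action_id])
```

Run against the policy file named in the message, it prints each action whose active-session default is auth_admin or auth_admin_keep.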