Did anybody manage to get a FreeIPA admin user (member of the admins group,
full sudo access, etc.) to also be a Cockpit user with administrative
privileges? I've already figured out that it's closely related to
Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
was not able to get a working configuration.

Some version / configuration details:
$ cat /etc/centos-release
CentOS Linux release 7.1.1503 (Core)

$ rpm -q ipa-client

$ rpm -q cockpit   # from sgallagh's COPR repository

$ rpm -q polkit

$ sudo ls /etc/polkit-1/rules.d/
40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules

$ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
polkit.addAdminRule(function(action, subject) {
    return ["unix-group:admins", "unix-group:wheel"];
});

$ sudo ls /etc/polkit-1/localauthority.conf.d/

$ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf

$ ipa user-show martin | grep groups
  Member of groups: trust admins, ipausers, admins, ...

Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
perform administrative tasks, cannot see journald, etc.

One thing that I thought might cause the issue is that pkexec is asking me
to select a user first, instead of asking/not asking for a password:
$ pkexec cockpit-bridge
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/usr/bin/cockpit-bridge' as the super
Multiple identities can be used for authentication:
 1.  Martin Štefany (martin)
 2.  ...
 3.  ...
Choose identity to authenticate as (1-3): 1
cockpit-bridge: no option specified

and documentation claims that sudo / pkexec should not ask for password
for particular user, but 1. I don't like that idea; 2. I have regular
1000:1000 user in wheel group for whom everything works just fine - sudo
and pkexec ask for password as expected, and still in cockpit admin
stuff works as expected.

Thank you!
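As an added illustration (not part of the original post or of polkit itself), a tiny stand-in for polkitd's admin-rule evaluation shows why a rule returning several `unix-group:` identities leads to the "Multiple identities" menu, and how a narrower rule would yield a single identity. Group membership is constructed sample data; the `narrow` rule and `candidates` helper are assumptions for the demonstration.

```javascript
// Added example, not from the original post: a minimal stand-in for
// polkitd's admin-rule evaluation. Group membership is constructed data.
const sampleGroups = { admins: ["martin", "alice"], wheel: ["bob"] };

class PolkitStub {
  constructor() { this.adminRules = []; }
  addAdminRule(fn) { this.adminRules.push(fn); }
  // As in polkit: the first admin rule returning a non-null list wins.
  // Group identities are expanded to members, which is what the agent
  // shows in its "Choose identity" menu.
  adminIdentities(action, subject) {
    for (const rule of this.adminRules) {
      const ids = rule(action, subject);
      if (ids == null) continue;
      const users = new Set();
      for (const id of ids) {
        const [kind, name] = id.split(":");
        if (kind === "unix-user") users.add(name);
        if (kind === "unix-group") (sampleGroups[name] || []).forEach(u => users.add(u));
      }
      return [...users];
    }
    return ["root"]; // polkit's built-in fallback when no rule applies
  }
}

// Subject with the two properties the rules below use (subject.user,
// subject.isInGroup exist on real polkit Subject objects).
function subjectFor(user) {
  return { user, isInGroup: g => (sampleGroups[g] || []).includes(user) };
}

// The rule quoted in the post (40-freeipa.rules): every member of admins
// and wheel becomes a candidate identity, so pkexec has to ask which one.
const wide = new PolkitStub();
wide.addAdminRule(function (action, subject) {
  return ["unix-group:admins", "unix-group:wheel"];
});

// Assumed narrower variant: a caller in admins may authenticate only as
// themselves, so the agent sees one identity and prompts for that
// user's own password. Anyone else falls through to the default.
const narrow = new PolkitStub();
narrow.addAdminRule(function (action, subject) {
  if (subject.isInGroup("admins")) return ["unix-user:" + subject.user];
  return null;
});

function candidates(engine, user) {
  return engine.adminIdentities({ id: "org.freedesktop.policykit.exec" }, subjectFor(user));
}
```

With the constructed groups, `candidates(wide, "martin")` lists three identities, matching the "(1-3)" prompt in the post, while `candidates(narrow, "martin")` lists only martin.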

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project