Hello, did anybody manage to get FreeIPA admin user (member of admins group, full sudo access, etc.) to be also Cockpit user with administrative privileges? I've already figured out that it's closely related to Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I was not able to get a working configuration.
Some version / configuration details:

    $ cat /etc/centos-release
    CentOS Linux release 7.1.1503 (Core)
    $ rpm -q ipa-client
    ipa-client-4.1.0-18.el7.centos.4.x86_64
    $ rpm -q cockpit   # from sgallagh's COPR repository
    cockpit-0.80-1.el7.centos.x86_64
    $ rpm -q polkit
    polkit-0.112-5.el7.x86_64
    $ sudo ls /etc/polkit-1/rules.d/
    40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
    $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
    polkit.addAdminRule(function(action, subject) {
        return ["unix-group:admins", "unix-group:wheel"];
    });
    $ sudo ls /etc/polkit-1/localauthority.conf.d/
    40-custom.conf
    $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
    [Configuration]
    AdminIdentities=unix-group:admins;unix-group:wheel
    $ ipa user-show martin | grep groups
      Member of groups: trust admins, ipausers, admins, ...

Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't perform administrative tasks, cannot see journald, etc.

One thing that I thought to cause the issue is that pkexec is asking me to select a user first, instead of asking/not asking for a password:

    $ pkexec cockpit-bridge
    ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
    Authentication is needed to run `/usr/bin/cockpit-bridge' as the super user
    Multiple identities can be used for authentication:
     1.  Martin Štefany (martin)
     2.  ...
     3.  ...
    Choose identity to authenticate as (1-3): 1
    Password:
    ==== AUTHENTICATION COMPLETE ===
    cockpit-bridge: no option specified

and documentation claims that sudo / pkexec should not ask for a password for the particular user, but:

1. I don't like that idea;
2. I have a regular 1000:1000 user in the wheel group for whom everything works just fine - sudo and pkexec ask for a password as expected, and still in Cockpit the admin stuff works as expected.

Thank you!

Regards,
Martin
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
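The behaviour Martin describes (pkexec offering a list of identities to authenticate as, while Cockpit still treats the session as unprivileged) follows from what a polkit admin rule does and does not decide. The following is an added example, not code from the original post or from the polkit or FreeIPA projects: a small offline model of polkitd's JavaScript rule evaluation. The `polkit` object, the `GROUPS` table and the subjects are constructed for this example; the real evaluator lives inside polkitd and is written in C. It shows that `polkit.addAdminRule` only names the identities that may authenticate when an action requires `auth_admin`, which is exactly why a group with several members produces a "Choose identity" prompt, whereas only `polkit.addRule` can change the authorization result itself.

```javascript
// Added example (not from the original post): a minimal offline model of how
// polkitd evaluates JavaScript rules. Everything below is constructed for
// illustration; polkitd's real implementation is in C.

const polkit = {
  // Mirrors the documented polkit.Result values; NOT_HANDLED is null in polkit.
  Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  _adminRules: [],
  _rules: [],
  addAdminRule(fn) { this._adminRules.push(fn); },
  addRule(fn) { this._rules.push(fn); },
  log(msg) { /* polkitd would write this to the journal; ignored here */ },
};

// Constructed group database standing in for /etc/group plus SSSD lookups.
const GROUPS = {
  admins: ["martin", "alice"], // an IPA-managed group with several members
  wheel: ["bob"],              // a local group with one member
};

// Minimal Subject exposing the one method the rules below use.
function makeSubject(user) {
  return {
    user,
    isInGroup(g) { return (GROUPS[g] || []).includes(user); },
  };
}

// The admin rule from 40-freeipa.rules as shown in the post.
polkit.addAdminRule(function (action, subject) {
  return ["unix-group:admins", "unix-group:wheel"];
});

// Illustrative authorization rule (an example of the addRule API, not a
// recommended configuration): members of either group must authenticate as an
// admin for pkexec; everyone else is refused; other actions are not handled.
polkit.addRule(function (action, subject) {
  if (action.id !== "org.freedesktop.policykit.exec") return polkit.Result.NOT_HANDLED;
  if (subject.isInGroup("admins") || subject.isInGroup("wheel")) return polkit.Result.AUTH_ADMIN;
  return polkit.Result.NO;
});

// Expand "unix-group:NAME" identities into concrete "unix-user:" identities,
// as polkitd does before handing them to the authentication agent.
function expandIdentities(ids) {
  const users = [];
  for (const id of ids) {
    if (id.startsWith("unix-group:")) {
      const members = GROUPS[id.slice("unix-group:".length)] || [];
      for (const u of members) users.push("unix-user:" + u);
    } else if (id.startsWith("unix-user:")) {
      users.push(id);
    }
  }
  return [...new Set(users)];
}

// Which identities may be chosen when an action requires admin authentication?
// The first admin rule that returns an array wins.
function adminIdentities(actionId, subject) {
  for (const fn of polkit._adminRules) {
    const r = fn({ id: actionId }, subject);
    if (Array.isArray(r)) return expandIdentities(r);
  }
  return [];
}

// What does the rule chain decide for this action and subject? The first rule
// returning a non-null result wins; otherwise the action's own default
// (`implicit`, e.g. "auth_admin" for org.freedesktop.policykit.exec) applies.
function authorize(actionId, subject, implicit) {
  for (const fn of polkit._rules) {
    const r = fn({ id: actionId }, subject);
    if (r !== undefined && r !== null) return r;
  }
  return implicit;
}

// Stand-alone run: reproduces the three-identity prompt for user "martin".
console.log(adminIdentities("org.freedesktop.policykit.exec", makeSubject("martin")));
console.log(authorize("org.freedesktop.policykit.exec", makeSubject("martin"), "auth_admin"));
```

Running it lists three candidate identities for `martin` (two from `admins`, one from `wheel`), matching the `Choose identity to authenticate as (1-3)` prompt in the post; removing `unix-group:wheel` from the admin rule would shorten that list but would not change the authorization result, which is governed only by `addRule` and the action's default.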