On Tue, Oct 20, 2015 at 11:25:56PM +0200, Martin Štefany wrote:
> Hello,
> 
> did anybody manage to get FreeIPA admin user (member of admins group,
> full sudo access, etc.) to be also Cockpit user with administrative
> privileges? I've already figured out that it's closely related to
> Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
> was not able to get a working configuration.
> 
> Some version / configuration details:
> $ cat /etc/centos-release
> CentOS Linux release 7.1.1503 (Core)
> 
> $ rpm -q ipa-client
> ipa-client-4.1.0-18.el7.centos.4.x86_64
> 
> $ rpm -q cockpit   # from sgallagh's COPR repository
> cockpit-0.80-1.el7.centos.x86_64
> 
> $ rpm -q polkit
> polkit-0.112-5.el7.x86_64
> 
> $ sudo ls /etc/polkit-1/rules.d/
> 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
> 
> $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
> polkit.addAdminRule(function(action, subject) {
>     return ["unix-group:admins", "unix-group:wheel"];
> });
> 
> $ sudo ls /etc/polkit-1/localauthority.conf.d/
> 40-custom.conf
> 
> $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
> [Configuration]
> AdminIdentities=unix-group:admins;unix-group:wheel
> 
> $ ipa user-show martin | grep groups
>   Member of groups: trust admins, ipausers, admins, ...
> 
> Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
> perform administrative tasks, cannot see journald, etc.
> 
> One thing that I thought to cause the issue is that pkexec is asking me
> select user first, instead of asking/not asking for password:
> $ pkexec cockpit-bridge
> ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
> Authentication is needed to run `/usr/bin/cockpit-bridge' as the super
> user
> Multiple identities can be used for authentication:
>  1.  Martin Štefany (martin)
>  2.  ...
>  3.  ...
> Choose identity to authenticate as (1-3): 1
> Password: 
> ==== AUTHENTICATION COMPLETE ===
> cockpit-bridge: no option specified
> 
> and documentation claims that sudo / pkexec should not ask for password
> for particular user, but 1. I don't like that idea; 2. I have regular
> 1000:1000 user in wheel group for whom everything works just fine - sudo
> and pkexec ask for password as expected, and still in cockpit admin
> stuff works as expected.

Can you add the admin user to the wheel group on the Cockpit machine?

But in general I think you're looking for:
    https://sourceware.org/glibc/wiki/Proposals/GroupMerging
first round of patches is ready, although it still needs to go through
upstream review (IIRC).

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to