Thank you very much!

Petr^2 Spacek
On 27.10.2015 22:26, Martin Štefany wrote:
> On Tue, 2015-10-27 at 15:48 +0100, Petr Spacek wrote:
>> On 20.10.2015 23:25, Martin Štefany wrote:
>>> Hello,
>>>
>>> did anybody manage to get a FreeIPA admin user (member of the admins
>>> group, full sudo access, etc.) to also be a Cockpit user with
>>> administrative privileges? I've already figured out that it's closely
>>> related to Polkit, but since FreeIPA and Polkit are not fully
>>> 'friendly' yet... I was not able to get a working configuration.
>>>
>>> Some version / configuration details:
>>> $ cat /etc/centos-release
>>> CentOS Linux release 7.1.1503 (Core)
>>>
>>> $ rpm -q ipa-client
>>> ipa-client-4.1.0-18.el7.centos.4.x86_64
>>>
>>> $ rpm -q cockpit # from sgallagh's COPR repository
>>> cockpit-0.80-1.el7.centos.x86_64
>>>
>>> $ rpm -q polkit
>>> polkit-0.112-5.el7.x86_64
>>>
>>> $ sudo ls /etc/polkit-1/rules.d/
>>> 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
>>>
>>> $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
>>> polkit.addAdminRule(function(action, subject) {
>>>     return ["unix-group:admins", "unix-group:wheel"];
>>> });
>>>
>>> $ sudo ls /etc/polkit-1/localauthority.conf.d/
>>> 40-custom.conf
>>>
>>> $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
>>> [Configuration]
>>> AdminIdentities=unix-group:admins;unix-group:wheel
>>>
>>> $ ipa user-show martin | grep groups
>>> Member of groups: trust admins, ipausers, admins, ...
>>>
>>> Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
>>> perform administrative tasks, cannot see journald, etc.
>>>
>>> One thing that I thought to cause the issue is that pkexec is asking me
>>> to select a user first, instead of asking/not asking for a password:
>>> $ pkexec cockpit-bridge
>>> ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
>>> Authentication is needed to run `/usr/bin/cockpit-bridge' as the super
>>> user
>>> Multiple identities can be used for authentication:
>>>  1.  Martin Štefany (martin)
>>>  2.  ...
>>>  3.  ...
>>> Choose identity to authenticate as (1-3): 1
>>> Password:
>>> ==== AUTHENTICATION COMPLETE ===
>>> cockpit-bridge: no option specified
>>>
>>> and the documentation claims that sudo / pkexec should not ask for a
>>> password for that particular user, but 1. I don't like that idea;
>>> 2. I have a regular 1000:1000 user in the wheel group for whom
>>> everything works just fine - sudo and pkexec ask for a password as
>>> expected, and admin stuff in Cockpit still works as expected.
>>
>> I have seen your answer in the ticket
>> https://fedorahosted.org/freeipa/ticket/3203#comment:6
>>
>> Could you create a very short and concise how-to at
>> http://www.freeipa.org/page/HowTos , please?
>>
>> Your Fedora login should allow you to create a new wiki page and to
>> link it to http://www.freeipa.org/page/HowTos .
>>
>> Thank you for your time!
>>
>
> Hello Petr,
>
> sure, done =)
>
> http://www.freeipa.org/page/Howto/FreeIPA_PolicyKit
>
> Thank you!
>
> Martin
>

-- 
Petr Spacek @ Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
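Editor's added example, not code from the thread above and not the configuration from the FreeIPA_PolicyKit howto Martin linked: a polkit rules file in the same style as Martin's 40-freeipa.rules. His rule returns the group identities ["unix-group:admins", "unix-group:wheel"]; the polkit authentication agent expands group identities to their members, which is what produces the "Multiple identities can be used for authentication" menu seen in the pkexec output. The variant below still treats members of those two groups as administrators, but returns only the caller's own "unix-user:" identity, so the agent prompts for that one password. The group names "admins" and "wheel" are taken from the mail; the `fakeSubject`/`dryRun` part and its sample users are constructed so the file can also be run under Node, and are never used by polkitd.

```javascript
// Added example (editor's, not from the mail or the FreeIPA howto).
// polkit rules files are JavaScript. polkit.addAdminRule, subject.user and
// subject.isInGroup() are polkit's real rules API and exist only when polkitd
// loads this file from /etc/polkit-1/rules.d/; the guards below let the same
// file be dry-run with `node 40-freeipa.js`.

var ADMIN_GROUPS = ["admins", "wheel"]; // assumption: IPA group "admins", local group "wheel"

// Admin rule: which identities may authorise `action` on behalf of `subject`.
// Returns an array of polkit identity strings, or null so that later rules
// (50-default.rules, which returns unix-group:wheel) decide instead.
function adminIdentities(action, subject) {
    for (var i = 0; i < ADMIN_GROUPS.length; i++) {
        if (subject.isInGroup(ADMIN_GROUPS[i])) {
            // Offer only the caller's own account: no group expansion, so the
            // agent has exactly one identity and no "Choose identity" prompt.
            return ["unix-user:" + subject.user];
        }
    }
    return null;
}

if (typeof polkit !== "undefined") {
    polkit.addAdminRule(adminIdentities); // installed only inside polkitd
}

// --- Dry run outside polkitd --------------------------------------------

// Constructed stand-in for polkit's Subject, carrying only what the rule reads.
function fakeSubject(user, groups) {
    return {
        user: user,
        isInGroup: function (g) { return groups.indexOf(g) !== -1; }
    };
}

// Run a few constructed subjects through the rule and return what the
// authentication agent would be handed for each of them.
function dryRun() {
    var cases = {
        // constructed: mirrors the `ipa user-show martin` groups in the mail
        martin: fakeSubject("martin", ["trust admins", "ipausers", "admins"]),
        // constructed: the regular local 1000:1000 user in wheel
        local: fakeSubject("local", ["local", "wheel"]),
        // constructed: an IPA user who is not an administrator
        plain: fakeSubject("plain", ["ipausers"])
    };
    var out = {};
    for (var name in cases) {
        out[name] = adminIdentities("org.freedesktop.policykit.exec", cases[name]);
    }
    return out;
}

if (typeof polkit === "undefined" && typeof console !== "undefined") {
    console.log(JSON.stringify(dryRun(), null, 2));
}
```

Note that this only changes which identity the agent asks for; it still depends on the host resolving IPA group membership through NSS (SSSD) for `subject.isInGroup("admins")` to be true, which is the FreeIPA/Polkit interaction the thread is about. Anyone in a local group named "admins" would match as well, so the rule should only be installed on IPA-enrolled hosts.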