Re: [Freeipa-users] Cockpit with (Free)IPA admin users

2015-10-29 Thread Petr Spacek
Thank you very much!

Petr^2 Spacek

On 27.10.2015 22:26, Martin Štefany wrote:
> On Ut, 2015-10-27 at 15:48 +0100, Petr Spacek wrote:
>> On 20.10.2015 23:25, Martin Štefany wrote:
>>> Hello,
>>>
>>> did anybody manage to get FreeIPA admin user (member of admins group,
>>> full sudo access, etc.) to be also Cockpit user with administrative
>>> privileges? I've already figured out that it's closely related to
>>> Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
>>> was not able to get a working configuration.
>>>
>>> Some version / configuration details:
>>> $ cat /etc/centos-release
>>> CentOS Linux release 7.1.1503 (Core)
>>>
>>> $ rpm -q ipa-client
>>> ipa-client-4.1.0-18.el7.centos.4.x86_64
>>>
>>> $ rpm -q cockpit   # from sgallagh's COPR repository
>>> cockpit-0.80-1.el7.centos.x86_64
>>>
>>> $ rpm -q polkit
>>> polkit-0.112-5.el7.x86_64
>>>
>>> $ sudo ls /etc/polkit-1/rules.d/
>>> 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
>>>
>>> $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
>>> polkit.addAdminRule(function(action, subject) {
>>> return ["unix-group:admins", "unix-group:wheel"];
>>> });
>>>
>>> $ sudo ls /etc/polkit-1/localauthority.conf.d/
>>> 40-custom.conf
>>>
>>> $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
>>> [Configuration]
>>> AdminIdentities=unix-group:admins;unix-group:wheel
>>>
>>> $ ipa user-show martin | grep groups
>>>   Member of groups: trust admins, ipausers, admins, ...
>>>
>>> Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
>>> perform administrative tasks, cannot see journald, etc.
>>>
>>> One thing that I thought to cause the issue is that pkexec is asking me
>>> to select a user first, instead of asking/not asking for password:
>>> $ pkexec cockpit-bridge
>>> ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
>>> Authentication is needed to run `/usr/bin/cockpit-bridge' as the super user
>>> Multiple identities can be used for authentication:
>>>  1.  Martin Štefany (martin)
>>>  2.  ...
>>>  3.  ...
>>> Choose identity to authenticate as (1-3): 1
>>> Password: 
>>> ==== AUTHENTICATION COMPLETE ===
>>> cockpit-bridge: no option specified
>>>
>>> and documentation claims that sudo / pkexec should not ask for password
>>> for particular user, but 1. I don't like that idea; 2. I have regular
>>> 1000:1000 user in wheel group for whom everything works just fine - sudo
>>> and pkexec ask for password as expected, and still in cockpit admin
>>> stuff works as expected.
>>
>> I have seen your answer in the ticket
>> https://fedorahosted.org/freeipa/ticket/3203#comment:6
>>
>> Could you create a very short and concise how-to to
>> http://www.freeipa.org/page/HowTos , please?
>>
>> Your Fedora login should allow you to create a new wiki page and to link it to
>> http://www.freeipa.org/page/HowTos .
>>
>> Thank you for your time!
>>
> 
> Hello Petr,
> 
> sure, done =)
> 
> http://www.freeipa.org/page/Howto/FreeIPA_PolicyKit
> 
> Thank you!
> 
> Martin
> 


-- 
Petr Spacek  @  Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Cockpit with (Free)IPA admin users

2015-10-28 Thread Jakub Hrozek
On Tue, Oct 27, 2015 at 09:08:30PM +0100, Martin Štefany wrote:
> On St, 2015-10-21 at 09:32 +0200, Jakub Hrozek wrote:
> > On Tue, Oct 20, 2015 at 11:25:56PM +0200, Martin Štefany wrote:
> > > Hello,
> > > 
> > > did anybody manage to get FreeIPA admin user (member of admins group,
> > > full sudo access, etc.) to be also Cockpit user with administrative
> > > privileges? I've already figured out that it's closely related to
> > > Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
> > > was not able to get a working configuration.
> > > 
> > > Some version / configuration details:
> > > $ cat /etc/centos-release
> > > CentOS Linux release 7.1.1503 (Core)
> > > 
> > > $ rpm -q ipa-client
> > > ipa-client-4.1.0-18.el7.centos.4.x86_64
> > > 
> > > $ rpm -q cockpit   # from sgallagh's COPR repository
> > > cockpit-0.80-1.el7.centos.x86_64
> > > 
> > > $ rpm -q polkit
> > > polkit-0.112-5.el7.x86_64
> > > 
> > > $ sudo ls /etc/polkit-1/rules.d/
> > > 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
> > > 
> > > $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
> > > polkit.addAdminRule(function(action, subject) {
> > > return ["unix-group:admins", "unix-group:wheel"];
> > > });
> > > 
> > > $ sudo ls /etc/polkit-1/localauthority.conf.d/
> > > 40-custom.conf
> > > 
> > > $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
> > > [Configuration]
> > > AdminIdentities=unix-group:admins;unix-group:wheel
> > > 
> > > $ ipa user-show martin | grep groups
> > >   Member of groups: trust admins, ipausers, admins, ...
> > > 
> > > Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
> > > perform administrative tasks, cannot see journald, etc.
> > > 
> > > One thing that I thought to cause the issue is that pkexec is asking me
> > > to select a user first, instead of asking/not asking for password:
> > > $ pkexec cockpit-bridge
> > > ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
> > > Authentication is needed to run `/usr/bin/cockpit-bridge' as the super user
> > > Multiple identities can be used for authentication:
> > >  1.  Martin Štefany (martin)
> > >  2.  ...
> > >  3.  ...
> > > Choose identity to authenticate as (1-3): 1
> > > Password: 
> > > ==== AUTHENTICATION COMPLETE ===
> > > cockpit-bridge: no option specified
> > > 
> > > and documentation claims that sudo / pkexec should not ask for password
> > > for particular user, but 1. I don't like that idea; 2. I have regular
> > > 1000:1000 user in wheel group for whom everything works just fine - sudo
> > > and pkexec ask for password as expected, and still in cockpit admin
> > > stuff works as expected.
> > 
> > Can you add the admin user to the wheel group on the Cockpit machine?
> > 
> > But in general I think you're looking for:
> > https://sourceware.org/glibc/wiki/Proposals/GroupMerging
> > first round of patches is ready, although it still needs to go through
> > upstream review (IIRC).
> > 
> 
> Hello Jakub,
> 
> adding specific user to local wheel group works, thank you. But it also
> requires local intervention on the system(s), and on per-user basis.
> 
> Only limitation detail I see now with PolicyKit is that user is granted
> full admin rights via pkexec either when custom
> /etc/polkit-1/rules.d/40-freeipa.rules is defined or when glibc group
> merging is merged. If I understand
> https://fedorahosted.org/freeipa/ticket/5350 correctly, this will be
> sort-of addressed based on hostgroups, but it will still give more
> control over the system than sudo would do, won't it?

You'd get all the rights that the wheel group gives you. IPA #5350 also
describes merging of a different group into local wheel/adm, but that's
not implemented yet.


Re: [Freeipa-users] Cockpit with (Free)IPA admin users

2015-10-27 Thread Petr Spacek
On 20.10.2015 23:25, Martin Štefany wrote:
> Hello,
> 
> did anybody manage to get FreeIPA admin user (member of admins group,
> full sudo access, etc.) to be also Cockpit user with administrative
> privileges? I've already figured out that it's closely related to
> Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
> was not able to get a working configuration.
> 
> Some version / configuration details:
> $ cat /etc/centos-release
> CentOS Linux release 7.1.1503 (Core)
> 
> $ rpm -q ipa-client
> ipa-client-4.1.0-18.el7.centos.4.x86_64
> 
> $ rpm -q cockpit   # from sgallagh's COPR repository
> cockpit-0.80-1.el7.centos.x86_64
> 
> $ rpm -q polkit
> polkit-0.112-5.el7.x86_64
> 
> $ sudo ls /etc/polkit-1/rules.d/
> 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
> 
> $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
> polkit.addAdminRule(function(action, subject) {
> return ["unix-group:admins", "unix-group:wheel"];
> });
> 
> $ sudo ls /etc/polkit-1/localauthority.conf.d/
> 40-custom.conf
> 
> $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
> [Configuration]
> AdminIdentities=unix-group:admins;unix-group:wheel
> 
> $ ipa user-show martin | grep groups
>   Member of groups: trust admins, ipausers, admins, ...
> 
> Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
> perform administrative tasks, cannot see journald, etc.
> 
> One thing that I thought to cause the issue is that pkexec is asking me
> to select a user first, instead of asking/not asking for password:
> $ pkexec cockpit-bridge
> ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
> Authentication is needed to run `/usr/bin/cockpit-bridge' as the super user
> Multiple identities can be used for authentication:
>  1.  Martin Štefany (martin)
>  2.  ...
>  3.  ...
> Choose identity to authenticate as (1-3): 1
> Password: 
> ==== AUTHENTICATION COMPLETE ===
> cockpit-bridge: no option specified
> 
> and documentation claims that sudo / pkexec should not ask for password
> for particular user, but 1. I don't like that idea; 2. I have regular
> 1000:1000 user in wheel group for whom everything works just fine - sudo
> and pkexec ask for password as expected, and still in cockpit admin
> stuff works as expected.

I have seen your answer in the ticket
https://fedorahosted.org/freeipa/ticket/3203#comment:6

Could you create a very short and concise how-to to
http://www.freeipa.org/page/HowTos , please?

Your Fedora login should allow you to create a new wiki page and to link it to
http://www.freeipa.org/page/HowTos .

Thank you for your time!

-- 
Petr^2 Spacek



Re: [Freeipa-users] Cockpit with (Free)IPA admin users

2015-10-27 Thread Martin Štefany
On St, 2015-10-21 at 09:32 +0200, Jakub Hrozek wrote:
> On Tue, Oct 20, 2015 at 11:25:56PM +0200, Martin Štefany wrote:
> > Hello,
> > 
> > did anybody manage to get FreeIPA admin user (member of admins group,
> > full sudo access, etc.) to be also Cockpit user with administrative
> > privileges? I've already figured out that it's closely related to
> > Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
> > was not able to get a working configuration.
> > 
> > Some version / configuration details:
> > $ cat /etc/centos-release
> > CentOS Linux release 7.1.1503 (Core)
> > 
> > $ rpm -q ipa-client
> > ipa-client-4.1.0-18.el7.centos.4.x86_64
> > 
> > $ rpm -q cockpit   # from sgallagh's COPR repository
> > cockpit-0.80-1.el7.centos.x86_64
> > 
> > $ rpm -q polkit
> > polkit-0.112-5.el7.x86_64
> > 
> > $ sudo ls /etc/polkit-1/rules.d/
> > 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
> > 
> > $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
> > polkit.addAdminRule(function(action, subject) {
> > return ["unix-group:admins", "unix-group:wheel"];
> > });
> > 
> > $ sudo ls /etc/polkit-1/localauthority.conf.d/
> > 40-custom.conf
> > 
> > $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
> > [Configuration]
> > AdminIdentities=unix-group:admins;unix-group:wheel
> > 
> > $ ipa user-show martin | grep groups
> >   Member of groups: trust admins, ipausers, admins, ...
> > 
> > Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
> > perform administrative tasks, cannot see journald, etc.
> > 
> > One thing that I thought to cause the issue is that pkexec is asking me
> > to select a user first, instead of asking/not asking for password:
> > $ pkexec cockpit-bridge
> > ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
> > Authentication is needed to run `/usr/bin/cockpit-bridge' as the super user
> > Multiple identities can be used for authentication:
> >  1.  Martin Štefany (martin)
> >  2.  ...
> >  3.  ...
> > Choose identity to authenticate as (1-3): 1
> > Password: 
> > ==== AUTHENTICATION COMPLETE ===
> > cockpit-bridge: no option specified
> > 
> > and documentation claims that sudo / pkexec should not ask for password
> > for particular user, but 1. I don't like that idea; 2. I have regular
> > 1000:1000 user in wheel group for whom everything works just fine - sudo
> > and pkexec ask for password as expected, and still in cockpit admin
> > stuff works as expected.
> 
> Can you add the admin user to the wheel group on the Cockpit machine?
> 
> But in general I think you're looking for:
> https://sourceware.org/glibc/wiki/Proposals/GroupMerging
> first round of patches is ready, although it still needs to go through
> upstream review (IIRC).
> 

Hello Jakub,

adding specific user to local wheel group works, thank you. But it also
requires local intervention on the system(s), and on per-user basis.

Only limitation detail I see now with PolicyKit is that user is granted
full admin rights via pkexec either when custom
/etc/polkit-1/rules.d/40-freeipa.rules is defined or when glibc group
merging is merged. If I understand
https://fedorahosted.org/freeipa/ticket/5350 correctly, this will be
sort-of addressed based on hostgroups, but it will still give more
control over the system than sudo would do, won't it?

Thank you.
Martin
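
The concern raised in the two messages above (an addAdminRule that returns
unix-group:admins makes every IPA admin a polkit administrator for every
action, which is broader than a sudoers entry) can be checked without a
polkitd. The JavaScript below is an added example, not code from the thread
and not FreeIPA, Cockpit or polkit project code. It puts the thread's
40-freeipa.rules next to a narrower policy and evaluates both against a small
stand-in for polkitd's rule engine. The stand-in (`polkit`, `makeSubject`,
`evaluate`) and the users and group memberships are this example's own
assumptions; the engine semantics follow polkit(8): addRule() callbacks run in
file order and the first result other than NOT_HANDLED wins, addAdminRule()
callbacks run in order and the first non-null identity list wins. The action
id org.freedesktop.policykit.exec is the one in the pkexec transcript above;
org.freedesktop.systemd1.manage-units is systemd's unit-management action.
The "Multiple identities" chooser in the transcript is what the text agent
shows when the returned identities expand to more than one user (two groups
here); returning only unix-user:<subject.user> leaves a single identity.

```javascript
"use strict";

// Stand-in for the `polkit` object that polkitd exposes to rules files
// (assumption of this example; the real engine lives inside polkitd).
const polkit = {
  Result: {
    NO: "no", YES: "yes", AUTH_SELF: "auth_self",
    AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled",
  },
  _rules: [],
  _adminRules: [],
  addRule(fn) { this._rules.push(fn); },
  addAdminRule(fn) { this._adminRules.push(fn); },
  log() { /* polkitd logs to the journal; silent here */ },
  reset() { this._rules = []; this._adminRules = []; },
};

// Subject as a rule sees it: subject.user plus isInGroup(). On a real host
// isInGroup() goes through NSS (SSSD for IPA groups); here the memberships
// are constructed sample data.
function makeSubject(user, groups) {
  return {
    user: user,
    local: true,
    active: true,
    isInGroup(name) { return groups.indexOf(name) !== -1; },
  };
}

// Decide `actionId` for `subject`. `implicit` is the default from the
// action's .policy file, used when no rule handles it. For auth_admin the
// returned `admins` is the identity list the agent will offer; null means
// no admin rule in this set matched (on the thread's host the remaining
// files, e.g. 50-default.rules, would then decide).
function evaluate(actionId, subject, implicit) {
  const action = { id: actionId };
  let result = polkit.Result.NOT_HANDLED;
  for (const rule of polkit._rules) {
    const r = rule(action, subject);
    if (r != null && r !== polkit.Result.NOT_HANDLED) { result = r; break; }
  }
  if (result === polkit.Result.NOT_HANDLED) result = implicit;

  let admins = null;
  if (result === polkit.Result.AUTH_ADMIN) {
    for (const rule of polkit._adminRules) {
      const ids = rule(action, subject);
      if (ids != null) { admins = ids; break; }
    }
  }
  return { result: result, admins: admins };
}

// Rule set A: the 40-freeipa.rules file quoted in the thread. Every member
// of the IPA `admins` group is an administrator for every auth_admin action,
// and the agent expands both groups into a list of users to pick from.
function loadBroadRules() {
  polkit.reset();
  polkit.addAdminRule(function (action, subject) {
    return ["unix-group:admins", "unix-group:wheel"];
  });
}

// Rule set B (this example's own policy, not from the thread): members of
// `admins` may manage systemd units after typing their own password, are not
// administrators for anything else, and where an action does need an
// administrator they may only authenticate as themselves. Anything not
// mentioned falls through to the .policy default.
function loadNarrowRules() {
  polkit.reset();
  polkit.addRule(function (action, subject) {
    if (action.id === "org.freedesktop.systemd1.manage-units" &&
        subject.isInGroup("admins")) {
      return polkit.Result.AUTH_SELF;
    }
    return polkit.Result.NOT_HANDLED;
  });
  polkit.addAdminRule(function (action, subject) {
    if (subject.isInGroup("admins")) {
      return ["unix-user:" + subject.user];
    }
    return null;
  });
}

// Run the same three requests through both rule sets (both actions default
// to auth_admin in their .policy files).
function compare() {
  const martin = makeSubject("martin", ["ipausers", "admins"]);
  const bob = makeSubject("bob", ["ipausers"]);
  const cases = [
    ["org.freedesktop.systemd1.manage-units", martin],
    ["org.freedesktop.policykit.exec", martin],
    ["org.freedesktop.systemd1.manage-units", bob],
  ];
  const out = {};
  for (const [name, load] of [["broad", loadBroadRules], ["narrow", loadNarrowRules]]) {
    load();
    out[name] = cases.map(([id, s]) =>
      Object.assign({ action: id, user: s.user },
                    evaluate(id, s, polkit.Result.AUTH_ADMIN)));
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(compare(), null, 2));
}
```

Under rule set A both requests from martin, and even the one from bob, come
back as auth_admin with the two groups as the identity list, which is the
chooser seen in the transcript. Under rule set B martin gets auth_self for
unit management (his own password, no administrator status), is offered only
unix-user:martin when pkexec needs an administrator, and bob is left to the
defaults. Before relying on a narrowed rule on a real host, list the action
ids Cockpit actually requests with pkaction and check each with pkcheck.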

Re: [Freeipa-users] Cockpit with (Free)IPA admin users

2015-10-27 Thread Martin Štefany
On Ut, 2015-10-27 at 15:48 +0100, Petr Spacek wrote:
> On 20.10.2015 23:25, Martin Štefany wrote:
> > Hello,
> > 
> > did anybody manage to get FreeIPA admin user (member of admins group,
> > full sudo access, etc.) to be also Cockpit user with administrative
> > privileges? I've already figured out that it's closely related to
> > Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
> > was not able to get a working configuration.
> > 
> > Some version / configuration details:
> > $ cat /etc/centos-release
> > CentOS Linux release 7.1.1503 (Core)
> > 
> > $ rpm -q ipa-client
> > ipa-client-4.1.0-18.el7.centos.4.x86_64
> > 
> > $ rpm -q cockpit   # from sgallagh's COPR repository
> > cockpit-0.80-1.el7.centos.x86_64
> > 
> > $ rpm -q polkit
> > polkit-0.112-5.el7.x86_64
> > 
> > $ sudo ls /etc/polkit-1/rules.d/
> > 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
> > 
> > $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
> > polkit.addAdminRule(function(action, subject) {
> > return ["unix-group:admins", "unix-group:wheel"];
> > });
> > 
> > $ sudo ls /etc/polkit-1/localauthority.conf.d/
> > 40-custom.conf
> > 
> > $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
> > [Configuration]
> > AdminIdentities=unix-group:admins;unix-group:wheel
> > 
> > $ ipa user-show martin | grep groups
> >   Member of groups: trust admins, ipausers, admins, ...
> > 
> > Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
> > perform administrative tasks, cannot see journald, etc.
> > 
> > One thing that I thought to cause the issue is that pkexec is asking me
> > to select a user first, instead of asking/not asking for password:
> > $ pkexec cockpit-bridge
> > ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
> > Authentication is needed to run `/usr/bin/cockpit-bridge' as the super user
> > Multiple identities can be used for authentication:
> >  1.  Martin Štefany (martin)
> >  2.  ...
> >  3.  ...
> > Choose identity to authenticate as (1-3): 1
> > Password: 
> > ==== AUTHENTICATION COMPLETE ===
> > cockpit-bridge: no option specified
> > 
> > and documentation claims that sudo / pkexec should not ask for password
> > for particular user, but 1. I don't like that idea; 2. I have regular
> > 1000:1000 user in wheel group for whom everything works just fine - sudo
> > and pkexec ask for password as expected, and still in cockpit admin
> > stuff works as expected.
> 
> I have seen your answer in the ticket
> https://fedorahosted.org/freeipa/ticket/3203#comment:6
> 
> Could you create a very short and concise how-to to
> http://www.freeipa.org/page/HowTos , please?
> 
> Your Fedora login should allow you to create a new wiki page and to link it to
> http://www.freeipa.org/page/HowTos .
> 
> Thank you for your time!
> 

Hello Petr,

sure, done =)

http://www.freeipa.org/page/Howto/FreeIPA_PolicyKit

Thank you!

Martin


Re: [Freeipa-users] Cockpit with (Free)IPA admin users

2015-10-21 Thread Jakub Hrozek
On Tue, Oct 20, 2015 at 11:25:56PM +0200, Martin Štefany wrote:
> Hello,
> 
> did anybody manage to get FreeIPA admin user (member of admins group,
> full sudo access, etc.) to be also Cockpit user with administrative
> privileges? I've already figured out that it's closely related to
> Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
> was not able to get a working configuration.
> 
> Some version / configuration details:
> $ cat /etc/centos-release
> CentOS Linux release 7.1.1503 (Core)
> 
> $ rpm -q ipa-client
> ipa-client-4.1.0-18.el7.centos.4.x86_64
> 
> $ rpm -q cockpit   # from sgallagh's COPR repository
> cockpit-0.80-1.el7.centos.x86_64
> 
> $ rpm -q polkit
> polkit-0.112-5.el7.x86_64
> 
> $ sudo ls /etc/polkit-1/rules.d/
> 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
> 
> $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
> polkit.addAdminRule(function(action, subject) {
> return ["unix-group:admins", "unix-group:wheel"];
> });
> 
> $ sudo ls /etc/polkit-1/localauthority.conf.d/
> 40-custom.conf
> 
> $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
> [Configuration]
> AdminIdentities=unix-group:admins;unix-group:wheel
> 
> $ ipa user-show martin | grep groups
>   Member of groups: trust admins, ipausers, admins, ...
> 
> Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
> perform administrative tasks, cannot see journald, etc.
> 
> One thing that I thought to cause the issue is that pkexec is asking me
> to select a user first, instead of asking/not asking for password:
> $ pkexec cockpit-bridge
> ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
> Authentication is needed to run `/usr/bin/cockpit-bridge' as the super user
> Multiple identities can be used for authentication:
>  1.  Martin Štefany (martin)
>  2.  ...
>  3.  ...
> Choose identity to authenticate as (1-3): 1
> Password: 
> ==== AUTHENTICATION COMPLETE ===
> cockpit-bridge: no option specified
> 
> and documentation claims that sudo / pkexec should not ask for password
> for particular user, but 1. I don't like that idea; 2. I have regular
> 1000:1000 user in wheel group for whom everything works just fine - sudo
> and pkexec ask for password as expected, and still in cockpit admin
> stuff works as expected.

Can you add the admin user to the wheel group on the Cockpit machine?

But in general I think you're looking for:
https://sourceware.org/glibc/wiki/Proposals/GroupMerging
first round of patches is ready, although it still needs to go through
upstream review (IIRC).
