Re: [Freeipa-users] Cockpit with (Free)IPA admin users
Thank you very much!

Petr^2 Spacek

On 27.10.2015 22:26, Martin Štefany wrote:
> On Ut, 2015-10-27 at 15:48 +0100, Petr Spacek wrote:
>> On 20.10.2015 23:25, Martin Štefany wrote:
>>> Hello,
>>>
>>> did anybody manage to get FreeIPA admin user (member of admins group,
>>> full sudo access, etc.) to be also Cockpit user with administrative
>>> privileges? I've already figured out that it's closely related to
>>> Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
>>> was not able to get a working configuration.
>>>
>>> Some version / configuration details:
>>> $ cat /etc/centos-release
>>> CentOS Linux release 7.1.1503 (Core)
>>>
>>> $ rpm -q ipa-client
>>> ipa-client-4.1.0-18.el7.centos.4.x86_64
>>>
>>> $ rpm -q cockpit # from sgallagh's COPR repository
>>> cockpit-0.80-1.el7.centos.x86_64
>>>
>>> $ rpm -q polkit
>>> polkit-0.112-5.el7.x86_64
>>>
>>> $ sudo ls /etc/polkit-1/rules.d/
>>> 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
>>>
>>> $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
>>> polkit.addAdminRule(function(action, subject) {
>>>     return ["unix-group:admins", "unix-group:wheel"];
>>> });
>>>
>>> $ sudo ls /etc/polkit-1/localauthority.conf.d/
>>> 40-custom.conf
>>>
>>> $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
>>> [Configuration]
>>> AdminIdentities=unix-group:admins;unix-group:wheel
>>>
>>> $ ipa user-show martin | grep groups
>>> Member of groups: trust admins, ipausers, admins, ...
>>>
>>> Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
>>> perform administrative tasks, cannot see journald, etc.
>>>
>>> One thing that I thought to cause the issue is that pkexec is asking me
>>> to select user first, instead of asking/not asking for password:
>>> $ pkexec cockpit-bridge
>>> AUTHENTICATING FOR org.freedesktop.policykit.exec ===
>>> Authentication is needed to run `/usr/bin/cockpit-bridge' as the super user
>>> Multiple identities can be used for authentication:
>>>  1.  Martin Štefany (martin)
>>>  2.  ...
>>>  3.  ...
>>> Choose identity to authenticate as (1-3): 1
>>> Password:
>>> AUTHENTICATION COMPLETE ===
>>> cockpit-bridge: no option specified
>>>
>>> and documentation claims that sudo / pkexec should not ask for password
>>> for particular user, but 1. I don't like that idea; 2. I have regular
>>> 1000:1000 user in wheel group for whom everything works just fine - sudo
>>> and pkexec ask for password as expected, and still in cockpit admin
>>> stuff works as expected.
>>
>> I have seen your answer in the ticket
>> https://fedorahosted.org/freeipa/ticket/3203#comment:6
>>
>> Could you create a very short and concise how-to to
>> http://www.freeipa.org/page/HowTos , please?
>>
>> Your Fedora login should allow you to create a new wiki page and to
>> link it to http://www.freeipa.org/page/HowTos .
>>
>> Thank you for your time!
>
> Hello Petr,
>
> sure, done =)
>
> http://www.freeipa.org/page/Howto/FreeIPA_PolicyKit
>
> Thank you!
>
> Martin

-- 
Petr Spacek @ Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Cockpit with (Free)IPA admin users
On Tue, Oct 27, 2015 at 09:08:30PM +0100, Martin Štefany wrote:
> On St, 2015-10-21 at 09:32 +0200, Jakub Hrozek wrote:
> > On Tue, Oct 20, 2015 at 11:25:56PM +0200, Martin Štefany wrote:
> > > Hello,
> > >
> > > did anybody manage to get FreeIPA admin user (member of admins group,
> > > full sudo access, etc.) to be also Cockpit user with administrative
> > > privileges? I've already figured out that it's closely related to
> > > Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
> > > was not able to get a working configuration.
> > >
> > > Some version / configuration details:
> > > $ cat /etc/centos-release
> > > CentOS Linux release 7.1.1503 (Core)
> > >
> > > $ rpm -q ipa-client
> > > ipa-client-4.1.0-18.el7.centos.4.x86_64
> > >
> > > $ rpm -q cockpit # from sgallagh's COPR repository
> > > cockpit-0.80-1.el7.centos.x86_64
> > >
> > > $ rpm -q polkit
> > > polkit-0.112-5.el7.x86_64
> > >
> > > $ sudo ls /etc/polkit-1/rules.d/
> > > 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
> > >
> > > $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
> > > polkit.addAdminRule(function(action, subject) {
> > >     return ["unix-group:admins", "unix-group:wheel"];
> > > });
> > >
> > > $ sudo ls /etc/polkit-1/localauthority.conf.d/
> > > 40-custom.conf
> > >
> > > $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
> > > [Configuration]
> > > AdminIdentities=unix-group:admins;unix-group:wheel
> > >
> > > $ ipa user-show martin | grep groups
> > > Member of groups: trust admins, ipausers, admins, ...
> > >
> > > Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
> > > perform administrative tasks, cannot see journald, etc.
> > >
> > > One thing that I thought to cause the issue is that pkexec is asking me
> > > to select user first, instead of asking/not asking for password:
> > > $ pkexec cockpit-bridge
> > > AUTHENTICATING FOR org.freedesktop.policykit.exec ===
> > > Authentication is needed to run `/usr/bin/cockpit-bridge' as the super user
> > > Multiple identities can be used for authentication:
> > >  1.  Martin Štefany (martin)
> > >  2.  ...
> > >  3.  ...
> > > Choose identity to authenticate as (1-3): 1
> > > Password:
> > > AUTHENTICATION COMPLETE ===
> > > cockpit-bridge: no option specified
> > >
> > > and documentation claims that sudo / pkexec should not ask for password
> > > for particular user, but 1. I don't like that idea; 2. I have regular
> > > 1000:1000 user in wheel group for whom everything works just fine - sudo
> > > and pkexec ask for password as expected, and still in cockpit admin
> > > stuff works as expected.
> >
> > Can you add the admin user to the wheel group on the Cockpit machine?
> >
> > But in general I think you're looking for:
> > https://sourceware.org/glibc/wiki/Proposals/GroupMerging
> > first round of patches is ready, although it still needs to go through
> > upstream review (IIRC).
> >
>
> Hello Jakub,
>
> adding specific user to local wheel group works, thank you. But it also
> requires local intervention on the system(s), and on per-user basis.
>
> Only limitation detail I see now with PolicyKit is that user is granted
> full admin rights via pkexec either when custom
> /etc/polkit-1/rules.d/40-freeipa.rules is defined or when glibc group
> merging is merged. If I understand
> https://fedorahosted.org/freeipa/ticket/5350 correctly, this will be
> sort-of addressed based on hostgroups, but it will still give more
> control over the system than sudo would do, won't it?

You'd get all the rights that the wheel group gives you.

IPA #5350 also describes merging of a different group into local
wheel/adm, but that's not implemented yet.
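The identity chooser in the quoted pkexec session ("Multiple identities can be used for authentication") and the question of how much the 40-freeipa.rules file grants are easier to reason about with a small model of polkit's rule evaluation. The block below is an added example, not code from the thread, from FreeIPA or from polkit itself: it reimplements just enough of polkitd's JavaScript rule API (addRule, addAdminRule, polkit.Result, subject.isInGroup) to load the rule quoted above against a constructed group database (every account name in it is invented) and report which accounts an authentication agent would offer. The evaluation order follows the polkit(8) documentation; the real engine is polkitd's own.

```javascript
'use strict';

// Constructed stand-in for the group database SSSD exposes on the Cockpit
// host (what `getent group` would print); all account names are invented.
const GROUPS = {
  admins:   ['martin', 'alice'],
  wheel:    ['bob'],
  ipausers: ['martin', 'alice', 'bob', 'carol'],
};

// The subset of polkitd's JavaScript rule API that rules files use.
function makePolkit() {
  const polkit = {
    Result: {
      NO: 'no', YES: 'yes',
      AUTH_SELF: 'auth_self', AUTH_SELF_KEEP: 'auth_self_keep',
      AUTH_ADMIN: 'auth_admin', AUTH_ADMIN_KEEP: 'auth_admin_keep',
      NOT_HANDLED: null,
    },
    rules: [],
    adminRules: [],
    addRule(fn) { polkit.rules.push(fn); },
    addAdminRule(fn) { polkit.adminRules.push(fn); },
    log() { /* polkitd writes this to the journal; a no-op in the model */ },
  };
  return polkit;
}

// A Subject as rules see it: subject.user plus subject.isInGroup().
function makeSubject(user) {
  return {
    user,
    local: true,
    active: true,
    isInGroup(group) { return (GROUPS[group] || []).includes(user); },
  };
}

// Expand identity strings ("unix-group:wheel", "unix-user:bob") into the
// accounts an authentication agent may offer. Unknown kinds are rejected.
function expandIdentities(identities) {
  const users = new Set();
  for (const ident of identities) {
    const sep = ident.indexOf(':');
    const kind = ident.slice(0, sep);
    const name = ident.slice(sep + 1);
    if (kind === 'unix-user') users.add(name);
    else if (kind === 'unix-group') for (const u of GROUPS[name] || []) users.add(u);
    else throw new Error('unsupported identity: ' + ident);
  }
  return [...users].sort();
}

// Parse the AdminIdentities= line of a pklocalauthority .conf file, so the
// same expansion can be applied to the thread's 40-custom.conf.
function parseAdminIdentities(confText) {
  const m = /^AdminIdentities=(.*)$/m.exec(confText);
  return m ? m[1].split(';').map(s => s.trim()).filter(Boolean) : [];
}

// Evaluate one action for one subject the way polkitd does: addRule
// callbacks run in order until one returns something other than
// NOT_HANDLED; if the outcome is auth_admin or auth_admin_keep, the first
// addAdminRule callback that returns a list supplies the identities the
// agent may let the caller authenticate as.
function checkAuthorization(polkit, actionId, user, implicitResult) {
  const action = { id: actionId, lookup: () => undefined };
  const subject = makeSubject(user);
  let result = implicitResult;
  for (const rule of polkit.rules) {
    const r = rule(action, subject);
    if (r !== polkit.Result.NOT_HANDLED && r !== undefined) { result = r; break; }
  }
  let identities = [];
  if (result === polkit.Result.AUTH_ADMIN || result === polkit.Result.AUTH_ADMIN_KEEP) {
    for (const rule of polkit.adminRules) {
      const ids = rule(action, subject);
      if (ids) { identities = expandIdentities(ids); break; }
    }
  }
  return { result, identities };
}

// The rule quoted in the thread (/etc/polkit-1/rules.d/40-freeipa.rules).
function loadFreeipaRule(polkit) {
  polkit.addAdminRule(function (action, subject) {
    return ['unix-group:admins', 'unix-group:wheel'];
  });
}

// pkexec's action org.freedesktop.policykit.exec defaults to auth_admin,
// so every caller is routed to the identity chooser by this rule.
function pkexecOutcome(user) {
  const polkit = makePolkit();
  loadFreeipaRule(polkit);
  return checkAuthorization(polkit, 'org.freedesktop.policykit.exec',
                            user, polkit.Result.AUTH_ADMIN);
}

for (const u of ['martin', 'bob', 'carol']) {
  const o = pkexecOutcome(u);
  console.log(`${u}: ${o.result}; may authenticate as: ${o.identities.join(', ')}`);
}
```

Run it with node. For an admins member, a wheel member and an unprivileged user alike the outcome is auth_admin with the union of both groups as candidate identities, which is why the agent prints a chooser: naming groups with several members is the cause, not a misconfiguration. Applying expandIdentities to the parsed AdminIdentities= line gives the set of accounts that can elevate through polkit on that host, which is the scope Martin is comparing with sudo; a rule added with addRule that returns polkit.Result.YES short-circuits the admin rules entirely and should therefore be scoped to specific action ids rather than to every action.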
Re: [Freeipa-users] Cockpit with (Free)IPA admin users
On 20.10.2015 23:25, Martin Štefany wrote:
> Hello,
>
> did anybody manage to get FreeIPA admin user (member of admins group,
> full sudo access, etc.) to be also Cockpit user with administrative
> privileges? I've already figured out that it's closely related to
> Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
> was not able to get a working configuration.
>
> Some version / configuration details:
> $ cat /etc/centos-release
> CentOS Linux release 7.1.1503 (Core)
>
> $ rpm -q ipa-client
> ipa-client-4.1.0-18.el7.centos.4.x86_64
>
> $ rpm -q cockpit # from sgallagh's COPR repository
> cockpit-0.80-1.el7.centos.x86_64
>
> $ rpm -q polkit
> polkit-0.112-5.el7.x86_64
>
> $ sudo ls /etc/polkit-1/rules.d/
> 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
>
> $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
> polkit.addAdminRule(function(action, subject) {
>     return ["unix-group:admins", "unix-group:wheel"];
> });
>
> $ sudo ls /etc/polkit-1/localauthority.conf.d/
> 40-custom.conf
>
> $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
> [Configuration]
> AdminIdentities=unix-group:admins;unix-group:wheel
>
> $ ipa user-show martin | grep groups
> Member of groups: trust admins, ipausers, admins, ...
>
> Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
> perform administrative tasks, cannot see journald, etc.
>
> One thing that I thought to cause the issue is that pkexec is asking me
> to select user first, instead of asking/not asking for password:
> $ pkexec cockpit-bridge
> AUTHENTICATING FOR org.freedesktop.policykit.exec ===
> Authentication is needed to run `/usr/bin/cockpit-bridge' as the super user
> Multiple identities can be used for authentication:
>  1.  Martin Štefany (martin)
>  2.  ...
>  3.  ...
> Choose identity to authenticate as (1-3): 1
> Password:
> AUTHENTICATION COMPLETE ===
> cockpit-bridge: no option specified
>
> and documentation claims that sudo / pkexec should not ask for password
> for particular user, but 1. I don't like that idea; 2. I have regular
> 1000:1000 user in wheel group for whom everything works just fine - sudo
> and pkexec ask for password as expected, and still in cockpit admin
> stuff works as expected.

I have seen your answer in the ticket
https://fedorahosted.org/freeipa/ticket/3203#comment:6

Could you create a very short and concise how-to to
http://www.freeipa.org/page/HowTos , please?

Your Fedora login should allow you to create a new wiki page and to
link it to http://www.freeipa.org/page/HowTos .

Thank you for your time!

-- 
Petr^2 Spacek
Re: [Freeipa-users] Cockpit with (Free)IPA admin users
On St, 2015-10-21 at 09:32 +0200, Jakub Hrozek wrote:
> On Tue, Oct 20, 2015 at 11:25:56PM +0200, Martin Štefany wrote:
> > Hello,
> >
> > did anybody manage to get FreeIPA admin user (member of admins group,
> > full sudo access, etc.) to be also Cockpit user with administrative
> > privileges? I've already figured out that it's closely related to
> > Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
> > was not able to get a working configuration.
> >
> > Some version / configuration details:
> > $ cat /etc/centos-release
> > CentOS Linux release 7.1.1503 (Core)
> >
> > $ rpm -q ipa-client
> > ipa-client-4.1.0-18.el7.centos.4.x86_64
> >
> > $ rpm -q cockpit # from sgallagh's COPR repository
> > cockpit-0.80-1.el7.centos.x86_64
> >
> > $ rpm -q polkit
> > polkit-0.112-5.el7.x86_64
> >
> > $ sudo ls /etc/polkit-1/rules.d/
> > 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
> >
> > $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
> > polkit.addAdminRule(function(action, subject) {
> >     return ["unix-group:admins", "unix-group:wheel"];
> > });
> >
> > $ sudo ls /etc/polkit-1/localauthority.conf.d/
> > 40-custom.conf
> >
> > $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
> > [Configuration]
> > AdminIdentities=unix-group:admins;unix-group:wheel
> >
> > $ ipa user-show martin | grep groups
> > Member of groups: trust admins, ipausers, admins, ...
> >
> > Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
> > perform administrative tasks, cannot see journald, etc.
> >
> > One thing that I thought to cause the issue is that pkexec is asking me
> > to select user first, instead of asking/not asking for password:
> > $ pkexec cockpit-bridge
> > AUTHENTICATING FOR org.freedesktop.policykit.exec ===
> > Authentication is needed to run `/usr/bin/cockpit-bridge' as the super user
> > Multiple identities can be used for authentication:
> >  1.  Martin Štefany (martin)
> >  2.  ...
> >  3.  ...
> > Choose identity to authenticate as (1-3): 1
> > Password:
> > AUTHENTICATION COMPLETE ===
> > cockpit-bridge: no option specified
> >
> > and documentation claims that sudo / pkexec should not ask for password
> > for particular user, but 1. I don't like that idea; 2. I have regular
> > 1000:1000 user in wheel group for whom everything works just fine - sudo
> > and pkexec ask for password as expected, and still in cockpit admin
> > stuff works as expected.
>
> Can you add the admin user to the wheel group on the Cockpit machine?
>
> But in general I think you're looking for:
> https://sourceware.org/glibc/wiki/Proposals/GroupMerging
> first round of patches is ready, although it still needs to go through
> upstream review (IIRC).
>

Hello Jakub,

adding specific user to local wheel group works, thank you. But it also
requires local intervention on the system(s), and on per-user basis.

Only limitation detail I see now with PolicyKit is that user is granted
full admin rights via pkexec either when custom
/etc/polkit-1/rules.d/40-freeipa.rules is defined or when glibc group
merging is merged. If I understand
https://fedorahosted.org/freeipa/ticket/5350 correctly, this will be
sort-of addressed based on hostgroups, but it will still give more
control over the system than sudo would do, won't it?

Thank you.

Martin
Re: [Freeipa-users] Cockpit with (Free)IPA admin users
On Ut, 2015-10-27 at 15:48 +0100, Petr Spacek wrote:
> On 20.10.2015 23:25, Martin Štefany wrote:
> > Hello,
> >
> > did anybody manage to get FreeIPA admin user (member of admins group,
> > full sudo access, etc.) to be also Cockpit user with administrative
> > privileges? I've already figured out that it's closely related to
> > Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
> > was not able to get a working configuration.
> >
> > Some version / configuration details:
> > $ cat /etc/centos-release
> > CentOS Linux release 7.1.1503 (Core)
> >
> > $ rpm -q ipa-client
> > ipa-client-4.1.0-18.el7.centos.4.x86_64
> >
> > $ rpm -q cockpit # from sgallagh's COPR repository
> > cockpit-0.80-1.el7.centos.x86_64
> >
> > $ rpm -q polkit
> > polkit-0.112-5.el7.x86_64
> >
> > $ sudo ls /etc/polkit-1/rules.d/
> > 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
> >
> > $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
> > polkit.addAdminRule(function(action, subject) {
> >     return ["unix-group:admins", "unix-group:wheel"];
> > });
> >
> > $ sudo ls /etc/polkit-1/localauthority.conf.d/
> > 40-custom.conf
> >
> > $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
> > [Configuration]
> > AdminIdentities=unix-group:admins;unix-group:wheel
> >
> > $ ipa user-show martin | grep groups
> > Member of groups: trust admins, ipausers, admins, ...
> >
> > Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
> > perform administrative tasks, cannot see journald, etc.
> >
> > One thing that I thought to cause the issue is that pkexec is asking me
> > to select user first, instead of asking/not asking for password:
> > $ pkexec cockpit-bridge
> > AUTHENTICATING FOR org.freedesktop.policykit.exec ===
> > Authentication is needed to run `/usr/bin/cockpit-bridge' as the super user
> > Multiple identities can be used for authentication:
> >  1.  Martin Štefany (martin)
> >  2.  ...
> >  3.  ...
> > Choose identity to authenticate as (1-3): 1
> > Password:
> > AUTHENTICATION COMPLETE ===
> > cockpit-bridge: no option specified
> >
> > and documentation claims that sudo / pkexec should not ask for password
> > for particular user, but 1. I don't like that idea; 2. I have regular
> > 1000:1000 user in wheel group for whom everything works just fine - sudo
> > and pkexec ask for password as expected, and still in cockpit admin
> > stuff works as expected.
>
> I have seen your answer in the ticket
> https://fedorahosted.org/freeipa/ticket/3203#comment:6
>
> Could you create a very short and concise how-to to
> http://www.freeipa.org/page/HowTos , please?
>
> Your Fedora login should allow you to create a new wiki page and to
> link it to http://www.freeipa.org/page/HowTos .
>
> Thank you for your time!
>

Hello Petr,

sure, done =)

http://www.freeipa.org/page/Howto/FreeIPA_PolicyKit

Thank you!

Martin
Re: [Freeipa-users] Cockpit with (Free)IPA admin users
On Tue, Oct 20, 2015 at 11:25:56PM +0200, Martin Štefany wrote:
> Hello,
>
> did anybody manage to get FreeIPA admin user (member of admins group,
> full sudo access, etc.) to be also Cockpit user with administrative
> privileges? I've already figured out that it's closely related to
> Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
> was not able to get a working configuration.
>
> Some version / configuration details:
> $ cat /etc/centos-release
> CentOS Linux release 7.1.1503 (Core)
>
> $ rpm -q ipa-client
> ipa-client-4.1.0-18.el7.centos.4.x86_64
>
> $ rpm -q cockpit # from sgallagh's COPR repository
> cockpit-0.80-1.el7.centos.x86_64
>
> $ rpm -q polkit
> polkit-0.112-5.el7.x86_64
>
> $ sudo ls /etc/polkit-1/rules.d/
> 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
>
> $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
> polkit.addAdminRule(function(action, subject) {
>     return ["unix-group:admins", "unix-group:wheel"];
> });
>
> $ sudo ls /etc/polkit-1/localauthority.conf.d/
> 40-custom.conf
>
> $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
> [Configuration]
> AdminIdentities=unix-group:admins;unix-group:wheel
>
> $ ipa user-show martin | grep groups
> Member of groups: trust admins, ipausers, admins, ...
>
> Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
> perform administrative tasks, cannot see journald, etc.
>
> One thing that I thought to cause the issue is that pkexec is asking me
> to select user first, instead of asking/not asking for password:
> $ pkexec cockpit-bridge
> AUTHENTICATING FOR org.freedesktop.policykit.exec ===
> Authentication is needed to run `/usr/bin/cockpit-bridge' as the super user
> Multiple identities can be used for authentication:
>  1.  Martin Štefany (martin)
>  2.  ...
>  3.  ...
> Choose identity to authenticate as (1-3): 1
> Password:
> AUTHENTICATION COMPLETE ===
> cockpit-bridge: no option specified
>
> and documentation claims that sudo / pkexec should not ask for password
> for particular user, but 1. I don't like that idea; 2. I have regular
> 1000:1000 user in wheel group for whom everything works just fine - sudo
> and pkexec ask for password as expected, and still in cockpit admin
> stuff works as expected.

Can you add the admin user to the wheel group on the Cockpit machine?

But in general I think you're looking for:
https://sourceware.org/glibc/wiki/Proposals/GroupMerging
first round of patches is ready, although it still needs to go through
upstream review (IIRC).