[Freeipa-users] CentOS6.3 + Fedora17 + PackageKit / PolicyKit "problem"

Tue Oct 16 12:28:18 UTC 2012

On Tue, 2012-10-16 at 09:53 +0300, Antti Peltonen wrote:
> Hi all,
> 
> 
> Just playing around with my setup that consists of two FreeIPA domain
> controllers on CentOS6.3 so the version of FreeIPA in use there is
> 2.2.0
> 
> 
> So now after setting up my test laptop with Fedora 17 I proceeded to
> do an client installation and it seems freeipa-client version on F17
> is also 2.2.0 but such things as sudo and sssd are much more recent
> than on CentOS. This caused few grey hairs until I got the sudo
> configuration to work by manipulating sssd.conf.
> 
> 
> Now that my user provisioned in FreeIPA domain can logon to my laptop,
> use sudo etc to install software I noticed a one little issue with
> policykit + packagekit combination. When through X I try to install an
> RPM package or do anything that requires admin rights it keeps asking
> for the root users password and not my sudo enabled FreeIPA users.
> 
> 
> If I have understood correctly packagekit advertises its request for
> admin rights through dbus to policykit which reads its policy files
> for matching description about the request. In this case the file
> seems to
> be: /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy 
> 
> 
> In this policy file there is a lot of stuff which at this point makes
> no sense to me at all except that I guess that the
> lines: <allow_active>auth_admin</allow_active> describe that policykit
> should require user to enter an administrative level users password.
> Now on basic F17 installation where after first boot you create your
> first normal user account and give it an password there is an checkbox
> for "Administrator" or something similar which seems to add this user
> to be created in "wheel" and "adm" posix groups. When policykit
> requires an administrative users password it asks for this local users
> password if it is member of those groups (I guess) and if not it asks
> for the root users password. 
> 
> 
> However when I add my FreeIPA user to the adm and wheel groups (silly
> since my sudo rules in FreeIPA give me already a full sudo rights)
> policykit does not seem to make a sense out of this situation and keep
> asking for the root users password.

Have you logged out and logged back in after you have done these
changes ?

Changes to group membership do not take effect until the user logs out
and logs back in.

> 
> Now after all this bad english and a load of factual errors the actual
> question is: What needs to be configured and how to make FreeIPA
> provisioned user to be "local administrator" in policykits mind? If
> this is at all possible in current stage of development...

It should make no difference where the user comes from, if it does it
would be most likely a policykit bug/limitation/'feature'
> 
> p.s. I use an PackageKit here as an example target for the PolicyKit
> but I guess that anything to do with process rights elevation through
> PolicyKit is affected - not just the PackageKit application.

Understood, have you asked on policykit related mailing lists as well by
chance ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York