[Freeipa-users] Cockpit with (Free)IPA admin users

Martin Štefany martin at stefany.eu
Tue Oct 20 21:25:56 UTC 2015


Hello,

did anybody manage to get a FreeIPA admin user (member of the admins group,
full sudo access, etc.) to also be a Cockpit user with administrative
privileges? I've already figured out that it's closely related to
Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
was not able to get a working configuration.

Some version / configuration details:
$ cat /etc/centos-release
CentOS Linux release 7.1.1503 (Core)

$ rpm -q ipa-client
ipa-client-4.1.0-18.el7.centos.4.x86_64

$ rpm -q cockpit   # from sgallagh's COPR repository
cockpit-0.80-1.el7.centos.x86_64

$ rpm -q polkit
polkit-0.112-5.el7.x86_64

$ sudo ls /etc/polkit-1/rules.d/
40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules

$ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
polkit.addAdminRule(function(action, subject) {
    return ["unix-group:admins", "unix-group:wheel"];
});

$ sudo ls /etc/polkit-1/localauthority.conf.d/
40-custom.conf

$ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
[Configuration]
AdminIdentities=unix-group:admins;unix-group:wheel

$ ipa user-show martin | grep groups
  Member of groups: trust admins, ipausers, admins, ...

Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
perform administrative tasks, cannot see journald, etc.

One thing that I thought might cause the issue is that pkexec is asking me
to select a user first, instead of asking/not asking for a password:
$ pkexec cockpit-bridge
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/usr/bin/cockpit-bridge' as the super
user
Multiple identities can be used for authentication:
 1.  Martin Štefany (martin)
 2.  ...
 3.  ...
Choose identity to authenticate as (1-3): 1
Password: 
==== AUTHENTICATION COMPLETE ===
cockpit-bridge: no option specified

and the documentation claims that sudo / pkexec should not ask for a password
for a particular user, but 1. I don't like that idea; 2. I have a regular
1000:1000 user in the wheel group for whom everything works just fine - sudo
and pkexec ask for a password as expected, and still the admin
stuff in Cockpit works as expected.

Thank you!

Regards,
Martin
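An added illustration (not polkit's or the poster's code) of why pkexec offers several identities here: polkitd expands each `unix-group:` identity returned by an admin rule into its member users before the agent prompts, so the list is the union of admins and wheel. The group membership and the fallback identity are constructed assumptions for this model.

```javascript
// Stand-in for polkitd's admin-rule evaluation, built for this example.
// Real polkitd resolves group members through NSS (SSSD for IPA groups);
// here the membership is constructed sample data.
const SAMPLE_GROUPS = {
  admins: ["martin"],            // IPA group, would come via SSSD
  wheel:  ["martin", "localadm"] // local /etc/group, the 1000:1000 user
};

// Minimal model of the polkit rules API, covering only addAdminRule.
function makePolkit() {
  const adminRules = [];
  return {
    addAdminRule(fn) { adminRules.push(fn); },
    // Admin rules run in order; the first non-null result wins.
    adminIdentities(action, subject) {
      for (const rule of adminRules) {
        const r = rule(action, subject);
        if (r !== undefined && r !== null) return r;
      }
      return ["unix-user:root"]; // fallback assumed for this model only
    }
  };
}

// Expand unix-group:NAME into its member users (deduplicated, in order).
// This is the identity list the authentication agent then presents.
function expandAdminIdentities(identities, groups = SAMPLE_GROUPS) {
  const users = [];
  for (const id of identities) {
    const [kind, name] = id.split(":");
    const members = kind === "unix-group" ? (groups[name] || []) : [name];
    for (const m of members) {
      if (!users.includes(m)) users.push(m);
    }
  }
  return users;
}

// The rule from 40-freeipa.rules, loaded into the model and evaluated
// for the pkexec action seen in the post.
function identitiesOfferedByPkexec() {
  const polkit = makePolkit();
  polkit.addAdminRule(function (action, subject) {
    return ["unix-group:admins", "unix-group:wheel"];
  });
  const ids = polkit.adminIdentities(
    { id: "org.freedesktop.policykit.exec" }, { user: "martin" });
  return expandAdminIdentities(ids);
}
```

With more than one member across the two groups, the agent has to ask which identity to authenticate as, which is the "Choose identity" prompt shown above.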