[Freeipa-users] Cockpit with (Free)IPA admin users

Petr Spacek pspacek at redhat.com
Thu Oct 29 08:48:44 UTC 2015


Thank you very much!

Petr^2 Spacek

On 27.10.2015 22:26, Martin Štefany wrote:
> On Ut, 2015-10-27 at 15:48 +0100, Petr Spacek wrote:
>> On 20.10.2015 23:25, Martin Štefany wrote:
>>> Hello,
>>>
>>> did anybody manage to get FreeIPA admin user (member of admins group,
>>> full sudo access, etc.) to be also Cockpit user with administrative
>>> privileges? I've already figured out that it's closely related to
>>> Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
>>> was not able to get a working configuration.
>>>
>>> Some version / configuration details:
>>> $ cat /etc/centos-release
>>> CentOS Linux release 7.1.1503 (Core)
>>>
>>> $ rpm -q ipa-client
>>> ipa-client-4.1.0-18.el7.centos.4.x86_64
>>>
>>> $ rpm -q cockpit   # from sgallagh's COPR repository
>>> cockpit-0.80-1.el7.centos.x86_64
>>>
>>> $ rpm -q polkit
>>> polkit-0.112-5.el7.x86_64
>>>
>>> $ sudo ls /etc/polkit-1/rules.d/
>>> 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
>>>
>>> $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
>>> polkit.addAdminRule(function(action, subject) {
>>>     return ["unix-group:admins", "unix-group:wheel"];
>>> });
>>>
>>> $ sudo ls /etc/polkit-1/localauthority.conf.d/
>>> 40-custom.conf
>>>
>>> $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
>>> [Configuration]
>>> AdminIdentities=unix-group:admins;unix-group:wheel
>>>
>>> $ ipa user-show martin | grep groups
>>>   Member of groups: trust admins, ipausers, admins, ...
>>>
>>> Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
>>> perform administrative tasks, cannot see journald, etc.
>>>
>>> One thing that I thought to cause the issue is that pkexec is asking me
>>> to select a user first, instead of asking/not asking for a password:
>>> $ pkexec cockpit-bridge
>>> ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
>>> Authentication is needed to run `/usr/bin/cockpit-bridge' as the
>>> super
>>> user
>>> Multiple identities can be used for authentication:
>>>  1.  Martin Štefany (martin)
>>>  2.  ...
>>>  3.  ...
>>> Choose identity to authenticate as (1-3): 1
>>> Password: 
>>> ==== AUTHENTICATION COMPLETE ===
>>> cockpit-bridge: no option specified
>>>
>>> and documentation claims that sudo / pkexec should not ask for password
>>> for particular user, but 1. I don't like that idea; 2. I have regular
>>> 1000:1000 user in wheel group for whom everything works just fine - sudo
>>> and pkexec ask for password as expected, and still in cockpit admin
>>> stuff works as expected.
>>
>> I have seen your answer in the ticket
>> https://fedorahosted.org/freeipa/ticket/3203#comment:6
>>
>> Could you create a very short and concise how-to to
>> http://www.freeipa.org/page/HowTos , please?
>>
>> Your Fedora login should allow you to create a new wiki page and to
>> link it to
>> http://www.freeipa.org/page/HowTos .
>>
>> Thank you for your time!
>>
> 
> Hello Petr,
> 
> sure, done =)
> 
> http://www.freeipa.org/page/Howto/FreeIPA_PolicyKit
> 
> Thank you!
> 
> Martin
> 


-- 
Petr Spacek  @  Red Hat
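Added example, not part of this thread and not FreeIPA's or Cockpit's own code: polkit rules files are JavaScript, so the rule from Martin's 40-freeipa.rules can be exercised offline against a small stand-in for the rule engine. The names polkit.addRule, polkit.addAdminRule, polkit.Result, subject.isInGroup and action.id are the documented polkit(8) API; the `polkit` object, `makeSubject`, `checkAuthorization` and `adminIdentities` below are a constructed simplification of how polkit evaluates them. It shows the difference between an admin rule (which only picks the identities offered in the "Choose identity to authenticate as" prompt) and an authorization rule that decides the result for a group, here AUTH_ADMIN_KEEP so IPA admins are still asked for an administrator password, matching the preference stated in the thread.

```javascript
// Constructed stand-in for the polkit JavaScript rule engine (polkit(8)).
// The real engine exposes the same names; the bookkeeping here is a toy.
const polkit = {
  _rules: [],
  _adminRules: [],
  // The real polkit.Result values are these same strings.
  Result: {
    NO: "no",
    YES: "yes",
    AUTH_SELF: "auth_self",
    AUTH_SELF_KEEP: "auth_self_keep",
    AUTH_ADMIN: "auth_admin",
    AUTH_ADMIN_KEEP: "auth_admin_keep",
    NOT_HANDLED: null,
  },
  addRule(fn) { this._rules.push(fn); },
  addAdminRule(fn) { this._adminRules.push(fn); },
  log(msg) { /* the real engine writes to the journal; no-op here */ },
};

// Constructed subject with the fields a rule usually inspects.
function makeSubject(user, groups) {
  return {
    user,
    local: true,
    active: true,
    isInGroup: (g) => groups.includes(g),
  };
}

// ---- what would live in /etc/polkit-1/rules.d/ ----

// Admin rule as posted in the thread: only selects which identities may be
// used when an action requires administrator authentication.
polkit.addAdminRule(function (action, subject) {
  return ["unix-group:admins", "unix-group:wheel"];
});

// Authorization rule (added here): members of the IPA 'admins' group get the
// same treatment as wheel, i.e. they must authenticate with an admin password,
// and the authorization is retained for a short while (the _KEEP variant).
polkit.addRule(function (action, subject) {
  if (subject.isInGroup("admins")) {
    return polkit.Result.AUTH_ADMIN_KEEP;
  }
  // returning undefined (or polkit.Result.NOT_HANDLED) falls through
});

// Evaluation: the first rule that returns a result decides; otherwise the
// action's .policy file defaults apply (reported here as "implicit").
function checkAuthorization(actionId, subject) {
  for (const rule of polkit._rules) {
    const r = rule({ id: actionId }, subject);
    if (r !== undefined && r !== null) return r;
  }
  return "implicit";
}

// Which identities the admin prompt will offer for this action/subject.
function adminIdentities(actionId, subject) {
  for (const rule of polkit._adminRules) {
    const r = rule({ id: actionId }, subject);
    if (r !== undefined && r !== null) return r;
  }
  return ["unix-user:0"]; // polkit's built-in fallback: root only
}

// Stand-alone run with constructed subjects.
const martin = makeSubject("martin", ["ipausers", "admins", "trust admins"]);
const plain = makeSubject("plain", ["users"]);
console.log(checkAuthorization("org.freedesktop.policykit.exec", martin)); // auth_admin_keep
console.log(checkAuthorization("org.freedesktop.policykit.exec", plain));  // implicit
console.log(adminIdentities("org.freedesktop.policykit.exec", martin));
```

Because the admin rule returns whole groups, every member of admins and wheel is listed as a selectable identity, which is why pkexec shows a "Multiple identities" menu on a host where those groups have several members; the authorization rule is what actually changes the outcome for the IPA admin.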