[Freeipa-users] Cockpit with (Free)IPA admin users

Martin Štefany martin at stefany.eu
Tue Oct 27 21:26:09 UTC 2015


On Ut, 2015-10-27 at 15:48 +0100, Petr Spacek wrote:
> On 20.10.2015 23:25, Martin Štefany wrote:
> > Hello,
> > 
> > did anybody manage to get a FreeIPA admin user (member of admins group,
> > full sudo access, etc.) to be also a Cockpit user with administrative
> > privileges? I've already figured out that it's closely related to
> > Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
> > was not able to get a working configuration.
> > 
> > Some version / configuration details:
> > $ cat /etc/centos-release
> > CentOS Linux release 7.1.1503 (Core)
> > 
> > $ rpm -q ipa-client
> > ipa-client-4.1.0-18.el7.centos.4.x86_64
> > 
> > $ rpm -q cockpit   # from sgallagh's COPR repository
> > cockpit-0.80-1.el7.centos.x86_64
> > 
> > $ rpm -q polkit
> > polkit-0.112-5.el7.x86_64
> > 
> > $ sudo ls /etc/polkit-1/rules.d/
> > 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
> > 
> > $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
> > polkit.addAdminRule(function(action, subject) {
> >     return ["unix-group:admins", "unix-group:wheel"];
> > });
> > 
> > $ sudo ls /etc/polkit-1/localauthority.conf.d/
> > 40-custom.conf
> > 
> > $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
> > [Configuration]
> > AdminIdentities=unix-group:admins;unix-group:wheel
> > 
> > $ ipa user-show martin | grep groups
> >   Member of groups: trust admins, ipausers, admins, ...
> > 
> > Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
> > perform administrative tasks, cannot see journald, etc.
> > 
> > One thing that I thought to cause the issue is that pkexec is asking me
> > to select a user first, instead of asking/not asking for a password:
> > $ pkexec cockpit-bridge
> > ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
> > Authentication is needed to run `/usr/bin/cockpit-bridge' as the super
> > user
> > Multiple identities can be used for authentication:
> >  1.  Martin Štefany (martin)
> >  2.  ...
> >  3.  ...
> > Choose identity to authenticate as (1-3): 1
> > Password: 
> > ==== AUTHENTICATION COMPLETE ===
> > cockpit-bridge: no option specified
> > 
> > and the documentation claims that sudo / pkexec should not ask for a
> > password for a particular user, but 1. I don't like that idea; 2. I have
> > a regular 1000:1000 user in the wheel group for whom everything works
> > just fine - sudo and pkexec ask for a password as expected, and still
> > in Cockpit the admin stuff works as expected.
> 
> I have seen your answer in the ticket
> https://fedorahosted.org/freeipa/ticket/3203#comment:6
> 
> Could you create a very short and concise how-to to
> http://www.freeipa.org/page/HowTos , please?
> 
> Your Fedora login should allow you to create a new wiki page and to
> link it to http://www.freeipa.org/page/HowTos .
> 
> Thank you for your time!
> 

Hello Petr,

sure, done =)

http://www.freeipa.org/page/Howto/FreeIPA_PolicyKit

Thank you!

Martin
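The thread above shows the symptom (pkexec offering a list of identities because the admin rule returns whole groups) but not the fix; the fix lives on the linked wiki page. What follows is an added example written for this page, not code from the thread or from the FreeIPA wiki howto: an alternative 40-freeipa.rules for /etc/polkit-1/rules.d/ that returns a single "unix-user:<name>" identity for members of the IPA admins group (or local wheel), so the polkit agent has exactly one identity to offer and simply asks for that user's own password, the same behaviour the poster already saw for the local wheel user. The rule body uses only the real polkit rules API (polkit.addAdminRule, subject.isInGroup, subject.user). The small polkit stub, makeSubject and adminIdentitiesFor are constructed stand-ins so the file can also be run under node for offline checking; under polkitd the stub branch is skipped and the helpers are simply never called.

```javascript
// Alternative 40-freeipa.rules: members of IPA "admins" (or local "wheel")
// authenticate as themselves.  Added example, not the wiki's or the
// thread's code.

// Constructed stand-in for polkitd's global "polkit" object; only taken
// when this file runs outside polkitd (e.g. `node 40-freeipa.rules`).
if (typeof polkit === "undefined") {
  var polkit = {
    _adminRules: [],
    addAdminRule: function (fn) { this._adminRules.push(fn); },
  };
}

// The rule itself.  A group identity such as "unix-group:admins" is expanded
// by polkit to every member of the group, which is what produces the
// "Multiple identities can be used" / "Choose identity" prompt once the
// group is larger than one user.  Returning just "unix-user:<caller>" gives
// the agent a single identity, so it asks for that user's password (the IPA
// password, via SSSD).  Returning undefined for everyone else lets polkitd
// fall through to later files such as 50-default.rules.
polkit.addAdminRule(function (action, subject) {
  if (subject.isInGroup("admins") || subject.isInGroup("wheel")) {
    return ["unix-user:" + subject.user];
  }
  // undefined: not handled here, try the next admin rule
});

// ---- Constructed helpers for offline evaluation (unused by polkitd) ----

// Build a subject shaped like polkitd's from a user name and the groups NSS
// reports for it (what `id -Gn <user>` prints on an IPA-enrolled host).
function makeSubject(user, groups) {
  return {
    user: user,
    isInGroup: function (g) { return groups.indexOf(g) !== -1; },
  };
}

// Evaluate the registered admin rules the way polkitd does: the first rule
// that returns a value wins; null if no rule claims the subject.
function adminIdentitiesFor(subject, actionId) {
  var action = { id: actionId || "org.freedesktop.policykit.exec" };
  for (var i = 0; i < polkit._adminRules.length; i++) {
    var r = polkit._adminRules[i](action, subject);
    if (r !== undefined && r !== null) {
      return r;
    }
  }
  return null;
}
```

Before dropping this in, confirm that `id <ipa-user>` on the client actually lists admins, since subject.isInGroup goes through NSS and an IPA group that SSSD does not return cannot match. Keep the 40- prefix: polkitd takes the first admin rule that returns identities, so the file has to sort before 49-polkit-pkla-compat.rules and 50-default.rules, and the localauthority.conf.d AdminIdentities entry from the thread becomes redundant once this rule handles admins. After saving, `pkexec cockpit-bridge` should go straight to "Password:" for an admins member without the numbered identity list; non-members are unaffected because the rule returns nothing for them.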