On Tue, 2012-10-16 at 09:53 +0300, Antti Peltonen wrote:
> Hi all,
>
> Just playing around with my setup that consists of two FreeIPA domain
> controllers on CentOS6.3 so the version of FreeIPA in use there is
> 2.2.0
>
> So now after setting up my test laptop with Fedora 17 I proceeded to
> do a client installation and it seems freeipa-client version on F17
> is also 2.2.0 but such things as sudo and sssd are much more recent
> than on CentOS. This caused a few grey hairs until I got the sudo
> configuration to work by manipulating sssd.conf.
>
> Now that my user provisioned in FreeIPA domain can log on to my laptop,
> use sudo etc to install software I noticed one little issue with
> policykit + packagekit combination. When through X I try to install an
> RPM package or do anything that requires admin rights it keeps asking
> for the root user's password and not my sudo enabled FreeIPA user's.
>
> If I have understood correctly packagekit advertises its request for
> admin rights through dbus to policykit which reads its policy files
> for matching description about the request. In this case the file
> seems to
> be: /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
>
> In this policy file there is a lot of stuff which at this point makes
> no sense to me at all except that I guess that the
> lines: <allow_active>auth_admin</allow_active> describe that policykit
> should require user to enter an administrative level user's password.
> Now on basic F17 installation where after first boot you create your
> first normal user account and give it a password there is a checkbox
> for "Administrator" or something similar which seems to add this user
> to be created in "wheel" and "adm" posix groups. When policykit
> requires an administrative user's password it asks for this local user's
> password if it is member of those groups (I guess) and if not it asks
> for the root user's password.
>
> However when I add my FreeIPA user to the adm and wheel groups (silly
> since my sudo rules in FreeIPA give me already a full sudo rights)
> policykit does not seem to make sense out of this situation and keeps
> asking for the root user's password.

Have you logged out and logged back in after you have done these
changes? Changes to group membership do not take effect until the user
logs out and logs back in.

> Now after all this bad English and a load of factual errors the actual
> question is: What needs to be configured and how to make FreeIPA
> provisioned user to be "local administrator" in policykit's mind? If
> this is at all possible in current stage of development...

It should make no difference where the user comes from; if it does, it
would most likely be a policykit bug/limitation/'feature'.

> p.s. I use PackageKit here as an example target for the PolicyKit
> but I guess that anything to do with process rights elevation through
> PolicyKit is affected - not just the PackageKit application.

Understood, have you asked on policykit related mailing lists as well by
chance?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
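
The policy file discussed above can be inspected programmatically to see which actions default to an administrator prompt. This is an added example, not part of the original thread or of polkit or PackageKit: the sample document is constructed, the second action id is hypothetical, and a missing element is reported as `None` rather than interpreted.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the polkit .policy layout (not copied from a real system).
# The second action id is hypothetical.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.freedesktop.packagekit.package-install">
    <description>Install signed package</description>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
  <action id="org.example.hypothetical.refresh">
    <description>Constructed action with no prompt for active sessions</description>
    <defaults>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

KEYS = ("allow_any", "allow_inactive", "allow_active")
ADMIN_RESULTS = {"auth_admin", "auth_admin_keep"}

def action_defaults(policy_xml):
    """Return {action id: {key: value or None}} from a .policy document."""
    result = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        entry = {}
        for key in KEYS:
            node = defaults.find(key) if defaults is not None else None
            text = node.text.strip() if node is not None and node.text else None
            entry[key] = text
        result[action.get("id")] = entry
    return result

def admin_prompt_actions(policy_xml):
    """Action ids whose default for an active local session is an admin prompt."""
    return sorted(aid for aid, d in action_defaults(policy_xml).items()
                  if d["allow_active"] in ADMIN_RESULTS)

if __name__ == "__main__":
    for aid, d in action_defaults(SAMPLE_POLICY).items():
        print(aid, d)
    print("admin prompt when active:", admin_prompt_actions(SAMPLE_POLICY))
```

To check a real system, pass the text of the policy file named in the thread to `admin_prompt_actions` instead of the constructed sample.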