#3203 Document PolicyKit sudo configuration
Opened 11 years ago by rcritten. Modified 4 years ago

Started as a request for how to configure this, and how to make a FreeIPA-provisioned user a "local administrator" in PolicyKit's mind.

https://www.redhat.com/archives/freeipa-users/2012-October/msg00101.html

The user discovered that the solution is to create a new policy conf file and add an IPA group containing sudo users to the list of AdminIdentities.


Convert to wiki article on freeIPA.org.

So I just re-discovered this issue. To try and implement it I'd created a wheel group in FreeIPA, with the same gid the 'wheel' group usually gets on Fedora (10). We found this doesn't work with PolicyKit for $REASONS (which PK will deal with), but Simo says it's a bad idea anyway. He suggested that FreeIPA should grow support for dropping a PolicyKit config file onto clients which adds members of some FreeIPA-controlled group into PolicyKit's 'AdminIdentities'. (If you wanted to unify sudo and PK admins you could then just set up a sudo rule allowing unlimited sudo access on all hosts to members of that group.)

This is still an open issue for me. I have set up everything necessary for FreeIPA users to be able to log in, use sudo, etc., both on headless systems and on Fedora with GNOME Shell. But Fedora/PolicyKit doesn't recognize a FreeIPA user as a system administrator, no matter the group or sudo configuration.

In All Settings -> Users, the FreeIPA user is shown as 'Standard', while the local admin user is shown as Administrator, being in the wheel group (but not adm). Without the latest variation on the 'work-around', the FreeIPA user won't even be asked for their sudo password when trying to perform a privileged action; the password of the local administrator will be asked for instead. If no such user is present, I think it will ask for the root password.

For the mentioned work-around, the following file needs to be created:

  $ cat /etc/polkit-1/rules.d/40-freeipa.rules
  polkit.addAdminRule(function(action, subject) {
      return ["unix-group:admins", "unix-group:wheel"];
  });

Using the above, graphical sudo prompts start working, but the user is still shown as 'Standard'.
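To make the behaviour of the work-around easier to reason about, here is an added example (not code from the ticket or from the FreeIPA/polkit projects) that simulates how polkitd consults polkit.addAdminRule() callbacks: rules are tried in order and the first one that returns a non-null array of identities decides who may authenticate for an admin action. The `polkit` object, the `Subject` class, the action id and the group memberships are constructed stand-ins for this illustration, not polkit's real engine; the rule body itself is the one from the 40-freeipa.rules file above. The `canSelfAuthenticate` helper shows why the rule makes the graphical prompt accept the FreeIPA user's own password for members of the IPA "admins" group (as resolved through SSSD/NSS) while other IPA users still get redirected to a local administrator.

```javascript
// Constructed stand-in for polkitd's JS rule API (assumption: mirrors the
// documented semantics of polkit.addAdminRule, not polkit's real code).
const polkit = {
  _adminRules: [],
  // Callbacks are consulted in registration order (polkitd registers rule
  // files sorted by filename, hence the "40-" prefix in the ticket).
  addAdminRule(fn) {
    this._adminRules.push(fn);
  },
  // First callback returning a non-null array of identities wins.
  adminIdentitiesFor(action, subject) {
    for (const rule of this._adminRules) {
      const result = rule(action, subject);
      if (result !== null && result !== undefined) {
        return result;
      }
    }
    return null; // polkitd would fall back to its built-in default
  },
};

// Constructed Subject: real polkit subjects expose isInGroup(), user, etc.
class Subject {
  constructor(user, groups) {
    this.user = user;
    this.groups = groups;
  }
  isInGroup(group) {
    return this.groups.includes(group);
  }
}

// Rule 1: the body of /etc/polkit-1/rules.d/40-freeipa.rules from the ticket.
// "admins" is the FreeIPA group (visible to polkit via NSS/SSSD), "wheel" the
// local administrators' group.
polkit.addAdminRule(function (action, subject) {
  return ["unix-group:admins", "unix-group:wheel"];
});

// Rule 2 (hypothetical, for illustration): never reached, because rule 1
// already returned an identity list. Ordering of rule files matters.
polkit.addAdminRule(function (action, subject) {
  return ["unix-user:root"];
});

// Which identities polkitd would offer in the authentication prompt.
function adminIdentities(actionId, subject) {
  return polkit.adminIdentitiesFor({ id: actionId }, subject);
}

// Can this subject satisfy the admin prompt with their own password?
// A "unix-user:" identity matches by name, "unix-group:" by membership.
function canSelfAuthenticate(actionId, subject) {
  const identities = adminIdentities(actionId, subject) || [];
  return identities.some((identity) => {
    const [kind, name] = identity.split(":");
    if (kind === "unix-user") return subject.user === name;
    if (kind === "unix-group") return subject.isInGroup(name);
    return false;
  });
}

// Constructed sample subjects and a placeholder action id.
const ACTION_ID = "org.example.placeholder-action";
const ipaAdmin = new Subject("alice", ["alice", "admins", "ipausers"]);
const ipaUser = new Subject("bob", ["bob", "ipausers"]);

console.log(adminIdentities(ACTION_ID, ipaAdmin)); // ["unix-group:admins","unix-group:wheel"]
console.log(canSelfAuthenticate(ACTION_ID, ipaAdmin)); // true
console.log(canSelfAuthenticate(ACTION_ID, ipaUser)); // false
```

Two practical checks follow from the simulation: the rules file must sort before any later file that also returns admin identities (a file named, say, 50-default.rules would be shadowed by 40-freeipa.rules, not the other way round), and the rule only changes who polkit accepts as an administrator; it does not change what GNOME's Users panel reports, which is why the user still appears as 'Standard'.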

Thanks for your note. This request is related to #5350. As far as I know, it should be solved by the planned NSS extension to merge FreeIPA groups (like "admins") to host's wheel group. More details are in #5350, for now, I will move this ticket to NEEDS TRIAGE as the NSS extension should happen rather sooner.

Stephen already has the required libc patches.

Community contribution to FreeIPA wiki page is welcome.

Metadata Update from @rcritten:
- Issue assigned to dpal
- Issue set to the milestone: Future Releases

7 years ago

Metadata Update from @rcritten:
- Issue close_status updated to: None
- Issue tagged with: documentation

4 years ago
