<div dir="ltr">Note: sudo rule "testSudo" fails when using user group. But succeeds when using a directly defined user. <br> sudo rule "sudo-1" fails when user defined directly, but hosts are defined with host group. <br><br>The behaviour that I'm observing is: sudo rules are not functioning any time the user or host are not defined directly in the sudo rule. And yes I have set the nisdomainname. <br><br>My <br>Failing config:<br>====================<br>[root@freeipaserver ~]# ipa user-show<br>User login: aaaa<br> User login: aaaa<br> First name: bbbb<br> Last name: bbbb<br> Home directory: /home/aaaa<br> Login shell: /bin/bash<br> Email address: <a href="mailto:aaaa@example.com">aaaa@example.com</a><br> UID: 591700000<br> GID: 591700000<br> Account disabled: False<br> Password: True<br> Member of groups: ipausers, ug1-sudo<br> Indirect Member of Sudo rule: sudo-1, testSudo<br> Indirect Member of HBAC rule: hbac1<br> Kerberos keys available: True<br><br>[root@freeipaserver ~]# ipa sudorule-show<br>Rule name: sudo-1<br> Rule name: sudo-1<br> Description: Sudo privilege policy for HG1<br> Enabled: TRUE<br> Command category: all<br> RunAs User category: all<br> RunAs Group category: all<br> User Groups: ug1-sudo<br> Host Groups: hg1<br><br>[root@freeipaserver ~]# ipa sudorule-show<br>Rule name: testSudo<br> Rule name: testSudo<br> Enabled: TRUE<br> Command category: all<br> RunAs User category: all<br> RunAs Group category: all<br> User Groups: ug1-sudo<br> Hosts: <a href="http://ipaclient.city.state.example.com">ipaclient.city.state.example.com</a><br><br>[root@freeipaserver ~]# ipa hostgroup-show<br>Host-group: hg1<br> Host-group: hg1<br> Description: Host group 1 - Contains non hardened hosts<br> Member hosts: <a href="http://ipaclient.city.state.example.com">ipaclient.city.state.example.com</a><br> Member of Sudo rule: sudo-1<br> Member of HBAC rule: hbac1<br><br> <br>Working Config:<br>===================<br><br>[root@freeipaserver~]# ipa user-show<br>User login: aaaa<br> User login: aaaa<br> First name: bbbb<br> Last name: bbbb<br> Home directory: /home/aaaa<br> Login shell: /bin/bash<br> Email address: <a href="mailto:aaaa@charter.com">aaaa@charter.com</a><br> UID: 591700000<br> GID: 591700000<br> Account disabled: False<br> Password: True<br> Member of groups: ipausers, ug1-sudo<br> Member of Sudo rule: testSudo<br> Indirect Member of Sudo rule: sudo-1<br> Indirect Member of HBAC rule: hbac1<br> Kerberos keys available: True<br> <br>[root@freeipaserver ~]# ipa sudorule-show<br>Rule name: testSudo<br> Rule name: testSudo<br> Enabled: TRUE<br> Command category: all<br> RunAs User category: all<br> RunAs Group category: all<br> Users: aaaa<br> Hosts: <a href="http://ipaclient.city.state.example.com">ipaclient.city.state.example.com</a><br> <br><br><pre><br><br><br>On Wed, Jan 27, 2016 at 09:36:13AM -0700, sysadmin ofdoom wrote:
> I am trying to implement FreeIPA in a larger environment. Due to the
> complexity of the environment I've been constructing a user group structure
> such that i have groups at the following levels:
>
> project --> project_at_site --> project_site_vendor
I'm not sure the order of the hierarchy is correct, can you show an
example with ipa group-show?
>
> HBAC rules are defined at the lowest level (vendor at site) and associated
> with a host group at the same level.
>
> Each of the above user group levels will have a corresponding sudo group.
> (Used to provide a vendor access to servers the vendor supports at a
> specific site at a moments notice)
>
> HBAC rules are propagating up the chain correctly.
>
> When a user is added to a top level group (e.g. project or project-sudo)
> the indirect membership shows up for both Sudo and HBAC rules.
>
> The problem is that I can't get the sudo privileges to work when the user
> shows indirect membership for the sudo rule. If i make the user a direct
> member of the sudo rule, i can use sudo.
>
> As I've looked at debug logs, i was able to see that the query used when i
> was identical when i was successful at using sudo and when i i got denied.
> The difference is the failure would have a message like
> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [
> user example com] The successes returned 2 rules.
>
> The only change made between the success and failure was making the user a
> direct member of the sudo rule where the failure was an indirect member.
>
> Thanks for any help!
sudo uses the list of groups as returned by initgroups()/getgrouplist(),
so if the user is a member of that group (as reported by id $user), then
the sudo rule should match.</pre></div>