[Freeipa-users] freeipa / sudo

Chris Card ctcard at hotmail.com
Wed Dec 10 11:57:26 UTC 2014


Hi,
I've installed freeipa 4.1.1 on Fedora 21, and successfully set up a freeipa server and a freeipa client machine.
I've set up a user with ssh keys, and can successfully ssh onto the client machine.
I'm trying to set up sudo rules so that if the user is in a given user group, then the user can run "sudo su -" on the client to become root.

Here is my setup:

[root@fedora21-freeipa log]# ipa user-show ccard
  User login: ccard
  First name: Chris
  Last name: Card
  Home directory: /home/ccard
  Login shell: /bin/sh
  Email address: ccard@testdomain21.com
  UID: 1581000001
  GID: 1581000001
  Account disabled: False
  Password: True
  Member of groups: ipausers, cog_rw
  Indirect Member of Sudo rule: All
  Kerberos keys available: True
  SSH public key fingerprint: 98:3D:15:93:A2:F7:79:A8:D6:F6:8B:5B:21:3F:E6:78 ccard (ssh-rsa)
[root@fedora21-freeipa log]# ipa group-show cog_rw
  Group name: cog_rw
  GID: 1581000003
  Member users: ccard
  Member of Sudo rule: All
[root@fedora21-freeipa log]# ipa sudorule-show All
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: cog_rw
  Sudo Option: !authenticate

I've found that this setup works eventually, but I have to wait for several minutes after changing the settings (through the freeipa gui), before it works.
I've found that changing entry_cache_sudo_timeout and stopping/starting sssd on the client machine helps, and that sss_cache doesn't support invalidating the sudo rules, which is annoying.

I've also tried making the sudo rule more restrictive by adding a host group e.g.

[root@fedora21-freeipa log]# ipa hostgroup-show
Host-group: cog
  Host-group: cog
  Member hosts: ipaclient21.testdomain21.com
  Member of Sudo rule: All
[root@fedora21-freeipa log]# ipa sudorule-show All
  Rule name: All
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: cog_rw
  Host Groups: cog
  Sudo Option: !authenticate

but this setup doesn't work, i.e. even though the user is in the user group and the client machine is in the host group, sudo su - fails. Is this a bug, or have I missed something?

Chris
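The delay described above is governed by client-side SSSD settings rather than by the IPA server: a rule already in the client's cache lives until entry_cache_sudo_timeout (which defaults to entry_cache_timeout, 5400 s) expires, and a newly added or modified rule is only noticed on the next smart refresh (ldap_sudo_smart_refresh_interval, default 900 s). The following added example is not part of the original post or of FreeIPA/SSSD; it is a small POSIX sh diagnostic that reads an sssd.conf and nsswitch.conf copy and reports those effective values, so a defender can predict how long a rule change stays invisible on a client. The defaults quoted in the comments are the documented sssd.conf(5)/sssd-ldap(5) ones; the sample configuration it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or from SSSD): report the client
# settings that decide when a changed IPA sudo rule becomes visible to sudo.

# Read one key from one [section] of an ini-style sssd.conf.
# $1 = config file, $2 = section name without brackets, $3 = key
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { line = $0; gsub(/[[:space:]]/, "", line)
                            insec = (line == want); next }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            print; exit
        }' "$1"
}

# Lifetime of an already cached sudo rule, in seconds:
# entry_cache_sudo_timeout, else entry_cache_timeout, else the documented
# sssd.conf(5) default of 5400.  $1 = sssd.conf, $2 = IPA domain name
sudo_cache_timeout() {
    v=$(ini_get "$1" "domain/$2" entry_cache_sudo_timeout)
    [ -n "$v" ] || v=$(ini_get "$1" "domain/$2" entry_cache_timeout)
    [ -n "$v" ] || v=5400
    echo "$v"
}

# Interval at which sssd polls for new or modified rules (smart refresh);
# documented default is 900 s.  A rule added on the server can stay unknown
# to the client for up to this long even when the cache is otherwise fresh.
sudo_smart_refresh() {
    v=$(ini_get "$1" "domain/$2" ldap_sudo_smart_refresh_interval)
    [ -n "$v" ] || v=900
    echo "$v"
}

# Is sudo wired to sssd at all?  Requires "sudo" in the [sssd] services list
# and "sss" on the sudoers: line of nsswitch.conf.  $1 = sssd.conf, $2 = nsswitch.conf
sudo_via_sss() {
    services=$(ini_get "$1" sssd services)
    case ",$(echo "$services" | tr -d ' ')," in
        *,sudo,*) ;;
        *) return 1 ;;
    esac
    awk '$1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
         END { exit !found }' "$2"
}

# Human-readable summary for one client.
sudo_report() {
    conf=$1; nss=$2; domain=$3
    if sudo_via_sss "$conf" "$nss"; then
        echo "sudo resolves rules through sssd for domain $domain"
    else
        echo "sudo is NOT wired to sssd (check [sssd] services and the nsswitch sudoers line)"
    fi
    echo "cached rules expire after:  $(sudo_cache_timeout "$conf" "$domain") s"
    echo "new rules picked up within: $(sudo_smart_refresh "$conf" "$domain") s (smart refresh)"
}

# Constructed sample files for the demo; a real client would use
# /etc/sssd/sssd.conf and /etc/nsswitch.conf instead.  $1 = directory
write_sample_conf() {
    cat > "$1/sssd.conf" <<'EOF'
[sssd]
services = nss, pam, ssh, sudo
domains = testdomain21.com

[domain/testdomain21.com]
id_provider = ipa
sudo_provider = ipa
entry_cache_sudo_timeout = 300
EOF
    printf 'passwd:  files sss\nsudoers: files sss\n' > "$1/nsswitch.conf"
}

tmp=$(mktemp -d)
write_sample_conf "$tmp"
sudo_report "$tmp/sssd.conf" "$tmp/nsswitch.conf" testdomain21.com
rm -rf "$tmp"
```

On a real client, run the report as root against /etc/sssd/sssd.conf and /etc/nsswitch.conf, then compare with `sudo -l`, which shows the rules sudo currently resolves for the calling user; if the numbers are large, lowering entry_cache_sudo_timeout only shortens how long a stale rule survives, while the smart refresh interval bounds how long a brand-new rule stays invisible.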
