[Freeipa-users] freeipa / sudo

Martin Kosek mkosek at redhat.com
Wed Dec 10 12:01:49 UTC 2014


On 12/10/2014 12:57 PM, Chris Card wrote:
> Hi,
> I've installed freeipa 4.1.1 on Fedora 21, and successfully set up a freeipa server and a freeipa client machine.
> I've set up a user with ssh keys, and can successfully ssh onto the client machine.
> I'm trying to set up sudo rules so that if the user is in a given user group, then the user can run "sudo su -" on the client to become root.
> 
> Here is my setup:
> 
> [root at fedora21-freeipa log]# ipa user-show ccard
>   User login: ccard
>   First name: Chris
>   Last name: Card
>   Home directory: /home/ccard
>   Login shell: /bin/sh
>   Email address: ccard at testdomain21.com
>   UID: 1581000001
>   GID: 1581000001
>   Account disabled: False
>   Password: True
>   Member of groups: ipausers, cog_rw
>   Indirect Member of Sudo rule: All
>   Kerberos keys available: True
>   SSH public key fingerprint: 98:3D:15:93:A2:F7:79:A8:D6:F6:8B:5B:21:3F:E6:78 ccard (ssh-rsa)
> [root at fedora21-freeipa log]# ipa group-show cog_rw
>   Group name: cog_rw
>   GID: 1581000003
>   Member users: ccard
>   Member of Sudo rule: All
> [root at fedora21-freeipa log]# ipa sudorule-show All
>   Rule name: All
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   RunAs User category: all
>   RunAs Group category: all
>   User Groups: cog_rw
>   Sudo Option: !authenticate
> 
> I've found that this setup works eventually, but I have to wait for several minutes after changing the settings (through the freeipa gui), before it works. 
> I've found that changing entry_cache_sudo_timeout and stopping/starting sssd on the client machine helps, and that sss_cache doesn't support invalidating the sudo rules, which is annoying.
> 
> I've also tried making the sudo rule more restrictive by adding a host group e.g.
> 
> [root at fedora21-freeipa log]# ipa hostgroup-show
> Host-group: cog
>   Host-group: cog
>   Member hosts: ipaclient21.testdomain21.com
>   Member of Sudo rule: All
> [root at fedora21-freeipa log]# ipa sudorule-show All
>   Rule name: All
>   Enabled: TRUE
>   Command category: all
>   RunAs User category: all
>   RunAs Group category: all
>   User Groups: cog_rw
>   Host Groups: cog
>   Sudo Option: !authenticate
> 
> but this setup doesn't work, i.e. even though the user is in the user group and the client machine is in the host group, sudo su - fails. Is this a bug, or have I missed something?
> 
> Chris
> 

With FreeIPA 4.1.1, client sudo integration should be automatically configured,
so it should just work, including hostgroups. In your case, I would start with
investigating

http://www.freeipa.org/page/Troubleshooting#sudo_does_not_work_for_hostgroups

If that does not help, I bet SSSD devs will ask for logs.

Martin



