[Freeipa-users] freeipa / sudo
Martin Kosek
mkosek at redhat.com
Wed Dec 10 12:01:49 UTC 2014
On 12/10/2014 12:57 PM, Chris Card wrote:
> Hi,
> I've installed freeipa 4.1.1 on Fedora 21, and successfully set up a freeipa server and a freeipa client machine.
> I've set up a user with ssh keys, and can successfully ssh onto the client machine.
> I'm trying to set up sudo rules so that if the user is in a given user group, then the user can run "sudo su -" on the client to become root.
>
> Here is my setup:
>
> [root at fedora21-freeipa log]# ipa user-show ccard
> User login: ccard
> First name: Chris
> Last name: Card
> Home directory: /home/ccard
> Login shell: /bin/sh
> Email address: ccard at testdomain21.com
> UID: 1581000001
> GID: 1581000001
> Account disabled: False
> Password: True
> Member of groups: ipausers, cog_rw
> Indirect Member of Sudo rule: All
> Kerberos keys available: True
> SSH public key fingerprint: 98:3D:15:93:A2:F7:79:A8:D6:F6:8B:5B:21:3F:E6:78 ccard (ssh-rsa)
> [root at fedora21-freeipa log]# ipa group-show cog_rw
> Group name: cog_rw
> GID: 1581000003
> Member users: ccard
> Member of Sudo rule: All
> [root at fedora21-freeipa log]# ipa sudorule-show All
> Rule name: All
> Enabled: TRUE
> Host category: all
> Command category: all
> RunAs User category: all
> RunAs Group category: all
> User Groups: cog_rw
> Sudo Option: !authenticate
>
> I've found that this setup works eventually, but I have to wait for several minutes after changing the settings (through the freeipa gui), before it works.
> I've found that changing entry_cache_sudo_timeout and stopping/starting sssd on the client machine helps, and that sss_cache doesn't support invalidating the sudo rules, which is annoying.
>
> I've also tried making the sudo rule more restrictive by adding a host group e.g.
>
> [root at fedora21-freeipa log]# ipa hostgroup-show
> Host-group: cog
> Host-group: cog
> Member hosts: ipaclient21.testdomain21.com
> Member of Sudo rule: All
> [root at fedora21-freeipa log]# ipa sudorule-show All
> Rule name: All
> Enabled: TRUE
> Command category: all
> RunAs User category: all
> RunAs Group category: all
> User Groups: cog_rw
> Host Groups: cog
> Sudo Option: !authenticate
>
> but this setup doesn't work, i.e. even though the user is in the user group and the client machine is in the host group, sudo su - fails. Is this a bug, or have I missed something?
>
> Chris
>
With FreeIPA 4.1.1, client sudo integration should be automatically configured,
so it should just work, including hostgroups. In your case, I would start with
investigating
http://www.freeipa.org/page/Troubleshooting#sudo_does_not_work_for_hostgroups
If that does not help, I bet SSSD devs will ask for logs.
Martin
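As an added example (not part of the thread, and not FreeIPA or SSSD project code), the following POSIX shell script runs the client-side checks that both halves of this exchange turn on: whether sudo is wired to SSSD at all (the `sudoers` map in nsswitch.conf and the `sudo` responder in sssd.conf), whether `ipa_hostname` matches the FQDN the host entry carries in IPA (a mismatch there is a common reason a rule scoped to a host group fails while the same rule with host category "all" works), and what `entry_cache_sudo_timeout` is in effect, which is the knob Chris was adjusting to shorten the delay. The config text, hostnames and the 5400 s default are assumptions; the default is taken from SSSD's documented fallback to `entry_cache_timeout` when the sudo-specific key is unset.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks of the client-side SSSD/sudo
# wiring. The config text below is constructed sample input, standing in for
# /etc/nsswitch.conf and /etc/sssd/sssd.conf on the IPA client.

SAMPLE_NSSWITCH='passwd:     files sss
group:      files sss
sudoers:    files sss'

SAMPLE_SSSD_CONF='[sssd]
services = nss, pam, ssh, sudo
domains = testdomain21.com

[domain/testdomain21.com]
id_provider = ipa
sudo_provider = ipa
ipa_hostname = ipaclient21.testdomain21.com
entry_cache_sudo_timeout = 60'

# Print "ok" when the sudoers NSS map lists sss, "missing" otherwise.
# Without this line sudo never consults SSSD, whatever the IPA rule says.
check_nsswitch() {
    if printf '%s\n' "$1" | grep -Eq '^sudoers:.*[[:space:]]sss([[:space:]]|$)'; then
        echo ok
    else
        echo missing
    fi
}

# Print the value of key $2 from ini-style text $1 (first match, any section;
# good enough for sssd.conf, where the keys checked here are not repeated).
sssd_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Print "ok" when the sudo responder is enabled in [sssd] services=.
check_sudo_responder() {
    svc=$(sssd_get "$1" services | tr -d ' ')
    case ",$svc," in
        *,sudo,*) echo ok ;;
        *)        echo missing ;;
    esac
}

# Print "ok" when ipa_hostname equals the FQDN in $2. SSSD looks up the host
# entry of that name to learn which host groups the client belongs to, so a
# short or differently spelled name means host-group-scoped rules are not matched
# (assumed failure mode; on a live client compare against `hostname -f`).
check_hostname() {
    if [ "$(sssd_get "$1" ipa_hostname)" = "$2" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# Print the effective sudo cache lifetime in seconds. Assumed default 5400,
# SSSD's documented entry_cache_timeout fallback when the sudo-specific key is unset.
sudo_cache_timeout() {
    t=$(sssd_get "$1" entry_cache_sudo_timeout)
    if [ -n "$t" ]; then echo "$t"; else echo 5400; fi
}

# Report for the sample input. The same functions can be pointed at real files
# with "$(cat /etc/nsswitch.conf)" and "$(cat /etc/sssd/sssd.conf)".
echo "sudoers via sss:      $(check_nsswitch "$SAMPLE_NSSWITCH")"
echo "sudo responder:       $(check_sudo_responder "$SAMPLE_SSSD_CONF")"
echo "ipa_hostname == FQDN: $(check_hostname "$SAMPLE_SSSD_CONF" ipaclient21.testdomain21.com)"
echo "sudo cache timeout:   $(sudo_cache_timeout "$SAMPLE_SSSD_CONF")s"
```

A short cache timeout only bounds how long a stale rule is served from the local cache; the delay between editing a rule on the server and the client learning about it is governed by SSSD's periodic sudo refresh, which is why restarting sssd (as Chris did) picks the change up immediately while waiting does not.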