[Freeipa-users] freeipa / sudo

Chris Card ctcard at hotmail.com
Wed Dec 10 12:57:35 UTC 2014


> On 12/10/2014 12:57 PM, Chris Card wrote:
Thanks Martin,
>> I've installed freeipa 4.1.1 on Fedora 21, and successfully set up a freeipa server and a freeipa client machine.
>> I've set up a user with ssh keys, and can successfully ssh onto the client machine.
>> I'm trying to set up sudo rules so that if the user is in a given user group, then the user can run "sudo su -" on the client to become root.
<snip>
>> [root at fedora21-freeipa log]# ipa hostgroup-show
>> Host-group: cog
>> Host-group: cog
>> Member hosts: ipaclient21.testdomain21.com
>> Member of Sudo rule: All
>> [root at fedora21-freeipa log]# ipa sudorule-show All
>> Rule name: All
>> Enabled: TRUE
>> Command category: all
>> RunAs User category: all
>> RunAs Group category: all
>> User Groups: cog_rw
>> Host Groups: cog
>> Sudo Option: !authenticate
>>
>> but this setup doesn't work, i.e. even though the user is in the user group and the client machine is in the host group, sudo su - fails. Is this a bug, or have I missed something?
>>
>> Chris
>>
>>
>>
>
> With FreeIPA 4.1.1, client sudo integration should be automatically configured,
> so it should just work, including hostgroups. In your case, I would start with
> investigating
>
> http://www.freeipa.org/page/Troubleshooting#sudo_does_not_work_for_hostgroups
>
> If that does not help, I bet SSSD devs will ask for logs.
>
I've done the troubleshooting steps:

[root at ipaclient21 log]# nisdomainname 
testdomain21.com
[root at ipaclient21 log]# getent netgroup cog
cog                   (ipaclient21.testdomain21.com,-,testdomain21.com)

I tried adding sudoers_debug 2 to /etc/sudo-ldap.conf on the client machine, but I'm not sure if that's the right file (it didn't exist before).
I have debug_level set to 9 in /etc/sssd/sssd.conf, so I can see some stuff in /var/log/sssd/sssd_testdomain21.com.log but no obvious error messages.

Chris
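One way to script the two troubleshooting checks above (an added example, not code from the thread or from the FreeIPA project): it parses `getent netgroup` output and confirms that the domain field of each (host,user,domain) triple equals the client's `nisdomainname`, which is the comparison those two commands are checking. Inputs are passed in as strings so it runs offline; `check_client` is a hypothetical wrapper that calls the real commands, and the sample line is constructed to match the output quoted above.

```shell
#!/bin/sh
# Added example: verify that the domain field of every netgroup triple matches
# the NIS domain name the client reports, the check behind the
# nisdomainname / getent netgroup steps above.

# Print the domain (third) field of every (host,user,domain) triple found on
# one line of `getent netgroup` output. Empty fields print as empty lines.
netgroup_domains() {
    printf '%s\n' "$1" | tr -s ' ' '\n' \
        | sed -n 's/^(\([^,]*\),\([^,]*\),\([^)]*\))$/\3/p'
}

# Exit 0 when every triple's domain field equals the NIS domain given as $1
# (empty fields are dropped by word splitting and so pass); otherwise report
# the first mismatch on stderr and exit 1.
check_netgroup_domain() {
    nisdom="$1"
    line="$2"
    for d in $(netgroup_domains "$line"); do
        case "$d" in
            "$nisdom") ;;
            *) echo "mismatch: netgroup domain '$d' != nisdomainname '$nisdom'" >&2
               return 1 ;;
        esac
    done
    return 0
}

# Hypothetical wrapper for use on a real client, e.g.: check_client cog
check_client() {
    check_netgroup_domain "$(nisdomainname)" "$(getent netgroup "$1")"
}

# Constructed sample line mirroring the getent output quoted in the thread.
sample='cog                   (ipaclient21.testdomain21.com,-,testdomain21.com)'
check_netgroup_domain testdomain21.com "$sample" && echo "netgroup domain OK"
```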