[Freeipa-users] freeipa / sudo

Chris Card ctcard at hotmail.com
Wed Dec 10 15:54:59 UTC 2014 


>
>> On 12/10/2014 12:57 PM, Chris Card wrote:
> thanks Martin,
>>> I've installed freeipa 4.1.1 on Fedora 21, and successfully set up a freeipa server and a freeipa client machine.
>>> I've set up a user with ssh keys, and can successfully ssh onto the client machine.
>>> I'm trying to setup sudo rules so that if the user is in a given user group, then the user can run "sudo su -" on the client to become root.
> <snip>
>>> [root at fedora21-freeipa log]# ipa hostgroup-show
>>> Host-group: cog
>>> Host-group: cog
>>> Member hosts: ipaclient21.testdomain21.com
>>> Member of Sudo rule: All
>>> [root at fedora21-freeipa log]# ipa sudorule-show All
>>> Rule name: All
>>> Enabled: TRUE
>>> Command category: all
>>> RunAs User category: all
>>> RunAs Group category: all
>>> User Groups: cog_rw
>>> Host Groups: cog
>>> Sudo Option: !authenticate
>>>
>>> but this setup doesn't work, i.e. even though the user is in the user group and the client machine is in the host group, sudo su - fails. Is this a bug, or have I missed something?
>>>
>>> Chris
>>>
>>>
>>>
>>
>> With FreeIPA 4.1.1, client sudo integration should be automatically configured,
>> so it should just work, including hostgroups. In your case, I would start with
>> investigating
>>
>> http://www.freeipa.org/page/Troubleshooting#sudo_does_not_work_for_hostgroups
>>
>> If that does not help, I bet SSSD devs will ask for logs.
>>
> I've done the troubleshooting steps:
>
> [root at ipaclient21 log]# nisdomainname
> testdomain21.com
> [root at ipaclient21 log]# getent netgroup cog
> cog (ipaclient21.testdomain21.com,-,testdomain21.com)
>
> I tried adding sudoers_debug 2 to /etc/sudo-ldap.conf on the client machine, but I'm not sure if that's the right file (it didn't exist before).
> I have debug_level set to 9 in /etc/sssd/sssd.conf, so I can see some stuff in /var/log/sssd/sssd_testdomain21.com.log but no obvious error messages.

I worked out how to set up debug for sudo. sudoers_debug is deprecated now, but I created /etc/sssd.conf with a line

Debug sudo /var/log/sudo_debug all at debug

and I saw this in the debug output:

Dec 10 15:42:57 sudo[10046] -> sudo_sss_check_host @ ./sssd.c:557
Dec 10 15:42:57 sudo[10046] val[0]=+cog 
Dec 10 15:42:57 sudo[10046] -> addr_matches @ ./match_addr.c:189
Dec 10 15:42:57 sudo[10046] -> addr_matches_if @ ./match_addr.c:61
Dec 10 15:42:57 sudo[10046] <- addr_matches_if @ ./match_addr.c:99 := false
Dec 10 15:42:57 sudo[10046] <- addr_matches @ ./match_addr.c:199 := false
Dec 10 15:42:57 sudo[10046] -> netgr_matches @ ./match.c:899
Dec 10 15:42:57 sudo[10046] <- netgr_matches @ ./match.c:918 := false
Dec 10 15:42:57 sudo[10046] -> hostname_matches @ ./match.c:758
Dec 10 15:42:57 sudo[10046] <- hostname_matches @ ./match.c:769 := false
Dec 10 15:42:57 sudo[10046] sssd/ldap sudoHost '+cog' ... not

The problem is that the hostname command on the client was returning a short hostname, ipaclient21, instead of a FQDN, ipaclient21.testdomain21.com and when I forced the hostname to be the FQDN the sudo command worked.

The short hostname comes from the fact that the client machine is an openstack instance, and that appears to be a feature of openstack instances :(

Chris

More information about the Freeipa-users mailing list