[Freeipa-users] Sudo privilege inheritance in FreeIPA (3.0.x branch)

sysadmin ofdoom nix125432512689712 at gmail.com
Mon Feb 1 19:04:02 UTC 2016


Sorry for not defining the question.

The question for this is: Are sudo rules supposed to be inherited in the
same manner as HBAC rules?

From the case above, all my HBAC rules are working fine with indirect
membership, but sudo only works with direct membership. I also saw the Tech
preview SSSD packages for RHEL 6.8. I tried those too and verified that the
issue is still present.



On Wed, Jan 27, 2016 at 9:36 AM, sysadmin ofdoom <
nix125432512689712 at gmail.com> wrote:

> I am trying to implement FreeIPA in a larger environment. Due to the
> complexity of the environment I've been constructing a user group structure
> such that I have groups at the following levels:
>
> project --> project_at_site --> project_site_vendor
>
> HBAC rules are defined at the lowest level (vendor at site) and associated
> with a host group at the same level.
>
> Each of the above user group levels will have a corresponding sudo group.
> (Used to provide a vendor access to servers the vendor supports at a
> specific site at a moment's notice)
>
> HBAC rules are propagating up the chain correctly.
>
> When a user is added to a top level group (e.g. project or project-sudo)
> the indirect membership shows up for both Sudo and HBAC rules.
>
> The problem is that I can't get the sudo privileges to work when the user
> shows indirect membership for the sudo rule. If I make the user a direct
> member of the sudo rule, I can use sudo.
>
> As I've looked at debug logs, I was able to see that the query used was
> identical when I was successful at using sudo and when I got denied.
> The difference is the failure would have a message like
> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [
> user at example.com]. The successes returned 2 rules.
>
> The only change made between the success and failure was making the user a
> direct member of the sudo rule where the failure was an indirect member.
>
> Thanks for any help!
>
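As an added illustration, not code from this thread or from FreeIPA/SSSD: a small Python model of the poster's nested sudo-group chain that evaluates which rules a user receives when group membership is resolved directly only versus transitively through parent groups. The group names, users and the catch-all "defaults" entry are constructed assumptions chosen so that the counts mirror the 1-vs-2 rules seen in the debug log; it models the expected inheritance, not SSSD's actual cache lookup.

```python
from collections import deque

# Constructed sample data (not from the thread): group -> direct members,
# where a member may be a user or another group, mirroring the poster's
# project -> project_at_site -> project_site_vendor sudo-group chain.
GROUPS = {
    "project-sudo": {"alice"},
    "project_at_site-sudo": {"project-sudo"},
    "project_site_vendor-sudo": {"project_at_site-sudo", "bob"},
}

# Constructed sudo rules: rule name -> principals (users or groups) granted.
# "defaults" stands in for a catch-all entry that matches every user; this is
# an assumption made so the counts line up with the 1-vs-2 in the poster's log.
SUDO_RULES = {
    "defaults": {"*"},
    "vendor_site_sudo": {"project_site_vendor-sudo"},
}


def groups_of(user, groups, nested):
    """Groups containing `user`. With nested=True, also walk up through every
    group that contains one of those groups (cycle safe via the `found` set)."""
    found = {g for g, members in groups.items() if user in members}
    if not nested:
        return found
    queue = deque(found)
    while queue:
        g = queue.popleft()
        for parent, members in groups.items():
            if g in members and parent not in found:
                found.add(parent)
                queue.append(parent)
    return found


def matching_rules(user, groups, rules, nested):
    """Sorted names of rules that apply to `user`, with or without nesting."""
    principals = {user, "*"} | groups_of(user, groups, nested)
    return sorted(name for name, who in rules.items() if who & principals)


if __name__ == "__main__":
    # alice is only a direct member of the top-level group; bob is a direct
    # member of the vendor-level group and gets the rule either way.
    for user in ("alice", "bob"):
        for nested in (False, True):
            rules = matching_rules(user, GROUPS, SUDO_RULES, nested)
            print(f"{user} nested={nested}: returning {len(rules)} rules: {rules}")
```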