[Freeipa-users] Sudo privilege inheritance in FreeIPA (3.0.x branch)
sysadmin ofdoom
nix125432512689712 at gmail.com
Wed Jan 27 16:36:13 UTC 2016
I am trying to implement FreeIPA in a larger environment. Due to the
complexity of the environment I've been constructing a user group structure
such that I have groups at the following levels:
project --> project_at_site --> project_site_vendor
HBAC rules are defined at the lowest level (vendor at site) and associated
with a host group at the same level.
Each of the above user group levels will have a corresponding sudo group.
(Used to provide a vendor access to servers the vendor supports at a
specific site at a moment's notice.)
HBAC rules are propagating up the chain correctly.
When a user is added to a top level group (e.g. project or project-sudo)
the indirect membership shows up for both Sudo and HBAC rules.
The problem is that I can't get the sudo privileges to work when the user
shows indirect membership for the sudo rule. If I make the user a direct
member of the sudo rule, I can use sudo.
As I've looked at the debug logs, I was able to see that the query used was
identical when I was successful at using sudo and when I got denied.
The difference is the failure would have a message like
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [user@example.com]
The successes returned 2 rules.
The only change made between the success and failure was making the user a
direct member of the sudo rule, where the failure was an indirect member.
Thanks for any help!
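The following is an added triage helper, not code from the original poster or from the FreeIPA project. It does two things that the report above calls for: it parses the SSSD sudo responder log for the "Returning N rules for [user]" lines so that the rule count served to a user can be compared before and after a membership change, and it bundles the IPA and SSSD commands that show whether the server's view of the nested membership ("Indirect Member users") matches what the client resolves. The log lines are constructed for the example; the user logins, the rule name and the group name passed to verify_membership are placeholders, and /var/log/sssd/sssd_sudo.log is assumed to be the responder log with debug_level high enough (0x0400) to emit these lines.

```shell
#!/bin/sh
# Added example (not from the original post): triage helper for the symptom
# described above, i.e. SSSD returning fewer sudo rules for a user whose
# membership in the rule's group is only indirect (nested).
#
# Part 1 parses the SSSD sudo responder log (assumed: /var/log/sssd/sssd_sudo.log
# with debug_level >= 0x0400) and reports, per user, how many rules the last
# lookup returned. Part 2 collects the IPA/SSSD commands that compare what IPA
# says the membership is against what the client actually resolves.

# Print the rule count from the most recent "Returning N rules for [user]"
# line for one user, or "none" if the responder never served that user.
count_sudo_rules_from_log() {
    log="$1"; user="$2"
    awk -v user="$user" '
        /\[sudosrv_get_sudorules_from_cache\]/ && index($0, "for [" user "]") {
            for (i = 1; i <= NF; i++) if ($i == "Returning") n = $(i + 1)
        }
        END { print (n == "" ? "none" : n) }
    ' "$log"
}

# Summarise every user seen in the log as "<user> <count>", one per line,
# keeping only the count from that user's most recent lookup.
sudo_rule_counts() {
    awk '
        /\[sudosrv_get_sudorules_from_cache\].*Returning [0-9]+ rules for \[/ {
            n = $0; sub(/.*Returning /, "", n); sub(/ rules.*/, "", n)
            u = $0; sub(/.*rules for \[/, "", u); sub(/\].*/, "", u)
            last[u] = n
        }
        END { for (u in last) print u, last[u] }
    ' "$1" | sort
}

# Constructed sample log (not captured from a real system). The line shape
# follows the SSSD responder logs; "alice" is the indirect member that ends
# up with 1 rule, "bob" a direct member that gets both rules.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
(Wed Jan 27 16:30:01 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [alice@example.com]
(Wed Jan 27 16:31:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [alice@example.com]
(Wed Jan 27 16:32:45 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [bob@example.com]
EOF

# On a real IPA client (with a valid Kerberos ticket and root for the last
# two commands), compare the server's view of membership with the client's.
# Arguments: user login, sudo rule name, leaf sudo group. All three are
# placeholders chosen by the caller; none is assumed to exist.
verify_membership() {
    user="$1"; rule="$2"; group="$3"
    ipa group-show "$group"      # "Member users" vs "Indirect Member users"
    ipa sudorule-show "$rule"    # "User Groups": the group the rule names
    ipa user-show "$user"        # "Member of groups" / "Indirect Member of groups"
    sss_cache -E                 # drop the SSSD cache before retesting
    sudo -l -U "$user"           # what sudo on the client actually grants
}

sudo_rule_counts "$SAMPLE_LOG"
# Example invocation on an IPA client (names are placeholders):
#   verify_membership alice example-sudo-rule project_site_vendor-sudo
```

Run the log part on the client that denied the sudo attempt; if the count for the user drops from 2 to 1 only when the direct membership is removed, the server-side output of `ipa group-show` and `ipa user-show` (whether the user appears under "Indirect Member users" / "Indirect Member of groups") is what to compare against the rule's "User Groups" line, after clearing the cache with `sss_cache -E`.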