[Freeipa-users] HBAC doesn't work issues
Lachlan Musicman
datakid at gmail.com
Mon Sep 19 06:43:05 UTC 2016
I must have made an error again:
- ipa hbactest gives seemingly correct answer on both server and client
- user can't actually use sudo on client?
CentOS 7, FreeIPA 4.2.0/2.156; sssd 1.14.1 from COPR
From the server:
[root at vmdv-linuxidm1 ~]# ipa hbactest --user=lsimpson at petermac.org.au --host=vmts-linuxclient1.unixdev.petermac.org.au --service=sudo
--------------------
Access granted: True
--------------------
Matched rules: Cluster Admin Users (sudo)
Not matched rules: Cluster Users
[root at vmdv-linuxidm1 ~]#
From the host in question:
[root at vmts-linuxclient1 ~]# ipa hbactest --user lsimpson at petermac.org.au --host `hostname` --service sudo
--------------------
Access granted: True
--------------------
Matched rules: Cluster Admin Users (sudo)
Not matched rules: Cluster Users
[root at vmts-linuxclient1 ~]#
[lsimpson at petermac.org.au@vmts-linuxclient1 ~]$ sudo reboot
[sudo] password for lsimpson at petermac.org.au:
lsimpson at petermac.org.au is not allowed to run sudo on vmts-linuxclient1.
This incident will be reported.
On the client, in the sssd_sudo.log I can see (debug_level=6) a number of
lines, most notably three that start "Searching sysdb with" and then follow
with all my IPA and AD groups; both groups that would give me HBAC sudo
are listed in those log entries.
What should I try next?
cheers
L.
------
The most dangerous phrase in the language is, "We've always done it this
way."
- Grace Hopper
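The post's symptom (hbactest says "Access granted: True", yet sudo says the user "is not allowed to run sudo") comes from the fact that FreeIPA authorizes sudo in two separate layers: an HBAC rule that includes the "sudo" service only lets the user get through the PAM account check, while the actual sudo permission comes from IPA sudo rules, which `ipa hbactest` never evaluates. The toy evaluator below is an added example, not FreeIPA or SSSD code, and models those two layers side by side. All names in it (the group "cluster-admins", the hostgroup "cluster", the sudo rule "cluster-admins-all") are constructed for illustration; only the HBAC rule names, user and host come from the post.

```python
"""Toy model of FreeIPA's two-layer sudo authorization (constructed example).

Layer 1: HBAC rules decide whether a user may use a PAM service ("sudo")
         on a host. This is what `ipa hbactest` reports.
Layer 2: IPA sudo rules decide which commands sudo will actually run.
Both must match for `sudo <cmd>` to succeed; hbactest only checks layer 1.
"""
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Minimal stand-in for IPA group and hostgroup membership."""
    user_groups: dict = field(default_factory=dict)   # user -> set of groups
    host_groups: dict = field(default_factory=dict)   # host -> set of hostgroups

    def groups_of(self, user):
        return self.user_groups.get(user, set())

    def hostgroups_of(self, host):
        return self.host_groups.get(host, set())


@dataclass
class Rule:
    """Common who/where part shared by HBAC and sudo rules.

    usercat_all / hostcat_all mirror IPA's 'user category: all' and
    'host category: all' settings; otherwise explicit members apply."""
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    usercat_all: bool = False
    hostcat_all: bool = False

    def who_where_match(self, d, user, host):
        if not self.enabled:
            return False
        user_ok = (self.usercat_all or user in self.users
                   or bool(self.groups & d.groups_of(user)))
        host_ok = (self.hostcat_all or host in self.hosts
                   or bool(self.hostgroups & d.hostgroups_of(host)))
        return user_ok and host_ok


@dataclass
class HbacRule(Rule):
    services: set = field(default_factory=set)    # PAM services, e.g. {"sudo"}
    servicecat_all: bool = False

    def matches(self, d, user, host, service):
        svc_ok = self.servicecat_all or service in self.services
        return self.who_where_match(d, user, host) and svc_ok


@dataclass
class SudoRule(Rule):
    commands: set = field(default_factory=set)    # allowed command paths
    cmdcat_all: bool = False                      # 'command category: all'

    def matches(self, d, user, host, command):
        cmd_ok = self.cmdcat_all or command in self.commands
        return self.who_where_match(d, user, host) and cmd_ok


def hbac_test(d, hbac_rules, user, host, service):
    """Names of matching HBAC rules, i.e. what `ipa hbactest` would list."""
    return [r.name for r in hbac_rules if r.matches(d, user, host, service)]


def can_sudo(d, hbac_rules, sudo_rules, user, host, command):
    """Evaluate both layers. Returns (hbac_granted, matching_sudo_rule_names).

    sudo only succeeds when hbac_granted is True AND the list is non-empty;
    (True, []) is exactly the post's situation."""
    hbac_granted = bool(hbac_test(d, hbac_rules, user, host, "sudo"))
    if not hbac_granted:
        return False, []      # pam_sss rejects the account; sudo rules are moot
    return True, [r.name for r in sudo_rules if r.matches(d, user, host, command)]


# --- constructed data mirroring the post -------------------------------------
USER = "lsimpson@petermac.org.au"
HOST = "vmts-linuxclient1.unixdev.petermac.org.au"
DIRECTORY = Directory(
    user_groups={USER: {"cluster-admins"}},      # constructed group name
    host_groups={HOST: {"cluster"}},             # constructed hostgroup name
)
HBAC_RULES = [
    HbacRule("Cluster Admin Users", groups={"cluster-admins"},
             hostgroups={"cluster"}, services={"sudo"}),
    HbacRule("Cluster Users", groups={"cluster-users"},
             hostgroups={"cluster"}, services={"sshd"}),
]
# A sudo rule that would close the gap; absent from the post's setup.
SUDO_RULES = [SudoRule("cluster-admins-all", groups={"cluster-admins"},
                       hostgroups={"cluster"}, cmdcat_all=True)]

if __name__ == "__main__":
    print("hbactest:", hbac_test(DIRECTORY, HBAC_RULES, USER, HOST, "sudo"))
    print("no sudo rules:", can_sudo(DIRECTORY, HBAC_RULES, [], USER, HOST, "/sbin/reboot"))
    print("with sudo rule:", can_sudo(DIRECTORY, HBAC_RULES, SUDO_RULES, USER, HOST, "/sbin/reboot"))
```

Run as-is, the first two lines reproduce the post: the HBAC layer matches "Cluster Admin Users" and not "Cluster Users", yet with no sudo rule the result is `(True, [])`, which is what sudo reports as "not allowed to run sudo". The real-world check that corresponds to layer 2 is listing the user's IPA sudo rules (`ipa sudorule-find`) and confirming they reach the client through SSSD, rather than re-running hbactest.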