[Freeipa-users] HBAC doesn't work issues

Lukas Slebodnik lslebodn at redhat.com
Mon Sep 19 08:21:17 UTC 2016


On (19/09/16 16:43), Lachlan Musicman wrote:
>I must have made an error again:
>
>- ipa hbactest gives seemingly correct answer on both server and client
>- user can't actually use sudo on client?
>
>Centos 7, freeipa 4.2.o/2.156; sssd 1.14.1 from COPR
>
>From the server:
>
>[root@vmdv-linuxidm1 ~]# ipa hbactest --user=lsimpson@petermac.org.au
>--host=vmts-linuxclient1.unixdev.petermac.org.au --service=sudo
>--------------------
>Access granted: True
>--------------------
>  Matched rules: Cluster Admin Users (sudo)
>  Not matched rules: Cluster Users
>[root@vmdv-linuxidm1 ~]#
>
>
>From the host in question:
>
>[root@vmts-linuxclient1 ~]# ipa hbactest --user lsimpson@petermac.org.au
>--host `hostname` --service sudo
>--------------------
>Access granted: True
>--------------------
>  Matched rules: Cluster Admin Users (sudo)
>  Not matched rules: Cluster Users
>[root@vmts-linuxclient1 ~]#
>
>
>[lsimpson@petermac.org.au@vmts-linuxclient1 ~]$ sudo reboot
>[sudo] password for lsimpson@petermac.org.au:
>lsimpson@petermac.org.au is not allowed to run sudo on vmts-linuxclient1.
>This incident will be reported.
>
Did you configure sudo rules for that user?
What is the output of "sudo -l"?

LS



