[Freeipa-users] HBAC doesn't work issues

Lachlan Musicman datakid at gmail.com
Mon Sep 19 23:57:38 UTC 2016


We have one "allow all" sudo rule (anyone, any host, any command).

Matching Defaults entries for root on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User root may run the following commands on this host:
    (ALL) ALL


My sssd.conf has:

[domain/unixdev.etc]
...
sudo_provider = ldap
ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = unixdev.petermac.org.au
debug_level = 6

[sudo]
debug_level = 6

but only on the server - does that need to filter down to each client? The
client side sssd.confs seem to be auto created when ipa-client-install is
run, and are stripped down...

cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 19 September 2016 at 18:21, Lukas Slebodnik <lslebodn at redhat.com> wrote:

> On (19/09/16 16:43), Lachlan Musicman wrote:
> >I must have made an error again:
> >
> >- ipa hbactest gives seemingly correct answer on both server and client
> >- user can't actually use sudo on client?
> >
> >CentOS 7, freeipa 4.2.0/2.156; sssd 1.14.1 from COPR
> >
> >From the server:
> >
> >[root at vmdv-linuxidm1 ~]# ipa hbactest --user=lsimpson at petermac.org.au
> >--host=vmts-linuxclient1.unixdev.petermac.org.au --service=sudo
> >--------------------
> >Access granted: True
> >--------------------
> >  Matched rules: Cluster Admin Users (sudo)
> >  Not matched rules: Cluster Users
> >[root at vmdv-linuxidm1 ~]#
> >
> >
> >From the host in question:
> >
> >[root at vmts-linuxclient1 ~]# ipa hbactest --user lsimpson at petermac.org.au
> >--host `hostname` --service sudo
> >--------------------
> >Access granted: True
> >--------------------
> >  Matched rules: Cluster Admin Users (sudo)
> >  Not matched rules: Cluster Users
> >[root at vmts-linuxclient1 ~]#
> >
> >
> >[lsimpson at petermac.org.au@vmts-linuxclient1 ~]$ sudo reboot
> >[sudo] password for lsimpson at petermac.org.au:
> >lsimpson at petermac.org.au is not allowed to run sudo on vmts-linuxclient1.
> >This incident will be reported.
> >
> Did you configure sudo rules for such user?
> What is the output of "sudo -l"?
>
> LS
>
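The thread's open question is which client-side pieces have to be in place for sudo to consult SSSD at all (the sudo responder in [sssd] services, a sudo provider for the domain, the LDAP search base, and the nsswitch.conf sudoers line). As an added example that is not part of the thread or of SSSD itself, the lint below reads an sssd.conf and an nsswitch.conf and reports which of those prerequisites are missing; the two sample inputs are constructed, and the ou=sudoers,<suffix> check assumes the LDAP sudo provider is pointed at FreeIPA's compat tree.

```python
import configparser
import re

# Constructed sample: no sudo responder, an unexpected search base, and an
# nsswitch.conf that never consults sss for the sudoers database.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.test

[domain/example.test]
id_provider = ipa
sudo_provider = ldap
ldap_sudo_search_base = or=sudoers,dc=example,dc=test
"""
SAMPLE_NSSWITCH = "passwd:     files sss\nsudoers:    files\n"

def lint_sssd_sudo(sssd_conf, nsswitch):
    """Return findings (empty list = all sudo-over-SSSD prerequisites met)."""
    findings = []
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf)
    split = lambda v: [x.strip() for x in v.split(",") if x.strip()]

    # 1. The sudo responder must be enabled (listed in 'services' on SSSD 1.x).
    if "sudo" not in split(cfg.get("sssd", "services", fallback="")):
        findings.append("[sssd] services does not include 'sudo'")

    for dom in split(cfg.get("sssd", "domains", fallback="")):
        sect = f"domain/{dom}"
        if not cfg.has_section(sect):
            findings.append(f"missing section [{sect}]")
            continue
        # 2. sudo_provider falls back to id_provider when unset; 'none' disables it.
        provider = cfg.get(sect, "sudo_provider", fallback=cfg.get(sect, "id_provider", fallback="none"))
        if provider == "none":
            findings.append(f"[{sect}] has no usable sudo_provider")
        elif provider == "ldap":
            # 3. Assumption: rules come from IPA's compat tree at ou=sudoers,<suffix>.
            base = cfg.get(sect, "ldap_sudo_search_base", fallback="")
            if not base.lower().startswith("ou=sudoers,"):
                findings.append(f"[{sect}] ldap_sudo_search_base {base!r} is not ou=sudoers,<suffix>")

    # 4. nsswitch.conf must route the sudoers database to sss.
    m = re.search(r"^sudoers:\s*(.*)$", nsswitch, re.M)
    if m is None or "sss" not in m.group(1).split():
        findings.append("nsswitch.conf 'sudoers' line does not include 'sss'")
    return findings
```

Run it against the client's /etc/sssd/sssd.conf and /etc/nsswitch.conf (read as root) to see whether ipa-client-install left all four prerequisites in place before digging into the rules themselves.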