[Freeipa-users] HBAC doesn't work issues

Lachlan Musicman datakid at gmail.com
Tue Sep 20 00:23:24 UTC 2016


(redface)

It seems to be working.

Thanks


------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 20 September 2016 at 09:57, Lachlan Musicman <datakid at gmail.com> wrote:

> We have one "allow all" sudo rule (anyone, any host, any command).
>
> Matching Defaults entries for root on this host:
>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>     DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>     LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>     LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
> User root may run the following commands on this host:
>     (ALL) ALL
>
>
> My sssd.conf has:
>
> [domain/unixdev.etc]
> ...
> sudo_provider = ldap
> ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
> ldap_sudo_search_base = ou=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
> ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
> krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> domains = unixdev.petermac.org.au
> debug_level = 6
>
> [sudo]
> debug_level = 6
>
> but only on the server - does that need to filter down to each client? The
> client-side sssd.confs seem to be auto-created when ipa-client-install is
> run, and are stripped down...
>
> cheers
> L.
>
> ------
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
>
> On 19 September 2016 at 18:21, Lukas Slebodnik <lslebodn at redhat.com>
> wrote:
>
>> On (19/09/16 16:43), Lachlan Musicman wrote:
>> >I must have made an error again:
>> >
>> >- ipa hbactest gives seemingly correct answer on both server and client
>> >- user can't actually use sudo on client?
>> >
>> >CentOS 7, freeipa 4.2.0/2.156; sssd 1.14.1 from COPR
>> >
>> >From the server:
>> >
>> >[root@vmdv-linuxidm1 ~]# ipa hbactest --user=lsimpson@petermac.org.au
>> >--host=vmts-linuxclient1.unixdev.petermac.org.au --service=sudo
>> >--------------------
>> >Access granted: True
>> >--------------------
>> >  Matched rules: Cluster Admin Users (sudo)
>> >  Not matched rules: Cluster Users
>> >[root@vmdv-linuxidm1 ~]#
>> >
>> >
>> >From the host in question:
>> >
>> >[root@vmts-linuxclient1 ~]# ipa hbactest --user lsimpson@petermac.org.au
>> >--host `hostname` --service sudo
>> >--------------------
>> >Access granted: True
>> >--------------------
>> >  Matched rules: Cluster Admin Users (sudo)
>> >  Not matched rules: Cluster Users
>> >[root@vmts-linuxclient1 ~]#
>> >
>> >
>> >[lsimpson@petermac.org.au@vmts-linuxclient1 ~]$ sudo reboot
>> >[sudo] password for lsimpson@petermac.org.au:
>> >lsimpson@petermac.org.au is not allowed to run sudo on vmts-linuxclient1.
>> >This incident will be reported.
>> >
>> Did you configure sudo rules for such a user?
>> What is the output of "sudo -l"?
>>
>> LS
>>
>
>
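The thread ends with "It seems to be working" and never says what changed, but the symptom it describes (ipa hbactest grants access, sudo on the client still denies) is what a client shows when sudo is not actually wired to SSSD: HBAC decides whether the sudo *service* may be used, while the rules themselves only reach sudo if nsswitch.conf sends sudoers lookups to sss, the sudo responder is listed in [sssd] services, and the domain has a sudo backend (sssd.conf(5): sudo_provider falls back to id_provider when unset, and "none" disables it). The script below is an added example, not code from the thread or from FreeIPA/SSSD; it checks those three places. The two sample configurations it writes to a temp directory are constructed for the example (the domain name is reused from the thread); on a real client point the function at /etc/nsswitch.conf and /etc/sssd/sssd.conf instead.

```shell
#!/bin/sh
# Added example: is this host wired to fetch sudo rules through SSSD?
# Constructed sample files stand in for /etc/nsswitch.conf and /etc/sssd/sssd.conf.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Sample 1 (constructed): a client that is fully wired for sudo via SSSD.
cat > "$SAMPLE_DIR/good-nsswitch.conf" <<'EOF'
passwd:     files sss
group:      files sss
sudoers:    files sss
EOF
cat > "$SAMPLE_DIR/good-sssd.conf" <<'EOF'
[domain/unixdev.petermac.org.au]
id_provider = ipa
ipa_server = _srv_
cache_credentials = True

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = unixdev.petermac.org.au
EOF

# Sample 2 (constructed): a stripped-down client. sudo never asks sss, the sudo
# responder is not started, and the domain disables its sudo backend.
cat > "$SAMPLE_DIR/bad-nsswitch.conf" <<'EOF'
passwd:     files sss
group:      files sss
sudoers:    files
EOF
cat > "$SAMPLE_DIR/bad-sssd.conf" <<'EOF'
[domain/unixdev.petermac.org.au]
id_provider = ipa
sudo_provider = none

[sssd]
services = nss, pam
config_file_version = 2
domains = unixdev.petermac.org.au
EOF

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION] (trimmed), or nothing.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { in_sec = 1; next }
        /^\[/     { in_sec = 0 }
        in_sec && match($0, "^[ \t]*" key "[ \t]*=") {
            v = substr($0, RLENGTH + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# has_word LIST WORD: true when WORD is one of the comma/space separated tokens in LIST.
has_word() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | grep -qx "$2"
}

# check_sudo_sss NSSWITCH SSSD_CONF DOMAIN: one finding per check; returns 0 only
# if sudo on this client can reach the rules stored in IPA.
check_sudo_sss() {
    nss=$1 conf=$2 domain=$3 rc=0

    # 1. sudo consults SSSD only when "sss" appears on the sudoers: line.
    sources=$(awk '$1 == "sudoers:" { $1 = ""; print }' "$nss")
    if has_word "$sources" sss; then
        echo "ok   nsswitch.conf: sudoers:${sources}"
    else
        echo "FAIL nsswitch.conf: sudoers line lacks 'sss' (got: '${sources# }')"; rc=1
    fi

    # 2. The sudo responder must be started: [sssd] services = ..., sudo, ...
    services=$(ini_get "$conf" sssd services)
    if has_word "$services" sudo; then
        echo "ok   [sssd] services = $services"
    else
        echo "FAIL [sssd] services does not include sudo (got: '$services')"; rc=1
    fi

    # 3. The domain needs a sudo backend: explicit sudo_provider, else id_provider.
    provider=$(ini_get "$conf" "domain/$domain" sudo_provider)
    [ -n "$provider" ] || provider=$(ini_get "$conf" "domain/$domain" id_provider)
    case $provider in
        ipa|ldap|ad) echo "ok   [domain/$domain] sudo_provider resolves to $provider" ;;
        *) echo "FAIL [domain/$domain] sudo_provider resolves to '${provider:-<unset>}'"; rc=1 ;;
    esac
    return $rc
}

echo "== wired client =="
check_sudo_sss "$SAMPLE_DIR/good-nsswitch.conf" "$SAMPLE_DIR/good-sssd.conf" unixdev.petermac.org.au \
    || echo "=> sudo on this client cannot see the rules in IPA"
echo "== stripped-down client =="
check_sudo_sss "$SAMPLE_DIR/bad-nsswitch.conf" "$SAMPLE_DIR/bad-sssd.conf" unixdev.petermac.org.au \
    || echo "=> sudo on this client cannot see the rules in IPA"
```

Run it as root on the client that denies sudo, then compare with `sudo -l -U <user>` for the affected user rather than for root: root's `(ALL) ALL` entry in the thread says nothing about whether IPA rules are being delivered. If all three checks pass and `sudo -l -U` still shows nothing, the problem is in the rule or in SSSD's sudo cache, not in the client wiring.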