slek kus via FreeIPA-users wrote:
Hi, created an account which is meant to automate things with Ansible AWX. Tried to grant this account sudo access to the linux clients but things seem not to work out.
Not sure why. hbactests returns OK.
[root@idm01 ~]# ipa hbactest --user=ansible --host=debclient1.linux.<redacted>.services --service=sshd
Access granted: True
Matched rules: allow_ansible_ssh2idm
Not matched rules: allow_systemd-user
Not matched rules: test_aduser

[root@idm01 ~]# ipa hbactest --user=ansible --host=debclient1.linux.<redacted>.services --service=sudo-i
Access granted: True
Matched rules: allow_ansible_ssh2idm
Not matched rules: allow_systemd-user
Not matched rules: test_aduser
[root@idm01 ~]# ipa hostgroup-show all_clients_hg
  Host-group: all_clients_hg
  Description: This group contains all clients registered to this IdM.
  Member hosts: debclient2.linux.<redacted>.services, debclient1.linux.<redacted>.services
  Member of HBAC rule: allow_ansible_ssh2idm, test_aduser

[root@idm01 ~]# ipa hbacrule-show allow_ansible_ssh2idm
  Rule name: allow_ansible_ssh2idm
  Enabled: True
  Users: ansible
  Host Groups: ipaservers, all_clients_hg
  HBAC Services: sshd, sudo, sudo-i
  HBAC Service Groups: Sudo
I can log in with user ansible onto debclient2, using an ssh pub key set in IdM, just fine. But when trying to sudo, this is not allowed, even though I have locally enabled it in sudoers (which shouldn't be necessary).
root@debclient2:~# su - ansible@linux.<redacted>.services
su: Permission denied
root@debclient2:~# getent passwd ansible@linux.<redacted>.services
ansible:*:996000008:996000008:Automation User:/home/ansible:/bin/bash

ansible@debclient2:~$ sudo -i
[sudo] password for ansible:
ansible is not allowed to run sudo on debclient2.
ansible@debclient2:~$ id
uid=996000008(ansible) gid=996000008(ansible) groups=996000008(ansible)
sudo and HBAC rules are cached by SSSD. I suspect that is probably the root cause. Does it work today?
rob
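A client-side checklist for the situation in this thread, added here as an example; it is not part of the thread and not FreeIPA or SSSD project code. It rests on two facts. First, an HBAC rule that lists the sudo and sudo-i services only decides whether PAM lets the user into sudo at all; which commands the user may then run comes from IPA sudo rules (ipa sudorule-*), which SSSD hands to sudo through the sudoers database in nsswitch.conf. Second, as Rob says, SSSD caches both kinds of rule, with the wrinkle that sss_cache -E invalidates everything except sudo rules, which need -R (see sss_cache(8)). The nsswitch.conf and sssd.conf contents below are constructed so the checks run offline; the domain name in them is made up, and the real files are /etc/nsswitch.conf and /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Checks an IPA-enrolled client for the
# usual reasons "HBAC says yes, sudo says no". Assumes ipa-client-install
# enrollment and a sudo built against SSSD.

# sudo only asks SSSD for rules when nsswitch.conf lists "sss" for the
# sudoers database. Returns 0 when a "sudoers:" line names sss as a source.
nsswitch_sudoers_has_sss() {
    grep -Eq '^[[:space:]]*sudoers:(.*[[:space:]])?sss([[:space:]]|$)' "$1"
}

# ipa-client-install writes "services = nss, pam, ssh, sudo" to [sssd].
# On newer SSSD the sudo responder may instead be socket-activated
# (sssd-sudo.socket), so a missing entry is a hint, not proof, of trouble.
sssd_services_has_sudo() {
    awk '
        /^[[:space:]]*\[/ { in_sssd = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/) }
        in_sssd && /^[[:space:]]*services[[:space:]]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, /[[:space:],]+/)
            for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Rob's point: SSSD caches HBAC and sudo rules. "sss_cache -E" skips sudo
# rules, so invalidate them explicitly with -R, then list what sudo now
# sees for the user. Run on the client as root; $1 = IPA user name.
# (Sudo rules are otherwise only re-fetched on SSSD's periodic smart/full
# refresh, so a freshly created "ipa sudorule" can take a while to appear.)
refresh_and_list() {
    sss_cache -R && sss_cache -E && sudo -l -U "$1"
}

# Constructed sample configs (not from the thread) so the checks can be
# exercised offline. $1 = good|bad selects a working or broken variant.
sample_nsswitch() {
    f=$(mktemp)
    if [ "$1" = good ]; then
        printf 'passwd: files sss\nsudoers: files sss\n' > "$f"
    else
        printf 'passwd: files sss\nsudoers: files\n' > "$f"
    fi
    echo "$f"
}
sample_sssd_conf() {
    f=$(mktemp)
    if [ "$1" = good ]; then svc='nss, pam, ssh, sudo'; else svc='nss, pam'; fi
    printf '[sssd]\nservices = %s\ndomains = linux.example.test\n\n[domain/linux.example.test]\nid_provider = ipa\n' "$svc" > "$f"
    echo "$f"
}

# Stand-alone run: check the real files when readable, otherwise the samples.
main() {
    ns=${1:-/etc/nsswitch.conf}; sc=${2:-/etc/sssd/sssd.conf}
    [ -r "$ns" ] || ns=$(sample_nsswitch bad)
    [ -r "$sc" ] || sc=$(sample_sssd_conf good)
    if nsswitch_sudoers_has_sss "$ns"; then echo "ok: sudoers uses sss in $ns"
    else echo "FAIL: add 'sss' to the sudoers: line in $ns"; fi
    if sssd_services_has_sudo "$sc"; then echo "ok: sudo responder listed in $sc"
    else echo "warn: sudo not in [sssd] services in $sc (fine if socket-activated)"; fi
}
main "$@"
```

If both checks pass and sudo -l -U still shows nothing after the refresh, the remaining place to look is the server: ipa sudorule-find lists the sudo rules, and the user, host (or hostgroup) and command set must all match, independently of the HBAC rule shown in the thread.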