Using freeipa from RHEL8.1, I try to create sudo rules (from the GUI).
* "foo" and "bar" are ipa users
* "ext" is a local user present on all machines
The rule
allow user "foo" to run "/bin/bash" on any host as user "bar"
works fine, i.e. I can log in as "foo" and run
# su - foo
$ sudo -u bar /bin/bash
-> OK
However, if I create a similar rule for the external user it does not work
allow external user "ext" to run "/bin/bash" on any host as user "bar"
=>
# su - ext
$ sudo -u bar /bin/bash
-> denied
--
$ ipa sudorule-show test
  Rule name: test
  Enabled: TRUE
  Host category: all
  External User: ext
  Sudo Allow Commands: /bin/bash
  RunAs Users: bar
What am I doing wrong?
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
What does 'sudo -l -U ext' say?
On Thu, May 13, 2021 at 01:52:18PM -0000, Sam Morris via FreeIPA-users wrote:
> What does 'sudo -l -U ext' say?
# sudo -l -U ext
User ext is not allowed to run sudo on <host>
(Restarting sssd does not help.)
If I define a rule for that user with visudo, that works fine and is shown in the output of the command.
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
Can you check the sudo rule that sssd cached?
Something like:
# ldbsearch -H /var/lib/sss/db/cache_ipa.example.com.ldb -s base -b name=test,cn=sudorules,cn=custom,cn=ipa.example.com,cn=sysdb
If you can't find it, you can dump all sudo rules with:
# ldbsearch -H /var/lib/sss/db/cache_ipa.example.com.ldb -s one -b cn=sudorules,cn=custom,cn=ipa.example.com,cn=sysdb
I may be seeing the same problem as you; I've configured a sudo rule:
$ ipa sudorule-show 'sam ext test' --raw
  cn: sam ext test
  description: Rule to test application to external users
  ipaenabledflag: TRUE
  externaluser: samtest
  memberhost: fqdn=myhost.ipa.example.com,cn=computers,cn=accounts,dc=ipa,dc=example,dc=com
  ipasudorunas: uid=user5,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
... and in the SSSD cache I see:
# record 1
dn: name=sam ext test,cn=sudorules,cn=custom,cn=ipa.example.com,cn=sysdb
cn: sam ext test
dataExpireTimestamp: 1621359827
name: sam ext test
objectClass: sudoRule
sudoHost: myhost.ipa.example.com
sudoRunAsUser: user5@ipa.example.com
sudoUser: ext@ipa.example.com
distinguishedName: name=sam ext test,cn=sudorules,cn=custom,cn=ipa.example.com,cn=sysdb
It looks like FreeIPA (or maybe just sssd?) is qualifying the name of the external user 'ext' to 'ext@ipa.example.com'. This is not desired, because the name of the user on the local system is simply 'ext'; there's no such user 'ext@ipa.example.com'.
Aha, might be getting somewhere. See https://access.redhat.com/solutions/2347541 which explains that you have to configure a 'files' (or with older sssd, a 'proxy') domain in sssd.conf in order for external users to work.
This is a bit of a pain, since the additional configuration has to be done locally in sssd.conf on the client system. In addition you have to nominate one of your FreeIPA servers to use in ldap_uri, which introduces a single point of failure (or else means you have to go and configure a load balancer pointed at all your FreeIPA servers...)
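A quick way to spot the cache state described in this thread on a client, added here as an example and not code from the thread or from SSSD: it reads an ldbsearch dump of the SSSD sudo cache and reports every sudoUser that has been qualified with the IPA domain while an account with the same short name exists in the local passwd file, since such a rule will never match the local user. The domain name, the sample record (modelled on the one posted above) and the passwd file path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread. Constructed cache dump modelled on
# the record shown above; "foo" is an IPA user, "ext" is a local-only account.
SAMPLE_LDB='# record 1
dn: name=sam ext test,cn=sudorules,cn=custom,cn=ipa.example.com,cn=sysdb
cn: sam ext test
objectClass: sudoRule
sudoHost: myhost.ipa.example.com
sudoRunAsUser: user5@ipa.example.com
sudoUser: ext@ipa.example.com
sudoUser: foo@ipa.example.com
'

# check_external_users DOMAIN PASSWD_FILE  (ldbsearch output on stdin)
# Prints one line per sudoUser value that is qualified with DOMAIN although
# a local account of the same short name exists in PASSWD_FILE.
# Returns 0 when nothing suspicious was found, 1 otherwise.
check_external_users() {
  domain=$1
  passwd=$2
  found=0
  while IFS= read -r line; do
    # Only sudoUser attributes carrying the IPA domain suffix are of interest.
    case $line in
      "sudoUser: "*@"$domain") ;;
      *) continue ;;
    esac
    qualified=${line#sudoUser: }
    short=${qualified%@*}
    # A matching entry in the local passwd file means the rule was meant for
    # a local user, but the cached rule names it as an IPA user instead.
    if grep -q "^$short:" "$passwd"; then
      echo "$qualified: local account '$short' exists, cached rule will not match it"
      found=1
    fi
  done
  return $found
}

# Stand-alone use on a client (assumed cache file name, as in the thread):
#   ldbsearch -H /var/lib/sss/db/cache_ipa.example.com.ldb -s one \
#     -b cn=sudorules,cn=custom,cn=ipa.example.com,cn=sysdb \
#     | check_external_users ipa.example.com /etc/passwd
```

Running the check on the constructed sample with a passwd file that contains "ext" but not "foo" flags only ext@ipa.example.com and exits 1.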
freeipa-users@lists.fedorahosted.org