Hi, created an account which is meant to automate things with Ansible AWX. Tried to grant this account sudo access to the linux clients but things seem not to work out.
Not sure why. hbactests returns OK.
----
[root@idm01 ~]# ipa hbactest --user=ansible --host=debclient1.linux.<redacted>.services --service=sshd
--------------------
Access granted: True
--------------------
Matched rules: allow_ansible_ssh2idm
Not matched rules: allow_systemd-user
Not matched rules: test_aduser

[root@idm01 ~]# ipa hbactest --user=ansible --host=debclient1.linux.<redacted>.services --service=sudo-i
--------------------
Access granted: True
--------------------
Matched rules: allow_ansible_ssh2idm
Not matched rules: allow_systemd-user
Not matched rules: test_aduser

[root@idm01 ~]# ipa hostgroup-show all_clients_hg
Host-group: all_clients_hg
Description: This group contains all clients registered to this IdM.
Member hosts: debclient2.linux.<redacted>.services, debclient1.linux.<redacted>.services
Member of HBAC rule: allow_ansible_ssh2idm, test_aduser

[root@idm01 ~]# ipa hbacrule-show allow_ansible_ssh2idm
Rule name: allow_ansible_ssh2idm
Enabled: True
Users: ansible
Host Groups: ipaservers, all_clients_hg
HBAC Services: sshd, sudo, sudo-i
HBAC Service Groups: Sudo
----
I can log in with user ansible onto debclient2, using an ssh pub key set in IDM, just fine. But when trying to sudo, this is not allowed. Even though I have locally enabled it in sudoers (which shouldn't be necessary).
----
root@debclient2:~# su - ansible@linux.<redacted>.services
su: Permission denied
root@debclient2:~# getent passwd ansible@linux.<redacted>.services
ansible:*:996000008:996000008:Automation User:/home/ansible:/bin/bash

ansible@debclient2:~$ sudo -i
[sudo] password for ansible:
ansible is not allowed to run sudo on debclient2.
ansible@debclient2:~$ id
uid=996000008(ansible) gid=996000008(ansible) groups=996000008(ansible)
-----
slek kus via FreeIPA-users wrote:
Hi, created an account which is meant to automate things with Ansible AWX. Tried to grant this account sudo access to the linux clients but things seem not to work out.
Not sure why. hbactests returns OK.
...
sudo and hbac rules are cached by SSSD. I suspect that is probably the root cause. Does it work today?
rob
Hi Rob, unfortunately not. I am honestly out of options here. I must be missing something trivial or it is a configuration issue.
I am clearing the cache of the user on the idm server as well as on the client. I even removed the sssd cache and rebooted both the client and the idm controllers. Sudo permission is simply not granted.
-----
[root@idm01 ~]# ipa hbactest --user=ansible --host=debclient1.linux.redacted.services --service=sshd
--------------------
Access granted: True
--------------------
Matched rules: allow_ansible_ssh2idm
Not matched rules: allow_systemd-user
Not matched rules: test_aduser

[root@idm01 ~]# ipa hbactest --user=ansible --host=debclient1.linux.redacted.services --service=sudo
--------------------
Access granted: True
--------------------
Matched rules: allow_ansible_ssh2idm
Not matched rules: allow_systemd-user
Not matched rules: test_aduser

[root@idm01 ~]# ipa hbactest --user=ansible --host=debclient1.linux.redacted.services --service=sudo-i
--------------------
Access granted: True
--------------------
Matched rules: allow_ansible_ssh2idm
Not matched rules: allow_systemd-user
Not matched rules: test_aduser

[root@idm01 ~]# sss_cache -u ansible@linux.redacted.services && systemctl restart sssd
[root@idm01 ~]# getent passwd ansible@linux.redacted.services
ansible:*:996000008:996000008:(TESTING-111111):/home/ansible:/bin/bash

[root@idm01 ~]# ipa hbacrule-show allow_ansible_ssh2idm
Rule name: allow_ansible_ssh2idm
Host category: all
Service category: all
Enabled: True
Users: ansible

root@debclient1:/var/log/sssd# sss_cache -u ansible@linux.redacted.services && systemctl restart sssd
root@debclient1:/var/log/sssd# getent passwd ansible@linux.redacted.services
ansible:*:996000008:996000008:(TESTING-111111):/home/ansible:/bin/bash
----
On the client:
----
ansible@debclient1:~$ sudo -i
[sudo] password for ansible:
ansible is not allowed to run sudo on debclient1.
----
Kind regards..
slek kus via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Hi Rob, unfortunally not. I am honestly out of options here. I must be missing something trivial or it is a configuration issue.
...
On the client:
ansible@debclient1:~$ sudo -i
[sudo] password for ansible:
ansible is not allowed to run sudo on debclient1.
Let's see how the client is configured and what's in the logs.
- /etc/nsswitch.conf should have this line: sudoers: files sss
- What's in /etc/pam.d/sudo* ?
- What says "sudo -l"?
- something useful in /var/log/sssd/sssd_<domain>.log and /var/log/auth.log?
Troubleshooting docs are here: https://docs.pagure.org/sssd.sssd/users/sudo_troubleshooting.html
Jochen
Hi Jochen, nsswitch.conf checks local files and sss. Below is the contents of /etc/pam.d/sudo:
----
#%PAM-1.0

# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so

@include common-auth
@include common-account
@include common-session-noninteractive
----
sudo -l:
----
ansible@debclient1:~$ sudo -l
[sudo] password for ansible:
Sorry, user ansible may not run sudo on debclient1.
----
sssd_[domain].log: https://privatebin.net/?e841ce0e62791e1b#CU9EhpDrajzQXEihhp2jmjbD92RtG8YZ6Sw...
sssd_sudo.log: https://privatebin.net/?40e60858ff984c15#HcQQK2u8wCTYzA6tcttnaiQMsoQ1mVbjCnA...
I have created a new testuser and placed this one in the same hbac rules group. Also no sudo access. Added this new test user to the local sudo group, and access has been granted. It shouldn't be necessary to add IPA users to local groups, or am I wrong here?
kind regards.
slek kus via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Hi Jochen, nsswitch.conf checks local files and sss. Below is the contents of etc/pam.d/sudo:
sssd_[domain].log: https://privatebin.net/?e841ce0e62791e1b#CU9EhpDrajzQXEihhp2jmjbD92RtG8YZ6Sw...
I think that sssd is ok here. I didn't verify the RBAC rule in detail, but ALLOWED looks ok for me.
Did you have a look at https://docs.pagure.org/sssd.sssd/users/sudo_troubleshooting.html ?
Verify the sssd.conf file as described at the start of the page and then produce debug logs:
How do I get sudo logs?
Open /etc/sudo.conf and put down the following lines:
Debug sudo /var/log/sudo_debug all@debug
Debug sudoers.so /var/log/sudo_debug all@debug
Run sudo
File /var/log/sudo_debug contains sudo logs
My current guess is that sudo is at fault here - take a look at the debug log.
Jochen
Sent with Proton Mail secure email.
On Friday, February 2nd, 2024 at 10:36, slek kus via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hi Jochen, nsswitch.conf checks local files and sss. Below is the contents of /etc/pam.d/sudo:
...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
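A small read-only check script for the client-side points Jochen lists (the sudoers line in nsswitch.conf, the sudo responder in sssd.conf) and for reading the "Returning N rules" lines of sssd_sudo.log, added here as an example and not part of the thread or of SSSD; the sample files it creates are constructed stand-ins for /etc/nsswitch.conf, /etc/sssd/sssd.conf and /var/log/sssd/sssd_sudo.log.

```shell
#!/bin/sh
# Added example, not from the thread: read-only checks for the client-side
# points listed above. Each function takes a file path, so the constructed
# samples below stand in for /etc/nsswitch.conf, /etc/sssd/sssd.conf and
# /var/log/sssd/sssd_sudo.log on a real client.

# 1. nsswitch.conf must send sudoers lookups to sss: "sudoers: files sss".
check_nsswitch_sudoers() {
    grep -Eq '^[[:space:]]*sudoers:([^#]*[[:space:]])?sss([[:space:]]|$)' "$1"
}

# 2. The sudo responder must be enabled in sssd.conf ("services = nss, pam, sudo");
#    on socket-activated installs it can start on demand instead, so treat a
#    miss as a hint to check, not as proof of misconfiguration.
check_sssd_sudo_service() {
    grep -Eq '^[[:space:]]*services[[:space:]]*=([^#]*[ ,])?sudo([ ,]|$)' "$1"
}

# 3. Extract "Returning N rules for [user]" from sssd_sudo.log as "user N";
#    a 0 means the responder had no rule for that user, which is what sudo
#    then reports as "not allowed to run sudo".
sudo_rules_returned() {
    sed -n 's/.*Returning \([0-9]*\) rules for \[\([^]]*\)].*/\2 \1/p' "$1"
}

# Constructed sample files (not real configs) so the checks run unprivileged.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf 'passwd: files sss\nsudoers: files sss\n' > "$TMP/nsswitch.ok"
printf 'passwd: files sss\nsudoers: files\n' > "$TMP/nsswitch.bad"
printf '[sssd]\nservices = nss, pam, sudo\ndomains = linux.redacted.services\n' > "$TMP/sssd.ok"
printf '[sssd]\nservices = nss, pam\n' > "$TMP/sssd.nosudo"
printf '%s\n' '(2024-02-02 10:10:47): [sudo] [sudosrv_fetch_rules] (0x0400): [CID#3] Returning 0 rules for [ansible@linux.redacted.services@linux.redacted.services]' > "$TMP/sudo.log"

# Report, the way you would run it against the real files on a client.
check_nsswitch_sudoers "$TMP/nsswitch.ok" && echo "nsswitch: sudoers uses sss" || echo "nsswitch: sudoers does NOT use sss"
check_sssd_sudo_service "$TMP/sssd.ok" && echo "sssd.conf: sudo responder enabled" || echo "sssd.conf: sudo responder missing"
sudo_rules_returned "$TMP/sudo.log"
```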
Hi Jochen, thanks for taking the time to help. While doing the sudo debug and not finding anything, I tried enabling the default "allow_all" rule and it worked. Then I disabled allow_all again and it continued working, as there's a dedicated policy. No idea why it functions now. Issue has been solved and today it still is OK.
kind regards.
I do see this in sssd_sudo.log, not sure if it is the problem. The fqdn is repeated, and it says it has retrieved 0 rules and then disconnects.
----
(2024-02-02 10:10:47): [sudo] [sudosrv_fetch_rules] (0x0400): [CID#3] Returning 0 rules for [ansible@linux.redacted.services@linux.redacted.services]
(2024-02-02 10:10:47): [sudo] [sudosrv_build_response] (0x2000): [CID#3] error: [0]
(2024-02-02 10:10:47): [sudo] [sudosrv_build_response] (0x2000): [CID#3] rules_num: [0]
(2024-02-02 10:10:50): [sudo] [client_recv] (0x0200): [CID#3] Client disconnected!
(2024-02-02 10:10:50): [sudo] [client_close_fn] (0x2000): [CID#3] Terminated client [0x5612c24216f0][18]
----