After all the trouble with fixing a botched upgrade I decided it was easier to build a new IPA Server. Now that I have it up and running I am running into an issue with my ipa enrolled clients. I am unable to sudo. The client says: <user>@<host> is not allowed to run sudo on <host>. This incident will be reported.
The HBAC test in the GUI tells me "ACCESS GRANTED" so my policy is set up correctly.
I looked at /etc/nsswitch on the client and see a line:
sudoers: files sss
Shouldn't sss be listed first? Stopping, clearing sssd cache and restarting again doesn't fix it, I presume because the order is wrong.
This is happening on two of my ipa clients so far and I hate to go any further until I figure out what the issue is. Is there something on the server side that controls the nsswitch config or do I need to change the config on the client?
This is on CentOS Linux release 8.4.2105 for both the IPA server and client. The IPA version is 4/9/2
Hi, sudo is controlled with ipa sudorule-* commands, not with HBAC. You can follow freeipa workshop if you want to see how to use it: https://github.com/freeipa/freeipa/blob/master/doc/workshop/8-sudorule.rst
HTH, flo
On Sat, Sep 18, 2021 at 7:42 PM Jeremy Tourville via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hi Flo, thanks for the comments.
#1 I think I was not being clear about what I had set up so far. The HBAC test does include a sudo component, so yes, I had already set up a sudo rule. Though I do understand your point, sudo is a separate piece that must be set up for this to work. Here are the rules I had set up for your reference:
[root@ipa ~]# ipa sudorule-show "INFRA root(ALL)(ALL)"
  Rule name: INFRA root(ALL)(ALL)
  Description: Allows sudo permissions to INFRA host group
  Enabled: TRUE
  Command category: all
  User Groups: sudo-infra
  Host Groups: infra
[root@ipa ~]# ipa group-find sudo-infra
---------------
1 group matched
---------------
  Group name: sudo-infra
  Description: User who can login to Infra servers (with elevated permissions)
  GID: 1299600035
----------------------------
Number of entries returned 1
----------------------------
As you can see from the screenshots, xt-sg-infra is a member of sudo-infra and the external member sg-infra@ad.nac-issa.org is a member of xt-sg-infra.
The AD user in question is a member of the sg-infra group. Therefore, the user should be able to sudo while on the defined host.
#2 I did answer my own question about the order of the nsswitch.conf. https://sssd.io/troubleshooting/sudo.html#obtaining-logs
* /etc/nsswitch.conf must say that sss module is used for sudo service. Look for line like "sudoers: sss" (only SSSD is used), "sudoers: files sss" (local rules first, then SSSD) or similar. *
#3 At this point, I think my issue is on the client side of things. I was able to get sssd_sudo.log and sssd_$domain.log but I am not feeling super comfortable with understanding everything.
To troubleshoot the sudo issues would I be better off asking the freeipa list or sssd mailing list? I'm not sure how much overlap these two groups have.
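An added example, not part of the thread: a small shell script that checks the two client-side points raised above, whether sss appears among the sudoers sources in nsswitch.conf (in any position, as the SSSD guide quoted above allows) and which debug_level the sssd.conf [sudo] and domain sections carry when obtaining sssd_sudo.log. The function names and the sample config contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). File paths are parameters so the
# functions can be run against constructed samples instead of the live system.

# Print the sources configured for the "sudoers" database (empty if none).
# Comments are stripped first, so "# sudoers: sss" does not count.
nss_sudoers_sources() {
    sed -n 's/#.*//; s/^[[:space:]]*sudoers[[:space:]]*:[[:space:]]*//p' "$1" \
        | head -n 1 | tr -s '[:space:]' ' ' | sed 's/^ //; s/ *$//'
}

# Classify the sudoers entry: "ok" when sss is present in any position
# ("sudoers: files sss" is valid: local rules first, then SSSD),
# "missing-sss" when sss is absent, "no-entry" when there is no sudoers line.
nss_sudoers_status() {
    srcs=$(nss_sudoers_sources "$1")
    [ -z "$srcs" ] && { echo no-entry; return 1; }
    for src in $srcs; do
        [ "$src" = sss ] && { echo ok; return 0; }
    done
    echo missing-sss
    return 1
}

# Print the debug_level set in one sssd.conf section (e.g. "sudo" or
# "domain/example.test"); prints nothing if that section does not set it.
sssd_section_debug_level() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]+/, "", sec); sub(/[ \t]+$/, "", sec); next }
        sec == want && /^[ \t]*debug_level[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Constructed sample mirroring the client described above ("sudoers: files sss").
sample_nss=$(mktemp)
cat > "$sample_nss" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:     sss files systemd
group:      sss files systemd
sudoers:    files sss
EOF
echo "sudoers sources: $(nss_sudoers_sources "$sample_nss")"   # files sss
echo "sudoers status:  $(nss_sudoers_status "$sample_nss")"    # ok
rm -f "$sample_nss"
```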
________________________________
From: Florence Renaud flo@redhat.com
Sent: Monday, September 20, 2021 10:26 AM
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Jeremy Tourville jeremy_tourville@hotmail.com
Subject: Re: [Freeipa-users] Re: New IPA server and unable to sudo from client