On Thu, 06 May 2021, Ash Ryder via FreeIPA-users wrote:
I have set up an HBAC rule for a specific AD group to be able to run all
services on all hosts, however I am unable to sudo once logged in. I'm
sure it was working at some point, but am not sure if it was because I
had a sudo rule in place which has now been removed. Do I need to run
sudo rules alongside HBAC, or should it just override?
When I run HBAC test for the sudo service on my host it shows "Access
Granted", but this doesn't reflect on the client when I try to use the
sudo command. Does it take some time to sync, or is there a way to
refresh it manually? I don't know if I have made too many changes and
just need to wait for it to settle down.
You need both HBAC and SUDO rules.
HBAC rules define who can access the SUDO binary, checked by SUDO itself
with the help of the PAM stack. This is where HBAC rules are applied by SSSD if
pam_sss.so is in the PAM stack.
SUDO rules are evaluated by SUDO itself once you are allowed to run
SUDO.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
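The reply above describes two separate gates on the client: pam_sss.so in the PAM stack (where SSSD enforces HBAC for the sudo service) and sudo's own rule lookup. The script below is an added example, not part of the thread or of FreeIPA itself; it checks a PAM configuration file for pam_sss.so on the auth and account lines and checks nsswitch.conf for an SSSD-backed sudoers source, which is what lets sudo see IPA sudo rules at all. The sample files are constructed inline so it runs offline; the real file paths named in the comments are the usual FreeIPA client defaults and are assumptions about the client in question.

```shell
#!/bin/sh
# Added example (not from the thread). Server side, both rules are needed, e.g.:
#   ipa hbacrule-add allow_sudo_adgroup --hostcat=all --servicecat=all
#   ipa hbacrule-add-user allow_sudo_adgroup --groups=<ad-group-external>   # placeholder group
#   ipa sudorule-add adgroup_all --hostcat=all --cmdcat=all
#   ipa sudorule-add-user adgroup_all --groups=<ad-group-external>          # placeholder group
#   ipa hbactest --user=<user> --host=<client> --service=sudo
# Client side, this script verifies the two plumbing points the reply relies on.
# Default locations on an IPA-enrolled RHEL/Fedora client (assumed):
#   PAM stack used by sudo:  /etc/pam.d/system-auth (included by /etc/pam.d/sudo)
#   sudoers source:          /etc/nsswitch.conf ("sudoers: files sss")

# Return 0 if the PAM file has pam_sss.so on both an "auth" and an "account" line.
# The account phase is where SSSD applies HBAC rules for the requesting service.
pam_has_sss() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_sss\.so' "$1" &&
    grep -Eq '^[[:space:]]*account[[:space:]].*pam_sss\.so' "$1"
}

# Return 0 if nsswitch.conf routes sudoers lookups to SSSD ("sss" on the sudoers: line).
# Without this, sudo never asks SSSD for IPA sudo rules, so HBAC "Access Granted"
# still ends in "user is not in the sudoers file".
nsswitch_has_sss_sudoers() {
    grep -E '^[[:space:]]*sudoers:' "$1" |
    grep -Eq '(^|[[:space:]])sss([[:space:]]|$)'
}

# Combined check; prints one line per gate and returns 0 only if both pass.
check_sudo_client() {
    pam_file="$1"; nss_file="$2"; rc=0
    if pam_has_sss "$pam_file"; then
        echo "ok:   pam_sss.so present in auth and account phases ($pam_file)"
    else
        echo "FAIL: pam_sss.so missing from auth/account in $pam_file (HBAC not enforced)"; rc=1
    fi
    if nsswitch_has_sss_sudoers "$nss_file"; then
        echo "ok:   sudoers lookups include sss ($nss_file)"
    else
        echo "FAIL: sudoers: line in $nss_file lacks sss (IPA sudo rules invisible to sudo)"; rc=1
    fi
    return $rc
}

# Constructed sample inputs (not real files from the thread), written to a temp dir.
DEMO_DIR=$(mktemp -d)
GOOD_PAM="$DEMO_DIR/system-auth.good"
BAD_PAM="$DEMO_DIR/system-auth.bad"
GOOD_NSS="$DEMO_DIR/nsswitch.good"
BAD_NSS="$DEMO_DIR/nsswitch.bad"

cat > "$GOOD_PAM" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
EOF

cat > "$BAD_PAM" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_permit.so
EOF

printf 'passwd:     files sss\nsudoers:    files sss\n' > "$GOOD_NSS"
printf 'passwd:     files sss\nsudoers:    files\n'     > "$BAD_NSS"

# Demo run: the first call passes both gates, the second fails both.
check_sudo_client "$GOOD_PAM" "$GOOD_NSS"
check_sudo_client "$BAD_PAM"  "$BAD_NSS" || echo "(expected failures above)"
```

On a real client run it against the actual files, then confirm the second gate end to end with `sudo -l` as the AD user; if HBAC passes but `sudo -l` lists nothing, the sudo rule side is what is missing.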