Hi Flo, thanks for the comments.

#1 I think I was not being clear about what I had set up so far. The HBAC test does include a sudo component, so yes, I had already set up a sudo rule. Though I do understand your point, sudo is a separate piece that must be set up for this to work. Here are the rules I had set up for your reference:
[root@ipa ~]# ipa sudorule-show "INFRA root(ALL)(ALL)"
  Rule name: INFRA root(ALL)(ALL)
  Description: Allows sudo permissions to INFRA host group
  Enabled: TRUE
  Command category: all
  User Groups: sudo-infra
  Host Groups: infra

[root@ipa ~]# ipa group-find sudo-infra
---------------
1 group matched
---------------
  Group name: sudo-infra
  Description: User who can login to Infra servers (with elevated permissions)
  GID: 1299600035
----------------------------
Number of entries returned 1
----------------------------

As you can see from the screenshots, xt-sg-infra is a member of sudo-infra and the external member [email protected] is a member of xt-sg-infra.

[screenshot attachment]
[screenshot attachment]

The AD user in question is a member of the sg-infra group. Therefore, the user should be able to sudo while on the defined host.

#2 I did answer my own question about the order of the nsswitch.conf.
https://sssd.io/troubleshooting/sudo.html#obtaining-logs

  * /etc/nsswitch.conf must say that sss module is used for sudo service. Look for line like "sudoers: sss" (only SSSD is used), "sudoers: files sss" (local rules first, then SSSD) or similar.

#3 At this point, I think my issue is on the client side of things. I was able to get sssd_sudo.log and sssd_$domain.log, but I am not feeling super comfortable with understanding everything. To troubleshoot the sudo issues, would I be better off asking the freeipa list or the sssd mailing list? I'm not sure how much overlap these two groups have.

________________________________
From: Florence Renaud <[email protected]>
Sent: Monday, September 20, 2021 10:26 AM
To: FreeIPA users list <[email protected]>
Cc: Jeremy Tourville <[email protected]>
Subject: Re: [Freeipa-users] Re: New IPA server and unable to sudo from client

Hi,

sudo is controlled with ipa sudorule-* commands, not with HBAC.
You can follow the freeipa workshop if you want to see how to use it:
https://github.com/freeipa/freeipa/blob/master/doc/workshop/8-sudorule.rst

HTH,
flo

On Sat, Sep 18, 2021 at 7:42 PM Jeremy Tourville via FreeIPA-users <[email protected]> wrote:

This is on CentOS Linux release 8.4.2105 for both the IPA server and client. The IPA version is 4.9.2

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
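The client-side conditions this thread lands on (point #2, from the sssd.io sudo troubleshooting page: sudoers lookups in /etc/nsswitch.conf must go through the sss module, and SSSD's sudo responder must be enabled) can be checked mechanically before digging into sssd_sudo.log. The script below is an added example, not something posted in this thread or shipped by FreeIPA or SSSD. It assumes the standard file locations /etc/nsswitch.conf and /etc/sssd/sssd.conf but takes the paths as parameters, and it is exercised here against constructed sample files so it runs without touching a real client.

```shell
#!/bin/sh
# Added example (not from the thread): client-side checks for the two SSSD sudo
# prerequisites named on https://sssd.io/troubleshooting/sudo.html --
# nsswitch.conf routing sudoers lookups to the sss module, and the sssd.conf
# [sssd] services list including the sudo responder.
# File paths are parameters so the checks can run against constructed samples.

# Succeeds (exit 0) when the "sudoers:" line of the given nsswitch.conf lists sss.
nsswitch_uses_sss() {
    sed 's/#.*//' "$1" | awk '
        $1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Succeeds when the [sssd] section of the given sssd.conf has "sudo" in services=.
sssd_services_include_sudo() {
    awk '
        /^[ \t]*#/ { next }                           # skip comment lines
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\]/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")                        # keep only the value part
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Runs both checks, prints a verdict for each, returns 0 only if both pass.
check_client() {
    nss="$1"; conf="$2"; rc=0
    if nsswitch_uses_sss "$nss"; then
        echo "ok:   $nss sends sudoers lookups to sss"
    else
        echo "FAIL: $nss has no 'sss' on its sudoers: line"; rc=1
    fi
    if sssd_services_include_sudo "$conf"; then
        echo "ok:   $conf enables the sudo responder in [sssd] services="
    else
        echo "FAIL: $conf does not list sudo in [sssd] services="; rc=1
    fi
    return $rc
}

# Constructed sample files (not real system files) so the checks can be
# exercised without touching /etc.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/nsswitch.good" <<'EOF'
# sample nsswitch.conf fragment
passwd:     sss files systemd
sudoers:    files sss
EOF
cat > "$SAMPLE_DIR/nsswitch.bad" <<'EOF'
passwd:     sss files systemd
sudoers:    files      # sss missing: SSSD-served rules are never consulted
EOF
cat > "$SAMPLE_DIR/sssd.good" <<'EOF'
[domain/ipa.example.test]
id_provider = ipa
sudo_provider = ipa

[sssd]
services = nss, pam, ssh, sudo
domains = ipa.example.test
EOF
cat > "$SAMPLE_DIR/sssd.bad" <<'EOF'
[sssd]
services = nss, pam
domains = ipa.example.test
EOF

echo "== good sample =="; check_client "$SAMPLE_DIR/nsswitch.good" "$SAMPLE_DIR/sssd.good"
echo "== bad sample ==";  check_client "$SAMPLE_DIR/nsswitch.bad"  "$SAMPLE_DIR/sssd.bad" || true
```

On the actual client, run check_client /etc/nsswitch.conf /etc/sssd/sssd.conf, then confirm as that AD user that id shows the sudo-infra group (the external group has to resolve through the trust before any sudo rule keyed on it can match) and that sudo -l lists the rule. One caveat: on SSSD versions that socket-activate responders (sssd-sudo.socket), the sudo responder can be running even when services= in [sssd] omits sudo, so treat a FAIL on the second check as something to confirm with systemctl rather than as proof of a misconfiguration.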
