slek kus via FreeIPA-users wrote:
> Hi, created an account which is meant to automate things with Ansible AWX.
> Tried to grant this account sudo access to the linux clients but things seem
> not to work out.
>
> Not sure why. hbactests returns OK.
>
> ----
> [root@idm01 ~]# ipa hbactest --user=ansible
> --host=debclient1.linux.<redacted>.services --service=sshd
> --------------------
> Access granted: True
> --------------------
> Matched rules: allow_ansible_ssh2idm
> Not matched rules: allow_systemd-user
> Not matched rules: test_aduser
> [root@idm01 ~]# ipa hbactest --user=ansible
> --host=debclient1.linux.<redacted>.services --service=sudo-i
> --------------------
> Access granted: True
> --------------------
> Matched rules: allow_ansible_ssh2idm
> Not matched rules: allow_systemd-user
> Not matched rules: test_aduser
>
>
> [root@idm01 ~]# ipa hostgroup-show all_clients_hg
> Host-group: all_clients_hg
> Description: This group contains all clients registered to this IdM.
> Member hosts: debclient2.linux.<redacted>.services,
> debclient1.linux.<redacted>.services
> Member of HBAC rule: allow_ansible_ssh2idm, test_aduser
>
> [root@idm01 ~]# ipa hbacrule-show allow_ansible_ssh2idm
> Rule name: allow_ansible_ssh2idm
> Enabled: True
> Users: ansible
> Host Groups: ipaservers, all_clients_hg
> HBAC Services: sshd, sudo, sudo-i
> HBAC Service Groups: Sudo
> ----
>
>
> I can log in with user ansible onto debclient2, using an ssh pub key set in IDM
> just fine.
> But when trying to sudo, this is not allowed. Even though I have locally
> enabled it in sudoers (which shouldn't be necessary).
>
> ----
> root@debclient2:~# su - ansible@linux.<redacted>.services
> su: Permission denied
> root@debclient2:~# getent passwd ansible@linux.<redacted>.services
> ansible:*:996000008:996000008:Automation User:/home/ansible:/bin/bash
>
> ansible@debclient2:~$ sudo -i
> [sudo] password for ansible:
> ansible is not allowed to run sudo on debclient2.
> ansible@debclient2:~$ id
> uid=996000008(ansible) gid=996000008(ansible) groups=996000008(ansible)
sudo and hbac rules are cached by SSSD. I suspect that is probably the root cause. Does it work today?

rob

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
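Before blaming the SSSD cache, a client-side check for the two settings that gate SSSD's sudo integration, as an added example that is not from the thread or from the FreeIPA project: the function names, the `--live` flag and the file paths are this example's own assumptions, and the stock locations `/etc/nsswitch.conf` and `/etc/sssd/sssd.conf` are passed as parameters so the checks can also run on copies.

```shell
#!/bin/sh
# Added example: offline checks a client admin would run when `ipa hbactest`
# grants sudo but the client still says "not allowed to run sudo".

# Returns 0 when the sudoers line in nsswitch.conf lists the sss source;
# without it sudo never asks SSSD, whatever the HBAC/sudo rules in IdM say.
nss_has_sss_sudoers() {
    grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)' "$1"
}

# Returns 0 when "services =" in the [sssd] section of sssd.conf lists sudo.
# Only the [sssd] section counts; a services line under [domain/...] is ignored.
sssd_has_sudo_service() {
    awk '
        /^[[:space:]]*\[/ { insssd = ($0 ~ /^[[:space:]]*\[sssd\]/) }
        insssd && /^[[:space:]]*services[[:space:]]*=/ {
            # value is a comma-separated list such as "nss, pam, sudo"
            n = split(substr($0, index($0, "=") + 1), parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", parts[i])
                if (parts[i] == "sudo") found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Runs both checks, prints which one failed, returns 0 only if both pass.
check_sssd_sudo() {
    rc=0
    nss_has_sss_sudoers "$1" || { echo "$1: sudoers line lacks sss"; rc=1; }
    sssd_has_sudo_service "$2" || {
        # on releases with socket-activated responders the sssd-sudo.socket
        # unit can replace this entry, so treat the message as a pointer
        echo "$2: [sssd] services lacks sudo (or enable sssd-sudo.socket)"
        rc=1
    }
    return $rc
}

# Stand-alone run against the live files (hypothetical --live flag). If both
# pass and sudo still fails, the remaining suspect is the cache Rob mentions:
# flush it with `sss_cache -E` and retry `sudo -l` as the user.
if [ "${1:-}" = "--live" ]; then
    check_sssd_sudo /etc/nsswitch.conf /etc/sssd/sssd.conf
fi
```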