During our evaluation phase we are facing the following problem. One particular user was granted sudo permission with the help of a sudo rule. The user can successfully access the host via SSH and switch to user root by using the sudo command, which was enabled for the user with the sudo rule. After that the sudo rule was disabled, the user tried to log in again, and switching to root was still possible.

After deleting the SSSD cache files and restarting the service, sudo did not work anymore, as expected. How long does it take until the sudo rules are refreshed in the SSSD cache? I know that there are three different refresh mechanisms (full, smart, rule). The full and smart refresh mechanisms are performed periodically depending on the settings in the SSSD configuration file, and the rule method should refresh the user's specific rules after each login, which apparently was not the case in my test scenario. Please correct me if I'm wrong. Of course I can set the interval for smart refresh to a minimum of 10 seconds, but this would cause a lot of traffic. How can I configure SSSD to update the rules during each login of the user?

The following components are used:
- FreeIPA server freeipa-server.x86_64 3.3.2-1.fc19
- FreeIPA client on CentOS ipa-client.x86_64 3.0.0-26.el6_4.4
- SSSD sudo integration

--- /etc/sssd/sssd.conf ---
[domain/example.info]
debug_level = 0xFFF0
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.info
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = chef01.example.info
chpass_provider = ipa
ipa_server = _srv_, ipa01.example.info
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://ipa01.example.info
ldap_sudo_search_base = ou=sudoers,dc=example,dc=info
ldap_schema = IPA
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/chef01.example.info
ldap_sasl_realm = EXAMPLE.INFO
krb5_server = ipa01.example.info

[sssd]
debug_level = 0x0400
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.info

[nss]

[pam]

[sudo]
debug_level = 0xFFF0

[autofs]

[ssh]

[pac]
--- /etc/sssd/sssd.conf ---

I tested the test scenario with very small intervals and the rules were properly updated:

ldap_sudo_full_refresh_interval = 30
ldap_sudo_smart_refresh_interval = 15

Is this a proper solution, or can I configure SSSD in a way that the rules are updated during each user's login?
I appreciate any help and thank you in advance.

Cheers,
David

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
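As an added example that is not part of the original post and not SSSD's own code: a small Python script that parses an sssd.conf like the one above and reports the effective sudo cache timings for a domain, filling in the defaults documented in sssd.conf(5) and sssd-ldap(5) (entry_cache_timeout 5400 s, ldap_sudo_smart_refresh_interval 900 s, ldap_sudo_full_refresh_interval 21600 s; confirm these against the man pages of the SSSD version actually installed). It also computes the worst-case window in which a rule that was removed or disabled on the server keeps working on the client, under one simplifying assumption stated in the code: a smart refresh only pulls rules that were added or modified, so a removed rule is only dropped by a full refresh or by the per-user rules refresh that runs once the user's cached rules have expired (entry_cache_sudo_timeout). The sample configuration embedded in the script is constructed, modelled on the post's settings.

```python
"""Effective SSSD sudo-rule cache timings from an sssd.conf.

Added example, not SSSD code.  The defaults below are the documented ones
from sssd.conf(5) and sssd-ldap(5); check them against the man pages of
the installed SSSD version before relying on them.
"""
import configparser
import io

DEFAULT_ENTRY_CACHE_TIMEOUT = 5400      # sssd.conf(5): entry_cache_timeout
DEFAULT_SMART_REFRESH_INTERVAL = 900    # sssd-ldap(5): ldap_sudo_smart_refresh_interval
DEFAULT_FULL_REFRESH_INTERVAL = 21600   # sssd-ldap(5): ldap_sudo_full_refresh_interval

# Constructed sample, modelled on the post's configuration and the
# 30 s / 15 s intervals that made the rules update in the test.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.info

[domain/example.info]
id_provider = ipa
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=example,dc=info
ldap_sudo_full_refresh_interval = 30
ldap_sudo_smart_refresh_interval = 15

[sudo]
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style; interpolation is disabled so values such as
    '_srv_, ipa01.example.info' or '%u' are taken literally."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    return cp


def sudo_timings(text, domain):
    """Return the effective timings (seconds) governing the sudo cache for
    one domain, plus the worst-case window in which a rule removed on the
    server is still honoured on the client, and any configuration warnings."""
    cp = parse_sssd_conf(text)
    sect = cp["domain/" + domain]
    services_raw = cp["sssd"].get("services", "") if cp.has_section("sssd") else ""
    services = [s.strip() for s in services_raw.split(",")]

    # entry_cache_sudo_timeout falls back to entry_cache_timeout, which
    # falls back to the documented default.
    entry_timeout = int(sect.get("entry_cache_timeout", DEFAULT_ENTRY_CACHE_TIMEOUT))
    sudo_timeout = int(sect.get("entry_cache_sudo_timeout", entry_timeout))
    smart = int(sect.get("ldap_sudo_smart_refresh_interval", DEFAULT_SMART_REFRESH_INTERVAL))
    full = int(sect.get("ldap_sudo_full_refresh_interval", DEFAULT_FULL_REFRESH_INTERVAL))

    # Model assumption: a smart refresh only fetches rules added or modified
    # since the last run, so a rule deleted or disabled on the server is only
    # dropped by a full refresh or by the per-user rules refresh that happens
    # once the user's cached rules have expired.  Whichever comes first bounds
    # how long the stale rule keeps working.
    max_stale = min(sudo_timeout, full)

    warnings = []
    if "sudo" not in services:
        warnings.append("sudo responder not listed in [sssd] services")
    # sssd.conf(5): sudo_provider defaults to the value of id_provider.
    provider = sect.get("sudo_provider", sect.get("id_provider", "none"))
    if provider == "none":
        warnings.append("no sudo provider configured for this domain")
    if full < 60 or smart < 60:
        warnings.append("refresh interval below 60 s: every client will poll "
                        "the LDAP server continuously")

    return {
        "entry_cache_sudo_timeout": sudo_timeout,
        "smart_refresh": smart,
        "full_refresh": full,
        "max_stale_seconds": max_stale,
        "warnings": warnings,
    }


def removed_rule_still_works(cached_at, now, timings):
    """Under the model above: is a rule cached at `cached_at` (epoch seconds)
    and since removed on the server still honoured at `now`?"""
    return now - cached_at < timings["max_stale_seconds"]


if __name__ == "__main__":
    for key, value in sudo_timings(SAMPLE_CONF, "example.info").items():
        print(f"{key}: {value}")
```

With the defaults, the script reports a worst-case stale window of 5400 s for a removed rule, which is why a test that waits only a few minutes after disabling a rule still succeeds; with the post's 30 s full refresh the window shrinks to 30 s at the cost of every client polling the directory twice a minute.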
