Hi, I've installed freeipa 4.1.1 on Fedora 21, and successfully set up a freeipa server and a freeipa client machine. I've set up a user with ssh keys, and can successfully ssh onto the client machine. I'm trying to set up sudo rules so that if the user is in a given user group, then the user can run "sudo su -" on the client to become root.
Here is my setup:

[root@fedora21-freeipa log]# ipa user-show ccard
  User login: ccard
  First name: Chris
  Last name: Card
  Home directory: /home/ccard
  Login shell: /bin/sh
  Email address: cc...@testdomain21.com
  UID: 1581000001
  GID: 1581000001
  Account disabled: False
  Password: True
  Member of groups: ipausers, cog_rw
  Indirect Member of Sudo rule: All
  Kerberos keys available: True
  SSH public key fingerprint: 98:3D:15:93:A2:F7:79:A8:D6:F6:8B:5B:21:3F:E6:78 ccard (ssh-rsa)

[root@fedora21-freeipa log]# ipa group-show cog_rw
  Group name: cog_rw
  GID: 1581000003
  Member users: ccard
  Member of Sudo rule: All

[root@fedora21-freeipa log]# ipa sudorule-show All
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: cog_rw
  Sudo Option: !authenticate

I've found that this setup works eventually, but I have to wait for several minutes after changing the settings (through the freeipa gui) before it works. I've found that changing entry_cache_sudo_timeout and stopping/starting sssd on the client machine helps, and that sss_cache doesn't support invalidating the sudo rules, which is annoying.

I've also tried making the sudo rule more restrictive by adding a host group, e.g.

[root@fedora21-freeipa log]# ipa hostgroup-show
  Host-group: cog
  Host-group: cog
  Member hosts: ipaclient21.testdomain21.com
  Member of Sudo rule: All

[root@fedora21-freeipa log]# ipa sudorule-show All
  Rule name: All
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: cog_rw
  Host Groups: cog
  Sudo Option: !authenticate

but this setup doesn't work, i.e. even though the user is in the user group and the client machine is in the host group, sudo su - fails. Is this a bug, or have I missed something?

Chris
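As an added illustration (not FreeIPA or SSSD code, and not part of the post), the function below parses `ipa sudorule-show` style output and evaluates the user and host sides of a rule the way the server-side data says they should apply. Run against the two rule definitions and the user, group and hostgroup memberships quoted above, both rules match ccard on ipaclient21.testdomain21.com; the example models only the rule definition, not SSSD's cached copy or its refresh timers, so a difference between this result and what `sudo` does on the client is a client-side matter. The field names "Users" and "Hosts" for directly listed members are assumed from the `ipa` output format and are not shown in the post.

```python
# Added example: evaluate FreeIPA sudo rule membership from `ipa sudorule-show`
# text. Only the user and host sides are modelled; command and RunAs matching
# are out of scope. Rule texts below are constructed from the mailing-list post.

def parse_ipa_show(text):
    """Parse 'Key: value' lines printed by `ipa *-show`.
    Every value is returned as a list, splitting multi-valued fields on commas.
    partition() splits on the first colon only, so values containing colons
    (e.g. an SSH fingerprint) survive intact."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.strip().partition(":")
        fields[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return fields

def rule_matches(rule, user, user_groups, host, host_groups):
    """True if the rule is enabled and both its user side and its host side
    cover the given user/host. A category of 'all' matches anything; otherwise
    the principal must be listed directly ("Users"/"Hosts", assumed field
    names) or belong to one of the listed groups."""
    if rule.get("Enabled", ["FALSE"])[0] != "TRUE":
        return False
    user_ok = (rule.get("User category") == ["all"]
               or user in rule.get("Users", [])
               or bool(set(user_groups) & set(rule.get("User Groups", []))))
    host_ok = (rule.get("Host category") == ["all"]
               or host in rule.get("Hosts", [])
               or bool(set(host_groups) & set(rule.get("Host Groups", []))))
    return user_ok and host_ok

# Constructed from the post: first rule (Host category: all) and the restricted
# second rule (Host Groups: cog) that the poster reports as not working.
RULE_ALL_HOSTS = """
Rule name: All
Enabled: TRUE
Host category: all
Command category: all
RunAs User category: all
RunAs Group category: all
User Groups: cog_rw
Sudo Option: !authenticate
"""
RULE_HOSTGROUP = RULE_ALL_HOSTS.replace("Host category: all\n", "").replace(
    "User Groups: cog_rw\n", "User Groups: cog_rw\nHost Groups: cog\n")

def check_post_setup():
    """Evaluate both rules for ccard on ipaclient21 as described in the post."""
    user, groups, host, hgroups = "ccard", ["ipausers", "cog_rw"], \
        "ipaclient21.testdomain21.com", ["cog"]
    return {name: rule_matches(parse_ipa_show(txt), user, groups, host, hgroups)
            for name, txt in (("all_hosts", RULE_ALL_HOSTS),
                              ("hostgroup", RULE_HOSTGROUP))}
```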