Hi,
I've installed freeipa 4.1.1 on Fedora 21, and successfully set up a freeipa 
server and a freeipa client machine.
I've set up a user with ssh keys, and can successfully ssh onto the client 
machine.
I'm trying to set up sudo rules so that if the user is in a given user group, 
then the user can run "sudo su -" on the client to become root.

Here is my setup:

[root@fedora21-freeipa log]# ipa user-show ccard
  User login: ccard
  First name: Chris
  Last name: Card
  Home directory: /home/ccard
  Login shell: /bin/sh
  Email address: cc...@testdomain21.com
  UID: 1581000001
  GID: 1581000001
  Account disabled: False
  Password: True
  Member of groups: ipausers, cog_rw
  Indirect Member of Sudo rule: All
  Kerberos keys available: True
  SSH public key fingerprint: 98:3D:15:93:A2:F7:79:A8:D6:F6:8B:5B:21:3F:E6:78 
ccard (ssh-rsa)
[root@fedora21-freeipa log]# ipa group-show cog_rw
  Group name: cog_rw
  GID: 1581000003
  Member users: ccard
  Member of Sudo rule: All
[root@fedora21-freeipa log]# ipa sudorule-show All
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: cog_rw
  Sudo Option: !authenticate

I've found that this setup works eventually, but I have to wait for several 
minutes after changing the settings (through the freeipa gui), before it works. 
I've found that changing entry_cache_sudo_timeout and stopping/starting sssd on 
the client machine helps, and that sss_cache doesn't support invalidating the 
sudo rules, which is annoying.

I've also tried making the sudo rule more restrictive by adding a host group 
e.g.

[root@fedora21-freeipa log]# ipa hostgroup-show
Host-group: cog
  Host-group: cog
  Member hosts: ipaclient21.testdomain21.com
  Member of Sudo rule: All
[root@fedora21-freeipa log]# ipa sudorule-show All
  Rule name: All
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: cog_rw
  Host Groups: cog
  Sudo Option: !authenticate

but this setup doesn't work, i.e. even though the user is in the user group and 
the client machine is in the host group, sudo su - fails. Is this a bug, or 
have I missed something?

Chris
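The client-side cache behaviour described in the message above, as an added example that is not part of the original post: a POSIX shell helper that reads an SSSD configuration and reports the settings which decide how long a changed sudo rule stays stale on a FreeIPA client. The sssd.conf fragment is constructed for this example (it reuses the domain name from the post) and the function names are my own; the defaults encoded in it are the documented SSSD ones: entry_cache_sudo_timeout falls back to entry_cache_timeout (5400 s), sudo_provider falls back to id_provider, and the IPA/LDAP sudo back end pulls changed rules every ldap_sudo_smart_refresh_interval (900 s) and re-downloads everything every ldap_sudo_full_refresh_interval (21600 s).

```shell
#!/bin/sh
# Constructed sssd.conf fragment for a FreeIPA client (example data, not from the post).
# sudo_provider is deliberately left out so the id_provider fallback is exercised.
SAMPLE_CONF='[sssd]
services = nss, pam, ssh, sudo
domains = testdomain21.com

[domain/testdomain21.com]
id_provider = ipa
ipa_domain = testdomain21.com
ipa_server = fedora21-freeipa.testdomain21.com
entry_cache_timeout = 600
'

# conf_value CONF SECTION KEY: print the value of KEY inside [SECTION] of the
# INI-style text CONF, or nothing when the key is unset there.
conf_value() {
    printf '%s\n' "$1" | awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*\[/ {                    # section header: remember its name
            s = index($0, "["); e = index($0, "]")
            cur = substr($0, s + 1, e - s - 1); next
        }
        cur == sect && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, "")     # strip "key ="
            sub(/[[:space:]]*$/, "")           # strip trailing blanks
            print; exit
        }'
}

# conf_default CONF SECTION KEY DEFAULT: like conf_value, but prints DEFAULT when unset.
conf_default() {
    v=$(conf_value "$1" "$2" "$3")
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$4"
}

# sudo_provider CONF DOMAIN: the sudo back end; SSSD defaults it to the id_provider.
sudo_provider() {
    conf_default "$1" "$2" sudo_provider "$(conf_value "$1" "$2" id_provider)"
}

# sudo_enabled CONF DOMAIN: "yes" when the sudo responder is listed in [sssd]
# services and the domain resolves to a sudo provider, otherwise "no".
sudo_enabled() {
    svcs=$(conf_value "$1" sssd services | tr -d ' ')
    case ",$svcs," in
        *,sudo,*) [ -n "$(sudo_provider "$1" "$2")" ] && { echo yes; return 0; } ;;
    esac
    echo no
}

# effective_sudo_timeout CONF DOMAIN: seconds a cached sudo rule is served without a
# backend lookup; entry_cache_sudo_timeout falls back to entry_cache_timeout (5400).
effective_sudo_timeout() {
    conf_default "$1" "$2" entry_cache_sudo_timeout \
        "$(conf_default "$1" "$2" entry_cache_timeout 5400)"
}

# sudo_smart_refresh / sudo_full_refresh CONF DOMAIN: how often SSSD fetches rules
# changed since the last run (default 900 s) and re-downloads all rules (default 21600 s).
sudo_smart_refresh() { conf_default "$1" "$2" ldap_sudo_smart_refresh_interval 900; }
sudo_full_refresh()  { conf_default "$1" "$2" ldap_sudo_full_refresh_interval 21600; }

# report CONF DOMAIN: one line per setting for the given domain section.
report() {
    printf 'sudo responder enabled: %s\n'  "$(sudo_enabled "$1" "$2")"
    printf 'sudo provider:          %s\n'  "$(sudo_provider "$1" "$2")"
    printf 'entry cache (sudo):     %ss\n' "$(effective_sudo_timeout "$1" "$2")"
    printf 'smart refresh interval: %ss\n' "$(sudo_smart_refresh "$1" "$2")"
    printf 'full refresh interval:  %ss\n' "$(sudo_full_refresh "$1" "$2")"
}

report "$SAMPLE_CONF" "domain/testdomain21.com"
```

To inspect a real client, replace the embedded text with the contents of /etc/sssd/sssd.conf (readable only by root) and pass its domain section name. The smart refresh interval is what turns a rule edit on the server into a multi-minute wait on the client: the new rule is fetched at the next smart refresh or by a full refresh, which SSSD also performs when it starts, which is why stopping and starting sssd makes the change visible immediately.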

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project