From Fedora Project Wiki

(Editing the domain is not needed starting with 1.10 beta1)
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
The necessary infrastructure for realmd integration of sudo is not yet complete. This is not expected to be integrated in Fedora 19. See: https://fedorahosted.org/freeipa/ticket/3358
 +
 
{{QA/Test_Case
 
{{QA/Test_Case
 
|description=Verify FreeIPA's sudo management using realmd to join the current machine to a FreeIPA domain.
 
|description=Verify FreeIPA's sudo management using realmd to join the current machine to a FreeIPA domain.
 
|setup=
 
|setup=
# Run through the [[QA:Testcase_FreeIPA_realmd_join|test case to join the domain]].
+
# If you have not already done so, run through the [[QA:Testcase_FreeIPA_realmd_join|test case to join the domain]].
  
 
|actions=
 
|actions=
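Review bot: the added lead paragraph says the realmd side of sudo is not expected in Fedora 19 and points at ticket 3358, yet the unchanged |description= right after it still promises to verify sudo management "using realmd"; state in the description which part realmd handles (the join, covered by the linked QA:Testcase_FreeIPA_realmd_join) and which parts remain manual for now (the SSSD and nsswitch.conf changes in |actions=), so a tester does not file the manual steps as a realmd bug.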
Line 8: Line 10:
 
=== Configure SSSD ===
 
=== Configure SSSD ===
  
On <code>client.ipa.example.com</code>, you have to make some changes to <code>/etc/sssd/sssd.conf</code>.
+
On <code>client.ipa.example.org</code>, you have to make some changes to <code>/etc/sssd/sssd.conf</code>.
  
 
Make sure the sudo service is enabled in the <code>[sssd]</code> section:
 
Make sure the sudo service is enabled in the <code>[sssd]</code> section:
Line 15: Line 17:
 
  ...
 
  ...
 
  services = nss, pam, ssh, sudo
 
  services = nss, pam, ssh, sudo
...
 
 
In the FreeIPA domain section, you have to make the following changes (see <code>man sssd-sudo</code> for more information):
 
 
[domain/IPA.EXAMPLE.COM]
 
...
 
sudo_provider = ldap
 
ldap_uri = ldap://server.ipa.example.com
 
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com
 
ldap_sasl_mech = GSSAPI
 
ldap_sasl_authid = host/client.ipa.example.com
 
ldap_sasl_realm = IPA.EXAMPLE.COM
 
krb5_server = server.ipa.example.com
 
 
  ...
 
  ...
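Review bot: removing the whole `[domain/IPA.EXAMPLE.COM]` block also removes the only pointer to `man sssd-sudo` and leaves no statement that the domain section written by the join needs no sudo-specific edits; add one sentence in its place, for example "The domain section generated by the join needs no sudo-specific changes as of 1.10 beta1; see `man sssd-sudo` for the options it would otherwise need", and name the component the edit summary's "1.10 beta1" refers to. Note also that the removed lines used `ipa.example.com` / `IPA.EXAMPLE.COM` while the kept text now uses `ipa.example.org`, so nobody reading the revision history should copy them into the new setup.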
  
Line 36: Line 25:
 
=== Configure sudo ===
 
=== Configure sudo ===
  
Configure sudo on <code>client.ipa.example.com</code> to use SSSD for sudoers in <code>/etc/nsswitch.conf</code>:
+
Configure sudo on <code>client.ipa.example.org</code> to use SSSD for sudoers in <code>/etc/nsswitch.conf</code>:
  
 
  sudoers: sss
 
  sudoers: sss
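Review bot: `sudoers: sss` makes SSSD the only sudoers source, so a client whose cache has not yet been populated by a successful online `sudo` and which cannot reach the server loses sudo entirely, local rules in /etc/sudoers included; since the offline step later in this test depends on the earlier online `sudo id` having filled the cache, say so at this point, and mention `sudoers: files sss` as the setting that keeps the local file as a fallback, with `sss` alone used here deliberately to prove the SSSD path.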
Line 68: Line 57:
 
Log in as <code>sudouser</code>:
 
Log in as <code>sudouser</code>:
  
  user@client$ su - sudouser
+
  user@client$ su - sudouser@IPA.EXAMPLE.ORG
  
 
Note that you will be prompted to change the password.
 
Note that you will be prompted to change the password.
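Review bot: the login changes to the fully qualified `sudouser@IPA.EXAMPLE.ORG`, but the rule is still added with `--users sudouser` and the expected prompt still reads `[sudo] password for sudouser:`; add a sentence that the qualified form is needed only where the joined client requires it for the login and that the short name shown afterwards is the same account, otherwise a tester may read the mismatch as the rule failing to match.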
Line 99: Line 88:
 
}}
 
}}
  
[[Category:Active_Directory_Test_Cases]]
+
== Troubleshooting ==
 +
 
 +
'''Known Issue:''' sudo id does not work. It may be caused by missing libsss_sudo package. Workaround:
 +
<pre>yum install libsss_sudo</pre>
 +
 
 +
[[Category:FreeIPA_Test_Cases]]
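Review bot: the new '''Known Issue''' text says only that `sudo id` "does not work"; give the observable symptom (what sudo prints) and why `libsss_sudo` matters (it provides the `libsss_sudo.so` library that sudo's `sss` sudoers source, selected by the `sudoers: sss` line above, loads at runtime), and show the workaround in the page's own prompt style, `root@client# yum install libsss_sudo`. Note also that the section sits after the closing `}}` of {{QA/Test_Case}} and the category line, so it renders below Expected Results rather than inside the test case; fine if intended, but then the removed `[[Category:Active_Directory_Test_Cases]]` should be mentioned in the edit summary as well.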

Latest revision as of 13:26, 6 May 2013

The necessary infrastructure for realmd integration of sudo is not yet complete. This is not expected to be integrated in Fedora 19. See: https://fedorahosted.org/freeipa/ticket/3358


Description

Verify FreeIPA's sudo management using realmd to join the current machine to a FreeIPA domain.

Setup

  1. If you have not already done so, run through the test case to join the domain.

How to test

Configure SSSD

On client.ipa.example.org, you have to make some changes to /etc/sssd/sssd.conf.

Make sure the sudo service is enabled in the [sssd] section:

[sssd]
...
services = nss, pam, ssh, sudo
...

Finally, restart SSSD:

root@client# systemctl restart sssd.service

Configure sudo

Configure sudo on client.ipa.example.org to use SSSD for sudoers in /etc/nsswitch.conf:

sudoers: sss

Note that with this setting sudo uses the SSSD sudoers source only; /etc/sudoers is ignored.
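The two configuration steps above (the <code>sudo</code> responder in <code>/etc/sssd/sssd.conf</code> and <code>sudoers: sss</code> in <code>/etc/nsswitch.conf</code>) are easy to get subtly wrong, and a missing responder fails silently at <code>sudo</code> time. The following POSIX shell script is an added example, not part of this test case or of the SSSD/FreeIPA projects: it parses constructed copies of both files and reports whether the sudo path is wired up. The sample file contents, the domain name <code>ipa.example.org</code> and the function names are assumptions; the rule that SSSD falls back to <code>id_provider</code> when <code>sudo_provider</code> is unset is taken from sssd.conf(5).

```shell
#!/bin/sh
# Added example (not from the Fedora wiki test case): pre-flight checks for the
# SSSD sudo integration. All sample input below is constructed for offline use.

# Constructed sample /etc/sssd/sssd.conf, as the join plus the test case leave it.
SAMPLE_SSSD_CONF='[sssd]
config_file_version = 2
services = nss, pam, ssh, sudo
domains = ipa.example.org

[domain/ipa.example.org]
id_provider = ipa
'

# Constructed variant where the sudo responder was forgotten.
SAMPLE_SSSD_CONF_NOSUDO='[sssd]
services = nss, pam, ssh
domains = ipa.example.org

[domain/ipa.example.org]
id_provider = ipa
'

# Constructed variant with an explicit provider, as older manual setups used.
OLD_STYLE_DOMAIN='[domain/ipa.example.org]
id_provider = ipa
sudo_provider = ldap
'

# Constructed sample /etc/nsswitch.conf with the line from this test case.
SAMPLE_NSSWITCH='passwd:     files sss
group:      files sss
sudoers:    sss
'

# sssd_sudo_enabled <conf-text>: exit 0 if the "services" line in the [sssd]
# section lists "sudo", non-zero otherwise.
sssd_sudo_enabled() {
    printf '%s\n' "$1" | awk '
        /^\[/ { insssd = ($0 == "[sssd]"); next }
        insssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, svc, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# nsswitch_sudoers_source <conf-text>: print the sources configured for the
# sudoers database (empty output if the database is not listed at all).
nsswitch_sudoers_source() {
    printf '%s\n' "$1" | awk '
        $1 == "sudoers:" { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# sssd_domain_sudo_provider <conf-text> <domain>: print the provider SSSD will
# use for sudo rules in [domain/<domain>]: an explicit sudo_provider if set,
# otherwise id_provider (the default documented in sssd.conf(5)), else "none".
sssd_domain_sudo_provider() {
    printf '%s\n' "$1" | awk -v dom="[domain/$2]" '
        /^\[/ { indom = ($0 == dom); next }
        indom && /^[ \t]*sudo_provider[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); explicit = $0 }
        indom && /^[ \t]*id_provider[ \t]*=/   { sub(/^[^=]*=[ \t]*/, ""); fallback = $0 }
        END {
            if (explicit != "") print explicit
            else if (fallback != "") print fallback
            else print "none"
        }'
}

# Stand-alone demonstration on the constructed samples.
if sssd_sudo_enabled "$SAMPLE_SSSD_CONF"; then
    echo "sssd: sudo responder enabled"
else
    echo "sssd: sudo responder MISSING from services="
fi
echo "nsswitch sudoers sources: $(nsswitch_sudoers_source "$SAMPLE_NSSWITCH")"
echo "sudo provider for ipa.example.org: $(sssd_domain_sudo_provider "$SAMPLE_SSSD_CONF" ipa.example.org)"
```

To run the same checks against a real client, pass the file contents instead of the samples, e.g. <code>sssd_sudo_enabled "$(cat /etc/sssd/sssd.conf)"</code>; reading <code>/etc/sssd/sssd.conf</code> requires root because SSSD keeps it mode 0600. A result of <code>sss</code> alone from <code>nsswitch_sudoers_source</code> confirms the situation the note above describes: local <code>/etc/sudoers</code> entries are no longer consulted.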

Sudoers setup

First, authenticate as admin:

user@server$ kinit admin

Create a user:

user@server$ ipa user-add sudouser --first Sudo --last User

Set initial password for the user:

user@server$ ipa passwd sudouser

Create a sudo rule:

user@server$ ipa sudorule-add testrule --hostcat all --cmdcat all --runasusercat all --runasgroupcat all

Add the user to the sudo rule:

user@server$ ipa sudorule-add-user testrule --users sudouser

Sudo testing

Log in as sudouser:

user@client$ su - sudouser@IPA.EXAMPLE.ORG

Note that you will be prompted to change the password.

Verify that you are allowed to run sudo:

sudouser@client$ sudo id
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for sudouser: 
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Now go offline. You can do that by disconnecting the client from the network, shutting down the server, etc.

After going offline, you should still be able to use sudo:

sudouser@client$ sudo id
[sudo] password for sudouser: 
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Expected Results

All the test steps should end with the specified results.



Troubleshooting

Known Issue: sudo id does not work. It may be caused by a missing libsss_sudo package. Workaround:

yum install libsss_sudo