Revision as of 23:50, 17 April 2013
Description
Verify FreeIPA's sudo management using realmd to join the current machine to a FreeIPA domain.
Setup
- If you have not already done so, run through the test case to join the domain.
How to test
Configure SSSD
On client.ipa.example.org, you have to make some changes to /etc/sssd/sssd.conf.
Make sure the sudo service is enabled in the [sssd] section:
[sssd]
...
services = nss, pam, ssh, sudo
...
In the FreeIPA domain section, you have to make the following changes (see man sssd-sudo for more information):
[domain/IPA.EXAMPLE.ORG]
...
sudo_provider = ldap
ldap_uri = ldap://server.ipa.example.org
# the sudoers container sits under the base DN of the IPA.EXAMPLE.ORG domain
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=org
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.ipa.example.org
ldap_sasl_realm = IPA.EXAMPLE.ORG
krb5_server = server.ipa.example.org
...
Finally, restart SSSD:
root@client# systemctl restart sssd.service
Configure sudo
Configure sudo on client.ipa.example.org to use SSSD for sudoers in /etc/nsswitch.conf:
sudoers: sss
Note that with this setting, sudo will consult the SSSD sudoers source only; /etc/sudoers will be ignored.
Sudoers setup
First, authenticate as admin:
user@server$ kinit admin
Create a user:
user@server$ ipa user-add sudouser --first Sudo --last User
Set initial password for the user:
user@server$ ipa passwd sudouser
Create a sudo rule:
user@server$ ipa sudorule-add testrule --hostcat all --cmdcat all --runasusercat all --runasgroupcat all
Add the user to the sudo rule:
user@server$ ipa sudorule-add-user testrule --users sudouser
Sudo testing
Log in as sudouser:
user@client$ su - sudouser@IPA.EXAMPLE.ORG
Note that you will be prompted to change the password.
Verify that you are allowed to run sudo:
sudouser@client$ sudo id

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for sudouser:
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Now go offline. You can do that by disconnecting the client from the network, shutting down the server, etc.
After going offline, you should still be able to use sudo (SSSD answers from its cached sudo rules):
sudouser@client$ sudo id
[sudo] password for sudouser:
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Expected Results
All the test steps should end with the specified results.
Troubleshooting
Known issue: sudo id does not work. This may be caused by a missing libsss_sudo package. Workaround:
yum install libsss_sudo
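Before running the sudo steps, it is worth checking the client-side settings from the "Configure SSSD" and "Configure sudo" sections, plus the libsss_sudo item above, in one go. The script below is an added example written for this page; it is not part of the Fedora QA test case or of SSSD. The function names are mine, the sssd.conf, nsswitch.conf and library directory it reads are constructed inline so it runs offline, and the assumption is that on a real client you would point the checks at /etc/sssd/sssd.conf, /etc/nsswitch.conf and the system library directory (/usr/lib64 on 64-bit Fedora). It also covers the failure mode of a search base whose suffix does not match the realm, which leaves SSSD with no sudo rules at all.

```shell
#!/bin/sh
# Added example (not the Fedora QA page's own code): offline sanity checks for
# the client settings the test case asks for. All input below is constructed.

# Print the value of KEY in [SECTION] of an INI-style file such as sssd.conf.
ini_get() {  # ini_get FILE SECTION KEY
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                                   # comment line
        /^[ \t]*\[/ { h = $0; gsub(/[ \t]/, "", h); insec = (h == want); next }
        insec {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }
    ' "$1"
}

# IPA.EXAMPLE.ORG -> dc=ipa,dc=example,dc=org (FreeIPA's default base DN).
realm_to_basedn() {  # realm_to_basedn REALM
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i; print "" }'
}

# 0 if "sudo" is listed in services= of the [sssd] section, 1 otherwise.
check_sssd_sudo_service() {  # check_sssd_sudo_service FILE
    case ",$(ini_get "$1" sssd services | tr -d ' ')," in
        *,sudo,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Domain-section checks: 1 = sudo_provider is not ldap, 2 = SASL mech is not
# GSSAPI, 3 = ldap_sudo_search_base is not ou=sudoers under the realm's base
# DN (a stale dc=com suffix after a realm change is the classic cause).
check_domain_sudo() {  # check_domain_sudo FILE REALM
    sec="domain/$2"
    [ "$(ini_get "$1" "$sec" sudo_provider)" = ldap ] || return 1
    [ "$(ini_get "$1" "$sec" ldap_sasl_mech)" = GSSAPI ] || return 2
    [ "$(ini_get "$1" "$sec" ldap_sudo_search_base)" = "ou=sudoers,$(realm_to_basedn "$2")" ] || return 3
    return 0
}

# 0 if the sudoers: line of nsswitch.conf names the sss source, 1 otherwise.
check_nsswitch_sudoers() {  # check_nsswitch_sudoers FILE
    awk '$1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
         END { exit !found }' "$1"
}

# 0 if the sudo plugin shipped by libsss_sudo exists under LIBDIR, 1 otherwise.
check_libsss_sudo() {  # check_libsss_sudo LIBDIR
    for f in "$1"/libsss_sudo.so*; do [ -e "$f" ] && return 0; done
    return 1
}

# --- constructed sample input (stands in for the real /etc files) ---------
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
good_conf="$tmpdir/sssd-good.conf"; bad_conf="$tmpdir/sssd-bad.conf"
nss_conf="$tmpdir/nsswitch.conf";   libdir="$tmpdir/lib64"
cat > "$good_conf" <<'EOF'
[sssd]
services = nss, pam, ssh, sudo
domains = IPA.EXAMPLE.ORG

[domain/IPA.EXAMPLE.ORG]
id_provider = ipa
sudo_provider = ldap
ldap_uri = ldap://server.ipa.example.org
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=org
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.ipa.example.org
ldap_sasl_realm = IPA.EXAMPLE.ORG
krb5_server = server.ipa.example.org
EOF
# Same file, but with the search base left at an old dc=com suffix.
sed 's/dc=example,dc=org/dc=example,dc=com/' "$good_conf" > "$bad_conf"
printf 'passwd:  files sss\nsudoers: sss\n' > "$nss_conf"
mkdir -p "$libdir" && : > "$libdir/libsss_sudo.so"   # empty stand-in for the plugin

report() {  # report LABEL COMMAND... ; prints ok/FAIL without aborting the run
    label=$1; shift; rc=0; "$@" || rc=$?
    [ "$rc" -eq 0 ] && printf 'ok   %s\n' "$label" || printf 'FAIL %s (rc=%s)\n' "$label" "$rc"
}
report "sudo in [sssd] services"        check_sssd_sudo_service "$good_conf"
report "domain section (good conf)"     check_domain_sudo "$good_conf" IPA.EXAMPLE.ORG
report "domain section (stale dc=com)"  check_domain_sudo "$bad_conf" IPA.EXAMPLE.ORG
report "nsswitch sudoers uses sss"      check_nsswitch_sudoers "$nss_conf"
report "libsss_sudo plugin present"     check_libsss_sudo "$libdir"
```

The third report line is expected to print FAIL with rc=3: the realm and the search base disagree, and SSSD would query a container that does not exist, so `sudo id` fails even though the Kerberos and LDAP settings are otherwise right. Note that a passing check here only proves the files are consistent; whether the rules actually arrive is still confirmed by the `sudo id` steps above.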