From Fedora Project Wiki

Revision as of 20:32, 17 April 2013 by Pkis (talk | contribs)

Description

Verify FreeIPA's sudo management using realmd to join the current machine to a FreeIPA domain.

Setup

  1. Run through the test case to join the domain.

How to test

Configure SSSD

On client.ipa.example.com, you have to make some changes to /etc/sssd/sssd.conf. Keep the file owned by root with mode 0600; SSSD refuses to start if the permissions are more permissive.

Make sure the sudo service is enabled in the [sssd] section:

[sssd]
...
services = nss, pam, ssh, sudo
...

In the FreeIPA domain section, you have to make the following changes (see man sssd-sudo for more information). The GSSAPI bind uses the client's host principal from /etc/krb5.keytab, which was created when the machine joined the domain, so no bind password has to be stored in sssd.conf:

[domain/IPA.EXAMPLE.COM]
...
sudo_provider = ldap
ldap_uri = ldap://server.ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.ipa.example.com
ldap_sasl_realm = IPA.EXAMPLE.COM
krb5_server = server.ipa.example.com
...

Finally, restart SSSD:

root@client# systemctl restart sssd.service

Configure sudo

Configure sudo on client.ipa.example.com to use SSSD for sudoers in /etc/nsswitch.conf:

sudoers: sss

Note that with this setting sudo consults SSSD only and /etc/sudoers is ignored. If local rules should stay in effect as well, list both sources in order of preference (sudoers: files sss).
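The following pre-flight check is an added example and is not part of the original test case or of SSSD or sudo. It verifies the three client-side settings above (sudo in the [sssd] services list, a sudo_provider in the domain section, and sss on the sudoers line of nsswitch.conf) and flags when /etc/sudoers is going to be ignored. It runs against constructed copies of sssd.conf and nsswitch.conf that mirror the fragments above; the file names under the temporary directory and the deliberately broken sssd-nosudo.conf are assumptions made for the demonstration. To check a real client, pass /etc/sssd/sssd.conf, /etc/nsswitch.conf and the domain section name instead.

```shell
#!/bin/sh
# Pre-flight check for the client-side settings above (added example, not part of the
# original test case). All sample files are constructed here so it runs offline.

# Exit 0 if the "services =" line in the [sssd] section lists sudo.
sssd_has_sudo_service() {
    awk '
        /^\[/ { insssd = ($0 ~ /^\[sssd\][[:space:]]*$/) }
        insssd && /^[[:space:]]*services[[:space:]]*=/ {
            line = $0; sub(/^[^=]*=/, "", line)
            n = split(line, a, /[[:space:],]+/)
            for (i = 1; i <= n; i++) if (a[i] == "sudo") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the sudo_provider of section [domain/$2] in $1; exit 1 if it is not set.
sssd_sudo_provider() {
    awk -v want="[domain/$2]" '
        /^\[/ { h = $0; sub(/[[:space:]]+$/, "", h); indom = (h == want) }
        indom && /^[[:space:]]*sudo_provider[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the sources on the "sudoers:" line of nsswitch.conf $1 (comment stripped,
# single-spaced); exit 1 when the line is absent, in which case sudo uses files only.
nsswitch_sudoers_sources() {
    awk '
        /^[[:space:]]*sudoers[[:space:]]*:/ {
            sub(/#.*/, ""); sub(/^[^:]*:[[:space:]]*/, "")
            gsub(/[[:space:]]+/, " "); sub(/ $/, ""); print; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Run all checks on sssd.conf $1, nsswitch.conf $2 and domain $3; return 0 only if all pass.
check_client_config() {
    conf=$1; nss=$2; domain=$3; rc=0
    if sssd_has_sudo_service "$conf"; then echo "ok:   [sssd] services lists sudo"
    else echo "FAIL: sudo missing from services= in [sssd] ($conf)"; rc=1; fi
    if provider=$(sssd_sudo_provider "$conf" "$domain"); then
        echo "ok:   [domain/$domain] sudo_provider = $provider"
    else echo "FAIL: sudo_provider not set in [domain/$domain] ($conf)"; rc=1; fi
    sources=$(nsswitch_sudoers_sources "$nss") || sources=files
    case " $sources " in
        *" sss "*) echo "ok:   nsswitch.conf sudoers: $sources" ;;
        *) echo "FAIL: sudoers line in $nss does not list sss (has: $sources)"; rc=1 ;;
    esac
    case " $sources " in
        *" files "*) ;;
        *) echo "note: only SSSD rules apply; /etc/sudoers is ignored (use 'files sss' to keep it)" ;;
    esac
    return $rc
}

# Constructed samples mirroring the fragments above: a correct sssd.conf and nsswitch.conf,
# plus an sssd.conf whose [sssd] section forgot the sudo responder (assumed file names).
write_sample_configs() {
    cat > "$1/sssd.conf" <<'EOF'
[sssd]
domains = IPA.EXAMPLE.COM
services = nss, pam, ssh, sudo

[domain/IPA.EXAMPLE.COM]
sudo_provider = ldap
ldap_uri = ldap://server.ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.ipa.example.com
ldap_sasl_realm = IPA.EXAMPLE.COM
krb5_server = server.ipa.example.com
EOF
    sed 's/^services = .*/services = nss, pam, ssh/' "$1/sssd.conf" > "$1/sssd-nosudo.conf"
    printf 'passwd:  files sss\nsudoers: sss   # SSSD only\n' > "$1/nsswitch.conf"
}

demo=$(mktemp -d)
write_sample_configs "$demo"
echo "== correct client configuration"
check_client_config "$demo/sssd.conf" "$demo/nsswitch.conf" IPA.EXAMPLE.COM
echo "== sssd.conf without the sudo responder"
check_client_config "$demo/sssd-nosudo.conf" "$demo/nsswitch.conf" IPA.EXAMPLE.COM || true
rm -rf "$demo"
```

Run it as root when pointing it at the real /etc/sssd/sssd.conf, since that file is readable by root only. The check only confirms that the configuration is in place; whether the rules are actually fetched is verified by the sudo test below.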

Sudoers setup

First, authenticate as admin:

user@server$ kinit admin

Create a user:

user@server$ ipa user-add sudouser --first Sudo --last User

Set initial password for the user:

user@server$ ipa passwd sudouser

Create a sudo rule:

user@server$ ipa sudorule-add testrule --hostcat all --cmdcat all --runasusercat all --runasgroupcat all

Add the user to the sudo rule:

user@server$ ipa sudorule-add-user testrule --users sudouser

Sudo testing

Log in as sudouser:

user@client$ su - sudouser@IPA.EXAMPLE.COM

Note that you will be prompted to change the password.

Verify that you are allowed to run sudo:

sudouser@client$ sudo id
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for sudouser: 
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Now go offline. You can do that by disconnecting the client from network, shutting down the server, etc.

After going offline, you should still be able to use sudo: SSSD answers from the sudo rules it cached while online and checks the password against the cached credentials (cache_credentials = True in the domain section, which the domain join enables):

sudouser@client$ sudo id
[sudo] password for sudouser: 
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Expected Results

All the test steps should end with the specified results.

Troubleshooting

Known Issue: sudo id does not work (sudouser is refused even though the rule exists). This is usually caused by the missing libsss_sudo package, which provides the sss sudoers backend that the nsswitch.conf setting above relies on. Workaround:

yum install libsss_sudo