Latest revision as of 08:29, 13 September 2012
Description
Offline access to sudo rules.
Setup
- Make sure you have sudo 1.8.6 rc3 or later installed (Koji build).
- Make sure you have SSSD 1.9.0beta7 or later installed (Koji build).
- Install FreeIPA server with DNS on one machine, server.ipa.example.com, and FreeIPA client on another machine, client.ipa.example.com (see Basic installation tests).
How to test
Configure SSSD
On client.ipa.example.com, you have to make some changes to /etc/sssd/sssd.conf.
Make sure the sudo service is enabled in the [sssd] section:
[sssd]
...
services = nss, pam, ssh, sudo
...
In the FreeIPA domain section, you have to make the following changes (see man sssd-sudo for more information):
[domain/IPA.EXAMPLE.COM]
...
sudo_provider = ldap
ldap_uri = ldap://server.ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.ipa.example.com
ldap_sasl_realm = IPA.EXAMPLE.COM
krb5_server = server.ipa.example.com
...
Finally, restart SSSD:
root@client# systemctl restart sssd.service
Configure sudo
Configure sudo on client.ipa.example.com to use SSSD for sudoers in /etc/nsswitch.conf:
sudoers: sss
Note that with this setting sudo will use SSSD sudoers only; /etc/sudoers will be ignored.
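As an added check that is not part of the FreeIPA test case, the POSIX shell functions below parse an sssd.conf and an nsswitch.conf text offline and report which of the settings above are missing; the two sample configurations are constructed from the values on this page, and ini_get and check_sssd_sudo are names chosen here.

```shell
# Added example, not part of the FreeIPA test case: offline preflight check that
# sssd.conf and nsswitch.conf carry the settings required above. Samples are
# constructed from the page; for real files pass "$(cat /etc/sssd/sssd.conf)".
SAMPLE_SSSD='[sssd]
services = nss, pam, ssh, sudo
domains = IPA.EXAMPLE.COM

[domain/IPA.EXAMPLE.COM]
sudo_provider = ldap
ldap_uri = ldap://server.ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.ipa.example.com
ldap_sasl_realm = IPA.EXAMPLE.COM
krb5_server = server.ipa.example.com'
SAMPLE_NSSWITCH='passwd: files sss
sudoers: sss'

# ini_get TEXT SECTION KEY: print the value of KEY inside [SECTION], else nothing.
ini_get() {
    printf '%s\n' "$1" | awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { l = $0; gsub(/[[:space:]]/, "", l); insec = (l == sec); next }
        insec && index($0, "=") {
            n = index($0, "="); k = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", k)
            if (k != key) next
            v = substr($0, n + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit
        }'
}

# check_sssd_sudo SSSD_TEXT NSSWITCH_TEXT: print each missing setting and return
# the number of problems; 0 means the client is set up as the test case expects.
check_sssd_sudo() {
    problems=0
    case ",$(ini_get "$1" sssd services | tr -d ' ')," in
        *,sudo,*) ;;
        *) echo "[sssd] services does not include sudo"; problems=$((problems + 1)) ;;
    esac
    for dom in $(ini_get "$1" sssd domains | tr ',' ' '); do
        # The test case uses the ldap sudo provider and an explicit sudoers search base.
        [ "$(ini_get "$1" "domain/$dom" sudo_provider)" = ldap ] ||
            { echo "domain/$dom: sudo_provider is not ldap"; problems=$((problems + 1)); }
        [ -n "$(ini_get "$1" "domain/$dom" ldap_sudo_search_base)" ] ||
            { echo "domain/$dom: ldap_sudo_search_base not set"; problems=$((problems + 1)); }
    done
    # Without "sudoers: sss" in nsswitch.conf sudo never consults SSSD rules.
    printf '%s\n' "$2" | awk '$1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") ok = 1 } END { exit !ok }' ||
        { echo "nsswitch.conf: sudoers line does not list sss"; problems=$((problems + 1)); }
    return $problems
}
```

Running check_sssd_sudo against the two samples returns 0; each setting it reports as missing is one the offline sudo test cannot pass without.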
Sudoers setup
First, authenticate as admin:
user@server$ kinit admin
Create a user:
user@server$ ipa user-add sudouser --first Sudo --last User
Set initial password for the user:
user@server$ ipa passwd sudouser
Create a sudo rule:
user@server$ ipa sudorule-add testrule --hostcat all --cmdcat all --runasusercat all --runasgroupcat all
Add the user to the sudo rule:
user@server$ ipa sudorule-add-user testrule --users sudouser
Sudo testing
Log in as sudouser:
user@client$ su - sudouser
Note that you will be prompted to change the password.
Verify that you are allowed to run sudo:
sudouser@client$ sudo id
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for sudouser:
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Now go offline. You can do that by disconnecting the client from the network, shutting down the server, etc.
After going offline, you should still be able to use sudo:
sudouser@client$ sudo id
[sudo] password for sudouser:
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Expected Results
All the test steps should end with the specified results.