m (Test case is not ready for F19) |
(Editing the domain is not needed starting with 1.10 beta1) |
||
Line 17: | Line 17: | ||
... | ... | ||
services = nss, pam, ssh, sudo | services = nss, pam, ssh, sudo | ||
... | ... | ||
Latest revision as of 13:26, 6 May 2013
The necessary infrastructure for realmd integration of sudo is not yet complete. This is not expected to be integrated in Fedora 19. See: https://fedorahosted.org/freeipa/ticket/3358
Description
Verify FreeIPA's sudo management using realmd to join the current machine to a FreeIPA domain.
Setup
- If you have not already done so, run through the test case to join the domain.
How to test
Configure SSSD
On client.ipa.example.org
, you have to make some changes to /etc/sssd/sssd.conf
.
Make sure the sudo service is enabled in the [sssd]
section:
[sssd] ... services = nss, pam, ssh, sudo ...
Finally, restart SSSD:
root@client# systemctl restart sssd.service
Configure sudo
Configure sudo on client.ipa.example.org
to use SSSD for sudoers in /etc/nsswitch.conf
:
sudoers: sss
Note that after this setting, sudo will use SSSD sudoers only, /etc/sudoers
will be ignored.
Sudoers setup
First, authenticate as admin:
user@server$ kinit admin
Create a user:
user@server$ ipa user-add sudouser --first Sudo --last User
Set initial password for the user:
user@server$ ipa passwd sudouser
Create a sudo rule:
user@server$ ipa sudorule-add testrule --hostcat all --cmdcat all --runasusercat all --runasgroupcat all
Add the user to the sudo rule:
user@server$ ipa sudorule-add-user testrule --users sudouser
Sudo testing
Log in as sudouser
:
user@client$ su - sudouser@IPA.EXAMPLE.ORG
Note that you will be prompted to change the password.
Verify that you are allowed to run sudo:
sudouser@client$ sudo id We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for sudouser: uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Now go offline. You can do that by disconnecting the client from network, shutting down the server, etc.
After going offline, you should still be able to use sudo:
sudouser@client$ sudo id [sudo] password for sudouser: uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Expected Results
All the test steps should end with the specified results.
Troubleshooting
Known Issue: sudo id does not work. It may be caused by missing libsss_sudo package. Workaround:
yum install libsss_sudo