Description
Verify FreeIPA's sudo management using realmd to join the current machine to a FreeIPA domain.
Setup
- Run through the test case to join the domain.
How to test
Configure SSSD
On client.ipa.example.com
, you have to make some changes to /etc/sssd/sssd.conf
.
Make sure the sudo service is enabled in the [sssd]
section:
[sssd] ... services = nss, pam, ssh, sudo ...
In the FreeIPA domain section, you have to make the following changes (see man sssd-sudo
for more information):
[domain/IPA.EXAMPLE.COM] ... sudo_provider = ldap ldap_uri = ldap://server.ipa.example.com ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/client.ipa.example.com ldap_sasl_realm = IPA.EXAMPLE.COM krb5_server = server.ipa.example.com ...
Finally, restart SSSD:
root@client# systemctl restart sssd.service
Configure sudo
Configure sudo on client.ipa.example.com
to use SSSD for sudoers in /etc/nsswitch.conf
:
sudoers: sss
Note that after this setting, sudo will use SSSD sudoers only, /etc/sudoers
will be ignored.
Sudoers setup
First, authenticate as admin:
user@server$ kinit admin
Create a user:
user@server$ ipa user-add sudouser --first Sudo --last User
Set initial password for the user:
user@server$ ipa passwd sudouser
Create a sudo rule:
user@server$ ipa sudorule-add testrule --hostcat all --cmdcat all --runasusercat all --runasgroupcat all
Add the user to the sudo rule:
user@server$ ipa sudorule-add-user testrule --users sudouser
Sudo testing
Log in as sudouser
:
user@client$ su - sudouser@IPA.EXAMPLE.COM
Note that you will be prompted to change the password.
Verify that you are allowed to run sudo:
sudouser@client$ sudo id We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for sudouser: uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Now go offline. You can do that by disconnecting the client from network, shutting down the server, etc.
After going offline, you should still be able to use sudo:
sudouser@client$ sudo id [sudo] password for sudouser: uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Expected Results
All the test steps should end with the specified results.
Troubleshooting
Known Issue: sudo id does not work. It may be caused by missing libsss_sudo package. Workaround:
yum install libsss_sudo