(Created page with "{{QA/Test_Case |description= Offline access to sudo rules. |setup= * Make sure you have sudo 1.8.6 rc3 or later installed ([http://koji.fedoraproject.org/koji/buildinfo?bu...") |
No edit summary |
||
| (One intermediate revision by the same user not shown) | |||
| Line 36: | Line 36: | ||
krb5_server = server.ipa.example.com | krb5_server = server.ipa.example.com | ||
... | ... | ||
Finally, restart SSSD: | |||
root@client# systemctl restart sssd.service | |||
=== Configure sudo === | |||
Configure sudo on <code>client.ipa.example.com</code> to use SSSD for sudoers in <code>/etc/nsswitch.conf</code>: | |||
sudoers: sss | |||
Note that after this setting, sudo will use SSSD sudoers only, <code>/etc/sudoers</code> will be ignored. | |||
=== Sudoers setup === | |||
First, authenticate as admin: | |||
user@server$ kinit admin | |||
Create a user: | |||
user@server$ ipa user-add sudouser --first Sudo --last User | |||
Set initial password for the user: | |||
user@server$ ipa passwd sudouser | |||
Create a sudo rule: | |||
user@server$ ipa sudorule-add testrule --hostcat all --cmdcat all --runasusercat all --runasgroupcat all | |||
Add the user to the sudo rule: | |||
user@server$ ipa sudorule-add-user testrule --users sudouser | |||
=== Sudo testing === | === Sudo testing === | ||
Log in as <code>sudouser</code>: | |||
user@client$ su - sudouser | |||
Note that you will be prompted to change the password. | |||
Verify that you are allowed to run sudo: | |||
sudouser@client$ sudo id | |||
We trust you have received the usual lecture from the local System | |||
Administrator. It usually boils down to these three things: | |||
#1) Respect the privacy of others. | |||
#2) Think before you type. | |||
#3) With great power comes great responsibility. | |||
[sudo] password for sudouser: | |||
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 | |||
Now go offline. You can do that by disconnecting the client from network, shutting down the server, etc. | |||
After going offline, you should still be able to use sudo: | |||
sudouser@client$ sudo id | |||
[sudo] password for sudouser: | |||
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 | |||
|results= | |results= | ||
Latest revision as of 08:29, 13 September 2012
Description
Offline access to sudo rules.
Setup
- Make sure you have sudo 1.8.6 rc3 or later installed (Koji build).
- Make sure you have SSSD 1.9.0beta7 or later installed (Koji build).
- Install FreeIPA server with DNS on one machine,
server.ipa.example.com, and FreeIPA client on another machine,client.ipa.example.com(see Basic installation tests).
How to test
Configure SSSD
On client.ipa.example.com, you have to make some changes to /etc/sssd/sssd.conf.
Make sure the sudo service is enabled in the [sssd] section:
[sssd] ... services = nss, pam, ssh, sudo ...
In the FreeIPA domain section, you have to make the following changes (see man sssd-sudo for more information):
[domain/IPA.EXAMPLE.COM] ... sudo_provider = ldap ldap_uri = ldap://server.ipa.example.com ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/client.ipa.example.com ldap_sasl_realm = IPA.EXAMPLE.COM krb5_server = server.ipa.example.com ...
Finally, restart SSSD:
root@client# systemctl restart sssd.service
Configure sudo
Configure sudo on client.ipa.example.com to use SSSD for sudoers in /etc/nsswitch.conf:
sudoers: sss
Note that after this setting, sudo will use SSSD sudoers only, /etc/sudoers will be ignored.
Sudoers setup
First, authenticate as admin:
user@server$ kinit admin
Create a user:
user@server$ ipa user-add sudouser --first Sudo --last User
Set initial password for the user:
user@server$ ipa passwd sudouser
Create a sudo rule:
user@server$ ipa sudorule-add testrule --hostcat all --cmdcat all --runasusercat all --runasgroupcat all
Add the user to the sudo rule:
user@server$ ipa sudorule-add-user testrule --users sudouser
Sudo testing
Log in as sudouser:
user@client$ su - sudouser
Note that you will be prompted to change the password.
Verify that you are allowed to run sudo:
sudouser@client$ sudo id
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for sudouser:
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Now go offline. You can do that by disconnecting the client from network, shutting down the server, etc.
After going offline, you should still be able to use sudo:
sudouser@client$ sudo id [sudo] password for sudouser: uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Expected Results
All the test steps should end with the specified results.