Ogandos (Canada) asked:
IPA-SERVER - SUDO permissions not working on Ubuntu Servers

I have just installed my first IPA server (on CentOS), and it is already set up as the LDAP server hosting the centralized credential control for many users logging on to many Ubuntu servers.

My problem is that I have tried to create a new group on the IPA server in order to assign sudo permissions to the users logging on to the Ubuntu servers with their LDAP accounts, but it is still not working.

Does any expert have experience configuring IPA-SERVER?
arnold (United States of America) replied:

Did you update /etc/sudoers with the group and what you want this group to be able to do?

Is the group you reference local, or on the LDAP?

Without an understanding of what you have, it is hard to say what might be going on.
Ogandos (asker):

I want to control it from the IPA server and not from the file. On the server I created a sudo rule allowing specific sudo commands for a test user, user1. Apart from these configurations on the IPA server to allow sudo commands, these are the only activities I performed on the client servers:

1. Install the package 'freeipa-client' on Ubuntu. After the package installation I ran:
ipa-client-install
It asks for the LDAP realm name and the credentials, and then the computer is in.

2. On the Ubuntu machine, modify the file /etc/nsswitch.conf. Specifically, the line that says:
sudoers: files sss
was changed to:
sudoers: sss
With this change the file /etc/sudoers is not used, and the computer is supposed to be forced to rely solely on SSSD (the LDAP server, via the freeipa-client).

So... I can log in correctly to the Ubuntu machines using my LDAP users, but if I try to execute sudo commands it returns the error:
user1 is not allowed to run sudo on <myserver>. This incident will be reported.
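The two client-side steps above both depend on SSSD being able to answer sudoers lookups at all. Besides the sudoers: source list in /etc/nsswitch.conf, the sudo responder has to be running: on SSSD releases of that era it must be listed in the services line of the [sssd] section of /etc/sssd/sssd.conf (newer SSSD can also socket-activate it through systemd, so a missing entry there is a strong hint rather than proof). The POSIX shell checker below is an added example, not code from the thread, from FreeIPA or from SSSD; the default file paths and the sample configs it builds in its demo are constructed, and the hypothetical example.test domain is an assumption.

```shell
#!/bin/sh
# Added example (not from the original thread, FreeIPA or SSSD): offline checks of the
# two client-side settings SSSD sudo integration depends on. Paths are parameters
# (the defaults are assumed locations), so the functions can be pointed at the real
# /etc/nsswitch.conf and /etc/sssd/sssd.conf or at constructed sample files.

# Does the active (uncommented) "sudoers:" line of nsswitch.conf list the sss source?
# Exit status 0 = yes, 1 = no such line, or sss is missing from it.
nsswitch_has_sss_sudoers() {
    nss="${1:-/etc/nsswitch.conf}"
    grep -E '^[[:space:]]*sudoers:' "$nss" 2>/dev/null \
        | grep -Eq '(^|[[:space:]])sss([[:space:]]|$)'
}

# Does the services= line of the [sssd] section of sssd.conf include "sudo"?
# Only the [sssd] section counts; a services key in a [domain/...] section is ignored.
sssd_services_has_sudo() {
    conf="${1:-/etc/sssd/sssd.conf}"
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && $0 ~ /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "", $0)      # keep only the value after "="
            gsub(/[ \t]/, "", $0)       # drop spaces around the commas
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$conf" 2>/dev/null
}

# Run both checks, print one line per finding, return 0 only if both pass.
check_sudo_sssd() {
    rc=0
    if nsswitch_has_sss_sudoers "$1"; then
        echo "ok:   nsswitch.conf sudoers line includes sss"
    else
        echo "FAIL: nsswitch.conf sudoers line does not include sss"; rc=1
    fi
    if sssd_services_has_sudo "$2"; then
        echo "ok:   sssd.conf [sssd] services includes sudo"
    else
        echo "FAIL: sssd.conf [sssd] services does not include sudo"; rc=1
    fi
    return $rc
}

# Demo on constructed sample files (not real client configs): nsswitch.conf is right,
# sssd.conf lacks the sudo responder, which reproduces one cause of the symptom above.
demo() {
    dir=$(mktemp -d)
    printf 'passwd:  files sss\nsudoers: files sss\n' > "$dir/nsswitch.conf"
    printf '[sssd]\nservices = nss, pam\ndomains = example.test\n\n[domain/example.test]\nid_provider = ipa\nsudo_provider = ipa\n' > "$dir/sssd.conf"
    echo "== constructed client that logs in but gets 'not allowed to run sudo' =="
    check_sudo_sssd "$dir/nsswitch.conf" "$dir/sssd.conf" \
        || echo "=> add sudo to services, restart sssd, then: sss_cache -E; sudo -l"
    rm -rf "$dir"
}
demo
```

On a real client, run the two functions as root against the default paths, then log in as the IPA user and run sudo -l: it lists exactly what the server-side rule grants, which is a quicker signal than trying a command and reading the "not allowed" message. After editing a rule on the server, run sss_cache -E (or restart sssd) so a cached negative answer is discarded. Two further caveats: on Ubuntu the sss backend for the sudoers database lives in the libsss-sudo package, and without it the sss entry in nsswitch.conf is ignored; and on the server, ipa sudorule-show <rule> should list the user, the allowed commands and a host entry (or hostcat=all), since a rule that matches no host is silently not applied to the client.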
arnold:

Not sure what sss is; usually if you store your sudoers file in the LDAP, you should still have a basic /etc/sudoers file just in case the LDAP server(s) are inaccessible.

nsswitch.conf usually should have
sudoers: files ldap
The definition is the mechanism the system will use to search for info; you cannot refer it to the LDAP server by name.

Is your passwd: files sss?

Are you able to run ldapsearch to list all users and systems?
Ogandos (asker):

I put it back as:
files sss

However, it still cannot run the sudo commands. The only difference now is that local users can do it too. But what I want to achieve in the end is to control the sudo commands from the sudo rules on the IPA server, regardless of whether the local file is used or not.

But as you say, it could be a good point; that way I can use sudo for local users when the LDAP servers are not available.

Here is a short online presentation with details about it:
https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf