So after my FreeIPA upgrade I was playing around some more with the rules and accounts enabled on my cluster. In the HBAC rule panel I saw that I hadn’t yet disabled the allow_all rule which permits all users access to all servers using all methods. Pretty much it makes any other HBAC rule you set meaningless because it always matches and passes. I already had rules in place for graphical logins to my desktops and SSH/console access by the correct administrative groups to my servers so I thought it was time to disable allow_all. Went ahead and turned the rule off and generally forgot about it for a few hours until I went to update my desktop.

$ sudo pacman -Syu
Password:
sudo: PAM account management error: Permission denied

I double checked that I was typing my password correctly first before diving into what could have gone wrong. All of my desktop machines are grouped into a single host group in IPA, logically called desktops. I went ahead and checked that I could resolve the group members correctly:

$ getent netgroup desktops
desktops           (desktop.example.com,-,example.com)

No problem there. I have set up a rule that allows members of the desktop-admins group unrestricted sudo on any machine in the desktops group. My user is part of that group but perhaps my group membership isn’t getting pulled correctly. So I decided to double check that my groups are correct.

$ id -Gn
user desktop-admins desktop-users

That looked fine too. Searching around a little more found me this article by Red Hat which described my problem pretty well. Apparently, sudo now executes the full PAM stack when it runs, so a failure anywhere in there can cause the call to fail even if the sudoers permissions are correct. They suggested running the following test from one of the IPA master servers to confirm the access permissions.

$ ipa hbactest --user=user \
    --host=desktop.example.com \
    --service=sudo
--------------------
Access granted: False
--------------------
  Not matched rules: allow_admins_all
  Not matched rules: allow_desktop
  Not matched rules: allow_ovirt_admins_to_ovirt_nodes
  Not matched rules: allow_systemd-user

So it looks like the failure is actually in the HBAC rules, not the sudo ones at all. I went ahead and added a new HBAC rule to allow desktop administrators access via sudo and tried it again.

$ ipa hbactest --user=user \
    --host=desktop.example.com \
    --service=sudo
--------------------
Access granted: True
--------------------
  Matched rules: allow_desktop_admins_sudo
  Not matched rules: allow_admins_all
  Not matched rules: allow_desktop
  Not matched rules: allow_ovirt_admins_to_ovirt_nodes
  Not matched rules: allow_systemd-user
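
To make the two hbactest results above easier to reason about, here is a small Python model of how HBAC evaluation behaves. It is an added example, not FreeIPA or SSSD code: access is granted when any enabled rule matches the (user, host, service) triple and there are no deny rules, which is exactly why an enabled allow_all rule makes every other rule irrelevant and why disabling it exposed sudo, a service none of the remaining rules covered. The rule names come from the output above; their memberships (admins, desktop-users, gdm, ovirt-nodes, and so on) are constructed guesses, as is the final allow_desktop_admins_sudo definition.

```python
"""Simplified model of FreeIPA HBAC rule evaluation.

Constructed example, not FreeIPA or SSSD code. Access is granted if ANY
enabled rule matches the (user, host, service) triple; there are no deny
rules, so an enabled allow_all rule short-circuits everything else, and
disabling it denies any service that no remaining rule covers.
"""
from dataclasses import dataclass, field


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    # Each dimension is either category ALL or an explicit member set.
    all_users: bool = False
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    all_hosts: bool = False
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    all_services: bool = False
    services: set = field(default_factory=set)

    def matches(self, user, user_groups, host, host_groups, service):
        user_ok = self.all_users or user in self.users or bool(self.groups & user_groups)
        host_ok = self.all_hosts or host in self.hosts or bool(self.hostgroups & host_groups)
        svc_ok = self.all_services or service in self.services
        return user_ok and host_ok and svc_ok


def hbactest(rules, user, user_groups, host, host_groups, service):
    """Mimic `ipa hbactest`: evaluate enabled rules, return (granted, matched, not matched)."""
    matched, not_matched = [], []
    for rule in rules:
        if not rule.enabled:
            continue  # ipa hbactest ignores disabled rules by default
        hit = rule.matches(user, set(user_groups), host, set(host_groups), service)
        (matched if hit else not_matched).append(rule.name)
    return bool(matched), matched, not_matched


def page_rules(allow_all_enabled):
    """Rules named after the post's hbactest output; memberships are constructed guesses."""
    return [
        HbacRule("allow_all", enabled=allow_all_enabled,
                 all_users=True, all_hosts=True, all_services=True),
        HbacRule("allow_admins_all", groups={"admins"}, all_hosts=True, all_services=True),
        HbacRule("allow_desktop", groups={"desktop-users"}, hostgroups={"desktops"},
                 services={"gdm", "gdm-password"}),
        HbacRule("allow_ovirt_admins_to_ovirt_nodes", groups={"ovirt-admins"},
                 hostgroups={"ovirt-nodes"}, services={"sshd", "login"}),
        HbacRule("allow_systemd-user", all_users=True, all_hosts=True,
                 services={"systemd-user"}),
    ]


def run_scenarios():
    """Walk through the post: allow_all on, allow_all off, then the new sudo rule added."""
    req = dict(user="user", user_groups={"desktop-admins", "desktop-users"},
               host="desktop.example.com", host_groups={"desktops"}, service="sudo")

    before = hbactest(page_rules(allow_all_enabled=True), **req)   # allow_all matches everything
    broken = hbactest(page_rules(allow_all_enabled=False), **req)  # sudo: no rule left to match
    fixed_rules = page_rules(allow_all_enabled=False) + [
        HbacRule("allow_desktop_admins_sudo", groups={"desktop-admins"},
                 hostgroups={"desktops"}, services={"sudo"}),        # constructed fix
    ]
    fixed = hbactest(fixed_rules, **req)
    return before, broken, fixed


if __name__ == "__main__":
    labels = ("allow_all on", "allow_all off", "sudo rule added")
    for label, (granted, matched, not_matched) in zip(labels, run_scenarios()):
        print(f"{label}: Access granted: {granted}; matched={matched}; not matched={not_matched}")
```

The second scenario reproduces the "Access granted: False" output with the same four unmatched rules, and the third reproduces the "True" result once a rule covers the sudo service for the desktop-admins group on the desktops host group. The useful takeaway for auditing a real deployment is the same: before disabling allow_all, run `ipa hbactest` for every PAM service you rely on (sudo, sshd, gdm, login), not just the interactive ones.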

Voilà! Access to sudo restored. I still have a lot of learning to do around FreeIPA but I still can’t get over how nice centralized authentication and authorization is for all of my different home server projects. So long as it talks LDAP I never have to worry about multiple password expirations again.