So after my FreeIPA upgrade I was playing around some more with the rules and
accounts enabled on my cluster. In the HBAC rule panel I saw that I hadn't yet
disabled the allow_all rule, which permits all users access to all hosts using
all HBAC services. Because it always matches, it makes every other HBAC rule
you set meaningless: access is granted as soon as any enabled rule matches, and
allow_all matches everything. I already had rules in place for graphical logins
to my desktops and SSH/console access by the correct administrative groups to
my servers, so I thought it was time to disable allow_all. (In hindsight, the
check to run first is ipa hbactest for every service you rely on, sudo included,
with allow_all out of the picture.) I went ahead and turned the rule off and
generally forgot about it for a few hours until I went to update my desktop.
    $ sudo pacman -Syu
    Password:
    sudo: PAM account management error: Permission denied
I double-checked that I was typing my password correctly before diving into
what could have gone wrong. All of my desktop machines are grouped into a single
host group in IPA, logically called desktops. I first checked that the host
group's members resolve correctly as a netgroup on the client:
    $ getent netgroup desktops
    desktops              (desktop.example.com,-,example.com)
No problem there. I have a sudo rule in IPA that allows members of the desktop
administrators group to run sudo on any machine in the desktops host group. My
user is part of that group, but perhaps my group membership wasn't getting
pulled correctly, so I double-checked that my groups resolve on the client too.
    $ id -Gn user
    desktop-admins desktop-users
That looked fine too. Searching around a little more found me this article by
Red Hat, which described my problem pretty well. Apparently, sudo now executes
the full PAM stack when it runs, so a failure anywhere in there can cause the
call to fail even if the sudoers permissions are correct. That explains the
wording of the error: on an IPA client, SSSD enforces HBAC in the PAM account
phase (pam_sss), so an HBAC denial for the sudo service comes back as "PAM
account management error" rather than a sudoers complaint. The article
suggested running the following test from one of the IPA master servers to
confirm the access permissions.
    $ ipa hbactest --user=user \
        --host=desktop.example.com \
        --service=sudo
    --------------------
    Access granted: False
    --------------------
    Not matched rules: allow_admins_all
    Not matched rules: allow_desktop
    Not matched rules: allow_ovirt_admins_to_ovirt_nodes
    Not matched rules: allow_systemd-user
So the failure was actually in the HBAC rules, not the sudo rules at all: with
allow_all disabled, none of my remaining rules covered the sudo service on the
desktops host group, so the sudo rule never got a chance to be consulted. I
went ahead and added a new HBAC rule granting desktop administrators the sudo
HBAC service on the desktops host group (the sudo-i service, or the Sudo
service group that contains both, is worth adding as well, so that sudo -i
keeps working) and tried the test again.
    $ ipa hbactest --user=user \
        --host=desktop.example.com \
        --service=sudo
    --------------------
    Access granted: True
    --------------------
    Matched rules: allow_desktop_admins_sudo
    Not matched rules: allow_admins_all
    Not matched rules: allow_desktop
    Not matched rules: allow_ovirt_admins_to_ovirt_nodes
    Not matched rules: allow_systemd-user
Voilà! Access to sudo restored. I still have a lot of learning to do around
FreeIPA, but I still can't get over how nice centralized authentication and
authorization is for all of my different home server projects. So long as it
talks LDAP, I never have to worry about multiple password expirations again.
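To make the allow_all behaviour and the hbactest results above concrete, here is a toy model of how HBAC evaluation works: each rule matches when its user, host and service dimensions all match (a category of "all" matches unconditionally), and access is granted if any enabled rule matches. This is an added example, not FreeIPA or SSSD code; the directory state (the user's groups, the desktops host group, the allow_desktop and allow_admins_all rule contents, the login/gdm services) is constructed for illustration, and direct user/host members and service groups are left out of the model.

```python
"""Toy model of FreeIPA HBAC rule evaluation (added example, not FreeIPA code)."""
from dataclasses import dataclass, replace


@dataclass
class HbacRule:
    """One HBAC rule, reduced to the fields that matter for this walkthrough.

    A category of "all" (FreeIPA's usercategory/hostcategory/servicecategory=all)
    makes that dimension match unconditionally; otherwise the request has to hit
    one of the listed groups or services. Direct members are not modelled.
    """
    name: str
    enabled: bool = True
    user_category_all: bool = False
    host_category_all: bool = False
    service_category_all: bool = False
    user_groups: frozenset = frozenset()
    host_groups: frozenset = frozenset()
    services: frozenset = frozenset()

    def matches(self, user_groups, host_groups, service):
        if not self.enabled:
            return False
        user_ok = self.user_category_all or bool(self.user_groups & user_groups)
        host_ok = self.host_category_all or bool(self.host_groups & host_groups)
        svc_ok = self.service_category_all or service in self.services
        return user_ok and host_ok and svc_ok


def hbactest(rules, user_groups, host_groups, service):
    """Mimic `ipa hbactest`: access is granted if any enabled rule matches.

    Disabled rules are skipped entirely, like hbactest does by default.
    """
    matched = [r.name for r in rules if r.matches(user_groups, host_groups, service)]
    not_matched = [r.name for r in rules if r.enabled and r.name not in matched]
    return {"granted": bool(matched), "matched": matched, "not_matched": not_matched}


# Constructed directory state (assumption, loosely based on the post): one user
# in two groups, one desktop that is a member of the "desktops" host group.
USER_GROUPS = frozenset({"desktop-admins", "desktop-users"})
HOST_GROUPS = frozenset({"desktops"})

ALLOW_ALL = HbacRule("allow_all", user_category_all=True,
                     host_category_all=True, service_category_all=True)
# Constructed: graphical/console logins for desktop users on desktops.
ALLOW_DESKTOP = HbacRule("allow_desktop",
                         user_groups=frozenset({"desktop-users"}),
                         host_groups=frozenset({"desktops"}),
                         services=frozenset({"login", "gdm"}))
# Constructed: IPA admins get everything everywhere.
ALLOW_ADMINS_ALL = HbacRule("allow_admins_all",
                            user_groups=frozenset({"admins"}),
                            host_category_all=True, service_category_all=True)
# The rule added in the post: sudo (and sudo -i) for desktop admins on desktops.
ALLOW_DESKTOP_ADMINS_SUDO = HbacRule("allow_desktop_admins_sudo",
                                     user_groups=frozenset({"desktop-admins"}),
                                     host_groups=frozenset({"desktops"}),
                                     services=frozenset({"sudo", "sudo-i"}))


def scenario(allow_all_enabled, with_sudo_rule):
    """Evaluate `user` running sudo on a desktop under a given rule set."""
    rules = [replace(ALLOW_ALL, enabled=allow_all_enabled),
             ALLOW_ADMINS_ALL, ALLOW_DESKTOP]
    if with_sudo_rule:
        rules.append(ALLOW_DESKTOP_ADMINS_SUDO)
    return hbactest(rules, USER_GROUPS, HOST_GROUPS, "sudo")


if __name__ == "__main__":
    for label, args in [("allow_all on", (True, False)),
                        ("allow_all off, no sudo rule", (False, False)),
                        ("allow_all off, sudo rule added", (False, True))]:
        result = scenario(*args)
        print(f"{label}: granted={result['granted']} matched={result['matched']}")
```

Run it and the three scenarios reproduce the story: with allow_all on, sudo is granted by allow_all alone and nothing else needs to match; turn it off and every remaining rule misses on either the user group or the service, so access is denied and PAM's account phase rejects the sudo attempt; add a rule that names the desktop-admins group, the desktops host group and the sudo service, and access comes back with that rule as the only match.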