Hi, created an account which is meant to automate things with Ansible AWX. Tried to grant this account sudo access to the linux clients but things seem not to work out.
Not sure why. hbactest returns OK.

----
[root@idm01 ~]# ipa hbactest --user=ansible --host=debclient1.linux.<redacted>.services --service=sshd
--------------------
Access granted: True
--------------------
  Matched rules: allow_ansible_ssh2idm
  Not matched rules: allow_systemd-user
  Not matched rules: test_aduser
[root@idm01 ~]# ipa hbactest --user=ansible --host=debclient1.linux.<redacted>.services --service=sudo-i
--------------------
Access granted: True
--------------------
  Matched rules: allow_ansible_ssh2idm
  Not matched rules: allow_systemd-user
  Not matched rules: test_aduser
[root@idm01 ~]# ipa hostgroup-show all_clients_hg
  Host-group: all_clients_hg
  Description: This group contains all clients registered to this IdM.
  Member hosts: debclient2.linux.<redacted>.services, debclient1.linux.<redacted>.services
  Member of HBAC rule: allow_ansible_ssh2idm, test_aduser
[root@idm01 ~]# ipa hbacrule-show allow_ansible_ssh2idm
  Rule name: allow_ansible_ssh2idm
  Enabled: True
  Users: ansible
  Host Groups: ipaservers, all_clients_hg
  HBAC Services: sshd, sudo, sudo-i
  HBAC Service Groups: Sudo
----

I can log in with user ansible onto debclient2, using an ssh pub key set in IdM, just fine. But when trying to sudo, this is not allowed. Even though I have locally enabled it in sudoers (which shouldn't be necessary).

----
root@debclient2:~# su - ansible@linux.<redacted>.services
su: Permission denied
root@debclient2:~# getent passwd ansible@linux.<redacted>.services
ansible:*:996000008:996000008:Automation User:/home/ansible:/bin/bash
ansible@debclient2:~$ sudo -i
[sudo] password for ansible:
ansible is not allowed to run sudo on debclient2.
ansible@debclient2:~$ id
uid=996000008(ansible) gid=996000008(ansible) groups=996000008(ansible)
-----
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
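Worth separating two things the post runs together: an HBAC rule that allows the `sudo`/`sudo-i` services only decides whether PAM lets the user start sudo on that host, while the commands sudo will actually permit come from IPA sudo rules (`ipa sudorule-*`), which SSSD fetches and serves to sudo through the `sudoers` NSS database. When `hbactest` says "granted" but sudo still says "not allowed", the client-side plumbing for that second path is the usual place to look. The following is an added example, not code from the original post or from the FreeIPA project: a preflight script that checks the two client files that path depends on. File paths are parameters, and the sample `nsswitch.conf`/`sssd.conf` contents and the domain name `linux.example.test` are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): preflight for the client-side
# plumbing that FreeIPA sudo rules rely on. HBAC decides whether PAM lets a
# user start sudo; the commands sudo will allow come from IPA sudo rules that
# SSSD fetches and exposes through the "sudoers" NSS database. Both checks
# take a file path so they can run against copies instead of the live /etc.

# 0 when the "sudoers:" line of an nsswitch.conf lists the sss source
# (ipa-client-install writes "sudoers: files sss"); trailing comments ignored.
check_nsswitch_sudoers() {
    local f="$1"
    grep -Eq '^[[:space:]]*sudoers:([^#]*[[:space:]])?sss([[:space:]]|$)' "$f"
}

# 0 when the [domain/...] section of an sssd.conf has a usable sudo provider:
# either sudo_provider is set to ipa, ldap or ad, or it is unset and
# id_provider = ipa (SSSD then defaults sudo_provider to the id_provider).
check_sssd_sudo_provider() {
    local f="$1"
    awk '
        function val(line,   kv) { split(line, kv, "="); sub(/#.*/, "", kv[2]);
                                   gsub(/[[:space:]]/, "", kv[2]); return kv[2] }
        /^[[:space:]]*\[domain\// { indomain = 1; next }
        /^[[:space:]]*\[/         { indomain = 0; next }
        indomain && /^[[:space:]]*sudo_provider[[:space:]]*=/ { sudo = val($0) }
        indomain && /^[[:space:]]*id_provider[[:space:]]*=/   { id = val($0) }
        END {
            if (sudo == "") ok = (id == "ipa")
            else            ok = (sudo == "ipa" || sudo == "ldap" || sudo == "ad")
            if (ok) exit 0; exit 1
        }' "$f"
}

# Run both checks, report each, and return 0 only if both pass.
preflight() {
    local nss="$1" sssd="$2" rc=0
    if check_nsswitch_sudoers "$nss"; then
        echo "ok   $nss: sudoers database is routed through sss"
    else
        echo "FAIL $nss: sudoers line does not list sss (expected: sudoers: files sss)"; rc=1
    fi
    if check_sssd_sudo_provider "$sssd"; then
        echo "ok   $sssd: domain has an IPA/LDAP sudo provider"
    else
        echo "FAIL $sssd: domain has no usable sudo_provider"; rc=1
    fi
    return $rc
}

# Constructed sample files (the domain name is made up) so the script runs
# self-contained. On a real client point the functions at /etc/nsswitch.conf
# and /etc/sssd/sssd.conf instead.
good_nss=$(mktemp); bad_nss=$(mktemp); good_sssd=$(mktemp); bad_sssd=$(mktemp)
trap 'rm -f "$good_nss" "$bad_nss" "$good_sssd" "$bad_sssd"' EXIT
printf 'passwd: files sss\nsudoers: files sss\n' > "$good_nss"
printf 'passwd: files sss\nsudoers: files\n'     > "$bad_nss"
cat > "$good_sssd" <<'EOF'
[sssd]
domains = linux.example.test
services = nss, pam, sudo

[domain/linux.example.test]
id_provider = ipa
ipa_domain = linux.example.test
EOF
cat > "$bad_sssd" <<'EOF'
[sssd]
domains = linux.example.test

[domain/linux.example.test]
id_provider = ipa
sudo_provider = none
EOF

echo "== healthy client =="
preflight "$good_nss" "$good_sssd"
echo "== sudo_provider disabled =="
preflight "$good_nss" "$bad_sssd" || true
```

Once the client side passes, the rule itself has to exist on the server; with a hypothetical rule name, that is `ipa sudorule-add ansible_all`, `ipa sudorule-add-user ansible_all --users=ansible`, `ipa sudorule-add-host ansible_all --hostgroups=all_clients_hg` and `ipa sudorule-mod ansible_all --cmdcat=all`. On the client, `sudo -l -U ansible` run as root shows exactly what SSSD handed to sudo, and `sss_cache -E` flushes a cache that may still hold the pre-change answer. Two caveats: older SSSD releases also required `sudo` in the `services =` line of the `[sssd]` section (current releases socket-activate the sudo responder), and the HBAC rule shown above lists sshd, sudo and sudo-i but not su, so with the default allow_all rule disabled the `su: Permission denied` line is what HBAC alone would produce.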