OK now I need help w/ another aspect of sudo.  I need to set up a rule so that 
certain users in a group can su - someuser, or sudo su - someuser.
I'm having difficulty researching this.  Can anyone shed light on this?

    On Wednesday, November 8, 2017 2:57 PM, Andrew Meyer via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 I tried to add too much to the rule.  I added a RunAs or AuthAs option which 
killed me. 

    On Wednesday, November 8, 2017 2:51 PM, Patrick Grove via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 What was the resolution?

Patrick Grove, 
System Administrator, IT Infrastructure
NHK International
E-mail: patrick.gr...@nhkusa.com
Office #: 248 308 5624

----- Original Message -----
From: "Andrew Meyer via FreeIPA-users" <freeipa-users@lists.fedorahosted.org>
To: "Andrew Meyer" <andrewm...@yahoo.com>, "FreeIPA users list" 
<freeipa-users@lists.fedorahosted.org>, "FreeIPA users list" 
<freeipa-users@lists.fedorahosted.org>
Cc: "Rob Crittenden" <rcrit...@redhat.com>, "Andrew Meyer" 
<andrewm...@yahoo.com>
Sent: Wednesday, November 8, 2017 3:47:42 PM
Subject: [Freeipa-users] Re: FreeIPA sudoers
Nm. I fixed it. 
On Wednesday, November 8, 2017 2:28 PM, Andrew Meyer via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote: 
So looking at the logs it finds a rule: 

(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_cached_rules_by_user] (0x0400): 
Replacing sudoUser attribute with sudoUser: #1154600003 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_query_cache] (0x0200): 
Searching sysdb with [(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=andrew.me...@mgt.stl.gatewayblend.net)(sudoUser=#1154600003)(sudoUser=%answers\20jira\20engine...@mgt.stl.example.net)(sudoUser=%answers\20jira\20adm...@mgt.stl.example.net)(sudoUser=%example-admins@mgt.stl.example.net)(sudoUser=%answers\20jira\20us...@mgt.stl.example.net)(sudoUser=%ipaus...@mgt.stl.example.net)(sudoUser=%adm...@mgt.stl.example.net)(sudoUser=%wheel@mgt.stl.example.net)(sudoUser=%ops_sudo...@mgt.stl.example.net)(sudoUser=%o...@mgt.stl.example.net)(sudoUser=%adm...@mgt.stl.example.net))))]
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting 
rules with higher-wins logic 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): 
Returning 1 rules for [andrew.me...@mgt.stl.example.net@mgt.stl.example.net] 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): 
error: [0] 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): 
rules_num: [0] 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): rule 
[1]/[1] 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
cn:All 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
objectClass:sudoRule 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoCommand:ALL 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoHost:ALL 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoOption:!authenticate 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoRunAsUser:process 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoUser:#1154600003 
(Wed Nov 8 14:23:40 2017) [sssd[sudo]] [client_recv] (0x0200): Client 
disconnected! 
(Wed Nov 8 14:23:40 2017) [sssd[sudo]] [client_close_fn] (0x2000): Terminated 
client [0x55fce3abe990][18] 


the sssd_hostname log is complaining about no SELinux maps... 
On Wednesday, November 8, 2017 1:43 PM, Rob Crittenden via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote: 
Andrew Meyer via FreeIPA-users wrote: 
> Hello, i'm having some trouble getting sudoers to work. 
> 
> I have 5 machines joined to the FreeIPA domain and I have a user group 
> called ops and ops_sudoers. Both have permission to full sudo. 
> 
> 
> [ andrew.meyer@jira02 ~]$ ipa sudorule-find ALL 
> ------------------- 
> 1 Sudo Rule matched 
> ------------------- 
> Rule name: All 
> Enabled: TRUE 
> Host category: all 
> Command category: all 
> Sudo Option: !authenticate 
> ---------------------------- 
> Number of entries returned 1 
> ---------------------------- 
> 
> [ andrew.meyer@jira02 ~]$ ipa sudorule-show ALL 
> Rule name: All 
> Enabled: TRUE 
> Host category: all 
> Command category: all 
> Users: brian.keithly, andrew.meyer 
> User Groups: ops_sudoers, ops 
> RunAs Users: process 
> Sudo Option: !authenticate 
> 
> [ andrew.meyer@jira02 ~]$ sudo su - 
> [sudo] password for andrew.meyer: 
> Sorry, user andrew.meyer is not allowed to execute '/bin/su -' as root 
> on jira02.mgt.example.net. 
> [ andrew.meyer@jira02 ~]$ 
> 
> My HBAC is set to allow_all. 
> 
> [ root@jira02 log]# cat /etc/sssd/sssd.conf 
> [domain/mgt.example.net] 
> 
> cache_credentials = True 
> krb5_store_password_if_offline = True 
> krb5_realm = EXAMPLE.NET 
> ipa_domain = mgt.example.net 
> id_provider = ipa 
> auth_provider = ipa 
> access_provider = ipa 
> ipa_hostname = jira02.mgt.example.net 
> chpass_provider = ipa 
> dyndns_update = True 
> ipa_server = _srv_, infra-test-ipa.example.net 
> dyndns_iface = ens160 
> ldap_tls_cacert = /etc/ipa/ca.crt 
> [sssd] 
> services = nss, pam, ssh, sudo 
> 
> domains = mgt.example.net 
> [nss] 
> homedir_substring = /home 
> 
> [pam] 
> 
> [sudo] 
> 
> [autofs] 
> 
> [ssh] 
> 
> [pac] 
> 
> [ifp] 
> 
> [secrets] 
> 
> [ root@jira02 log]# 

Start here: 
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html 

rob 

_______________________________________________ 
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org 
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org 

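The rule SSSD handed back in Andrew's log carries sudoRunAsUser:process and nothing for root, which is why `sudo su -` (a request to run as root) was refused even though sudoCommand and sudoHost are ALL. The script below is an added example, not code from the thread, SSSD or FreeIPA: it parses constructed sudosrv_response_append_attr lines in the log format shown above and applies a simplified sudoers-LDAP match (exact user name or ALL only; %group, +netgroup and sudoRunAsGroup are not modelled) to show the denial and what the rule does permit.

```python
import re

# Constructed sample, modelled on the sssd_sudo.log lines quoted in the thread.
SSSD_SUDO_LOG = """\
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 1 rules for [andrew.meyer@mgt.stl.example.net]
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): cn:All
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): objectClass:sudoRule
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoCommand:ALL
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoHost:ALL
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoOption:!authenticate
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoRunAsUser:process
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoUser:#1154600003
"""

# One attribute per line; the responder emits "cn:" first for each rule.
ATTR_RE = re.compile(r"\[sudosrv_response_append_attr\] \(0x[0-9a-f]+\): (\w+):(.*)$")


def parse_rules(log):
    """Group sudosrv_response_append_attr lines into one dict per rule (keyed by attribute)."""
    rules, current = [], None
    for line in log.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue                      # rule-count, client and other chatter
        attr, value = m.group(1), m.group(2).strip()
        if attr == "cn":                  # a new rule starts with its cn
            current = {}
            rules.append(current)
        if current is not None:
            current.setdefault(attr, []).append(value)
    return rules


def rule_permits(rule, command, runas_user):
    """Simplified sudoers-LDAP check: the command AND the RunAs target must match.

    With no sudoRunAsUser attribute at all, sudoers falls back to runas_default
    (root); once the attribute is present, only the listed users (or ALL) qualify.
    """
    cmds = rule.get("sudoCommand", [])
    cmd_ok = "ALL" in cmds or command in cmds
    runas = rule.get("sudoRunAsUser", [])
    runas_ok = (not runas and runas_user == "root") or "ALL" in runas or runas_user in runas
    return cmd_ok and runas_ok


def explain(log, command, runas_user):
    """Return which rules (by cn) allow the request; an empty list means sudo will deny it."""
    return [r["cn"][0] for r in parse_rules(log) if rule_permits(r, command, runas_user)]
```

Running `explain(SSSD_SUDO_LOG, "/bin/su", "root")` returns no rules, matching the "not allowed to execute '/bin/su -' as root" error, while the same request as `process` is allowed.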