OK now I need help w/ another aspect of sudo. I need to set up a rule so that certain users in a group can su - someuser, or sudo su - someuser. I'm having difficulty researching this. Can anyone shed light on this?
On Wednesday, November 8, 2017 2:57 PM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

I tried to add too much to the rule. I added a RunAs or AuthAs option which killed me.

On Wednesday, November 8, 2017 2:51 PM, Patrick Grove via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

What was the resolution?

Patrick Grove, System Administrator, IT Infrastructure
NHK International
E-mail: patrick.gr...@nhkusa.com
Office #: 248 308 5624

----- Original Message -----
From: "Andrew Meyer via FreeIPA-users" <freeipa-users@lists.fedorahosted.org>
To: "Andrew Meyer" <andrewm...@yahoo.com>, "FreeIPA users list" <freeipa-users@lists.fedorahosted.org>, "FreeIPA users list" <freeipa-users@lists.fedorahosted.org>
Cc: "Rob Crittenden" <rcrit...@redhat.com>, "Andrew Meyer" <andrewm...@yahoo.com>
Sent: Wednesday, November 8, 2017 3:47:42 PM
Subject: [Freeipa-users] Re: FreeIPA sudoers

Nm. I fixed it.

On Wednesday, November 8, 2017 2:28 PM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

So looking at the logs it finds a rule:

(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_cached_rules_by_user] (0x0400): Replacing sudoUser attribute with sudoUser: #1154600003
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=andrew.me...@mgt.stl.gatewayblend.net)(sudoUser=#1154600003)(sudoUser=%answers\20jira\20engine...@mgt.stl.example.net)(sudoUser=%answers\20jira\20adm...@mgt.stl.example.net)(sudoUser=%example-admins@mgt.stl.example.net)(sudoUser=%answers\20jira\20us...@mgt.stl.example.net)(sudoUser=%ipaus...@mgt.stl.example.net)(sudoUser=%adm...@mgt.stl.example.net)(sudoUser=%wheel@mgt.stl.example.net)(sudoUser=%ops_sudo...@mgt.stl.example.net)(sudoUser=%o...@mgt.stl.example.net)(sudoUser=%adm...@mgt.stl.example.net))))]
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 1 rules for [andrew.me...@mgt.stl.example.net@mgt.stl.example.net]
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): error: [0]
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): rules_num: [0]
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): rule [1]/[1]
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): cn:All
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): objectClass:sudoRule
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoCommand:ALL
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoHost:ALL
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoOption:!authenticate
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoRunAsUser:process
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoUser:#1154600003
(Wed Nov 8 14:23:40 2017) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Nov 8 14:23:40 2017) [sssd[sudo]] [client_close_fn] (0x2000): Terminated client [0x55fce3abe990][18]

The sssd_hostname log is complaining about no SELinux maps...

On Wednesday, November 8, 2017 1:43 PM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Andrew Meyer via FreeIPA-users wrote:
> Hello, I'm having some trouble getting sudoers to work.
>
> I have 5 machines joined to the FreeIPA domain and I have a user group
> called ops and ops_sudoers. Both have permission to full sudo.
>
> [andrew.meyer@jira02 ~]$ ipa sudorule-find ALL
> -------------------
> 1 Sudo Rule matched
> -------------------
>   Rule name: All
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   Sudo Option: !authenticate
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> [andrew.meyer@jira02 ~]$ ipa sudorule-show ALL
>   Rule name: All
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   Users: brian.keithly, andrew.meyer
>   User Groups: ops_sudoers, ops
>   RunAs Users: process
>   Sudo Option: !authenticate
>
> [andrew.meyer@jira02 ~]$ sudo su -
> [sudo] password for andrew.meyer:
> Sorry, user andrew.meyer is not allowed to execute '/bin/su -' as root
> on jira02.mgt.example.net.
> [andrew.meyer@jira02 ~]$
>
> My HBAC is set to allow_all.
>
> [root@jira02 log]# cat /etc/sssd/sssd.conf
> [domain/mgt.example.net]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> krb5_realm = EXAMPLE.NET
> ipa_domain = mgt.example.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = jira02.mgt.example.net
> chpass_provider = ipa
> dyndns_update = True
> ipa_server = _srv_, infra-test-ipa.example.net
> dyndns_iface = ens160
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh, sudo
>
> domains = mgt.example.net
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> [secrets]
>
> [root@jira02 log]#

Start here: https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html

rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
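The thread's resolution and the follow-up question both come down to what sudo does with the attributes sssd hands it: the `sudoRunAsUser:process` line in the debug log explains why `sudo su -` (which sudo evaluates as the command `/bin/su -` run as root, exactly as the "not allowed to execute '/bin/su -' as root" message says) was refused. The script below is an added example, not code from the thread or from the SSSD/FreeIPA projects. It parses `sudosrv_response_append_attr` lines of the kind shown above into rules and replays a simplified version of sudo's command/RunAs check, so you can see why removing the RunAs restriction fixes `sudo su -`, and what a rule for the later question (a group allowed to `sudo su - someuser`) needs to contain. The excerpt is a constructed copy of the log above; `someuser`, the `%ops` group and `/bin/su` being the resolved path are assumptions, and only sudoCommand/sudoRunAsUser are modelled (negated commands, `#uid`/`%group` RunAs forms, and sudoRunAsGroup are not).

```python
"""Replay sudo's decision against the rule sssd returned in its sudo debug log.

Added illustration for the FreeIPA-users thread above; not sssd or sudo code.
"""
import re

# Constructed excerpt of the sssd sudo responder log quoted in the thread
# (debug level 0x2000 prints every attribute sssd passes to sudo per rule).
SSSD_LOG = """\
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 1 rules for [andrew.meyer@mgt.stl.example.net]
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): rule [1]/[1]
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): cn:All
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): objectClass:sudoRule
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoCommand:ALL
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoHost:ALL
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoOption:!authenticate
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoRunAsUser:process
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoUser:#1154600003
"""

# Constructed: the same rule with the RunAs restriction dropped, the fix the thread reports.
FIXED_LOG = "\n".join(l for l in SSSD_LOG.splitlines() if "sudoRunAsUser:" not in l)

# Constructed: a rule of the kind the follow-up question asks for. 'someuser' and the
# '%ops' group are hypothetical. sudo runs /bin/su itself as root, so the target account
# goes into the command arguments and the rule needs no RunAs entry (default target: root).
GROUP_LOG = (FIXED_LOG
             .replace("sudoCommand:ALL", "sudoCommand:/bin/su - someuser")
             .replace("sudoUser:#1154600003", "sudoUser:%ops"))

RULE_RE = re.compile(r"\[sudosrv_build_response\] \(0x[0-9a-f]+\): rule \[\d+\]/\[\d+\]")
ATTR_RE = re.compile(r"\[sudosrv_response_append_attr\] \(0x[0-9a-f]+\): (\w+):(.*)$")


def parse_rules(log: str) -> list[dict[str, list[str]]]:
    """Group the attribute lines that follow each 'rule [i]/[n]' header into one dict per rule."""
    rules: list[dict[str, list[str]]] = []
    for line in log.splitlines():
        if RULE_RE.search(line):
            rules.append({})
            continue
        m = ATTR_RE.search(line)
        if m and rules:
            rules[-1].setdefault(m.group(1), []).append(m.group(2).strip())
    return rules


def command_matches(entry: str, command: str) -> bool:
    """sudoers command matching, simplified: ALL matches anything; an entry without
    arguments matches that program with any arguments; otherwise path and args must match."""
    if entry == "ALL":
        return True
    entry_path, _, entry_args = entry.partition(" ")
    cmd_path, _, cmd_args = command.partition(" ")
    if entry_path != cmd_path:
        return False
    return entry_args == "" or entry_args == cmd_args


def rule_allows(rule: dict[str, list[str]], command: str, runas: str = "root") -> bool:
    """Does this rule permit `command` to be run as `runas`?  Host and sudoUser matching
    were already done by sssd before it returned the rule, so only the command and the
    RunAs user are checked here."""
    if not any(command_matches(c, command) for c in rule.get("sudoCommand", [])):
        return False
    # No sudoRunAsUser attribute means sudo's default target user, root.
    return any(u in ("ALL", runas) for u in rule.get("sudoRunAsUser", ["root"]))


def decide(log: str, command: str, runas: str = "root") -> bool:
    """True if any rule in the log permits the request (sudo stops at the first match)."""
    return any(rule_allows(r, command, runas) for r in parse_rules(log))


if __name__ == "__main__":
    for label, log in (("rule from the thread", SSSD_LOG),
                       ("RunAs removed", FIXED_LOG),
                       ("group -> su - someuser", GROUP_LOG)):
        for cmd in ("/bin/su -", "/bin/su - someuser"):
            print(f"{label:24} sudo {cmd:20} as root -> {decide(log, cmd)}")
```

Reading the output against the thread: the original rule refuses `/bin/su -` as root because its only permitted target user is `process`, so sudo's fallback target (root) never matches; with `sudoRunAsUser` gone the same rule allows it. The third rule shows the shape needed for the follow-up question: allow the group the single command `/bin/su - someuser` with no RunAs restriction, which permits `sudo su - someuser` while still refusing a bare `sudo su -`. When debugging a real host, raise `debug_level` in the `[sudo]` section of sssd.conf as the troubleshooting page Rob linked describes, and compare the `sudoRunAsUser`/`sudoCommand` lines you get with what `ipa sudorule-show` reports.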