Charles,
Not sure my boss wants to do it that way. How do you deploy new rules? Puppet, Ansible?
Also here are the logs from sssd:
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSudoRunAsExtUserGroup]
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalUser]
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_op_add] (0x2000): New operation 8 timeout 6
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_process_result] (0x2000): Trace: sh[0x55848d200b40], connected[1], ops[0x55848d265290], ldap[0x55848d2272e0]
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_process_result] (0x2000): Trace: sh[0x55848d200b40], connected[1], ops[0x55848d265290], ldap[0x55848d2272e0]
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_op_destructor] (0x2000): Operation 8 finished
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_search_bases_ex_done] (0x0400): Receiving data from base [cn=sudo,dc=example,dc=net]
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 0 sudo rules
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [ipa_sudo_fetch_cmdgroups] (0x0400): About to fetch sudo command groups
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [ipa_sudo_fetch_cmdgroups] (0x0400): No command groups needs to be downloaded
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [ipa_sudo_fetch_cmds] (0x0400): About to fetch sudo commands
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [ipa_sudo_fetch_cmds] (0x0400): No commands needs to be downloaded
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [ipa_sudo_fetch_done] (0x0400): About to convert rules
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sysdb_sudo_purge_byrules] (0x0400): About to remove rules from sudo cache
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_sudo_set_usn] (0x0400): SUDO USN value is empty.
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [ipa_sudo_refresh_done] (0x0400): Sudo rules are successfully stored in cache
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [ipa_sudo_smart_refresh_done] (0x0400): Successful smart refresh of sudo rules
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [be_ptask_done] (0x0400): Task [SUDO Smart Refresh]: finished successfully
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [be_ptask_schedule] (0x0400): Task [SUDO Smart Refresh]: scheduling task 900 seconds from last execution time [1510240137]
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_process_result] (0x2000): Trace: sh[0x55848d200b40], connected[1], ops[(nil)], ldap[0x55848d2272e0]
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list

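Added example, not part of the thread: a small Python parser for the sssd domain log format posted above. It re-splits entries that the mail client ran together, then reduces a refresh to the facts worth reading (task type, search base, rules received, USN state); the function names, messages and sample lines are taken from the log above, and the one assumption is that a smart refresh only pulls rules changed since the last recorded USN, so 0 rules from a smart refresh does not by itself say whether a rule is cached.

```python
import re
# Sample input: four entries from the thread's sssd log, "(ts) [sssd[be[domain]]] [func] (level): msg".
SAMPLE_LOG = """\
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_search_bases_ex_done] (0x0400): Receiving data from base [cn=sudo,dc=example,dc=net]
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 0 sudo rules
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_sudo_set_usn] (0x0400): SUDO USN value is empty.
(Thu Nov  9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [be_ptask_done] (0x0400): Task [SUDO Smart Refresh]: finished successfully
"""
ENTRY_RE = re.compile(r"\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                      r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)")
# An entry starts at a "(Thu Nov  9 08:53:57 2017) [sssd[" stamp, even mid-line as in the mail.
BOUNDARY_RE = re.compile(r"(?=\(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}\) \[sssd\[)")

def parse_entries(text):
    """Undo mail wrapping, split at entry stamps, parse each entry into a dict."""
    flat = re.sub(r"\s*\n\s*", " ", text)
    entries = []
    for chunk in BOUNDARY_RE.split(flat):
        m = ENTRY_RE.match(chunk.strip())
        if m:
            entries.append(m.groupdict())
    return entries

# Which function's message carries which fact about the refresh.
FIELDS = {
    "be_ptask_done":             ("task", r"Task \[([^\]]+)\]: finished successfully"),
    "sdap_search_bases_ex_done": ("search_base", r"base \[([^\]]+)\]"),
    "ipa_sudo_fetch_rules_done": ("rules_received", r"Received (\d+) sudo rules"),
    "sdap_sudo_set_usn":         ("usn_empty", r"USN value is (empty)"),
}

def sudo_refresh_summary(entries):
    s = {"task": None, "search_base": None, "rules_received": None, "usn_empty": None}
    for e in entries:
        if e["func"] in FIELDS:
            key, pat = FIELDS[e["func"]]
            m = re.search(pat, e["msg"])
            if m:
                s[key] = int(m.group(1)) if key == "rules_received" else m.group(1)
    return s

def interpret(s):
    """A refresh task can finish 'successfully' having fetched nothing."""
    if s["rules_received"] is None:
        return "no sudo rule fetch in this log"
    if s["rules_received"] > 0:
        return "refresh fetched %d rule(s)" % s["rules_received"]
    if s["task"] == "SUDO Smart Refresh":   # fetches only rules changed since the last USN
        return "smart refresh fetched 0 rules: nothing changed since the last USN; check a full refresh"
    return "full refresh fetched 0 rules from %s: no rule applies to this host" % s["search_base"]
```

A separate thing worth checking in the thread's output: sudo -l prints the four commands as one comma-joined string with no spaces after the commas, which matches the single sudocmd entry shown by ipa sudocmd-find, and sudo matches each sudoCommand value as one command plus its arguments.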
    On Thursday, November 9, 2017 8:17 AM, Charles Hedrick via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 

 Our sudo is set up to use local files with the rule citing a group, with the 
group in IPA. sssd gets a fresh groups list for the user at login, so there 
should be no caching issues. This should be sufficient if you’re just 
interested in sudo root or a few fairly fixed things. If you’re using sudo in 
more complex ways and the requirements change a lot, then having the whole 
thing in IPA would certainly be a win.


On Nov 9, 2017, at 8:48 AM, Andrew Meyer via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
Ok so I did that and the rules are coming down just like I thought:
[user1@jira02 ~]$ sudo -l
Matching Defaults entries for rob.lloyd on jira02:
    !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user1 may run the following commands on jira02:
    (ALL : ALL) NOPASSWD: /usr/bin/su - jira,/usr/bin/sudo su - jira,/bin/su - jira,/bin/sudo - jira
[user1@jira02 ~]$
But I'm not able to execute... I will look into the debugger and see what I get. This is all new territory for me. If you have any ideas, thank you in advance.

On Thursday, November 9, 2017 1:47 AM, Jakub Hrozek via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:


On Thu, Nov 09, 2017 at 02:07:03AM +0000, Andrew Meyer via FreeIPA-users wrote:
> Hello, I am trying to set up a few of my users to have the ability to su - 
> jira or another user using FreeIPA.
> Here is what happens when I am logged in as the user and try to su - jira
> [user1@jira02 ~]$ sudo su - process
> [sudo] password for user1:
> Sorry, user user1 is not allowed to execute '/bin/su - jira' as root on jira02.example.net.
> [user1@jira02 ~]$
> [andrew.meyer@jira02 ~]$ ipa sudorule-show su_jira
>   Rule name: su_jira
>   Enabled: TRUE
>   Host category: all
>   RunAs User category: all
>   RunAs Group category: all
>   User Groups: developers, ops_sudoers
>   Sudo Allow Command Groups: jira_access
>   Sudo Option: !authenticate
> [andrew.meyer@jira02 ~]$
> 
> [andrew.meyer@jira02 ~]$ ipa sudocmd-find su_jira_cmds
> ----------------------
> 1 Sudo Command matched
> ----------------------
>   Sudo Command: /usr/bin/su - jira,/usr/bin/sudo su - jira,/bin/su - jira,/bin/sudo - jira
>   Description: su_jira_cmds
> ----------------------------
> Number of entries returned 1
> ----------------------------
> What am I doing wrong?

I would first run "sudo -l" to see if the user is able to run any sudo
commands at all.

Then I'd proceed to sudo debugging from
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html#obtaining-logs
to see what data was transferred to sudo and how sudo evaluated it.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
