On Tue, October 9, 2012 01:13, Dmitri Pal wrote:
> On 10/08/2012 06:04 PM, Sigbjorn Lie wrote:
>
>> Hi,
>>
>
>
> Thank you for the report!
>
>
>>
>> I've been testing the sudo integration with IPA and I came across some
>> questions:
>>
>>
>> 1. When I disable or delete a sudo rule, it's not removed from the
>> ou=sudoers until I restart the directory server. Am I doing something wrong?
>> (389-ds-base-1.2.10.2-20.el6_3.x86_64, slapi-nis-0.40-1.el6.x86_64)
>>
>>
>
> This might be a bug in the compat plugin. The internal tree is reflected
> into the standard sudo schema that is supposed to be kept in sync with the
> internal tree. However I would be surprised if there is actually a bug.
>

I definitely still saw the rules in ou=sudoers even though I disabled or 
deleted the rules.
However the cn=sudo tree was instantly updated.

Could someone else test and see if they see the same behaviour?


>> 2. Perhaps the documentation should mention creating a rule called
>> "defaults" to put default options for all sudo rules in. Or even
>> better having one created by default with a fresh IPA installation. It took
>> me a few seconds to figure out where to put default options for all sudo rules.
>
> Can you please open an RFE in trac?
> https://fedorahosted.org/freeipa
>

Ok.


>
>
>>
>> 3. sudo integration with SSSD does not work when anonymous LDAP
>> authentication is disabled at the server. Enabling verbose logging in SSSD
>> seems to suggest that it's attempting anonymous auth only. (sssd-1.8.4-14.fc17.x86_64)
>>
>
> Which integration are you trying? The one that was tech preview in 1.8?
> The one that makes SSSD cache sudo rules? It was significantly rewritten
> in 1.9. Can you please try with 1.9?
>

This was F17. Are there F17 packages for 1.9 somewhere? Will 1.9 be in the next
update of RHEL 6?

>
>>
>> 4. Having spaces in sudo options (such as "env_keep = 'ENV_VAR'") makes
>> sudo display these options as errors when sudo debugging is enabled
>> (sudoers_debug 1 in /etc/ldap.conf or /etc/sudo-ldap.conf):
>> sudo: unknown defaults entry `env_keep '
>>
>
> Yes. This is a known issue already filed as a ticket.
>

OK

>
>>
>> 5. It would be great to have a set of sudo commands and a set of sudo
>> command groups installed by default.
>
> Can you make a proposal about what groups you would like to see in an RFE?
> https://fedorahosted.org/freeipa
>

Sure. I do believe in having only 1 sudoers source, either a file or ldap. So I
believe the contents of the file /etc/sudoers distributed with the sudoers
package is a good starting point.




>
>
>>
>> 6. Adding a sudo command having multiple commands listed (such as:
>> "/sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net,
>> /sbin/iptables, /usr/bin/ rfcomm, /usr/bin/wvdial, /sbin/iwconfig,
>> /sbin/mii-tool") is allowed in IPA and does list it correctly as
>> allowed commands when doing "sudo -l", however attempting to execute one
>> of the commands in the list using sudo fails.
>>
>>
>
> Can you please try SSSD 1.9?

Sure, but I'm not sure how that is going to matter as this is sudo returning an
error. How is it expected to be different when the information is coming from a
different source?

I believe we have to do the LDAP way and not the SSSD way in production though
as we have clients such as older RHEL and Solaris as well besides RHEL 6. So
this should be fixed regardless of where the sudo source is coming from. And I
believe we are not alone here in having a mixed environment... :)

File a bug?



Regards,
Siggi
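Items 1 and 4 above describe two things a defender would want to check rather than discover from a client: compat-tree sudoRole entries under ou=sudoers that are still being served after their source rule in cn=sudo was disabled or deleted, and sudoOption values whose whitespace makes sudo parse the option name as `env_keep ` (with a trailing space). The script below is an added example and is not code from the thread, FreeIPA or slapi-nis. It parses two LDIF dumps offline (the kind `ldapsearch -LLL` would produce against cn=sudo and ou=sudoers) and reports the mismatches. The LDIF content, the suffix dc=example,dc=com, the ipaUniqueID values and the rule names are constructed for the example; the object classes and attribute names (ipasudorule, ipaEnabledFlag, sudoRole, sudoOption, sudoCommand) are the standard IPA and sudo LDAP schema.

```python
"""Lint an IPA sudo compat tree (ou=sudoers) against the internal cn=sudo
tree from two LDIF dumps.

Checks performed:
  * sudoRole entries whose source ipaSudoRule is missing or has
    ipaEnabledFlag FALSE (rules that should no longer be served)
  * sudoOption values with whitespace around '=' (sudo reads the option
    name with the stray space and rejects it)

All sample data below is constructed for this example; the suffix
dc=example,dc=com and the rule names are assumptions.
"""

# Constructed dump of the internal tree, as ldapsearch -LLL would print it.
INTERNAL_LDIF = """\
dn: ipaUniqueID=00000001-constructed,cn=sudorules,cn=sudo,dc=example,dc=com
objectClass: ipasudorule
cn: admins_all
ipaEnabledFlag: TRUE
memberUser: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

dn: ipaUniqueID=00000002-constructed,cn=sudorules,cn=sudo,dc=example,dc=com
objectClass: ipasudorule
cn: netadmin
ipaEnabledFlag: FALSE
"""

# Constructed dump of the compat tree; 'oldrule' was deleted from cn=sudo
# but is still present here, and 'netadmin' is disabled in cn=sudo.
COMPAT_LDIF = """\
dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: env_keep = 'ENV_VAR'
sudoOption: !authenticate

dn: cn=admins_all,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: admins_all
sudoUser: %admins
sudoHost: ALL
sudoCommand: ALL

dn: cn=netadmin,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: netadmin
sudoUser: %netadmins
sudoHost: ALL
sudoCommand: /sbin/route
sudoCommand: /sbin/ifconfig

dn: cn=oldrule,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: oldrule
sudoUser: bob
sudoHost: ALL
sudoCommand: ALL
"""


def parse_ldif(text):
    """Parse LDIF into {dn: {attribute_lowercased: [values]}}.

    Folded lines (leading space) are joined to the previous line, '#'
    comments are ignored, and base64 values ('attr:: ...') are skipped
    because this sample does not need them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries[current["dn"]] = current["attrs"]
                current = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value, not needed here
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def _has_class(attrs, wanted):
    return wanted in (v.lower() for v in attrs.get("objectclass", []))


def stale_compat_rules(internal_ldif, compat_ldif):
    """Names of sudoRole entries in the compat tree whose source ipaSudoRule
    is absent or disabled. 'defaults' holds global options and has no
    source rule, so it is skipped."""
    active = set()
    for attrs in parse_ldif(internal_ldif).values():
        if _has_class(attrs, "ipasudorule"):
            if attrs.get("ipaenabledflag", ["TRUE"])[0].upper() == "TRUE":
                active.add(attrs["cn"][0].lower())
    stale = []
    for attrs in parse_ldif(compat_ldif).values():
        if not _has_class(attrs, "sudorole"):
            continue
        name = attrs["cn"][0].lower()
        if name != "defaults" and name not in active:
            stale.append(name)
    return sorted(stale)


def malformed_options(compat_ldif):
    """(rule, sudoOption) pairs where whitespace surrounds '=' in an option,
    e.g. "env_keep = 'ENV_VAR'", which sudo reports as an unknown defaults
    entry named 'env_keep ' (item 4 in the thread)."""
    bad = []
    for attrs in parse_ldif(compat_ldif).values():
        for opt in attrs.get("sudooption", []):
            key, sep, val = opt.partition("=")
            if sep and (key != key.rstrip() or val != val.lstrip()):
                bad.append((attrs["cn"][0].lower(), opt))
    return bad


if __name__ == "__main__":
    for name in stale_compat_rules(INTERNAL_LDIF, COMPAT_LDIF):
        print("stale compat rule still served:", name)
    for rule, opt in malformed_options(COMPAT_LDIF):
        print("malformed sudoOption in %s: %r" % (rule, opt))
```

Against real data, replace the two constants with the output of `ldapsearch -LLL` over `cn=sudorules,cn=sudo,<suffix>` and `ou=sudoers,<suffix>`; a non-empty stale list after the rule was disabled in the UI is exactly the symptom reported in item 1, and it is the compat tree, not cn=sudo, that sudo-ldap clients actually consult.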





_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users