Martin,

Sorry for the late reply.

Thanks for spotting this. I suspect I cannot "just" change ldap in our IPA. This is part of a production environment consisting solely of supported RHEL 6.4 servers. I can snapshot the IPA servers (they are VMs) to be able to roll back in case of trouble, but I am not sure such a change is "supported".

Fred

On Fri, Jan 10, 2014 at 5:28 PM, Martin Kosek <[email protected]> wrote:
> Ah, I think I found the root cause. Our sudoers compat tree configuration
> missed out the sudoOrder attribute. The order was thus missing in LDAP sudoers
> and thus ineffective. I filed an upstream ticket to fix it:
> https://fedorahosted.org/freeipa/ticket/4107
>
> However, to hotfix it in your environment, could you try manually fixing the
> configuration on your FreeIPA server?
>
> $ ldapmodify -h `hostname` -D "cn=Directory Manager" -x -W
> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
>
> This should do the trick.
>
> Martin
>
> On 01/10/2014 05:17 PM, Martin Kosek wrote:
> > On 01/10/2014 04:52 PM, Fred van Zwieten wrote:
> >> Yes, you would expect that to help, wouldn't you :-)
> >
> > Yes, I would :-)
> >
> >> Didn't even know this existed. Thanks for that.
> >>
> >> User has 3 sudo rules. I have set the allow_all rule to 1, the second rule
> >> to 2 and the cobbler (with the "!authenticate" option) rule to 99:
> >
> > What is the version of the SUDO on your system? According to
> > http://www.sudo.ws/sudoers.ldap.man.html
> > it was implemented in SUDO 1.7.5.
> >
> > Martin
> >
> >> User ******** may run the following commands on this host:
> >>     (root) ALL
> >>     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
> >>     /usr/bin/less, !/bin/su
> >>     (root) NOPASSWD: /usr/bin/cobbler
> >>     (root) !/bin/su
> >>
> >> Nope. Didn't help.
> >>
> >> Fred
> >>
> >> On Fri, Jan 10, 2014 at 3:59 PM, Martin Kosek <[email protected]> wrote:
> >>
> >>> On 01/10/2014 11:52 AM, Fred van Zwieten wrote:
> >>>> Hi,
> >>>>
> >>>> I have a sudo rule in IPA that has the !authenticate option added to enable
> >>>> admins to execute certain programs as root without authentication.
> >>>>
> >>>> It doesn't work. There is another rule for the admins that allows all
> >>>> commands as long as they give their password.
> >>>>
> >>>> In a sudoers file, you can solve this by specifying the nopasswd rule as
> >>>> last.
> >>>>
> >>>> sudo -l from an IPA-client gives me this:
> >>>>
> >>>> *******@svr001 ~]$ sudo -l
> >>>> Matching Defaults entries for ******* on this host:
> >>>>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
> >>>>     DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
> >>>>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
> >>>>     LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
> >>>>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
> >>>>     LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
> >>>>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
> >>>>
> >>>> User ******** may run the following commands on this host:
> >>>>     (root) NOPASSWD: ALL
> >>>>     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
> >>>>     /usr/bin/less, !/bin/su
> >>>>     (root) NOPASSWD: /usr/bin/cobbler
> >>>>     (root) !/bin/su
> >>>>
> >>>> I want the cobbler command to run without password authentication. What am
> >>>> I doing wrong?
> >>>>
> >>>
> >>> Would setting SUDO rule order help?
> >>>
> >>> # ipa sudorule-mod -h
> >>> ...
> >>>   --order=INT           integer to order the Sudo rules
> >>> ...
> >>>
> >>> Martin
> >>>
> >>
> >
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
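The thread turns on how sudo's LDAP back end picks among several sudoRole entries that all match the user: per sudoers.ldap(5) (sudo 1.7.5 and later) a missing sudoOrder counts as 0, entries are ordered by sudoOrder, and the last matching entry decides, carrying its own options (such as !authenticate) with it. The model below is an added illustration written for this page; it is not sudo's or FreeIPA's code. It replays Fred's three rules once with the sudoOrder values he set and once with the attribute absent, as it was before the compat-tree hotfix. The rule names other than allow_all, and the order in which the directory returns the entries, are assumptions chosen to show the failure mode; the tie-break for equal sudoOrder values is whatever the directory happens to return, so it should not be relied on.

```python
"""Simplified model of sudo's LDAP sudoers resolution (sudoers.ldap(5)).

Not sudo's own code: it models only the pieces that matter for the thread,
namely sudoOrder sorting, per-entry command matching with "!cmd" denials,
and the winning entry's authenticate option (NOPASSWD == !authenticate).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SudoRule:
    """One sudoRole entry as the client sees it (assumed attribute subset)."""
    name: str
    commands: List[str]                # "ALL", absolute paths, or "!/path" denials
    authenticate: bool = True          # False models the "!authenticate" option
    sudo_order: Optional[int] = None   # None models a missing sudoOrder attribute


def check_command(rule: SudoRule, command: str) -> Optional[bool]:
    """Tri-state per-entry verdict: True (allowed), False (explicitly denied
    by a "!cmd" entry), None (this entry says nothing about the command)."""
    if "!" + command in rule.commands:
        return False
    if "ALL" in rule.commands or command in rule.commands:
        return True
    return None


def resolve(rules: List[SudoRule], command: str) -> Tuple[bool, bool, Optional[str]]:
    """Return (allowed, password_required, deciding_rule_name).

    Entries are walked in ascending sudoOrder (missing == 0). Python's sort is
    stable, so entries with equal sudoOrder keep the directory's return order,
    which is exactly the arbitrariness the thread ran into. The last entry
    that says anything about the command wins and supplies the options.
    """
    allowed, needs_password, decided_by = False, True, None
    for rule in sorted(rules, key=lambda r: r.sudo_order or 0):
        verdict = check_command(rule, command)
        if verdict is None:
            continue
        allowed, needs_password, decided_by = verdict, rule.authenticate, rule.name
    return allowed, needs_password, decided_by


def fred_rules(with_order: bool) -> List[SudoRule]:
    """The three rules from the thread, in a constructed directory return order.

    Only "allow_all" is named in the thread; "restricted" and "cobbler" are
    assumed names. with_order=False models the compat tree before the
    sudoOrder hotfix: the attribute is simply absent from every entry.
    """
    return [
        SudoRule("cobbler", ["/usr/bin/cobbler"], authenticate=False,
                 sudo_order=99 if with_order else None),
        SudoRule("restricted", ["/bin/cat", "/bin/egrep", "/bin/find", "/bin/grep",
                                "/bin/ls", "/bin/more", "/usr/bin/less", "!/bin/su"],
                 sudo_order=2 if with_order else None),
        SudoRule("allow_all", ["ALL"],
                 sudo_order=1 if with_order else None),
    ]


if __name__ == "__main__":
    for with_order in (False, True):
        label = "with sudoOrder" if with_order else "without sudoOrder"
        for cmd in ("/usr/bin/cobbler", "/bin/ls", "/bin/su"):
            allowed, pw, who = resolve(fred_rules(with_order), cmd)
            print(f"{label:18} {cmd:18} allowed={allowed!s:5} "
                  f"password={pw!s:5} decided_by={who}")
```

Without sudoOrder every entry sorts as 0, so in the constructed return order the allow_all entry is walked last for /usr/bin/cobbler and its password requirement wins, which matches the behaviour Fred reported. Once the attribute is exported, the cobbler rule at 99 decides and NOPASSWD applies; /bin/su is still denied because the restricted rule at order 2 carries an explicit !/bin/su and is walked after allow_all.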
