On (03/05/14 10:39), Dean Hunter wrote: >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote: > >> On (01/05/14 15:53), Dean Hunter wrote: >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote: >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote: >> >> >> >> > >> >> > I just noticed that I had been incorrectly setting the NIS domain >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to >> >> > be successfully retrieving and using sudo rules from FreeIPA. Is >> >> > sudo still using NIS-style netgroups? Is there still a requirement >> >> > to set the NIS domain name? >> >> >> >> >> >> I think NIS domain is needed for netgroups. If you are not using >> >> netgroups in the sudo rules but just user groups you should be fine. >> >> Is this the case with you? >> >> If not please provide the logs and config. >> >> >> > >> >I am not aware of using netgroups, either the IPA object or any other >> >kind. I just remember that when I was first configuring sudo to >> >retrieve rules from IPA it would not work until I set nisdomainname >> >in /etc/rc.d/rc.local. Here is the quote from section 14.4 of the >> >manual: >> > >> > >> > Even though sudo uses NIS-style netgroups, it is not necessary >> > to have a NIS server installed. Netgroups require that a NIS >> > domain be named in their configuration, so sudo requires that a >> > NIS domain be named for netgroups. However, that NIS domain does >> > not actually need to exist. >> > >> > >> >With Fedora 20 I can no longer find the emulation of rc.local that >> >existed in Fedora 19. I did find fedora-domainname.service and started >> >and enabled it but neglected to configure /etc/sysconfig/network. Yet >> >IPA sudo rules appear to work. >> > >> Hope It helps you >> http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html >> >> LS > > >Thank you. Now that you point it out, I remember that this thread is >where I first learned about fedora-domainname.service. I see: > > You would also need to set NIS domain name, otherwise SUDO will > not correctly recognize SUDO rules targeted on host groups, ^^^^^^^^^^^^^^ This is important part > instead of hosts: > >which explains when sudo would need the NIS domain name. Since my sudo >rules address user groups I guess there is no requirement for NIS domain >name since they are working just fine: Your sudo rules use host groups.
> > ipa sudorule-add desktop-admins --desc "Desktop > Administrators" > ipa sudorule-mod desktop-admins --cmdcat all > ipa sudorule-add-host desktop-admins --hostgroups desktops > ipa sudorule-add-option desktop-admins --sudooption "! > authenticate" > ipa sudorule-add-runasuser desktop-admins --users root > ipa sudorule-add-runasgroup desktop-admins --groups root > ipa sudorule-add-user desktop-admins --groups > desktop-admins > > ipa sudorule-add server-admins --desc "Server > Administrators" > ipa sudorule-mod server-admins --cmdcat all > ipa sudorule-add-host server-admins --hostgroups servers hostgroups are reason why you need to configure NIS domain name. hostgroups are also available as netgroups in compat tree and sudo reads information from netgroups. > ipa sudorule-add-option server-admins --sudooption "! > authenticate" > ipa sudorule-add-runasuser server-admins --users root > ipa sudorule-add-runasgroup server-admins --groups root > ipa sudorule-add-user server-admins --groups > server-admins > >However, I was really asking whether there had been a change in >sssd/sudo behavior as it was my recollection that my sudo rules did not >work at all in early IPA 3.n releases unless the NIS domain name was >configured. > LS _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
