On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote: > On (03/05/14 10:39), Dean Hunter wrote: > >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote: > > > >> On (01/05/14 15:53), Dean Hunter wrote: > >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote: > >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote: > >> >> > >> >> > > >> >> > I just noticed that I had been incorrectly setting the NIS domain > >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to > >> >> > be successfully retrieving and using sudo rules from FreeIPA. Is > >> >> > sudo still using NIS-style netgroups? Is there still a requirement > >> >> > to set the NIS domain name? > >> >> > >> >> > >> >> I think NIS domain is needed for netgroups. If you are not using > >> >> netgroups in the sudo rules but just user groups you should be fine. > >> >> Is this the case with you? > >> >> If not please provide the logs and config. > >> >> > >> > > >> >I am not aware of using netgroups, either the IPA object or any other > >> >kind. I just remember that when I was first configuring sudo to > >> >retrieve rules from IPA it would not work until I set nisdomainname > >> >in /etc/rc.d/rc.local. Here is the quote from section 14.4 of the > >> >manual: > >> > > >> > > >> > Even though sudo uses NIS-style netgroups, it is not necessary > >> > to have a NIS server installed. Netgroups require that a NIS > >> > domain be named in their configuration, so sudo requires that a > >> > NIS domain be named for netgroups. However, that NIS domain does > >> > not actually need to exist. > >> > > >> > > >> >With Fedora 20 I can no longer find the emulation of rc.local that > >> >existed in Fedora 19. I did find fedora-domainname.service and started > >> >and enabled it but neglected to configure /etc/sysconfig/network. Yet > >> >IPA sudo rules appear to work. > >> > > >> Hope It helps you > >> http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html > >> > >> LS > > > > > >Thank you. Now that you point it out, I remember that this thread is > >where I first learned about fedora-domainname.service. I see: > > > > You would also need to set NIS domain name, otherwise SUDO will > > not correctly recognize SUDO rules targeted on host groups, > ^^^^^^^^^^^^^^ > This is important part > > instead of hosts: > > > >which explains when sudo would need the NIS domain name. Since my sudo > >rules address user groups I guess there is no requirement for NIS domain > >name since they are working just fine: > Your sudo rules use host groups. > > > > > ipa sudorule-add desktop-admins --desc "Desktop > > Administrators" > > ipa sudorule-mod desktop-admins --cmdcat all > > ipa sudorule-add-host desktop-admins --hostgroups desktops > > ipa sudorule-add-option desktop-admins --sudooption "! > > authenticate" > > ipa sudorule-add-runasuser desktop-admins --users root > > ipa sudorule-add-runasgroup desktop-admins --groups root > > ipa sudorule-add-user desktop-admins --groups > > desktop-admins > > > > ipa sudorule-add server-admins --desc "Server > > Administrators" > > ipa sudorule-mod server-admins --cmdcat all > > ipa sudorule-add-host server-admins --hostgroups servers > hostgroups are reason why you need to configure NIS domain name. > hostgroups are also available as netgroups in compat tree and sudo reads > information from netgroups. > > > ipa sudorule-add-option server-admins --sudooption "! > > authenticate" > > ipa sudorule-add-runasuser server-admins --users root > > ipa sudorule-add-runasgroup server-admins --groups root > > ipa sudorule-add-user server-admins --groups > > server-admins > > > >However, I was really asking whether there had been a change in > >sssd/sudo behavior as it was my recollection that my sudo rules did not > >work at all in early IPA 3.n releases unless the NIS domain name was > >configured. > > > > LS
I hear you and that is what I expected. However, the actual behavior seems to have changed with 3.3.4 and now 3.3.5. [dean@desktop ~]$ domainname --nis domainname: Local domain name not set [dean@desktop ~]$ sudo -l Matching Defaults entries for dean on desktop: requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin User dean may run the following commands on desktop: (root : root) NOPASSWD: ALL [dean@desktop ~]$ I think this is a good thing. I would just like to confirm that this is the new expected behavior and that I have not done something wrong.
_______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users