On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote:

> On (03/05/14 10:39), Dean Hunter wrote:
> >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:
> >
> >> On (01/05/14 15:53), Dean Hunter wrote:
> >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
> >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
> >> >> 
> >> >> > 
> >> >> > I just noticed that I had been incorrectly setting the NIS domain
> >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
> >> >> > be successfully retrieving and using sudo rules from FreeIPA.  Is
> >> >> > sudo still using NIS-style netgroups?  Is there still a requirement
> >> >> > to set the NIS domain name? 
> >> >> 
> >> >> 
> >> >> I think NIS domain is needed for netgroups. If you are not using
> >> >> netgroups in the sudo rules but just user groups you should be fine.
> >> >> Is this the case with you?
> >> >> If not please provide the logs and config.
> >> >> 
> >> >
> >> >I am not aware of using netgroups, either the IPA object or any other
> >> >kind.  I just remember that when I was first configuring sudo to
> >> >retrieve rules from IPA it would not work until I set nisdomainname
> >> >in /etc/rc.d/rc.local.  Here is the quote from section 14.4 of the
> >> >manual:
> >> >
> >> >
> >> >        Even though sudo uses NIS-style netgroups, it is not necessary
> >> >        to have a NIS server installed. Netgroups require that a NIS
> >> >        domain be named in their configuration, so sudo requires that a
> >> >        NIS domain be named for netgroups. However, that NIS domain does
> >> >        not actually need to exist.
> >> >        
> >> >
> >> >With Fedora 20 I can no longer find the emulation of rc.local that
> >> >existed in Fedora 19.  I did find fedora-domainname.service and started
> >> >and enabled it but neglected to configure /etc/sysconfig/network.  Yet
> >> >IPA sudo rules appear to work.
> >> >
> >> Hope It helps you
> >> http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html
> >> 
> >> LS
> >
> >
> >Thank you.  Now that you point it out, I remember that this thread is
> >where I first learned about fedora-domainname.service.  I see:
> >
> >        You would also need to set NIS domain name, otherwise SUDO will
> >        not correctly recognize SUDO rules targeted on host groups,
>                                                      ^^^^^^^^^^^^^^
>                                                  This is important part
> >        instead of hosts:
> >
> >which explains when sudo would need the NIS domain name.  Since my sudo
> >rules address user groups I guess there is no requirement for NIS domain
> >name since they are working just fine:
> Your sudo rules use host groups.
> 
> >
> >        ipa sudorule-add            desktop-admins --desc "Desktop
> >        Administrators"
> >        ipa sudorule-mod            desktop-admins --cmdcat all
> >        ipa sudorule-add-host       desktop-admins --hostgroups desktops
> >        ipa sudorule-add-option     desktop-admins --sudooption "!
> >        authenticate"
> >        ipa sudorule-add-runasuser  desktop-admins --users root
> >        ipa sudorule-add-runasgroup desktop-admins --groups root
> >        ipa sudorule-add-user       desktop-admins --groups
> >        desktop-admins
> >
> >        ipa sudorule-add            server-admins  --desc "Server
> >        Administrators"
> >        ipa sudorule-mod            server-admins  --cmdcat all
> >        ipa sudorule-add-host       server-admins  --hostgroups servers
> hostgroups are reason why you need to configure NIS domain name.
> hostgroups are also available as netgroups in compat tree and sudo reads
> information from netgroups.
> 
> >        ipa sudorule-add-option     server-admins  --sudooption "!
> >        authenticate"
> >        ipa sudorule-add-runasuser  server-admins  --users root
> >        ipa sudorule-add-runasgroup server-admins  --groups root
> >        ipa sudorule-add-user       server-admins  --groups
> >        server-admins
> >
> >However, I was really asking whether there had been a change in
> >sssd/sudo behavior as it was my recollection that my sudo rules did not
> >work at all in early IPA 3.n releases unless the NIS domain name was
> >configured.
> >
> 
> LS


I hear you and that is what I expected.  However, the actual behavior
seems to have changed with 3.3.4 and now 3.3.5.

        [dean@desktop ~]$ domainname --nis
        domainname: Local domain name not set
        
        [dean@desktop ~]$ sudo -l
        Matching Defaults entries for dean on desktop:
            requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME
        HISTSIZE INPUTRC
            KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
        LANG LC_ADDRESS
            LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
        LC_MEASUREMENT
            LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
        LC_PAPER
            LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
        _XKB_CHARSET
            XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
        
        User dean may run the following commands on desktop:
            (root : root) NOPASSWD: ALL
        
        [dean@desktop ~]$ 

I think this is a good thing.  I would just like to confirm that this is
the new expected behavior and that I have not done something wrong.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to