Step 0
root@clnt:/home/awtadm# grep sudoers /etc/nsswitch.conf
sudoers_debug:    1
sudoers: files sss

root@clnt:/home/awtadm# ipa-client-install --no-ntp
IPA client is already configured on this system.

root@clnt:/home/awtadm# grep services /etc/sssd/sssd.conf
services = nss, pam, ssh, sudo


Step1 (there is some problem when create rule on CLI. No problem prompt on Web-based)
...
[root@srv ~]# ipa sudorule-add-option readfiles
Sudo Option: !authenticate
ipa: ERROR: no such entry

...
 Then:
awtadm@clnt:~$ su user1
Password:
user1@clnt:/home/awtadm$ /usr/bin/less /etc/shadow |wc -l
/etc/shadow: Permission denied
0
user1@clnt:/home/awtadm$ sudo /usr/bin/less /etc/shadow |wc -l
[sudo] password for user1:
user1 is not in the sudoers file.  This incident will be reported.
0
user1@clnt:/home/awtadm$ id
uid=1423400004(user1) gid=1423400004(user1) groups=1423400004(user1)
user1@clnt:/home/awtadm$ sudo -l
[sudo] password for user1:
Sorry, user user1 may not run sudo on clnt.
user1@clnt:/home/awtadm$ exit
exit
awtadm@clnt:~$ su user1
Password:
user1@clnt:/home/awtadm$ id
uid=1423400004(user1) gid=1423400004(user1) groups=1423400004(user1)
user1@clnt:/home/awtadm$ sudo -l
[sudo] password for user1:
Sorry, user user1 may not run sudo on clnt.
user1@clnt:/home/awtadm$ /usr/bin/less /etc/shadow |wc -l
/etc/shadow: Permission denied
0
user1@clnt:/home/awtadm$ sudo /usr/bin/less /etc/shadow |wc -l
[sudo] password for user1:
user1 is not in the sudoers file.  This incident will be reported.
0

--OR--

Darktower tevfik # ssh user1@10.1.1.174
The authenticity of host '10.1.1.174 (10.1.1.174)' can't be established.
ECDSA key fingerprint is 37:32:fc:ca:34:ce:4c:07:e8:b6:f6:56:75:98:69:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.174' (ECDSA) to the list of known hosts.
user1@10.1.1.174's password:
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Mon Sep  1 17:50:02 2014 from 10.65.8.100
user1@clnt:~$ sudo /usr/bin/less /etc/shadow |wc -l
[sudo] password for user1:
user1 is not allowed to run sudo on clnt.  This incident will be reported.
0
user1@clnt:~$ sudo -l
[sudo] password for user1:
User user1 is not allowed to run sudo on clnt.



On 01-09-2014 19:05, Lukas Slebodnik wrote:
On (01/09/14 17:52), Tevfik Ceydeliler wrote:
1. I think I configure instead of this document
Sorry you didn't.

2. I can login with ordinary user
login and sudo are not the same think.

My FreeIPA server is alredy properly configured with sudo rules.
I tried to install freipa-client on ubuntu 14.04 and it owrked without any
problem.

Step 0: Install freipa-client on ubuntu 14.04 and configure sudo integration
root@ubuntu1404:/# ipa-client-install --no-ntp
root@ubuntu1404:/# echo "sudoers: files sss" >> /etc/nsswitch.conf

root@ubuntu1404:/# grep services /etc/sssd/sssd.conf
services = nss, pam
root@ubuntu1404:/# sed -i -e 's/\(services.*\)/\1, sudo/' /etc/sssd/sssd.conf
root@ubuntu1404:/# grep services /etc/sssd/sssd.conf
services = nss, pam, sudo

Step 1: configure sudo rules for ordinary user
     Please follow the instructions from FreeIPA documentation.
     http://www.freeipa.org/docs/master/html-desktop/index.html#sudo

   This step was skipped, becuase it was already done few months ago :-)

Step 2: login to machine as ordinary user, which is allowed to use sudo.
$ su usersssd01
Password:
$ id
uid=325600011(usersssd01) gid=325600011(usersssd01) 
groups=325600011(usersssd01),30011(biggroup1)

Step 3: run command
     sudo -l
     // this command should show you which commands can be executed as root
     // with sudo
$ sudo -l
sudo: unable to resolve host ubuntu1404.example.test
[sudo] password for usersssd01:
Matching Defaults entries for usersssd01 on ubuntu1404:
     env_reset, mail_badpass,
     
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User usersssd01 may run the following commands on ubuntu1404:
     (root) /usr/bin/less, /usr/bin/vim

Step 4: If there weren't any problems then user will be able to run command.
     sudo some_command_listed_in_step3
$ sudo /usr/bin/less /etc/shadow | wc -l
21
$ echo $?
0

$ sudo apt-get install mc
Sorry, user usersssd01 is not allowed to execute '/usr/bin/apt-get install mc' 
as root on ubuntu.example.test.
$ echo $?
1

LS

--


<br>
<img src="http://www.yasar.com.tr/banner/yhbanner.jpg";> </img>
<br><br>
Bu elektronik postada bulunan tum fikir ve gorusler ve ekindeki dosyalar sadece 
adres sahip/sahiplerine ait olup, Yasar Toplulugu Sirketleri bu mesajin icerigi 
ile ilgili olarak hic bir hukuksal sorumlulugu kabul etmez. Eger gonderilmesi 
dusunulen kisi veya kurulus degilseniz, lutfen gonderen kisiyi derhal haberdar 
ediniz ve mesaji sisteminizden siliniz.The information contained in this e-mail 
and any files transmitted with it are intended solely for the use of the 
individual or entity to whom they are addressed and Yasar Group Companies do 
not accept legal responsibility for the contents. If you are not the intended 
recipient, please immediately notify the sender and delete it from your system.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to