On 01/05/2015 07:32 PM, Craig White wrote:
Hi - reply at bottom
-----Original Message-----
From: Martin Kosek [mailto:[email protected]]
Sent: Monday, January 05, 2015 4:33 AM
To: Craig White; [email protected]; Pavel Brezina
Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
On 01/02/2015 07:47 PM, Craig White wrote:
Subject pretty much says it all.
Starting to play around with rundeck and was thinking it would be nice if I
could create a user that had the ability to sudo, without password, a public
key and the ability to run commands.
But the use of 'sudo' gets me an error that says it requires a tty to run sudo.
So I tried by creating a sudo rule that has options '!requiretty !authenticate'
but it still complains that I need a tty. Is there a FreeIPA method that I am
lacking?
Craig White
System Administrator
O 623-201-8179 M 602-377-9752
SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032
CCing Pavel to advise.
From the top of my head - did you try clearing the SSSD cache before calling the sudo
command again? Did you enter the options in the FreeIPA SUDO entry correctly?
Maybe the problem is that each option should be filed as a separate attribute
value and you entered it as one combined attribute value.
Martin
----
Thanks Martin
Unclear how to 'clear SSSD cache' so I restarted SSSD service on the testing
box but it didn't help.
$ ipa sudorule-show --all
Rule name: rundeck
dn: ipaUniqueID=XXXXXX,cn=sudorules,cn=sudo,dc=stt,dc=local
Rule name: rundeck
Enabled: TRUE
Host category: all
Command category: all
RunAs User category: all
Users: rundeck
Sudo Option: !requiretty, !authenticate
ipauniqueid: XXXXXX
objectclass: ipaassociation, ipasudorule
At this point, !requiretty and !authenticate are separate options but I have
previously tried them as a bundle together but the results are the same...
sudo: sorry, you must have a tty to run sudo :-(
(client system)
# rpm -qa | egrep 'ipa|sssd'
sssd-ldap-1.11.6-30.el6.x86_64
libipa_hbac-1.11.6-30.el6.x86_64
python-sssdconfig-1.11.6-30.el6.noarch
sssd-ipa-1.11.6-30.el6.x86_64
sssd-client-1.11.6-30.el6.x86_64
sssd-common-1.11.6-30.el6.x86_64
sssd-ad-1.11.6-30.el6.x86_64
sssd-1.11.6-30.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.11.6-30.el6.x86_64
sssd-krb5-common-1.11.6-30.el6.x86_64
sssd-krb5-1.11.6-30.el6.x86_64
sssd-common-pac-1.11.6-30.el6.x86_64
ipa-python-3.0.0-42.el6.x86_64
sssd-proxy-1.11.6-30.el6.x86_64
ipa-client-3.0.0-42.el6.x86_64
Hi,
just to be sure that the problem is indeed in options - the rule without
any sudoOption and with only one of them does work, right?
Can you send us the sudo debug log? You can enable the debug log by putting the
following line in /etc/sudo.conf:
Debug sudo /var/log/sudo.log all@debug
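
Added example, not part of the original thread and not FreeIPA code: `ipa sudorule-show` prints multi-valued attributes joined with commas (see the `objectclass` line above), so its output cannot show whether the two options are stored as one value or two; this Python script checks the raw attribute values of an LDIF entry instead. Assumptions: the LDIF entries are constructed samples, `ipaSudoOpt` and `sudoOption` are taken to be the attributes holding the options, and the function names are hypothetical.

```python
# Constructed LDIF samples (not output from the thread): one rule stored two ways.
COMBINED = """\
dn: ipaUniqueID=EXAMPLE,cn=sudorules,cn=sudo,dc=example,dc=test
cn: rundeck
ipaSudoOpt: !requiretty !authenticate
"""
SEPARATE = """\
dn: ipaUniqueID=EXAMPLE,cn=sudorules,cn=sudo,dc=example,dc=test
cn: rundeck
ipaSudoOpt: !requiretty
ipaSudoOpt: !authenticate
ipaSudoOpt: env_keep+="LANG LC_ALL"
"""

# Assumed attribute names: the FreeIPA rule entry and the sudoers compat schema.
OPTION_ATTRS = {"ipasudoopt", "sudooption"}

def option_values(ldif):
    """Return option values from a plain LDIF entry (no line folding, no base64)."""
    values = []
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in OPTION_ATTRS:
            values.append(value.strip())
    return values

def split_options(value):
    """Split on unquoted spaces or commas; text inside double quotes stays whole."""
    parts, buf, quoted = [], "", False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch in " \t," and not quoted:
            if buf:
                parts.append(buf)
            buf = ""
        else:
            buf += ch
    return parts + [buf] if buf else parts

def combined_values(ldif):
    """Map each value that bundles several options to the separate values it holds."""
    split = {v: split_options(v) for v in option_values(ldif)}
    return {v: parts for v, parts in split.items() if len(parts) > 1}

if __name__ == "__main__":
    for label, entry in (("combined", COMBINED), ("separate", SEPARATE)):
        print(label, combined_values(entry) or "each option is its own value")
```

The split is a heuristic: an option written with unquoted spaces around `=` would be reported as combined, so treat a hit as a prompt to inspect the entry.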