On (06/01/15 10:21), Pavel Březina wrote:
>On 01/05/2015 07:32 PM, Craig White wrote:
>>Hi - reply at bottom
>>
>>-----Original Message-----
>>From: Martin Kosek [mailto:[email protected]]
>>Sent: Monday, January 05, 2015 4:33 AM
>>To: Craig White; [email protected]; Pavel Brezina
>>Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>>
>>On 01/02/2015 07:47 PM, Craig White wrote:
>>>Subject pretty much says it all.
>>>
>>>Starting to play around with rundeck and was thinking it would be nice if I
>>>could create a user that had the ability to sudo, without password, a public
>>>key and the ability to run commands.
>>>
>>>But the use of 'sudo' gets me an error that says it requires a tty to run
>>>sudo. So I tried by creating a sudo rule that has options '!requiretty
>>>!authenticate' but it still complains that I need a tty. Is there a FreeIPA
>>>method that I am lacking?
>>>
>>>Craig White
>>>System Administrator
>>>O 623-201-8179 M 602-377-9752
>>>
>>>[cid:[email protected]]
>>>
>>>SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032
>>
>>CCing Pavel to advise.
>>
>> From top of my head - did you try clearing SSSD cache before calling the
>> sudo command again? Did you enter the options in the FreeIPA SUDO entry
>> correctly?
>>Maybe the problem is that each option should be filed as a separate attribute
>>value and you entered it as one combined attribute value.
>>
>>Martin
>>----
>>Thanks Martin
>>
>>Unclear how to 'clear SSSD cache' so I restarted SSSD service on the testing
>>box but it didn't help.
>>
>>$ ipa sudorule-show --all
>>Rule name: rundeck
>>  dn: ipaUniqueID=XXXXXX,cn=sudorules,cn=sudo,dc=stt,dc=local
>>  Rule name: rundeck
>>  Enabled: TRUE
>>  Host category: all
>>  Command category: all
>>  RunAs User category: all
>>  Users: rundeck
>>  Sudo Option: !requiretty, !authenticate
>>  ipauniqueid: XXXXXX
>>  objectclass: ipaassociation, ipasudorule
>>
>>At this point, !requiretty and !authenticate are separate options but I have
>>previously tried them as a bundle together but the results are the same...
>>
>>sudo: sorry, you must have a tty to run sudo :-(
>>
>>(client system)
>># rpm -qa | egrep 'ipa|sssd'
>>sssd-ldap-1.11.6-30.el6.x86_64
>>libipa_hbac-1.11.6-30.el6.x86_64
>>python-sssdconfig-1.11.6-30.el6.noarch
>>sssd-ipa-1.11.6-30.el6.x86_64
>>sssd-client-1.11.6-30.el6.x86_64
>>sssd-common-1.11.6-30.el6.x86_64
>>sssd-ad-1.11.6-30.el6.x86_64
>>sssd-1.11.6-30.el6.x86_64
>>python-iniparse-0.3.1-2.1.el6.noarch
>>libipa_hbac-python-1.11.6-30.el6.x86_64
>>sssd-krb5-common-1.11.6-30.el6.x86_64
>>sssd-krb5-1.11.6-30.el6.x86_64
>>sssd-common-pac-1.11.6-30.el6.x86_64
>>ipa-python-3.0.0-42.el6.x86_64
>>sssd-proxy-1.11.6-30.el6.x86_64
>>ipa-client-3.0.0-42.el6.x86_64
>
>Hi,
>just to be sure that the problem is indeed in options - the rule without any
>sudoOption and with only one of them does work, right?
>
>Can you send us sudo debug log? You can enable debug log by putting the
>following line in /etc/sudo.conf:
>
>Debug sudo /var/log/sudo.log all@debug
>

It will help as well if you provide your sssd and nsswitch configuration
files. (/etc/nsswitch.conf, /etc/sssd/sssd.conf)

We need to be sure that sudo integration with sssd is configured properly.

LS
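
Added example, not part of the original thread or of the FreeIPA/SSSD projects: a shell check of the two files requested above, testing that the `sudoers:` line in nsswitch.conf lists `sss` and that `sudo` appears in the `[sssd]` `services` list, as the sssd 1.11 packages shown in the thread require. The function names and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check that sudo rule lookups are routed through SSSD.

# Reads nsswitch.conf on stdin; succeeds if the "sudoers:" line lists "sss".
nsswitch_has_sss() {
    awk '{ sub(/#.*/, "") }   # ignore comments, including commented-out lines
         $1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
         END { exit !found }'
}

# Reads sssd.conf on stdin; succeeds if "services" in [sssd] includes "sudo".
sssd_has_sudo_responder() {
    awk '/^[ \t]*[#;]/ { next }
         /^[ \t]*\[/   { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
         in_sssd && /^[ \t]*services[ \t]*=/ {
             sub(/^[^=]*=/, "")
             n = split($0, svc, ",")
             for (i = 1; i <= n; i++) {
                 gsub(/[ \t]/, "", svc[i])
                 if (svc[i] == "sudo") found = 1
             }
         }
         END { exit !found }'
}

# $1 = nsswitch.conf path, $2 = sssd.conf path; prints each problem found.
check_sudo_sssd() {
    rc=0
    nsswitch_has_sss < "$1" || { echo "$1: sudoers line does not list sss"; rc=1; }
    sssd_has_sudo_responder < "$2" || { echo "$2: sudo not in [sssd] services"; rc=1; }
    return "$rc"
}

# Constructed sample (not from the thread): a client missing both settings.
BAD_NSSWITCH='passwd: files sss
sudoers: files'
BAD_SSSD='[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa'

# With two file arguments, check those files; otherwise only define the functions.
if [ "$#" -eq 2 ]; then check_sudo_sssd "$1" "$2"; fi
```

Run it as `sh check.sh /etc/nsswitch.conf /etc/sssd/sssd.conf` on the client; no output and exit status 0 mean both settings are present.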
