On (06/01/15 10:21), Pavel Březina wrote:
>On 01/05/2015 07:32 PM, Craig White wrote:
>>Hi - reply at bottom
>>-----Original Message-----
>>From: Martin Kosek [mailto:mko...@redhat.com]
>>Sent: Monday, January 05, 2015 4:33 AM
>>To: Craig White; freeipa-users@redhat.com; Pavel Brezina
>>Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>>On 01/02/2015 07:47 PM, Craig White wrote:
>>>Subject pretty much says it all.
>>>Starting to play around with rundeck and was thinking it would be nice if I 
>>>could create a user that had the ability to sudo, without password, a public 
>>>key and the ability to run commands.
>>>But the use of 'sudo' gets me an error that says it requires a tty to run 
>>>sudo. So I tried by creating a sudo rule that has options '!requiretty 
>>>!authenticate' but it still complains that I need a tty. Is there a FreeIPA 
>>>method that I am lacking?
>>>Craig White
>>>System Administrator
>>>O 623-201-8179   M 602-377-9752
>>>SkyTouch Technology     4225 E. Windrose Dr.     Phoenix, AZ 85032
>>CCing Pavel to advise.
>>From top of my head - did you try clearing SSSD cache before calling the
>>sudo command again? Did you enter the options in the FreeIPA SUDO entry
>>correctly?
>>Maybe the problem is that each option should be filed as a separate attribute 
>>value and you entered it as one combined attribute value.
>>Thanks Martin
>>Unclear how to 'clear SSSD cache' so I restarted SSSD service on the testing 
>>box but it didn't help.
>>$ ipa sudorule-show --all
>>Rule name: rundeck
>>   dn: ipaUniqueID=XXXXXX,cn=sudorules,cn=sudo,dc=stt,dc=local
>>   Rule name: rundeck
>>   Enabled: TRUE
>>   Host category: all
>>   Command category: all
>>   RunAs User category: all
>>   Users: rundeck
>>   Sudo Option: !requiretty, !authenticate
>>   ipauniqueid: XXXXXX
>>   objectclass: ipaassociation, ipasudorule
>>At this point, !requiretty and !authenticate are separate options but I have 
>>previously tried them as a bundle together but the results are the same...
>>sudo: sorry, you must have a tty to run sudo   :-(
>>(client system)
>># rpm -qa | egrep 'ipa|sssd'
>Just to be sure that the problem is indeed in options - the rule without any
>sudoOption and with only one of them does work, right?
>Can you send us the sudo debug log? You can enable the debug log by putting the
>following line in /etc/sudo.conf:
>Debug sudo /var/log/sudo.log all@debug
It will help as well if you provide your sssd and nsswitch configuration files.
(/etc/nsswitch.conf, /etc/sssd/sssd.conf)
We need to be sure that sudo integration with sssd is configured properly.
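
Added example, not part of the original thread: a small shell check of the two files requested above, to confirm that sudo is pointed at SSSD before debugging the sudoOption values. The function names and sample files are constructed for illustration, and it assumes the sudo responder is enabled through `services` in the `[sssd]` section rather than by socket activation.

```shell
#!/bin/sh
# Added example: checks sudo/SSSD integration in nsswitch.conf and sssd.conf.
# File paths are arguments so the checks can be run on copies of the files.

# Succeeds when the "sudoers:" line of nsswitch.conf lists the sss source.
nsswitch_has_sss_sudoers() {
    awk '$1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
         END { exit !found }' "$1"
}

# Succeeds when "services" in the [sssd] section of sssd.conf includes sudo.
sssd_has_sudo_service() {
    awk -F= '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/) }
        in_sssd && $1 ~ /^[ \t]*services[ \t]*$/ {
            n = split($2, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit !found }' "$1"
}

# Prints one verdict per file; returns non-zero if either check fails.
check_sudo_sssd() {
    rc=0
    if nsswitch_has_sss_sudoers "$1"; then echo "OK   $1: sudoers uses sss"
    else echo "FAIL $1: no 'sss' on the sudoers: line"; rc=1; fi
    if sssd_has_sudo_service "$2"; then echo "OK   $2: sudo responder enabled"
    else echo "FAIL $2: 'sudo' missing from [sssd] services"; rc=1; fi
    return $rc
}

# Constructed sample files (not from the thread): one good pair, one sssd.conf
# whose [sssd] services line lacks sudo.
demo() {
    d=$(mktemp -d)
    printf 'passwd: files sss\nsudoers: files sss\n' > "$d/nsswitch.conf"
    printf '[sssd]\nservices = nss, pam, sudo\ndomains = example.test\n' > "$d/sssd.good"
    printf '[sssd]\nservices = nss, pam\ndomains = example.test\n' > "$d/sssd.bad"
    check_sudo_sssd "$d/nsswitch.conf" "$d/sssd.good"
    check_sudo_sssd "$d/nsswitch.conf" "$d/sssd.bad" || echo "=> fix this before debugging sudoOption"
    rm -rf "$d"
}
demo
```

On a client, run it as `check_sudo_sssd /etc/nsswitch.conf /etc/sssd/sssd.conf`.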

