Craig White wrote:
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com] 
> Sent: Thursday, January 08, 2015 9:33 AM
> To: Craig White; Martin Kosek; Pavel Březina; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
> 
> Craig White wrote:
>> -----Original Message-----
>> From: freeipa-users-boun...@redhat.com 
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Kosek
>> Sent: Thursday, January 08, 2015 5:30 AM
>> To: Pavel Březina; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>>
>> On 01/08/2015 10:45 AM, Pavel Březina wrote:
>>> On 01/07/2015 06:32 PM, Craig White wrote:
>>>> Still struggling with this...
>>>>
>>>> $ sudo /sbin/service pe-puppet restart
>>>>   [sudo] password for rundeck:
>>>> Stopping puppet:                                           [  OK  ]
>>>> Starting puppet:                                           [  OK  ]
>>>>
>>>> So it asks for the password even though, via FreeIPA it isn't required...
>>>>
>>>> $ sudo -l
>>>> Matching Defaults entries for rundeck on this host:
>>>>      requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>>>>      DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>>>>      PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>>>>      LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>>>>      LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>>>>      LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>>>      secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>>
>>>> User rundeck may run the following commands on this host:
>>>>      (root) ALL
>>>>      (ALL) NOPASSWD: ALL
>>>
>>> Hi,
>>> thank you, I was just going to ask you for sudo -l. I believe that 
>>> the problem is that (root) ALL rule takes precedence. Or to be more 
>>> precise, the first rule that matches is always applied, unless 
>>> sudoOrder attribute is present (but that is not supported by IPA, is it?).
>>
>> JFTR, sudoOrder *is* supported in FreeIPA, since FreeIPA 3.3.4 (upstream 
>> ticket https://fedorahosted.org/freeipa/ticket/4107).
>>
>> ----
>> I see said the blind man. Obviously the root/ALL rule is part and parcel of 
>> RHEL distribution of sudo package.
>>
>> $ rpm -q ipa-server
>> ipa-server-3.0.0-42.el6.x86_64
>>
>> $ cat sudoOrder.ldif
>> dn: cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config
>> changetype: modify
>> add: schema-compat-entry-attribute
>> schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
>>
>> $ ldapmodify -x -h `hostname` -D "cn=Directory Manager" -W -f sudoOrder.ldif
>> Enter LDAP Password:
>> modifying entry "cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config"
>> ldap_modify: No such object (32)
>>         additional info: Range Check error
>>
>> bummer   :-(
> 
> You have a typo, suoders instead of sudoers.
> 
> You might also experiment with order in the sudoers entry in 
> /etc/nsswitch.conf, try sss files. Or if you don't intend on storing any 
> rules in files, perhaps drop it.
> ----
> Thanks for catching my typo - my bad.
> 
> This is interesting. First tried 'sss files' and then just 'sss' for sudoers 
> in nsswitch.conf but no go.
> 
> $ sudo -l
> 
> We trust you have received the usual lecture from the local System
> Administrator. It usually boils down to these three things:
> 
>     #1) Respect the privacy of others.
>     #2) Think before you type.
>     #3) With great power comes great responsibility.
> 
> [sudo] password for rundeck:
> Matching Defaults entries for rundeck on this host:
>     !requiretty
> 
> User rundeck may run the following commands on this host:
>     (root) ALL
>     (ALL) NOPASSWD: ALL
> 
> So !authenticate doesn't show up even though I have had the rule in ipa for 2 
> days now.
> $ ipa sudorule-show rundeck
>   Rule name: rundeck
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   RunAs User category: all
>   RunAs Group category: all
>   Users: rundeck
>   Sudo Option: !authenticate
> 
> That '(root) ALL' rule doesn't come from /etc/sudoers as I thought because 
> nsswitch.conf presently only uses sss for sudoers. I still don't see where it 
> actually comes from though...

What groups is rundeck a member of?

rob

> 
> $ ldapsearch -x -h `hostname` -D "cn=Directory Manager" -W -b ou=sudoers,dc=stt,dc=local
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <ou=sudoers,dc=stt,dc=local> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # sudoers, stt.local
> dn: ou=sudoers,dc=stt,dc=local
> objectClass: extensibleObject
> ou: sudoers
> 
> # defaults, sudoers, stt.local
> dn: cn=defaults,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoOption: !requiretty
> cn: defaults
> 
> # rundeck, sudoers, stt.local
> dn: cn=rundeck,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: rundeck
> sudoHost: ALL
> sudoCommand: ALL
> sudoRunAsUser: ALL
> sudoOption: !authenticate
> cn: rundeck
> 
> # puppet, sudoers, stt.local
> dn: cn=puppet,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: %puppet
> sudoHost: +puppet
> sudoCommand: ALL
> cn: puppet
> 
> # sysengineers, sudoers, stt.local
> dn: cn=sysengineers,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: %sysengineer
> sudoHost: ALL
> sudoCommand: ALL
> cn: sysengineers
> 
> # sysadmins, sudoers, stt.local
> dn: cn=sysadmins,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: %sysadmin
> sudoHost: ALL
> sudoCommand: ALL
> cn: sysadmins
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 7
> # numEntries: 6
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
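Rob's question about rundeck's group membership can be checked mechanically against the ou=sudoers dump. The script below is an added example, not code from the thread or from FreeIPA/SSSD: it parses sudoRole entries out of LDIF (the embedded sample is a subset of the ldapsearch output quoted above), lists which rules apply to a given user, group list and host, and reports whether sudo would still prompt. It models the matching described in sudoers.ldap(5): a rule applies when any sudoUser value (literal user, %group or ALL) and any sudoHost value (host, +netgroup or ALL) match, and when several rules match the one with the highest sudoOrder wins, a missing sudoOrder counting as 0. The group and host-netgroup memberships passed in are hypothetical inputs; sudoCommand and sudoRunAsUser are not evaluated, and only the winning rule's sudoOption values (after cn=defaults) decide the !authenticate outcome.

```python
"""Which sudoRole LDIF entries apply to a user, and does the winner carry
!authenticate?  Added example modelling sudoers.ldap(5) matching/order."""
from typing import Dict, List, Sequence

Entry = Dict[str, List[str]]

# Subset of the ou=sudoers dump quoted in the thread (container entry omitted).
SAMPLE_LDIF = """\
dn: cn=defaults,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoOption: !requiretty
cn: defaults

dn: cn=rundeck,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: rundeck
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
cn: rundeck

dn: cn=puppet,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %puppet
sudoHost: +puppet
sudoCommand: ALL
cn: puppet

dn: cn=sysadmins,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %sysadmin
sudoHost: ALL
sudoCommand: ALL
cn: sysadmins
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser: entries separated by blank lines, '#' comments
    skipped, multi-valued attributes kept as lists, continuation lines joined."""
    entries: List[Entry] = []
    current: Entry = {}
    last_key = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key:      # LDIF folded line
            current[last_key][-1] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        key = key.strip()
        current.setdefault(key, []).append(value.strip())
        last_key = key
    if current:
        entries.append(current)
    return entries


def user_matches(spec: str, user: str, groups: Sequence[str]) -> bool:
    """sudoUser value: ALL, %group, or a literal user (+netgroup not modelled)."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in groups
    if spec.startswith("+"):
        return False
    return spec == user


def host_matches(spec: str, host: str, host_netgroups: Sequence[str]) -> bool:
    """sudoHost value: ALL, +netgroup (host's netgroups are a hypothetical input), or literal host."""
    if spec == "ALL":
        return True
    if spec.startswith("+"):
        return spec[1:] in host_netgroups
    return spec == host


def matching_rules(entries: List[Entry], user: str, groups: Sequence[str],
                   host: str, host_netgroups: Sequence[str] = ()) -> List[Entry]:
    """Applicable sudoRole entries, sorted by sudoOrder ascending (missing = 0),
    so the last element is the rule sudo lets win."""
    found = [e for e in entries
             if "sudoRole" in e.get("objectClass", []) and e.get("cn") != ["defaults"]
             and any(user_matches(s, user, groups) for s in e.get("sudoUser", []))
             and any(host_matches(s, host, host_netgroups) for s in e.get("sudoHost", []))]
    return sorted(found, key=lambda e: float(e.get("sudoOrder", ["0"])[0]))


def password_required(entries: List[Entry], user: str, groups: Sequence[str],
                      host: str, host_netgroups: Sequence[str] = ()) -> bool:
    """True if sudo would prompt: cn=defaults options are applied first, then the
    winning rule's options; the last (!)authenticate seen decides."""
    options = [o for e in entries if e.get("cn") == ["defaults"] for o in e.get("sudoOption", [])]
    rules = matching_rules(entries, user, groups, host, host_netgroups)
    if rules:
        options += rules[-1].get("sudoOption", [])
    authenticate = True
    for opt in options:
        if opt in ("authenticate", "!authenticate"):
            authenticate = not opt.startswith("!")
    return authenticate


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for groups in ([], ["sysadmin"]):          # hypothetical memberships
        rules = matching_rules(ents, "rundeck", groups, "host1")
        print(groups, [r["cn"][0] for r in rules],
              "prompt" if password_required(ents, "rundeck", groups, "host1") else "no prompt")
```

Run it against a real `ldapsearch -b ou=sudoers,...` dump and the `id` output of the account in question; if a second, password-requiring rule matches and sorts after the !authenticate one, that is exactly the precedence effect Pavel describes, and a sudoOrder value on the intended rule is the fix.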