On 04/13/2015 05:37 PM, Alexander Bokovoy wrote: > On Mon, 13 Apr 2015, Gould, Joshua wrote: >> I’ve looked at the docs and it looks as if I can specify an external >> user who can have sudo rights via IPA. >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-sudorules.html#about-external-sudo >> >> >> The issue being that when I try to add my AD Trust user, it doesn’t >> allow the @ sign. (ex. gould@test.osuwmc). >> >> If I modify the sudo rule to allow all users, I can see that it allows >> my AD account sudo rights. >> >> $ sudo –l >> >> User gould@test.osuwmc may run the following commands on this host: >> (ALL : ALL) ALL >> >> How can I configure the rule to allow certain AD users to be able to >> execute certain sudo rules? > Through external users' groups mechanism we use for any other AD users > mapping in HBAC and SUDO. These are not local (not defined in IPA but > defined on the host) groups and users but rather AD groups and users. > > ipa group-add --external gould_group_ext > ipa group-add-member gould_group_ext --external=gould@test.osuwmc > ipa group-add gould_group > ipa group-add-member gould_group --groups=gould_group_ext > > And now make sudo rule that allows users of gould_group to run needed > commands. SSSD will pull in all membership information for gould_group, > including AD users.
Theoretically, adding AD users as *external* users to the SUDO rule should work, given they are stored as a bare string, no? See example of such rule below.. # ipa sudorule-show test --all --raw dn: ipaUniqueID=01405730-e273-11e4-9df6-001a4a104e33,cn=sudorules,cn=sudo,dc=f21 cn: test ipaenabledflag: TRUE hostcategory: all externaluser: foouser ipaUniqueID: 01405730-e273-11e4-9df6-001a4a104e33 memberallowcmd: ipaUniqueID=11281796-e273-11e4-abfe-001a4a104e33,cn=sudocmds,cn=sudo,dc=f21 objectClass: ipasudorule objectClass: ipaassociation The change in FreeIPA would be then only a matter of allowing users with '@' in 'externaluser' attribute -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project