More information:
 
[root@puppet01 ~]# cat /etc/sssd/sssd.conf
[domain/example.com]
 
cache_credentials = True
krb5_realm = EXAMPLE.COM
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = puppet01.example.com
chpass_provider = ipa
ipa_server = ipa01.example.com, ipa02.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_network_timeout = 2
ldap_opt_timeout = 2
ldap_search_timeout = 2
ldap_user_extra_attrs = email:mail, firstname:givenname, lastname:sn, ou
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
 
domains = example.com
[nss]
filter_users = root,apache,postgres,oracle,tomcat,puppet,foreman,foreman-proxy
filter_groups = root,apache,postgres,oracle,tomcat,puppet,foreman-proxy
homedir_substring = /home
 
[pam]
 
[sudo]
 
[autofs]
 
[ssh]

We don't use _srv_ as we have no control over the DNS servers.
 
[root@puppet01 ~]# cat /etc/nsswitch.conf | grep -v \#
 

passwd:     files sss
shadow:     files sss
group:      files sss
 
hosts:      files dns
 

bootparams: nisplus [NOTFOUND=return] files
 
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
 
netgroup:   files sss
 
publickey:  nisplus
 
automount:  files
aliases:    files nisplus
sudoers:    files sss
 
[root@puppet01 ~]#

The client runs sudo successfully for other rules that are in place.

________________________________

From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Innes, Duncan
Sent: 04 August 2015 12:10
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA and sudo Defaults


Information:
 
IPA server and client both running on RHEL 6.7 fully patched.
IPA server version: ipa-server-3.0.0-47.el6.x86_64
sssd client version: sssd-1.12.4-47.el6.x86_64
 
IPA server hosts dozens of sudo rules that work as expected.  This is
the first rule, however, that needs the !requiretty in the Defaults for
the user.
 
Thanks

D
 

________________________________

From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Innes, Duncan
Sent: 04 August 2015 10:58
To: freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA and sudo Defaults


Hi folks,
 
Struggling with creating a sudo rule in IPA that will allow my
foreman-proxy to run specific commands.  When I put the following into
/etc/sudoers.d/foreman:
 
[root@puppet01 ~]# cat /etc/sudoers.d/foreman
foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:foreman-proxy !requiretty
innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:innesd !requiretty
[root@puppet01 ~]#

[innesd@puppet01 ~]$ sudo -l
Matching Defaults entries for innesd on this host:
    !requiretty
 
User innesd may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick *
    (root) /bin/su
[innesd@puppet01 ~]$

Both my user and the foreman-proxy can run the relevant commands both on
the command line and remotely.
 
IT Security are not happy with local sudo rules being configured around
the network, so I'm trying to create the same configuration via IPA.
 
When I try to get the same rule into IPA, my user can run the command in
a tty, but the foreman-proxy user is refused.  This looks to be down to
the lack of !requiretty coming through for the users:
 
[root@ipa01 ~]# ipa sudorule-show foreman-proxy
  Rule name: foreman-proxy
  Enabled: TRUE
  User category: all
  Hosts: puppet02.example.com, puppet01.example.com,
         puppet03.example.com, puppet04.example.com
  Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
  Sudo Option: !authenticate, !requiretty
[root@ipa01 ~]#

and once I've removed the #includedir option from my local sudoers file,
I get the following as my user:
 
[innesd@puppet01 ~]$ sudo -l
User innesd may run the following commands on this host:
    (root) /bin/su
    (root) NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
[innesd@puppet01 ~]$

where the noticeable difference is that the !requiretty isn't listed
under any "Matching Defaults entries" for my user.  With the rule set up
like this, I can run the command in a tty, but the foreman-proxy user is
denied when the command is run without a tty.
 
How do I go about setting the Defaults for the foreman-proxy user?  Once
my testing is done, I'd like to move the rule to run only against the
foreman-proxy external user rather than all users.
 
And a small follow-up question: how long should I expect it to take for
a change to the sudo rule on my IPA server to become available on the
client?  I keep doing sss_cache -E to clear the cache, but it still
seems to take its own sweet time to be changed on the client.  It's not
a huge wait - just a bit of a pain when I'm testing these changes.
 
Thanks in advance,
 
Duncan Innes
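As an added example (not code from the thread or from the FreeIPA project), a small Python checker that parses the two `sudo -l` outputs quoted above and reports what the IPA-delivered rule set lacks relative to the local /etc/sudoers.d rule; the sample outputs are constructed copies of the ones in the post, and the parser assumes the `sudo -l` layout shown there.

```python
import re
# Constructed samples of the two `sudo -l` outputs in the thread: local sudoers.d rule vs IPA rule.
LOCAL_SUDO_L = """\
Matching Defaults entries for innesd on this host:
    !requiretty

User innesd may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick *
    (root) /bin/su
"""
IPA_SUDO_L = """\
User innesd may run the following commands on this host:
    (root) /bin/su
    (root) NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
"""
# One comma-separated entry: optional (runas), optional tag, then the command.
ENTRY_RE = re.compile(r"^(?:\((?P<runas>[^)]*)\)\s*)?(?:(?P<tag>NOPASSWD|PASSWD):\s*)?(?P<cmd>.+)$")

def _parse_command_line(line):
    # Runas and tag carry over to later entries on the same line (sudoers(5)),
    # which is why "puppet kick *" in the local sample is NOPASSWD as well.
    runas, nopasswd, out = "", False, []
    for entry in (e.strip() for e in line.split(",") if e.strip()):
        m = ENTRY_RE.match(entry)
        if m.group("runas") is not None:
            runas = m.group("runas")
        if m.group("tag"):
            nopasswd = m.group("tag") == "NOPASSWD"
        out.append((runas, nopasswd, m.group("cmd").strip()))
    return out

def parse_sudo_l(text):
    """Return (defaults, commands) parsed from `sudo -l` output."""
    defaults, commands, section = [], [], None
    for line in text.splitlines():
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
        elif line.startswith("User ") and "may run" in line:
            section = "commands"
        elif section == "defaults":
            defaults += [o.strip() for o in line.split(",") if o.strip()]
        elif section == "commands":
            commands += _parse_command_line(line.strip())
    return defaults, commands

def compare(reference, candidate):
    # Defaults options and (runas, nopasswd, cmd) tuples missing from or added by the candidate.
    ref_def, ref_cmd = parse_sudo_l(reference)
    cand_def, cand_cmd = parse_sudo_l(candidate)
    return {"missing_defaults": sorted(set(ref_def) - set(cand_def)),
            "missing_commands": sorted(set(ref_cmd) - set(cand_cmd)),
            "extra_commands": sorted(set(cand_cmd) - set(ref_cmd))}
```

Run against the two samples it reports only `missing_defaults: ['!requiretty']`, confirming that the command grants match and the Defaults entry is the one thing the IPA rule does not deliver.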

This message has been checked for viruses and spam by the Virgin Money
email scanning system powered by Messagelabs.

This e-mail is intended to be confidential to the recipient. If you
receive a copy in error, please inform the sender and then delete this
message.

Virgin Money plc - Registered in England and Wales (Company no.
6952311). Registered office - Jubilee House, Gosforth, Newcastle upon
Tyne NE3 4PL. Virgin Money plc is authorised by the Prudential
Regulation Authority and regulated by the Financial Conduct Authority
and the Prudential Regulation Authority.

The following companies also trade as Virgin Money. They are both
authorised and regulated by the Financial Conduct Authority, are
registered in England and Wales and have their registered office at
Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL: Virgin Money
Personal Financial Service Limited (Company no. 3072766) and Virgin
Money Unit Trust Managers Limited (Company no. 3000482).

For further details of Virgin Money group companies please visit our
website at virginmoney.com

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project