[Freeipa-users] Re: sudo rule doesn't work

2020-01-20 Thread Florence Blanc-Renaud via FreeIPA-users

On 1/18/20 11:37 AM, Elhamsadat Azarian wrote:

Hi dear Florence,
Thanks for your reply.
I wasn't at the office, and today I checked the parameters but I can't find them 
in sssd.conf!

How can I check or set their values?


Hi,

(adding back freeipa-users mailing list)
All the parameters are described in the man page for sssd.conf or 
sssd-ldap. If they are not set in /etc/sssd/sssd.conf, then the default 
value applies.


flo


On Mon, 13 Jan 2020, 12:21 Florence Blanc-Renaud wrote:


On 1/13/20 9:38 AM, Elhamsadat Azarian wrote:
 > I did it but it doesn't work.
 > I think my sudo rule isn't placed on my hosts!!!
 >
Hi,

the sudorules can be cached on the host. Please check the following SSSD 
parameters:
- entry_cache_sudo_timeout -- How many seconds should sudo consider rules 
valid before asking the backend again
- ldap_sudo_smart_refresh_interval -- How many seconds SSSD has to wait 
before executing a smart refresh of sudo rules (which downloads all rules 
that have USN higher than the highest USN of cached rules).
- ldap_sudo_full_refresh_interval -- How many seconds SSSD will wait 
between executing a full refresh of sudo rules (which downloads all rules 
that are stored on the server).

HTH,
flo

 > On Mon, 13 Jan 2020, 11:57 Florence Blanc-Renaud wrote:
 >
 >     On 1/13/20 8:57 AM, Elhamsadat Azarian wrote:
 >      > Hi Florence
 >      > Thanks, I replaced it but it doesn't work!
 >      >
 >     Hi,
 >     can you also replace the "RunAs group category: all" attr with "RunAs
 >     User category: all"?
 >     flo
 >
 >      > On Mon, 13 Jan 2020, 11:18 Florence Blanc-Renaud wrote:
 >      >

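The three parameters Florence lists above decide how long a client keeps serving a stale copy of a sudo rule after it was changed on the server. The script below is an added example, not code from the thread or from the SSSD project: it reads the effective value of each one for a domain out of an sssd.conf, falling back to the default from sssd.conf(5)/sssd-ldap(5) when the key is absent (including entry_cache_sudo_timeout inheriting entry_cache_timeout), and with --refresh runs the client-side checks that need root on an enrolled host. The sssd.conf it parses is a constructed sample that the script writes itself; the domain name lshs.dc is taken from the log excerpt in the thread, and the default values are the documented ones at the time of writing, so confirm them against the man pages installed on your client.

```shell
#!/bin/sh
# Added example, not from the thread or the SSSD project: report the effective
# SSSD sudo cache settings for a domain, then (with --refresh) run the
# client-side checks. The sssd.conf used here is a constructed sample written
# by write_sample_conf; the domain name lshs.dc is the one in the log excerpt.
# Defaults are the ones documented in sssd.conf(5) and sssd-ldap(5) at the
# time of writing (assumption: confirm against the man pages on your host).

# write_sample_conf PATH  -- constructed sssd.conf for the example
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
services = nss, pam, sudo
domains = lshs.dc

[domain/lshs.dc]
id_provider = ipa
ipa_domain = lshs.dc
ipa_server = _srv_
# generic cache lifetime; entry_cache_sudo_timeout is not set, so it inherits this
entry_cache_timeout = 7200
# pull rules changed since the last refresh every 5 minutes instead of 15
ldap_sudo_smart_refresh_interval = 300

[sudo]
EOF
}

# conf_value CONF SECTION KEY DEFAULT
# Prints the value of KEY in [SECTION] of CONF, or DEFAULT when the key is
# absent there (SSSD applies the documented default in that case).
conf_value() {
    value=$(awk -v sect="[$2]" -v key="$3" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line == sect { insect = 1; next }
        insect && line ~ /^\[/ { insect = 0 }
        insect && index(line, key) == 1 {
            rest = substr(line, length(key) + 1)
            if (rest ~ /^[ \t]*=/) { sub(/^[ \t]*=[ \t]*/, "", rest); print rest; exit }
        }' "$1")
    if [ -n "$value" ]; then printf '%s\n' "$value"; else printf '%s\n' "$4"; fi
}

# effective_sudo_timeout CONF DOMAIN
# entry_cache_sudo_timeout defaults to entry_cache_timeout, which itself
# defaults to 5400, so resolve the chain in that order.
effective_sudo_timeout() {
    inherited=$(conf_value "$1" "domain/$2" entry_cache_timeout 5400)
    conf_value "$1" "domain/$2" entry_cache_sudo_timeout "$inherited"
}

# sudo_cache_report CONF DOMAIN  -- one line per parameter from the thread
sudo_cache_report() {
    printf '%-34s %s\n' entry_cache_sudo_timeout "$(effective_sudo_timeout "$1" "$2")"
    printf '%-34s %s\n' ldap_sudo_smart_refresh_interval \
        "$(conf_value "$1" "domain/$2" ldap_sudo_smart_refresh_interval 900)"
    printf '%-34s %s\n' ldap_sudo_full_refresh_interval \
        "$(conf_value "$1" "domain/$2" ldap_sudo_full_refresh_interval 21600)"
}

# refresh_sudo_rules_on_client  -- needs root on an enrolled IPA client
refresh_sudo_rules_on_client() {
    # sudo only consults SSSD when nsswitch routes sudoers lookups to sss
    grep -E '^sudoers:.*[[:space:]]sss([[:space:]]|$)' /etc/nsswitch.conf \
        || echo 'WARNING: /etc/nsswitch.conf does not send sudoers lookups to sss'
    # drop the cached rules so the next lookup goes back to the server
    sss_cache -R
    # what sudo now believes user-test may and may not run on this host
    sudo -l -U user-test
}

sample=$(mktemp)
write_sample_conf "$sample"
echo "Effective sudo cache settings for domain lshs.dc (sample sssd.conf):"
sudo_cache_report "$sample" lshs.dc
rm -f "$sample"

if [ "${1:-}" = "--refresh" ]; then refresh_sudo_rules_on_client; fi
```

Run it with no arguments to see the report for the sample; on a real client point conf_value and sudo_cache_report at /etc/sssd/sssd.conf and your own domain name. Lowering the intervals makes rule changes show up sooner on every client at the cost of more LDAP traffic to the IPA servers.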
[Freeipa-users] Re: sudo rule doesn't work

2020-01-12 Thread Florence Blanc-Renaud via FreeIPA-users

On 1/12/20 12:26 PM, Elhamsadat Azarian via FreeIPA-users wrote:

Hi friends,
I defined a sudo rule with these properties:

rulename : rsyslog_rule
Enabled : true
RunAs group Category : All
users : user-test
hosts : ipacli-irvlt01.mydomain.com
sudo Deny Commands : sudo /usr/bin/systemctl restart rsyslog

Now I log in as "user-test" on the "ipacli-irvlt01" server and try to run the 
"sudo /usr/bin/systemctl restart rsyslog" command. I expected it not to allow 
this command to run, but nothing happened and I could run it!!!

Why doesn't my sudo rule work?

Hi,

can you try to replace the "sudo deny commands" value "sudo 
/usr/bin/systemctl restart rsyslog" with "/usr/bin/systemctl restart 
rsyslog"?


thanks,
flo



--
This is less /var/log/sssd/sssd_domain.log:
(Sun Jan 12 13:59:01 2020) [sssd[be[lshs.dc]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
--
This is /var/log/sssd/sssd_sudo.log:
(Sun Jan 12 13:59:01 2020) [sssd[sudo]] [orderly_shutdown] (0x0010): SIGTERM: killing children

--
This is less /var/log/sudo_debug:
Jan 12 14:19:27 sudo[17370] /etc/sudoers:53 CMNDALIAS ALIAS = COMMAND , COMMAND ARG , COMMAND ARG
Jan 12 14:19:27 sudo[17370] -> alias_add @ ./alias.c:120
Jan 12 14:19:27 sudo[17370] -> rcstr_addref @ ./rcstr.c:81
Jan 12 14:19:27 sudo[17370] <- rcstr_addref @ ./rcstr.c:88 := 0x55f2968e7714
Jan 12 14:19:27 sudo[17370] -> rbinsert @ ./redblack.c:177
Jan 12 14:19:27 sudo[17370] -> alias_compare @ ./alias.c:54
Jan 12 14:19:27 sudo[17370] <- alias_compare @ ./alias.c:62 := -13
Jan 12 14:19:27 sudo[17370] -> alias_compare @ ./alias.c:54
Jan 12 14:19:27 sudo[17370] <- alias_compare @ ./alias.c:62 := -6
Jan 12 14:19:27 sudo[17370] -> alias_compare @ ./alias.c:54
Jan 12 14:19:27 sudo[17370] <- alias_compare @ ./alias.c:62 := -6
Jan 12 14:19:27 sudo[17370] -> rotate_right @ ./redblack.c:147
Jan 12 14:19:27 sudo[17370] <- rotate_right @ ./redblack.c:163
Jan 12 14:19:27 sudo[17370] <- rbinsert @ ./redblack.c:265 := 0
Jan 12 14:19:27 sudo[17370] <- alias_add @ ./alias.c:143 := (null)
Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159
Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69
Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true
Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true
Jan 12 14:19:27 sudo[17370] -> fill_txt @ ./toke_util.c:52
Jan 12 14:19:27 sudo[17370] <- fill_txt @ ./toke_util.c:80 := true
Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159
Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69
Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true
Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true
Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159
Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69
Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true
Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true
Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159
Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69
Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true
Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true
Jan 12 14:19:27 sudo[17370] -> fill_cmnd @ ./toke_util.c:103
Jan 12 14:19:27 sudo[17370] <- fill_cmnd @ ./toke_util.c:124 := true
Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159
Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69
Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true
Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true
Jan 12 14:19:27 sudo[17370] -> fill_args @ ./toke_util.c:132
Jan 12 14:19:27 sudo[17370] <- fill_args @ ./toke_util.c:162 := true
Jan 12 14:19:27 sudo[17370] -> new_member @ gram.y:956
Jan 12 14:19:27 sudo[17370] <- new_member @ gram.y:968 := 0x55f2968ff550
Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159
Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69
Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true
Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true
Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159
Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69
Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true
Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true
Jan 12 14:19:27 sudo[17370] -> fill_cmnd @ ./toke_util.c:103
Jan 12 14:19:27 sudo[17370] <- fill_cmnd @ ./toke_util.c:124 := true
Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159
Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69
Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true
Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @
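Florence's first suggestion above, storing the command as "/usr/bin/systemctl restart rsyslog" rather than with a leading "sudo", is the whole point: sudo compares the stored path with the resolved path of the program the user asked to run, and "sudo" is never that program. The following is an added example, not part of the thread or of FreeIPA: a pre-flight function that normalises the command string before it is stored, a simplified model of sudoers command and argument matching (not sudo's own code) that shows which stored values can ever match what user-test ran, and the ipa CLI calls that build the rule from the original post with the RunAs user category set to all as suggested later in the thread (run with --apply on a host with an admin ticket). One caveat the thread does not reach: sudo denies anything not explicitly allowed, so a deny rule only changes the outcome when some other rule in /etc/sudoers or in IPA allows the command; sudo -l -U user-test on the client lists both, and the client may still serve a cached copy of the old rule until SSSD refreshes it.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: validate a sudo command
# string the way it must be stored in IPA, model how sudo matches a stored
# command against what the user ran, and (with --apply) build the rule from
# the original post with the ipa CLI. Names are the poster's; nothing here is
# sudo's or SSSD's real matching code, only a simplified model of it.

# sudo_rule_command STRING
# Prints the command as it belongs in the IPA sudo command entry: a leading
# "sudo" is dropped (sudo is the caller, never part of the command it
# matches) and the path must be absolute. Returns 1 if no valid command remains.
sudo_rule_command() {
    cmd=$(printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case $cmd in
        sudo)     return 1 ;;
        "sudo "*) cmd=$(printf '%s\n' "${cmd#sudo}" | sed 's/^[[:space:]]*//') ;;
    esac
    case $cmd in
        /*) printf '%s\n' "$cmd" ;;
        *)  return 1 ;;
    esac
}

# rule_matches RULE_COMMAND INVOKED_PATH INVOKED_ARGS
# Simplified model of sudoers command matching: the stored path must equal the
# fully qualified path sudo resolved for argv[0]; a stored command without
# arguments matches any arguments, a stored "" matches only an empty argument
# list, and otherwise the argument strings must be identical.
rule_matches() {
    rule_path=${1%% *}
    if [ "$rule_path" = "$1" ]; then
        rule_args=; has_args=0
    else
        rule_args=${1#* }; has_args=1
    fi
    [ "$rule_path" = "$2" ] || return 1
    [ "$has_args" -eq 0 ] && return 0
    if [ "$rule_args" = '""' ]; then
        [ -z "$3" ]
    else
        [ "$rule_args" = "$3" ]
    fi
}

# define_deny_rule  -- the rule from the original post, built with the ipa CLI.
# Needs an admin Kerberos ticket (kinit admin). The command is stored without
# the "sudo" prefix and the RunAs user category is set to all, as suggested in
# the thread.
define_deny_rule() {
    cmd=$(sudo_rule_command 'sudo /usr/bin/systemctl restart rsyslog') || exit 1
    ipa sudocmd-add "$cmd"
    ipa sudorule-add rsyslog_rule
    ipa sudorule-add-deny-command rsyslog_rule --sudocmds="$cmd"
    ipa sudorule-add-user rsyslog_rule --users=user-test
    ipa sudorule-add-host rsyslog_rule --hosts=ipacli-irvlt01.mydomain.com
    ipa sudorule-mod rsyslog_rule --runasusercat=all
    ipa sudorule-show rsyslog_rule --all
}

# Walk through stored values the poster might have used and show which ones
# can ever match "sudo /usr/bin/systemctl restart rsyslog" typed on the host.
invoked_path=/usr/bin/systemctl
invoked_args='restart rsyslog'
for stored in 'sudo /usr/bin/systemctl restart rsyslog' \
              '/usr/bin/systemctl restart rsyslog' \
              '/usr/bin/systemctl' \
              '/usr/bin/systemctl ""'; do
    if rule_matches "$stored" "$invoked_path" "$invoked_args"; then
        echo "MATCH    stored [$stored]"
    else
        echo "no match stored [$stored]"
    fi
done

if [ "${1:-}" = "--apply" ]; then define_deny_rule; fi
```

The matcher deliberately ignores sudoers features that do not bear on this thread (wildcards, digests, sudoedit), so treat it as an explanation of why the original value was silently ignored, not as a substitute for running sudo -l on the client.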