Re: [Freeipa-users] Allow user or group to switch user without password and not becoming root

2015-05-13 Thread Dmitri Pal

On 05/13/2015 01:12 PM, Andrey Ptashnik wrote:

Thank you everyone for your help!

I found two ways to implement it in IPA server and tested them. Both 
methods work in my current setup, RHEL 7.1 and IPA server 4.1.0. The first 
method allows the user to run the default terminal as the target user (bash in 
my case). The second method uses the su command, but runs it as the root 
user. So depending on security preferences either one could satisfy 
admins.


===

*Options:*
!authenticate

*Who:*
user1

*Access this Host:*
webserver

*Run Commands:*
/usr/bin/sudo
/bin/bash

*As Whom:*
oracle (external user type, since oracle is created locally only)

How it works:
[user1@webserver ~]$ sudo -u oracle bash -i
[oracle@webserver user1]$

===

*Options:*
!authenticate

*Who:*
user1

*Access this Host:*
webserver

*Run Commands:*
/usr/bin/sudo
/bin/su - oracle

*As Whom:*
root

How it works:
[user1@webserver ~]$ sudo su - oracle
Last login: Wed May 13 11:41:52 CDT 2015 on pts/0
[oracle@webserver ~]$

===

For some reason the *NOPASSWD:* option was not recognized correctly by the IPA 
server. This is the output I was getting:


[user1@webserver ~]$ sudo su - oracle
sudo: unknown defaults entry `NOPASSWD:'
Last login: Tue May 12 15:00:31 CDT 2015 on pts/1
Last failed login: Wed May 13 10:46:52 CDT 2015 on pts/0
There were 7 failed login attempts since the last successful login.
[oracle@webserver ~]$

Regards,

Andrey Ptashnik




Thank you!
Would you mind turning it into a HowTo on the freeIPA wiki?





--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Allow user or group to switch user without password and not becoming root

2015-05-13 Thread Andrey Ptashnik
Thank you everyone for your help!

I found two ways to implement it in IPA server and tested them. Both methods 
work in my current setup, RHEL 7.1 and IPA server 4.1.0. The first method allows 
the user to run the default terminal as the target user (bash in my case). The 
second method uses the su command, but runs it as the root user. So depending on 
security preferences either one could satisfy admins.

===

Options:
!authenticate

Who:
user1

Access this Host:
webserver

Run Commands:
/usr/bin/sudo
/bin/bash

As Whom:
oracle (external user type, since oracle is created locally only)

How it works:
[user1@webserver ~]$ sudo -u oracle bash -i
[oracle@webserver user1]$

===

Options:
!authenticate

Who:
user1

Access this Host:
webserver

Run Commands:
/usr/bin/sudo
/bin/su - oracle

As Whom:
root

How it works:
[user1@webserver ~]$ sudo su - oracle
Last login: Wed May 13 11:41:52 CDT 2015 on pts/0
[oracle@webserver ~]$

===

For some reason the NOPASSWD: option was not recognized correctly by the IPA 
server. This is the output I was getting:

[user1@webserver ~]$ sudo su - oracle
sudo: unknown defaults entry `NOPASSWD:'
Last login: Tue May 12 15:00:31 CDT 2015 on pts/1
Last failed login: Wed May 13 10:46:52 CDT 2015 on pts/0
There were 7 failed login attempts since the last successful login.
[oracle@webserver ~]$

Regards,

Andrey Ptashnik


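As an added example (not code from the thread or the FreeIPA project), the ipa CLI sequence that creates the two rules Andrey tested, with the pieces Dmitri mapped from the sudoers line (who, option, command, run-as) and the "!authenticate" option Joshua pointed out. The rule names and the host FQDN are assumptions; with DRY_RUN=1, the default here, the commands are printed rather than run.

```shell
#!/bin/sh
# Added example, not from the thread: builds the two FreeIPA sudo rules
# Andrey tested, via the ipa CLI. An admin Kerberos ticket is assumed when
# DRY_RUN=0; with DRY_RUN=1 (default) each ipa command is only printed.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_switch_rule RULE WHO HOST RUNAS COMMAND
# WHO may run COMMAND on HOST as RUNAS without a password. IPA rejects the
# sudoers keyword "NOPASSWD:" as a rule option (see the error in the thread);
# the sudo option it stores instead is "!authenticate".
add_switch_rule() {
    rule=$1 who=$2 host=$3 runas=$4 cmd=$5
    run ipa sudocmd-add "$cmd"                                     # command object first
    run ipa sudorule-add "$rule"
    run ipa sudorule-add-user "$rule" --users="$who"               # "Who"
    run ipa sudorule-add-host "$rule" --hosts="$host"              # "Access this Host"
    run ipa sudorule-add-allow-command "$rule" --sudocmds="$cmd"   # "Run Commands"
    run ipa sudorule-add-runasuser "$rule" --users="$runas"        # "As Whom"
    run ipa sudorule-add-option "$rule" --sudooption='!authenticate'
}

# Method 1: a shell directly as the local account; nothing runs as root.
# user1 then runs:  sudo -u oracle bash -i
# (/usr/bin/sudo from the thread's command list is not needed: only the
# command invoked through sudo has to be allowed.)
add_switch_rule switch_oracle_shell user1 webserver.example.com oracle /bin/bash

# Method 2: su as root, limited to this exact command line and nothing else.
# user1 then runs:  sudo su - oracle
add_switch_rule switch_oracle_su user1 webserver.example.com root '/bin/su - oracle'
```

After the rules exist, `sudo -l -U user1` on the client shows what SSSD fetched, which is the quickest way to confirm the option came through as "!authenticate" rather than a rejected defaults entry.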

Re: [Freeipa-users] Allow user or group to switch user without password and not becoming root

2015-05-12 Thread Gould, Joshua
For the NOPASSWD option, I found that using !authenticate in the sudo option 
is what IPA wants instead.


$ ipa sudorule-add-option readfiles
Sudo Option: !authenticate
-
Added option "!authenticate" to Sudo rule "readfiles"
-


Re: [Freeipa-users] Allow user or group to switch user without password and not becoming root

2015-05-12 Thread Dmitri Pal

On 05/12/2015 04:44 PM, Andrey Ptashnik wrote:

Hello Team,

We have RHEL 7.1 and IPA server 4.1.0 in our environment, as well as a 
stack of Oracle software that requires the existence of local passwordless 
users like weblogic and oracle.

Users log in to servers via domain accounts at the IPA server.

I'm trying to configure a sudo policy in the IPA server that will allow 
users in the company to log in to servers in the IPA domain and switch to 
the weblogic or oracle user without having to enter any passwords, but 
also without increasing their privileges to root.

Using a plain /etc/sudoers file it can be accomplished with something like the line below:

%users ALL = (root)


Users will be the "who" of the IPA sudo rule


NOPASSWD:


This will be an option that you would put into the sudo rule


/bin/su - oracle


This will be the command. You create a command and then reference it in 
the rule.


At least this is what I would try.



How can I configure this behavior in IPA server?

Regards,

Andrey






--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.


[Freeipa-users] Allow user or group to switch user without password and not becoming root

2015-05-12 Thread Andrey Ptashnik
Hello Team,

We have RHEL 7.1 and IPA server 4.1.0 in our environment, as well as a stack of 
Oracle software that requires the existence of local passwordless users like 
weblogic and oracle.
Users log in to servers via domain accounts at the IPA server.

I'm trying to configure a sudo policy in the IPA server that will allow users in the 
company to log in to servers in the IPA domain and switch to the weblogic or oracle 
user without having to enter any passwords, but also without increasing their 
privileges to root.
Using a plain /etc/sudoers file it can be accomplished with something like the line below:

%users ALL = (root) NOPASSWD: /bin/su - oracle

How can I configure this behavior in IPA server?

Regards,

Andrey
