Re: [Freeipa-users] sudo questions

2012-10-09 Thread Rob Crittenden

Sigbjorn Lie wrote:
> On 10/09/2012 04:08 PM, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>> On Tue, October 9, 2012 01:13, Dmitri Pal wrote:
>>>> On 10/08/2012 06:04 PM, Sigbjorn Lie wrote:
>>>>> Hi,
>>>>
>>>> Thank you for the report!
>>>>
>>>>> I've been testing the sudo integration with IPA and I came across some
>>>>> questions:
>>>>>
>>>>> 1. When I disable or delete a sudo rule, it's not removed from the
>>>>> ou=sudoers until I restart the directory server. Am I doing something wrong?
>>>>> (389-ds-base-1.2.10.2-20.el6_3.x86_64, slapi-nis-0.40-1.el6.x86_64)
>>>>
>>>> This might be a bug in the compat plugin. The internal tree is reflected
>>>> into the standard sudo schema that is supposed to be kept in sync with the
>>>> internal tree. However I would be surprised if there is actually a bug.
>>>
>>> I definitely still saw the rules in ou=sudoers even though I disabled or
>>> deleted the rules. However the cn=sudo tree was instantly updated.
>>>
>>> Could someone else test and see if they see the same behaviour?
>>>
>>>>> 2. Perhaps the documentation should mention creating a rule called
>>>>> "defaults" to put default options for all sudo rules in. Or even
>>>>> better having one created by default with a fresh IPA installation. It took
>>>>> me a few seconds to figure out where to put default options for all sudo rules.
>>>>
>>>> Can you please open an RFE in trac?
>>>> https://fedorahosted.org/freeipa
>>>
>>> Ok.
>>>
>>>>> 3. sudo integration with SSSD does not work when anonymous LDAP
>>>>> authentication is disabled at the server. Enabling verbose logging in SSSD
>>>>> seems to suggest that it's attempting anonymous auth only.
>>>>> (sssd-1.8.4-14.fc17.x86_64)
>>>>
>>>> Which integration are you trying? The one that was tech preview in 1.8?
>>>> The one that makes SSSD cache sudo rules? It was significantly rewritten
>>>> in 1.9. Can you please try with 1.9?
>>>
>>> This was F17. Are there F17 packages for 1.9 somewhere? Will 1.9 be in the
>>> next update of RHEL 6?
>>>
>>>>> 4. Having spaces in sudo options (such as "env_keep = 'ENV_VAR'") makes
>>>>> sudo display these options as errors when sudo debugging is enabled
>>>>> (sudoers_debug 1 in /etc/ldap.conf or /etc/sudo-ldap.conf):
>>>>> sudo: unknown defaults entry `env_keep '
>>>>
>>>> Yes. This is a known issue already filed as a ticket.
>>>
>>> OK
>>>
>>>>> 5. It would be great to have a set of sudo commands and a set of sudo
>>>>> command groups installed by default.
>>>>
>>>> Can you make a proposal about what groups you would like to see in an RFE?
>>>> https://fedorahosted.org/freeipa
>>>
>>> Sure. I do believe in having only 1 sudoers source, either a file or ldap.
>>> So I believe the contents of the file /etc/sudoers distributed with the
>>> sudoers package is a good starting point.
>>>
>>>>> 6. Adding a sudo command having multiple commands listed (such as:
>>>>> "/sbin/route, /sbin/ifconfig, /bin/ping") is allowed in IPA and does list
>>>>> it correctly as allowed commands when doing "sudo -l", however attempting
>>>>> to execute one of the commands in the list using sudo fails.
>>>>
>>>> Can you please try SSSD 1.9?
>>>
>>> Sure, but I'm not sure how that is going to matter as this is sudo
>>> returning an error. How is it expected to be different when the information
>>> is coming from a different source?
>>>
>>> I believe we have to do the LDAP way and not the SSSD way in production
>>> though as we have clients such as older RHEL and Solaris as well besides
>>> RHEL 6. So this should be fixed regardless of where the sudo source is
>>> coming from. And I believe we are not alone here in having a mixed
>>> environment... :)
>>
>> Your command is allowing a user to pass the arguments /sbin/ifconfig,
>> /bin/ping to /sbin/iparoute, (note the commas). A sudo command is a
>> single invocation of a command.
>>
>> rob
>
> I am well aware of that. :)
>
> However that is an allowed syntax in file based sudoers.
>
> I believe there should be syntax checking in IPA when adding sudo
> commands since it's not working with ldap based sudoers.
>
> Regards,
> Siggi

I'm just not sure how we would know, except maybe to detect the commas
and warn the user. If you'd like this enhancement can you open a ticket
on our trac?

thanks

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
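The two pitfalls discussed in this thread (a sudo command with commas being stored as one invocation with comma-laden arguments, and a sudo option with spaces around the operator being rejected by sudo-ldap) are exactly the kind of thing a pre-flight check can catch before a rule reaches the directory. The following is an added example written for this page; it is not FreeIPA or sudo project code, every function and message name in it is invented here, the "several comma-separated absolute paths" heuristic is an assumption about what a pasted sudoers command list looks like, and the rewrite of `env_keep = 'ENV_VAR'` to `env_keep='ENV_VAR'` assumes sudo accepts the whitespace-free form from sudoers(5).

```python
"""Pre-flight checks for sudo rule data destined for IPA's LDAP sudo tree.

Added example for this thread; it is not FreeIPA or sudo project code, and
every function and message in it is invented here. It encodes the two
pitfalls discussed above, from a defender's point of view (a rule that
silently grants something other than what the admin meant):

  * a sudoCommand containing commas is stored as ONE invocation whose
    argument list happens to contain commas, not as a list of commands the
    way "/sbin/route, /sbin/ifconfig" would be read in /etc/sudoers;
  * a sudoOption written with spaces around the operator, such as
    "env_keep = 'ENV_VAR'", is reported by sudo-ldap as an unknown defaults
    entry (assumed fix: write it without whitespace, as in sudoers(5)).
"""
import re
from dataclasses import dataclass, field


@dataclass
class LintResult:
    ok: bool                                       # True: store the value as-is
    messages: list = field(default_factory=list)   # human-readable findings
    suggested: list = field(default_factory=list)  # values to store instead


def lint_sudo_command(command: str) -> LintResult:
    """Flag a sudoCommand that looks like a sudoers-file command list.

    Heuristic (assumption): if splitting on commas yields several pieces that
    all start with '/', the admin pasted a command list. Commas inside
    genuine arguments ("/bin/mount -o nosuid,nodev /mnt") do not trigger it.
    """
    command = command.strip()
    if not command:
        return LintResult(False, ["empty command"])
    pieces = [p.strip() for p in command.split(",")]
    if len(pieces) > 1 and all(p.startswith("/") for p in pieces):
        head, args = command.split(",", 1)
        return LintResult(
            False,
            [f"{command!r} is a single invocation of {head.strip()} with the "
             f"arguments {(',' + args)!r}; add each command as its own entry"],
            pieces,
        )
    if command != "ALL" and not command.startswith("/"):
        return LintResult(False, [f"{command!r} is not an absolute path"])
    return LintResult(True, [], [command])


# name, optional operator (=, +=, -=) and value; a leading '!' negates a flag
_OPTION_RE = re.compile(r"^(!?)([A-Za-z_][A-Za-z0-9_]*)(?:\s*([+-]?=)\s*(.*))?$")


def lint_sudo_option(option: str) -> LintResult:
    """Normalize a sudoOption so sudo's defaults parser sees one token.

    "env_keep = 'ENV_VAR'" becomes "env_keep='ENV_VAR'"; a bare flag such as
    "!authenticate" passes unchanged.
    """
    m = _OPTION_RE.match(option.strip())
    if not m:
        return LintResult(False, [f"cannot parse option {option!r}"])
    neg, name, op, value = m.groups()
    if op is None:
        return LintResult(True, [], [f"{neg}{name}"])
    normalized = f"{neg}{name}{op}{value.strip()}"
    if normalized != option:
        return LintResult(
            False,
            [f"rewrote {option!r} as {normalized!r} (no whitespace around {op!r})"],
            [normalized],
        )
    return LintResult(True, [], [normalized])


def lint_rule(commands, options):
    """Lint a whole rule; returns (all_clean, findings) with findings flattened."""
    findings = []
    for c in commands:
        findings.extend(lint_sudo_command(c).messages)
    for o in options:
        findings.extend(lint_sudo_option(o).messages)
    return (not findings), findings


if __name__ == "__main__":
    # Constructed sample rule reproducing the thread's two reports.
    clean, findings = lint_rule(
        ["/sbin/route, /sbin/ifconfig, /bin/ping", "/usr/bin/passwd *"],
        ["env_keep = 'ENV_VAR'", "!authenticate"],
    )
    print("clean" if clean else "\n".join(findings))
```

Run it as a script to see the two findings for the constructed rule, or import `lint_rule` into whatever wraps `ipa sudocmd-add` / `ipa sudorule-add-option` on your side. The command check deliberately stays a warning rather than an automatic split: a comma-separated argument list can be legitimate, so the admin should confirm which of the two meanings was intended.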


Re: [Freeipa-users] sudo questions

2012-10-09 Thread Sigbjorn Lie

On 10/09/2012 04:08 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> On Tue, October 9, 2012 01:13, Dmitri Pal wrote:
>>> On 10/08/2012 06:04 PM, Sigbjorn Lie wrote:
>>>> Hi,
>>>
>>> Thank you for the report!
>>>
>>>> I've been testing the sudo integration with IPA and I came across some
>>>> questions:
>>>>
>>>> 1. When I disable or delete a sudo rule, it's not removed from the
>>>> ou=sudoers until I restart the directory server. Am I doing something wrong?
>>>> (389-ds-base-1.2.10.2-20.el6_3.x86_64, slapi-nis-0.40-1.el6.x86_64)
>>>
>>> This might be a bug in the compat plugin. The internal tree is reflected
>>> into the standard sudo schema that is supposed to be kept in sync with the
>>> internal tree. However I would be surprised if there is actually a bug.
>>
>> I definitely still saw the rules in ou=sudoers even though I disabled or
>> deleted the rules. However the cn=sudo tree was instantly updated.
>>
>> Could someone else test and see if they see the same behaviour?
>>
>>>> 2. Perhaps the documentation should mention creating a rule called
>>>> "defaults" to put default options for all sudo rules in. Or even
>>>> better having one created by default with a fresh IPA installation. It took
>>>> me a few seconds to figure out where to put default options for all sudo rules.
>>>
>>> Can you please open an RFE in trac?
>>> https://fedorahosted.org/freeipa
>>
>> Ok.
>>
>>>> 3. sudo integration with SSSD does not work when anonymous LDAP
>>>> authentication is disabled at the server. Enabling verbose logging in SSSD
>>>> seems to suggest that it's attempting anonymous auth only.
>>>> (sssd-1.8.4-14.fc17.x86_64)
>>>
>>> Which integration are you trying? The one that was tech preview in 1.8?
>>> The one that makes SSSD cache sudo rules? It was significantly rewritten
>>> in 1.9. Can you please try with 1.9?
>>
>> This was F17. Are there F17 packages for 1.9 somewhere? Will 1.9 be in the
>> next update of RHEL 6?
>>
>>>> 4. Having spaces in sudo options (such as "env_keep = 'ENV_VAR'") makes
>>>> sudo display these options as errors when sudo debugging is enabled
>>>> (sudoers_debug 1 in /etc/ldap.conf or /etc/sudo-ldap.conf):
>>>> sudo: unknown defaults entry `env_keep '
>>>
>>> Yes. This is a known issue already filed as a ticket.
>>
>> OK
>>
>>>> 5. It would be great to have a set of sudo commands and a set of sudo
>>>> command groups installed by default.
>>>
>>> Can you make a proposal about what groups you would like to see in an RFE?
>>> https://fedorahosted.org/freeipa
>>
>> Sure. I do believe in having only 1 sudoers source, either a file or ldap.
>> So I believe the contents of the file /etc/sudoers distributed with the
>> sudoers package is a good starting point.
>>
>>>> 6. Adding a sudo command having multiple commands listed (such as:
>>>> "/sbin/route, /sbin/ifconfig, /bin/ping") is allowed in IPA and does list
>>>> it correctly as allowed commands when doing "sudo -l", however attempting
>>>> to execute one of the commands in the list using sudo fails.
>>>
>>> Can you please try SSSD 1.9?
>>
>> Sure, but I'm not sure how that is going to matter as this is sudo
>> returning an error. How is it expected to be different when the information
>> is coming from a different source?
>>
>> I believe we have to do the LDAP way and not the SSSD way in production
>> though as we have clients such as older RHEL and Solaris as well besides
>> RHEL 6. So this should be fixed regardless of where the sudo source is
>> coming from. And I believe we are not alone here in having a mixed
>> environment... :)
>
> Your command is allowing a user to pass the arguments /sbin/ifconfig,
> /bin/ping to /sbin/iparoute, (note the commas). A sudo command is a
> single invocation of a command.
>
> rob

I am well aware of that. :)

However that is an allowed syntax in file based sudoers.

I believe there should be syntax checking in IPA when adding sudo
commands since it's not working with ldap based sudoers.

Regards,
Siggi



Re: [Freeipa-users] sudo questions

2012-10-09 Thread Rob Crittenden

Sigbjorn Lie wrote:
> On Tue, October 9, 2012 01:13, Dmitri Pal wrote:
>> On 10/08/2012 06:04 PM, Sigbjorn Lie wrote:
>>> Hi,
>>
>> Thank you for the report!
>>
>>> I've been testing the sudo integration with IPA and I came across some
>>> questions:
>>>
>>> 1. When I disable or delete a sudo rule, it's not removed from the
>>> ou=sudoers until I restart the directory server. Am I doing something wrong?
>>> (389-ds-base-1.2.10.2-20.el6_3.x86_64, slapi-nis-0.40-1.el6.x86_64)
>>
>> This might be a bug in the compat plugin. The internal tree is reflected
>> into the standard sudo schema that is supposed to be kept in sync with the
>> internal tree. However I would be surprised if there is actually a bug.
>
> I definitely still saw the rules in ou=sudoers even though I disabled or
> deleted the rules. However the cn=sudo tree was instantly updated.
>
> Could someone else test and see if they see the same behaviour?
>
>>> 2. Perhaps the documentation should mention creating a rule called
>>> "defaults" to put default options for all sudo rules in. Or even
>>> better having one created by default with a fresh IPA installation. It took
>>> me a few seconds to figure out where to put default options for all sudo rules.
>>
>> Can you please open an RFE in trac?
>> https://fedorahosted.org/freeipa
>
> Ok.
>
>>> 3. sudo integration with SSSD does not work when anonymous LDAP
>>> authentication is disabled at the server. Enabling verbose logging in SSSD
>>> seems to suggest that it's attempting anonymous auth only.
>>> (sssd-1.8.4-14.fc17.x86_64)
>>
>> Which integration are you trying? The one that was tech preview in 1.8?
>> The one that makes SSSD cache sudo rules? It was significantly rewritten
>> in 1.9. Can you please try with 1.9?
>
> This was F17. Are there F17 packages for 1.9 somewhere? Will 1.9 be in the
> next update of RHEL 6?
>
>>> 4. Having spaces in sudo options (such as "env_keep = 'ENV_VAR'") makes
>>> sudo display these options as errors when sudo debugging is enabled
>>> (sudoers_debug 1 in /etc/ldap.conf or /etc/sudo-ldap.conf):
>>> sudo: unknown defaults entry `env_keep '
>>
>> Yes. This is a known issue already filed as a ticket.
>
> OK
>
>>> 5. It would be great to have a set of sudo commands and a set of sudo
>>> command groups installed by default.
>>
>> Can you make a proposal about what groups you would like to see in an RFE?
>> https://fedorahosted.org/freeipa
>
> Sure. I do believe in having only 1 sudoers source, either a file or ldap.
> So I believe the contents of the file /etc/sudoers distributed with the
> sudoers package is a good starting point.
>
>>> 6. Adding a sudo command having multiple commands listed (such as:
>>> "/sbin/route, /sbin/ifconfig, /bin/ping") is allowed in IPA and does list
>>> it correctly as allowed commands when doing "sudo -l", however attempting
>>> to execute one of the commands in the list using sudo fails.
>>
>> Can you please try SSSD 1.9?
>
> Sure, but I'm not sure how that is going to matter as this is sudo
> returning an error. How is it expected to be different when the information
> is coming from a different source?
>
> I believe we have to do the LDAP way and not the SSSD way in production
> though as we have clients such as older RHEL and Solaris as well besides
> RHEL 6. So this should be fixed regardless of where the sudo source is
> coming from. And I believe we are not alone here in having a mixed
> environment... :)

Your command is allowing a user to pass the arguments /sbin/ifconfig,
/bin/ping to /sbin/iparoute, (note the commas). A sudo command is a
single invocation of a command.

rob



Re: [Freeipa-users] sudo questions

2012-10-09 Thread Sigbjorn Lie



On Tue, October 9, 2012 07:59, Jakub Hrozek wrote:
> On Tue, Oct 09, 2012 at 12:04:24AM +0200, Sigbjorn Lie wrote:
>
>> Hi,
>>
>>
>
> Hi Siggi,
>
>
>> 3. sudo integration with SSSD does not work when anonymous LDAP
>> authentication is disabled at the server. Enabling verbose logging in SSSD
>> seems to suggest that it's attempting anonymous auth only.
>> (sssd-1.8.4-14.fc17.x86_64)
>>
>
> This is a known limitation of both 1.8 and 1.9. SSSD-1.9 documentation
> includes an example on how to configure the sudo provider against an IPA
> server:
> http://jhrozek.fedorapeople.org/sssd/1.9.1/man/sssd-sudo.5.html
>
> We're tracking creating a native IPA sudo backend in SSSD-1.10:
> https://fedorahosted.org/sssd/ticket/1108
>

OK

>> 6. Adding a sudo command having multiple commands listed (such as:
>> "/sbin/route, /sbin/ifconfig, /bin/ping") is allowed in IPA and does list
>> it correctly as allowed commands when doing "sudo -l", however attempting
>> to execute one of the commands in the list using sudo fails.
>>
>
> This was with SSSD or nss-pam-ldapd?


ldap directly, not sssd.


regards,
Siggi




Re: [Freeipa-users] sudo questions

2012-10-09 Thread Sigbjorn Lie



On Tue, October 9, 2012 01:13, Dmitri Pal wrote:
> On 10/08/2012 06:04 PM, Sigbjorn Lie wrote:
>
>> Hi,
>>
>
>
> Thank you for the report!
>
>
>>
>> I've been testing the sudo integration with IPA and I came across some
>> questions:
>>
>>
>> 1. When I disable or delete a sudo rule, it's not removed from the
>> ou=sudoers until I restart the directory server. Am I doing something wrong?
>> (389-ds-base-1.2.10.2-20.el6_3.x86_64, slapi-nis-0.40-1.el6.x86_64)
>>
>>
>
> This might be a bug in the compat plugin. The internal tree is reflected
> into the standard sudo schema that is supposed to be kept in sync with the 
> internal tree. However I
> would be surprised if there is actually a bug.
>

I definitely still saw the rules in ou=sudoers even though I disabled or 
deleted the rules.
However the cn=sudo tree was instantly updated.

Could someone else test and see if they see the same behaviour?


>> 2. Perhaps the documentation should mention creating a rule called
>> "defaults" to put default options for all sudo rules in. Or even
>> better having one created by default with a fresh IPA installation. It took 
>> me a few seconds to
>> figure out where to put default options for all sudo rules.
>
> Can you please open an RFE in trac?
> https://fedorahosted.org/freeipa
>

Ok.


>
>
>>
>> 3. sudo integration with SSSD does not work when anonymous LDAP
>> authentication is disabled at the server. Enabling verbose logging in SSSD
>> seems to suggest that it's attempting anonymous auth only.
>> (sssd-1.8.4-14.fc17.x86_64)
>>
>
> Which integration are you trying? The one that was tech preview in 1.8?
> The one that makes SSSD cache sudo rules? It was significantly rewritten
> in 1.9. Can you please try with 1.9?
>

This was F17. Are there F17 packages for 1.9 somewhere? Will 1.9 be in the next
update of RHEL 6?

>
>>
>> 4. Having spaces in sudo options (such as "env_keep = 'ENV_VAR'") makes
>> sudo display these options as errors when sudo debugging is enabled 
>> (sudoers_debug 1 in
>> /etc/ldap.conf or /etc/sudo-ldap.conf):
>> sudo: unknown defaults entry `env_keep '
>>
>
> Yes. This is a known issue already filed as a ticket.
>

OK

>
>>
>> 5. It would be great to have a set of sudo commands and a set of sudo
>> command groups installed by default.
>
> Can you make a proposal about what groups you would like to see in an RFE?
> https://fedorahosted.org/freeipa
>

Sure. I do believe in having only 1 sudoers source, either a file or ldap. So I
believe the contents of the file /etc/sudoers distributed with the sudoers
package is a good starting point.




>
>
>>
>> 6. Adding a sudo command having multiple commands listed (such as:
>> "/sbin/route, /sbin/ifconfig, /bin/ping") is allowed in IPA and does list it
>> correctly as allowed commands when doing "sudo -l", however attempting to
>> execute one of the commands in the list using sudo fails.
>>
>>
>
> Can you please try SSSD 1.9?

Sure, but I'm not sure how that is going to matter as this is sudo returning an 
error. How is it
expected to be different when the information is coming from a different source?

I believe we have to do the LDAP way and not the SSSD way in production though
as we have clients such as older RHEL and Solaris as well besides RHEL 6. So
this should be fixed regardless of where the sudo source is coming from. And I
believe we are not alone here in having a mixed environment... :)

File a bug?



Regards,
Siggi







Re: [Freeipa-users] sudo questions

2012-10-08 Thread Jakub Hrozek
On Tue, Oct 09, 2012 at 12:04:24AM +0200, Sigbjorn Lie wrote:
> Hi,
> 

Hi Siggi,

> 3. sudo integration with SSSD does not work when anonymous LDAP
> authentication is disabled at the server. Enabling verbose logging
> in SSSD seems to suggest that it's attempting anonymous auth only.
> (sssd-1.8.4-14.fc17.x86_64)

This is a known limitation of both 1.8 and 1.9. SSSD-1.9 documentation
includes an example on how to configure the sudo provider against an IPA
server:
http://jhrozek.fedorapeople.org/sssd/1.9.1/man/sssd-sudo.5.html

We're tracking creating a native IPA sudo backend in SSSD-1.10:
https://fedorahosted.org/sssd/ticket/1108

> 6. Adding a sudo command having multiple commands listed (such as:
> "/sbin/route, /sbin/ifconfig, /bin/ping")
> is allowed in IPA and does list it correctly as allowed commands
> when doing "sudo -l", however attempting to execute one of the
> commands in the list using sudo fails.

This was with SSSD or nss-pam-ldapd?



Re: [Freeipa-users] sudo questions

2012-10-08 Thread Dmitri Pal
On 10/08/2012 06:04 PM, Sigbjorn Lie wrote:
> Hi,


Thank you for the report!

>
> I've been testing the sudo integration with IPA and I came across some
> questions:
>
> 1. When I disable or delete a sudo rule, it's not removed from the
> ou=sudoers until I restart the directory server. Am I doing something
> wrong? (389-ds-base-1.2.10.2-20.el6_3.x86_64, slapi-nis-0.40-1.el6.x86_64)
>

This might be a bug in the compat plugin. The internal tree is reflected
into the standard sudo schema that is supposed to be kept in sync with
the internal tree. However I would be surprised if there is actually a bug.

> 2. Perhaps the documentation should mention creating a rule called
> "defaults" to put default options for all sudo rules in. Or even
> better having one created by default with a fresh IPA installation. It
> took me a few seconds to figure out where to put default options for
> all sudo rules.

Can you please open an RFE in trac?
https://fedorahosted.org/freeipa


>
> 3. sudo integration with SSSD does not work when anonymous LDAP
> authentication is disabled at the server. Enabling verbose logging in
> SSSD seems to suggest that it's attempting anonymous auth only.
> (sssd-1.8.4-14.fc17.x86_64)

Which integration are you trying? The one that was tech preview in 1.8?
The one that makes SSSD cache sudo rules? It was significantly rewritten
in 1.9. Can you please try with 1.9?


>
> 4. Having spaces in sudo options (such as "env_keep = 'ENV_VAR'") makes
> sudo display these options as errors when sudo debugging is enabled
> (sudoers_debug 1 in /etc/ldap.conf or /etc/sudo-ldap.conf):
> sudo: unknown defaults entry `env_keep '

Yes. This is a known issue already filed as a ticket.

>
> 5. It would be great to have a set of sudo commands and a set of sudo
> command groups installed by default.

Can you make a proposal about what groups you would like to see in an RFE?
https://fedorahosted.org/freeipa


>
> 6. Adding a sudo command having multiple commands listed (such as:
> "/sbin/route, /sbin/ifconfig, /bin/ping")
> is allowed in IPA and does list it correctly as allowed commands when
> doing "sudo -l", however attempting to execute one of the commands in
> the list using sudo fails.
>

Can you please try SSSD 1.9?

> I did my testing with IPA server 2.2 in CentOS 6.3.
>
>
>
> Regards,
> Siggi
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.





[Freeipa-users] sudo questions

2012-10-08 Thread Sigbjorn Lie

Hi,

I've been testing the sudo integration with IPA and I came across some 
questions:


1. When I disable or delete a sudo rule, it's not removed from the 
ou=sudoers until I restart the directory server. Am I doing something 
wrong? (389-ds-base-1.2.10.2-20.el6_3.x86_64, slapi-nis-0.40-1.el6.x86_64)


2. Perhaps the documentation should mention creating a rule called 
"defaults" to put default options for all sudo rules in. Or even better 
having one created by default with a fresh IPA installation. It took me 
a few seconds to figure out where to put default options for all sudo rules.


3. sudo integration with SSSD does not work when anonymous LDAP 
authentication is disabled at the server. Enabling verbose logging in 
SSSD seems to suggest that it's attempting anonymous auth only. 
(sssd-1.8.4-14.fc17.x86_64)


4. Having spaces in sudo options (such as "env_keep = 'ENV_VAR'") makes 
sudo display these options as errors when sudo debugging is enabled 
(sudoers_debug 1 in /etc/ldap.conf or /etc/sudo-ldap.conf):

sudo: unknown defaults entry `env_keep '

5. It would be great to have a set of sudo commands and a set of sudo 
command groups installed by default.


6. Adding a sudo command having multiple commands listed (such as: 
"/sbin/route, /sbin/ifconfig, /bin/ping") 
is allowed in IPA and does list it correctly as allowed commands when 
doing "sudo -l", however attempting to execute one of the commands in 
the list using sudo fails.


I did my testing with IPA server 2.2 in CentOS 6.3.



Regards,
Siggi
