Re: [Freeipa-users] Sudo Rule not working
I had a similar issue. To see the details and solution, search the list for: Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

Jeff

On Thu, Sep 29, 2016 at 4:22 AM, Deepak Dimri wrote:
> Hi All,
>
> I have added a sudo rule having an allowed command for "sudo su" for a test
> user. When I log in with this test user to my IPA client (Ubuntu), I am
> getting the message "the user is not in the sudoers file. This
> incident will be reported." It works fine if I add the user to the sudoers
> file, but then the user can use sudo and is able to run all the commands,
> even the commands I have included in the "deny" list on my IPA server.
>
> Do we need to have the user/group added to the sudoers file for an IPA sudo rule to
> work? If so, how can I make it work with IPA sudo rules?
>
> Thanks,
>
> Deepak

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Sudo Rule not working
On Thu, Sep 29, 2016 at 08:22:03AM +, Deepak Dimri wrote:
> Hi All,
>
> I have added a sudo rule having an allowed command for "sudo su" for a test user.
> When I log in with this test user to my IPA client (Ubuntu), I am getting the
> message "the user is not in the sudoers file. This incident will be
> reported." It works fine if I add the user to the sudoers file, but then the user
> can use sudo and is able to run all the commands, even the commands I
> have included in the "deny" list on my IPA server.
>
> Do we need to have the user/group added to the sudoers file for an IPA sudo rule to work?
> If so, how can I make it work with IPA sudo rules?

Please check out:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
[Freeipa-users] Sudo Rule not working
Hi All,

I have added a sudo rule having an allowed command for "sudo su" for a test user. When I log in with this test user to my IPA client (Ubuntu), I am getting the message "the user is not in the sudoers file. This incident will be reported." It works fine if I add the user to the sudoers file, but then the user can use sudo and is able to run all the commands, even the commands I have included in the "deny" list on my IPA server.

Do we need to have the user/group added to the sudoers file for an IPA sudo rule to work? If so, how can I make it work with IPA sudo rules?

Thanks,

Deepak
Re: [Freeipa-users] Sudo Rule Not working with UserGroup
On Fri, Aug 14, 2015 at 07:05:48PM +0530, Yogesh Sharma wrote:
> Hi,
>
> We have moved to the next step and are working on configuring the sudo rules.
> When we add individual users to sudo rules, it works perfectly. However, as
> soon as we add a user group to the sudo rules, it stops working.

I'm sorry, but it's not possible to help without seeing the logs. In this case, the sudo logs.
[Freeipa-users] Sudo Rule Not working with UserGroup
Hi,

We have moved to the next step and are working on configuring the sudo rules. When we add individual users to sudo rules, it works perfectly. However, as soon as we add a user group to the sudo rules, it stops working.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
Re: [Freeipa-users] Sudo Rule Not working with UserGroup
It has started working. Not sure what happened, but it seems to be an issue with the cache timeout again. Thanks Jakub. I will update more if I am able to replicate the issue again.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified

On Fri, Aug 14, 2015 at 7:12 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Fri, Aug 14, 2015 at 07:05:48PM +0530, Yogesh Sharma wrote:
>> Hi,
>>
>> We have moved to the next step and are working on configuring the sudo rules.
>> When we add individual users to sudo rules, it works perfectly. However, as
>> soon as we add a user group to the sudo rules, it stops working.
>
> I'm sorry, but it's not possible to help without seeing the logs. In this
> case, the sudo logs.
[Freeipa-users] Sudo rule still working after deactivation
Thanks for the fast reply and great support. Using the 'entry_cache_sudo_timeout' parameter does the trick.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Sudo rule still working after deactivation
During our evaluation phase we're facing the following problem. One particular user was granted sudo permission with the help of a sudo rule. The user can successfully access the host via SSH and switch to user root by using the sudo command, which was enabled for the user with the sudo rule. After that the sudo rule was disabled, the user tried to log in again, and switching to root was still possible. After deleting the SSSD cache files and restarting the service, sudo did not work anymore, as expected.

How long does it take until the sudo rules are refreshed in the SSSD cache? I know that there are three different refresh mechanisms (full, smart, rule). The full and smart refresh mechanisms are performed periodically depending on the settings in the SSSD configuration file, and the rule method should refresh the user's specific rules after each login, which apparently was not the case in my test scenario. Please correct me if I'm wrong. Of course I can set the interval for smart refresh to a minimum of 10 seconds, but this would cause a lot of traffic. How can I configure SSSD to update the rules during each login of the user?

The following components are used:
- FreeIPA server: freeipa-server.x86_64 3.3.2-1.fc19
- FreeIPA client on CentOS: ipa-client.x86_64 3.0.0-26.el6_4.4
- SSSD sudo integration

--- /etc/sssd/sssd.conf ---
[domain/example.info]
debug_level = 0xFFF0
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.info
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = chef01.example.info
chpass_provider = ipa
ipa_server = _srv_, ipa01.example.info
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://ipa01.example.info
ldap_sudo_search_base = ou=sudoers,dc=example,dc=info
ldap_schema=IPA
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/chef01.example.info
ldap_sasl_realm = EXAMPLE.INFO
krb5_server = ipa01.example.info

[sssd]
debug_level = 0x0400
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.info

[nss]

[pam]

[sudo]
debug_level = 0xFFF0

[autofs]

[ssh]

[pac]
--- /etc/sssd/sssd.conf ---

I tested the scenario with very small intervals and the rules were properly updated:

ldap_sudo_full_refresh_interval = 30
ldap_sudo_smart_refresh_interval = 15

Is this a proper solution, or can I configure SSSD in a way that the rules are updated during each user's login?

I appreciate any help and thank you in advance.

Cheers,
David
Re: [Freeipa-users] Sudo rule still working after deactivation
On Wed, Nov 13, 2013 at 05:26:32PM +0100, David Kreuter wrote:
> During our evaluation phase we're facing the following problem. One particular
> user was granted sudo permission with the help of a sudo rule. The user can
> successfully access the host via SSH and switch to user root by using the
> sudo command, which was enabled for the user with the sudo rule. After that
> the sudo rule was disabled, the user tried to log in again, and switching to
> root was still possible. After deleting the SSSD cache files and restarting
> the service, sudo did not work anymore, as expected.
>
> How long does it take until the sudo rules are refreshed in the SSSD cache? I
> know that there are three different refresh mechanisms (full, smart, rule).
> The full and smart refresh mechanisms are performed periodically depending on
> the settings in the SSSD configuration file, and the rule method should
> refresh the user's specific rules after each login, which apparently was not
> the case in my test scenario. Please correct me if I'm wrong. Of course I can
> set the interval for smart refresh to a minimum of 10 seconds, but this would
> cause a lot of traffic. How can I configure SSSD to update the rules during
> each login of the user?

Hi David,

Pavel Brezina (CC-ed) would know for sure as he wrote the sudo integration, but I think the trick could be to force the rules refresh to run more often, as you noted, detecting the removed rules.

I'd suggest to lower the entry_cache_sudo_timeout to make the rules expire faster, which would trigger the rules refresh which, if it detected rules were removed, would trigger the full refresh.

Currently there's no config option that would tie login and rules refresh update.
Re: [Freeipa-users] Sudo rule still working after deactivation
On 11/13/2013 05:40 PM, Jakub Hrozek wrote:
> On Wed, Nov 13, 2013 at 05:26:32PM +0100, David Kreuter wrote:
>> During our evaluation phase we're facing the following problem. One
>> particular user was granted sudo permission with the help of a sudo rule.
>> The user can successfully access the host via SSH and switch to user root
>> by using the sudo command, which was enabled for the user with the sudo
>> rule. After that the sudo rule was disabled, the user tried to log in
>> again, and switching to root was still possible. After deleting the SSSD
>> cache files and restarting the service, sudo did not work anymore, as
>> expected.
>>
>> How long does it take until the sudo rules are refreshed in the SSSD
>> cache? I know that there are three different refresh mechanisms (full,
>> smart, rule). The full and smart refresh mechanisms are performed
>> periodically depending on the settings in the SSSD configuration file, and
>> the rule method should refresh the user's specific rules after each login,
>> which apparently was not the case in my test scenario. Please correct me
>> if I'm wrong. Of course I can set the interval for smart refresh to a
>> minimum of 10 seconds, but this would cause a lot of traffic. How can I
>> configure SSSD to update the rules during each login of the user?
>
> Hi David,
>
> Pavel Brezina (CC-ed) would know for sure as he wrote the sudo integration,
> but I think the trick could be to force the rules refresh to run more
> often, as you noted, detecting the removed rules.
>
> I'd suggest to lower the entry_cache_sudo_timeout to make the rules expire
> faster, which would trigger the rules refresh which, if it detected rules
> were removed, would trigger the full refresh.

Hi, this is a completely correct answer.

> Currently there's no config option that would tie login and rules refresh
> update.

And this sounds like a nice RFE :-)
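The following POSIX shell script is an added example and is not code from the threads, from SSSD or from FreeIPA. It reads an sssd.conf and an nsswitch.conf and reports the two things the threads above turn on: whether sudo is wired to SSSD at all (the sudo responder in the [sssd] services list, the domain's sudo_provider, and the sudoers line in nsswitch.conf, which are the usual first checks before looking at rules), and the worst-case number of seconds a disabled rule is still honoured, computed from ldap_sudo_full_refresh_interval and entry_cache_sudo_timeout in the way Jakub describes. The defaults it assumes (21600 s, 900 s, and entry_cache_sudo_timeout falling back to entry_cache_timeout = 5400 s) are the ones documented in sssd.conf(5) and sssd-ldap(5); the sample files it writes to a temporary directory are constructed for the demo and modelled on David's configuration, and the host and domain names in them are placeholders.

```shell
#!/bin/sh
# Added example: inspect sssd.conf/nsswitch.conf for IPA sudo rule plumbing
# and for how long a disabled rule can survive in the SSSD cache.
# Defaults below are those documented in sssd.conf(5) and sssd-ldap(5).

# get_opt FILE SECTION KEY DEFAULT -> value of KEY in [SECTION], or DEFAULT.
# Handles "key = value" as well as "key=value" and skips comments.
get_opt() {
    file=$1 section=$2 key=$3 default=$4
    val=$(awk -v sec="[$section]" -v key="$key" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line == "" || line ~ /^[#;]/ { next }
        line ~ /^\[/ { in_sec = (line == sec); next }
        in_sec && index(line, "=") {
            i = index(line, "="); k = substr(line, 1, i - 1); v = substr(line, i + 1)
            sub(/[ \t]+$/, "", k); sub(/^[ \t]+/, "", v)
            if (k == key) { print v; exit }
        }' "$file")
    printf '%s\n' "${val:-$default}"
}

# sudo_plumbing SSSD_CONF DOMAIN NSSWITCH_CONF -> "ok", or the first missing
# piece (and exit status 1). All three must hold before any rule can apply.
sudo_plumbing() {
    conf=$1 dom=$2 nss=$3
    case " $(get_opt "$conf" sssd services "" | tr ',' ' ') " in
        *" sudo "*) ;;
        *) echo "sudo responder missing from [sssd] services"; return 1 ;;
    esac
    # sudo_provider defaults to the domain's id_provider when unset.
    idp=$(get_opt "$conf" "domain/$dom" id_provider none)
    case $(get_opt "$conf" "domain/$dom" sudo_provider "$idp") in
        none) echo "sudo_provider is none for domain $dom"; return 1 ;;
    esac
    # sudo only asks SSSD when nsswitch routes the sudoers database to "sss".
    if ! grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)' "$nss"; then
        echo "nsswitch.conf lacks 'sss' on the sudoers: line"; return 1
    fi
    echo ok
}

# revoke_window SSSD_CONF DOMAIN -> seconds a disabled rule may still be honoured.
# SSSD drops a removed rule on the next full refresh, or earlier when the
# user's cached rules have expired (entry_cache_sudo_timeout) and a sudo
# invocation triggers the per-user rule refresh. The smart refresh only pulls
# rules that were added or modified, so it never shortens this window.
revoke_window() {
    conf=$1 dom=$2
    full=$(get_opt "$conf" "domain/$dom" ldap_sudo_full_refresh_interval 21600)
    ect=$(get_opt "$conf" "domain/$dom" entry_cache_timeout 5400)
    sudo_to=$(get_opt "$conf" "domain/$dom" entry_cache_sudo_timeout "$ect")
    if [ "$sudo_to" -lt "$full" ]; then echo "$sudo_to"; else echo "$full"; fi
}

# Demo on constructed sample files (placeholder names, not real hosts).
demo() {
    d=$(mktemp -d)
    cat > "$d/sssd.conf" <<'EOF'
[sssd]
services = nss, pam, ssh, sudo
domains = example.info
[sudo]
[domain/example.info]
id_provider = ipa
sudo_provider = ldap
ldap_schema=IPA
ldap_sudo_search_base = ou=sudoers,dc=example,dc=info
EOF
    printf 'passwd: files sss\nsudoers: files sss\n' > "$d/nsswitch.conf"
    echo "plumbing: $(sudo_plumbing "$d/sssd.conf" example.info "$d/nsswitch.conf")"
    echo "revoke window with defaults: $(revoke_window "$d/sssd.conf" example.info)s"
    # The fix from the thread: let the cached rules expire sooner.
    printf 'entry_cache_sudo_timeout = 60\n' >> "$d/sssd.conf"
    echo "revoke window with entry_cache_sudo_timeout = 60: $(revoke_window "$d/sssd.conf" example.info)s"
    rm -rf "$d"
}

demo
```

The window it reports is an upper bound on how long a revoked rule keeps working, not on how long a newly added one takes to appear; new rules arrive with the smart refresh, which is why lowering ldap_sudo_smart_refresh_interval alone, as David first tried, does not help with revocation.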