Re: [Freeipa-users] Sudo Rule not working

2016-09-29 Thread Jeff Goddard
I had a similar issue. To see the details and solution search the list for:
Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1


Jeff

On Thu, Sep 29, 2016 at 4:22 AM, Deepak Dimri wrote:

> Hi All,
>
> I have added a sudo rule having an allowed command for sudo su for a test
> user. When I log in with this test user to my IPA client (ubuntu), I am
> getting a message that "the user is not in the sudoers file.  This
> incident will be reported." and it works fine if I add the user to the sudoers
> file; then the user can switch to sudo and is able to run all the commands,
> even the commands I have included in the "deny" list in my IPA server.
>
>
> Do we need to have the user/group added to the sudoers list for the IPA sudo rule to
> work? If so, then how can I make it work with IPA sudo rules?
>
>
> Thanks,
>
> Deepak
>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

Re: [Freeipa-users] Sudo Rule not working

2016-09-29 Thread Jakub Hrozek
On Thu, Sep 29, 2016 at 08:22:03AM +, Deepak Dimri wrote:
> Hi All,
> 
> I have added a sudo rule having an allowed command for sudo su for a test user. 
> When I log in with this test user to my IPA client (ubuntu), I am getting a 
> message that "the user is not in the sudoers file.  This incident will be 
> reported." and it works fine if I add the user to the sudoers file; then the user 
> can switch to sudo and is able to run all the commands, even the commands I 
> have included in the "deny" list in my IPA server.
> 
> 
> Do we need to have the user/group added to the sudoers list for the IPA sudo rule to work? 
> If so, then how can I make it work with IPA sudo rules?

Please check out:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO



[Freeipa-users] Sudo Rule not working

2016-09-29 Thread Deepak Dimri
Hi All,

I have added a sudo rule having an allowed command for sudo su for a test user. 
When I log in with this test user to my IPA client (ubuntu), I am getting a 
message that "the user is not in the sudoers file.  This incident will be 
reported." and it works fine if I add the user to the sudoers file; then the user 
can switch to sudo and is able to run all the commands, even the commands I have 
included in the "deny" list in my IPA server.


Do we need to have the user/group added to the sudoers list for the IPA sudo rule to work? If 
so, then how can I make it work with IPA sudo rules?


Thanks,

Deepak


Re: [Freeipa-users] Sudo Rule Not working with UserGroup

2015-08-14 Thread Jakub Hrozek
On Fri, Aug 14, 2015 at 07:05:48PM +0530, Yogesh Sharma wrote:
> Hi,
> 
> We have moved to the next step and are working on configuring the Sudo Rule.
> 
> When we add individual users to sudo rules, it works perfectly. However, as
> soon as we add a usergroup to sudo rules, it stops working.

I'm sorry, but it's not possible to help without seeing the logs.
In this case, the sudo logs.



[Freeipa-users] Sudo Rule Not working with UserGroup

2015-08-14 Thread Yogesh Sharma
Hi,

We have moved to the next step and are working on configuring the Sudo Rule.

When we add individual users to sudo rules, it works perfectly. However, as
soon as we add a usergroup to sudo rules, it stops working.

*Best Regards,*

*__*

*Yogesh Sharma*
*Email: yks0...@gmail.com yks0...@gmail.com | Web: www.initd.in
http://www.initd.in/ *

*RHCE, VCE-CIA, RACKSPACE CLOUD U Certified*

https://www.fb.com/yks   http://in.linkedin.com/in/yks
https://twitter.com/checkwithyogesh
http://google.com/+YogeshSharmaOnGooglePlus

Re: [Freeipa-users] Sudo Rule Not working with UserGroup

2015-08-14 Thread Yogesh Sharma
It has started working. Not sure what happened, but it seems to be an issue with
the cache timeout again.

Thanks Jakub. I will update more if I am able to replicate the issue again.


On Fri, Aug 14, 2015 at 7:12 PM, Jakub Hrozek jhro...@redhat.com wrote:

> On Fri, Aug 14, 2015 at 07:05:48PM +0530, Yogesh Sharma wrote:
> > Hi,
> >
> > We have moved to the next step and are working on configuring the Sudo Rule.
> >
> > When we add individual users to sudo rules, it works perfectly. However,
> > as soon as we add a usergroup to sudo rules, it stops working.
>
> I'm sorry, but it's not possible to help without seeing the logs.
> In this case, the sudo logs.



[Freeipa-users] Sudo rule still working after deactivation

2013-11-14 Thread David Kreuter
Thanks for the fast reply and great support.

The usage of 'entry_cache_sudo_timeout' parameter does the trick.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


[Freeipa-users] Sudo rule still working after deactivation

2013-11-13 Thread David Kreuter
During our evaluation phase we're facing the following problem. One particular user 
was granted sudo permission with the help of a sudo rule. The user can 
successfully access the host via SSH and switch to user root by using the 
sudo command, which was enabled for the user with the sudo rule. After that the 
sudo rule was disabled; the user tried to log in again and switching to root 
was still possible.

After deleting the SSSD cache files and restarting the service, sudo did not 
work anymore, as expected.

How long does it take until the sudo rules are refreshed in the SSSD cache? I know 
that there are three different refresh mechanisms (full, smart, rule). The full and 
smart refresh mechanisms are performed periodically depending on the settings in the 
SSSD configuration file, and the rule method should refresh the user's specific 
rules after each login, which apparently was not the case for my test scenario. 
Please correct me if I'm wrong. Of course I can set the interval for smart 
refresh to a minimum of 10 seconds, but this would cause a lot of traffic.

How can I configure SSSD to update the rules during each login of the user?

Following components are used:
- FreeIPA server freeipa-server.x86_64 3.3.2-1.fc19
- FreeIPA client on CentosOS ipa-client.x86_64 3.0.0-26.el6_4.4
- SSSD sudo integration

--- /etc/sssd/sssd.conf ---

[domain/example.info]
debug_level = 0xFFF0
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.info
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = chef01.example.info
chpass_provider = ipa
ipa_server = _srv_, ipa01.example.info
ldap_tls_cacert = /etc/ipa/ca.crt

sudo_provider = ldap
ldap_uri = ldap://ipa01.example.info
ldap_sudo_search_base = ou=sudoers,dc=example,dc=info
ldap_schema=IPA
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/chef01.example.info
ldap_sasl_realm = EXAMPLE.INFO
krb5_server = ipa01.example.info

[sssd]
debug_level = 0x0400
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.info
[nss]
[pam]
[sudo]
debug_level = 0xFFF0
[autofs]
[ssh]
[pac]

--- /etc/sssd/sssd.conf ---

I tested the test scenario with very small intervals and the rules were 
properly updated.

ldap_sudo_full_refresh_interval = 30
ldap_sudo_smart_refresh_interval = 15

Is this a proper solution, or can I configure SSSD in a way that the rules are 
updated during each user's login?

I appreciate any help and thank you in advance.

Cheers,
David



Re: [Freeipa-users] Sudo rule still working after deactivation

2013-11-13 Thread Jakub Hrozek
On Wed, Nov 13, 2013 at 05:26:32PM +0100, David Kreuter wrote:
> During our evaluation phase we're facing the following problem. One particular 
> user was granted sudo permission with the help of a sudo rule. The user can 
> successfully access the host via SSH and switch to user root by using the 
> sudo command, which was enabled for the user with the sudo rule. After that 
> the sudo rule was disabled; the user tried to log in again and switching to 
> root was still possible.
> 
> After deleting the SSSD cache files and restarting the service, sudo did not 
> work anymore, as expected.
> 
> How long does it take until the sudo rules are refreshed in the SSSD cache? I 
> know that there are three different refresh mechanisms (full, smart, rule). 
> The full and smart refresh mechanisms are performed periodically depending on the 
> settings in the SSSD configuration file, and the rule method should refresh the 
> user's specific rules after each login, which apparently was not the case for 
> my test scenario. Please correct me if I'm wrong. Of course I can set the 
> interval for smart refresh to a minimum of 10 seconds, but this would cause a 
> lot of traffic.
> 
> How can I configure SSSD to update the rules during each login of the user?

Hi David,

Pavel Brezina (CC-ed) would know for sure as he wrote the sudo
integration, but I think the trick could be to force the rules refresh
to run more often, as you noted, detecting the removed rules. 

I'd suggest lowering the entry_cache_sudo_timeout to make the rules expire
faster, which would trigger the rules refresh which, if it detected rules
were removed, would trigger the full refresh.

Currently there's no config option that would tie the rules refresh
update to login.



Re: [Freeipa-users] Sudo rule still working after deactivation

2013-11-13 Thread Pavel Březina

On 11/13/2013 05:40 PM, Jakub Hrozek wrote:

> On Wed, Nov 13, 2013 at 05:26:32PM +0100, David Kreuter wrote:
> > During our evaluation phase we're facing the following problem. One particular user 
> > was granted sudo permission with the help of a sudo rule. The user can 
> > successfully access the host via SSH and switch to user root by using the 
> > sudo command, which was enabled for the user with the sudo rule. After that the 
> > sudo rule was disabled; the user tried to log in again and switching to root 
> > was still possible.
> > 
> > After deleting the SSSD cache files and restarting the service, sudo did not 
> > work anymore, as expected.
> > 
> > How long does it take until the sudo rules are refreshed in the SSSD cache? I know 
> > that there are three different refresh mechanisms (full, smart, rule). The full and 
> > smart refresh mechanisms are performed periodically depending on the settings in the 
> > SSSD configuration file, and the rule method should refresh the user's specific 
> > rules after each login, which apparently was not the case for my test scenario. 
> > Please correct me if I'm wrong. Of course I can set the interval for smart 
> > refresh to a minimum of 10 seconds, but this would cause a lot of traffic.
> > 
> > How can I configure SSSD to update the rules during each login of the user?
> 
> Hi David,
> 
> Pavel Brezina (CC-ed) would know for sure as he wrote the sudo
> integration, but I think the trick could be to force the rules refresh
> to run more often, as you noted, detecting the removed rules.
> 
> I'd suggest lowering the entry_cache_sudo_timeout to make the rules expire
> faster, which would trigger the rules refresh which, if it detected rules
> were removed, would trigger the full refresh.

Hi,
this is a completely correct answer.

> Currently there's no config option that would tie login and rules
> refresh update.


And this sounds like a nice RFE :-)


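As an added illustration of the caching behaviour discussed in this thread (not code from the thread or from the SSSD project), the script below reads an sssd.conf fragment and computes the worst-case window during which a rule that was disabled or removed on the IPA server can still be honoured by the client. It assumes the SSSD defaults documented in sssd.conf(5) and sssd-ldap(5), and the assumption, taken from Jakub's explanation above, that a removed rule is caught either by the periodic full refresh or by the per-user rules refresh once the cached rules expire; the sample configuration is constructed and modelled on David's.

```python
"""Estimate how long a disabled IPA sudo rule can keep working on an SSSD
client because the rule is still present in the SSSD sudo cache."""
import configparser

# SSSD defaults in seconds (sssd.conf(5), sssd-ldap(5)).
# entry_cache_sudo_timeout falls back to entry_cache_timeout when unset.
DEFAULT_ENTRY_CACHE_TIMEOUT = 5400
DEFAULT_FULL_REFRESH = 21600
DEFAULT_SMART_REFRESH = 900


def effective_sudo_cache(conf_text: str, domain: str) -> dict:
    """Resolve the sudo-related cache settings of one [domain/...] section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    sec = cfg[f"domain/{domain}"]
    entry = sec.getint("entry_cache_timeout", DEFAULT_ENTRY_CACHE_TIMEOUT)
    return {
        "entry_cache_sudo_timeout": sec.getint("entry_cache_sudo_timeout", entry),
        "full_refresh": sec.getint("ldap_sudo_full_refresh_interval", DEFAULT_FULL_REFRESH),
        "smart_refresh": sec.getint("ldap_sudo_smart_refresh_interval", DEFAULT_SMART_REFRESH),
    }


def stale_rule_bound(conf_text: str, domain: str) -> int:
    """Worst-case seconds a removed or disabled rule stays usable on the client.

    Assumption (from the thread): the rule disappears either at the next full
    refresh or when the user's cached rules expire (entry_cache_sudo_timeout)
    and the rules refresh notices the removal. The smart refresh only pulls
    new or modified rules, so it does not shorten the window.
    """
    s = effective_sudo_cache(conf_text, domain)
    return min(s["entry_cache_sudo_timeout"], s["full_refresh"])


def example_conf(extra: str = "") -> str:
    """Constructed sssd.conf fragment modelled on the one posted in the thread;
    `extra` is appended to the domain section to try out a setting."""
    return (
        "[domain/example.info]\n"
        "id_provider = ipa\n"
        "sudo_provider = ldap\n"
        "ldap_sudo_search_base = ou=sudoers,dc=example,dc=info\n"
        f"{extra}\n"
        "[sssd]\n"
        "services = nss, pam, ssh, sudo\n"
        "domains = example.info\n"
        "[sudo]\n"
    )


if __name__ == "__main__":
    for label, extra in [("defaults", ""), ("sudo cache 60s", "entry_cache_sudo_timeout = 60")]:
        print(f"{label}: stale rule honoured up to {stale_rule_bound(example_conf(extra), 'example.info')}s")
```

With the thread's original configuration the bound is 5400 seconds (the default entry cache timeout, since the 6-hour full refresh is longer); lowering entry_cache_sudo_timeout, as Jakub suggests, shrinks it directly.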