Re: [Freeipa-users] Sudo not working

2012-11-01 Thread Pavel Březina
On 10/31/2012 07:20 PM, Rob Crittenden wrote: Bret Wortman wrote: F17. I think you want /etc/ldap.conf then. The easiest way to be sure the right file is being used is to add sudoers_debug 1 to the file. This will present a lot of extra output so you'll know the file is being read. rob Hi,

Re: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO

2013-04-29 Thread Pavel Březina
On 04/29/2013 08:31 PM, Aly Khimji wrote: Hey Pavel/Guys, Do you see anything in the new logs that might help? I saw this bug https://bugzilla.redhat.com/show_bug.cgi?id=871160 that reports this issue exactly. However it's reported as fixed but I am still having the same issue. I am building

Re: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO

2013-05-07 Thread Pavel Březina
-devel list. Thx for the help Aly Thanks Pavel, Very much appreciated Aly On Tue, Apr 30, 2013 at 1:41 PM, Pavel Brezina pbrez...@redhat.com wrote: - Original Message - From: Pavel Březina pbrez...@redhat.com

Re: [Freeipa-users] Sudo Commands and groups confusion

2013-06-12 Thread Pavel Březina
On 06/12/2013 02:37 PM, Jakub Hrozek wrote: On Wed, Jun 12, 2013 at 11:22:35AM +0200, Matt . wrote: Hi, The package as you described is installed, the configlines are set as you show it. This is what I see in auth.log, my sssd_sudo does not show a thing: Jun 12 11:19:16 server sudo:

Re: [Freeipa-users] Sudo Commands and groups confusion

2013-06-13 Thread Pavel Březina
On 06/12/2013 02:51 PM, Pavel Březina wrote: On 06/12/2013 02:37 PM, Jakub Hrozek wrote: On Wed, Jun 12, 2013 at 11:22:35AM +0200, Matt . wrote: Hi, The package as you described is installed, the configlines are set as you show it. This is what I see in auth.log, my sssd_sudo does not show

Re: [Freeipa-users] sudo rules user and host group bugs?

2013-07-18 Thread Pavel Březina
On 07/17/2013 06:39 PM, Tovey, Mark wrote: Okay, I get it (pardon my obtuseness). host1- getent netgroup hgroup1 hgroup1 (host1.my_domain.com, -, my_domain.com) So netgroups are working. The host group is defined in IPA and getent is able to access that

Re: [Freeipa-users] freeipa and sudo

2013-09-09 Thread Pavel Březina
On 09/08/2013 11:11 PM, Jakub Hrozek wrote: On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote: On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote: On 09/07/2013 02:11 PM, Christian Horn wrote: On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote: Are [1] and[2] still the

Re: [Freeipa-users] freeipa and sudo

2013-09-09 Thread Pavel Březina
On 09/09/2013 12:26 AM, Dean Hunter wrote: On Sun, 2013-09-08 at 23:11 +0200, Jakub Hrozek wrote: On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote: On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote: On 09/07/2013 02:11 PM, Christian Horn wrote: On Sat, Sep 07, 2013 at

Re: [Freeipa-users] freeipa and sudo

2013-09-11 Thread Pavel Březina
On 09/09/2013 07:32 PM, Dean Hunter wrote: On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote: On 09/08/2013 01:35 AM, Dmitri Pal wrote: On 09/07/2013 02:11 PM, Christian Horn wrote: On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote: Are [1] and[2] still the current and best

Re: [Freeipa-users] freeipa and sudo

2013-09-11 Thread Pavel Březina
On 09/09/2013 05:53 PM, Dean Hunter wrote: On Mon, 2013-09-09 at 11:35 +0200, Pavel Březina wrote: On 09/09/2013 12:26 AM, Dean Hunter wrote: On Sun, 2013-09-08 at 23:11 +0200, Jakub Hrozek wrote: On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote: On Sat, 2013-09-07 at 19:35 -0400

Re: [Freeipa-users] freeipa and sudo

2013-09-11 Thread Pavel Březina
On 09/11/2013 11:21 AM, Pavel Březina wrote: On 09/09/2013 07:32 PM, Dean Hunter wrote: On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote: On 09/08/2013 01:35 AM, Dmitri Pal wrote: On 09/07/2013 02:11 PM, Christian Horn wrote: On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote

Re: [Freeipa-users] Sudo rule still working after deactivation

2013-11-13 Thread Pavel Březina
On 11/13/2013 05:40 PM, Jakub Hrozek wrote: On Wed, Nov 13, 2013 at 05:26:32PM +0100, David Kreuter wrote: During our evaluation phase we're facing the following problem. One particular user was granted sudo permission with the help of a sudo rule. The user can successfully access the host via

Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt

2014-02-17 Thread Pavel Březina
On 02/16/2014 01:19 AM, Steve Dainard wrote: Just experienced the same issue on Fedora 20: [sdainard-ad...@miovision.corp@fed20 ~]$ sudo systemctl stop firewalld [sudo] password for sdainard-ad...@miovision.corp: sdainard-ad...@miovision.corp is not allowed to run sudo on fed20. This incident

Re: [Freeipa-users] sudo !requiretty !authenticate

2015-01-06 Thread Pavel Březina
On 01/05/2015 07:32 PM, Craig White wrote: Hi - reply at bottom -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Monday, January 05, 2015 4:33 AM To: Craig White; freeipa-users@redhat.com; Pavel Brezina Subject: Re: [Freeipa-users] sudo !requiretty !authenticate

Re: [Freeipa-users] sudo !requiretty !authenticate

2015-01-08 Thread Pavel Březina
: [Freeipa-users] sudo !requiretty !authenticate -Original Message- From: Lukas Slebodnik [mailto:lsleb...@redhat.com] Sent: Tuesday, January 06, 2015 3:11 AM To: Craig White Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] sudo !requiretty !authenticate On (06/01/15 10:21), Pavel

Re: [Freeipa-users] regex with sudo commands

2015-05-05 Thread Pavel Březina
On 05/05/2015 10:53 AM, Martin Kosek wrote: On 05/05/2015 03:37 AM, Megan . wrote: Good Evening! I'm running 3.0.0-42 on Centos 6.6. I setup a number of sudo commands today with regular expressions and now users seem to be having issues running any sudo command. Are there any known issues

Re: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain

2015-06-08 Thread Pavel Březina
On 06/05/2015 03:14 PM, Sina Owolabi wrote: Odd, sssd sudo up and started working properly after I added debug to the clients I was interested in. I didn't see any errors in the logs at all. This may indicate a race condition. Does it hang up again if you disable debugging? Very strange.

Re: [Freeipa-users] FreeIPA and sudo Defaults

2015-08-05 Thread Pavel Březina
On 08/04/2015 11:57 AM, Innes, Duncan wrote: Hi folks, Struggling with creating a sudo rule in IPA that will allow my foreman-proxy to run specific commands. When I put the following into /etc/sudoers.d/foreman: [root@puppet01 ~]# cat /etc/sudoers.d/foreman foreman-proxy ALL = NOPASSWD:

Re: [Freeipa-users] Sudo Rules Help

2015-11-12 Thread Pavel Březina
On 11/11/2015 03:24 PM, Branden Coates wrote: I have a few issues with sudo rules(FreeIPA 4.1.4-4 on Fedora 22) that I would greatly appreciate some help with. The core of the issue is that sudo rules fail to work when using ldap instead of ipa when you assign user groups and host groups to the

Re: [Freeipa-users] sudo rules do not seem to work

2015-10-08 Thread Pavel Březina
On 10/08/2015 04:09 PM, Karl Forner wrote: Sorry I had disabled the emailing, just was your answers in the archives. How can I debug this ? Pavel (CC) has a nice sudo debug howto, maybe it would be helpful? Where is it ? Do you mean the slide "FreeIPA Training Series: Obtaining debugging

Re: [Freeipa-users] (no subject)

2015-10-08 Thread Pavel Březina
On 10/08/2015 04:26 PM, Karl Forner wrote: Hi, you are prompted for password because (ALL) ALL rule is applied because of last-match rule. See: http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder. Ok. I updated the rules to use a sudoorder attribute of 100 for the

Re: [Freeipa-users] sudo rules do not seem to work

2015-10-07 Thread Pavel Březina
On 10/07/2015 10:03 AM, Jakub Hrozek wrote: On Tue, Oct 06, 2015 at 06:28:14PM +0200, Karl Forner wrote: Hello, I had assumed sudo rules worked because I have an "allow_all for admins" sudo rule that seemed to work, but I wonder if there is an implicit rule for the special group admins ?

[Freeipa-users] HOWTO: Troubleshooting SUDO

2015-10-09 Thread Pavel Březina
Hi, I just submitted a sudo troubleshooting guide [1]. If you find anything missing, please, let me know. [1] https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

Re: [Freeipa-users] (no subject)

2015-10-09 Thread Pavel Březina
. Thanks a lot. Thanks. Please, keep in mind that we changed the default to the correct order in sssd 1.13.1. Therefore if you update sssd you will either have to invert the order again or set sudo_inverse_order = true in [sudo] in /etc/sssd/sssd.conf. On Thu, Oct 8, 2015 at 5:26 PM, Pavel

Re: [Freeipa-users] (no subject)

2015-10-09 Thread Pavel Březina
). On Thu, Oct 8, 2015 at 5:26 PM, Pavel Březina <pbrez...@redhat.com> wrote: On 10/08/2015 04:26 PM, Karl Forner wrote: Hi, you are prompted for password because (ALL) ALL rule is applied because of last-match rule. See: http://www.sudo.ws/man/1.8.13/sudoer

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-14 Thread Pavel Březina
On 09/11/2015 02:40 PM, Molnár Domokos wrote: Full log attached. "Molnár Domokos" <kret...@freemail.hu> wrote: "Pavel Březina" <pbrez...@redhat.com> wrote: On 09/09/2015 09:31 PM, Molnár Domokos wrote: > I have a working IPA

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-11 Thread Pavel Březina
On 09/09/2015 09:31 PM, Molnár Domokos wrote: I have a working IPA server and a working client config on an OpenSuse 13.2 with the following versions: nappali:~ # rpm -qa |grep sssd sssd-tools-1.12.2-3.4.1.i586 sssd-krb5-1.12.2-3.4.1.i586 python-sssd-config-1.12.2-3.4.1.i586

Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-29 Thread Pavel Březina
On 09/21/2015 10:42 PM, Andy Thompson wrote: On Mon, Sep 21, 2015 at 07:39:01PM +, Andy Thompson wrote: -Original Message- From: Jakub Hrozek [mailto:jhro...@redhat.com] Sent: Monday, September 21, 2015 3:29 PM To: Andy Thompson Cc:

Re: [Freeipa-users] sudo options/sss_cache

2015-09-29 Thread Pavel Březina
On 09/25/2015 01:12 PM, Jakub Hrozek wrote: On Fri, Sep 25, 2015 at 11:48:27AM +0200, Pavel Březina wrote: On 09/25/2015 10:06 AM, Jakub Hrozek wrote: On Thu, Sep 24, 2015 at 03:39:48PM +0200, Christoph Kaminski wrote: Hi I have 3 problems/questions with ipa and sudo... 1. How to make

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-29 Thread Pavel Březina
On 09/15/2015 09:10 AM, Molnár Domokos wrote: "Molnár Domokos" <kret...@freemail.hu> wrote: On 09/14/2015 03:08 PM, Pavel Březina wrote: On 09/11/2015 02:40 PM, Molnár Domokos wrote: Full log attached. "Molnár Domokos" <kret...@freemail.hu>

Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-10-01 Thread Pavel Březina
On 09/30/2015 09:04 PM, Andy Thompson wrote: On Wed, Sep 30, 2015 at 12:17:22PM +, Andy Thompson wrote: On 09/21/2015 10:42 PM, Andy Thompson wrote: On Mon, Sep 21, 2015 at 07:39:01PM +, Andy Thompson wrote: -Original Message- From: Jakub Hrozek [mailto:jhro...@redhat.com]

Re: [Freeipa-users] Sudo default options

2015-10-05 Thread Pavel Březina
On 10/05/2015 10:58 AM, Andreas Calminder wrote: Hi, guessing this is a quite frequent question, but I can't find any solid information about the topic. I want to specify a set of default sudo options so I don't have to specify these options for every other sudo rule I create. There's supposed

Re: [Freeipa-users] sudo options/sss_cache

2015-09-25 Thread Pavel Březina
On 09/25/2015 10:06 AM, Jakub Hrozek wrote: On Thu, Sep 24, 2015 at 03:39:48PM +0200, Christoph Kaminski wrote: Hi I have 3 problems/questions with ipa and sudo... 1. How to make a GLOBAL sudo rule with all the options what I want to have? (e.g. !authenticate). I have tried to make a sudo

Re: [Freeipa-users] Sudo ALL rule

2016-05-31 Thread Pavel Březina
On 05/31/2016 11:19 AM, Tony Brian Albers wrote: Hi guys, I'm implementing FreeIPA to authenticate users on a small HPC cluster here. For a few of these I need a sudo rule that in essence does the same as the standard ALL(ALL) rule. How do I implement that in FreeIPA? I've found some

Re: [Freeipa-users] sudo rules are not active immediatly

2017-02-08 Thread Pavel Březina
On 02/08/2017 11:59 AM, Nathanaël Blanchet wrote: Hello, on latest IPA, when adding a command to a rule or a sudo option for example, the change is not active on the user session. For example, after removing !authenticate option, I still can execute sudo commands without password. I tried to

Re: [Freeipa-users] sudo NOPASSWD for a single command

2017-02-24 Thread Pavel Březina
On 02/23/2017 03:43 PM, Auerbach, Steven wrote: Yes, I implemented in Policy -> Sudo -> Sudo Commands as: Sudo Command: NOPASSWD: /sbin/vgs NOPASSWD is used in /etc/sudoers. In IPA, create a sudo option "!authenticate" instead. The script (executed by a non-root,

Re: [Freeipa-users] sudo rules are not active immediatly

2017-02-09 Thread Pavel Březina
On 02/08/2017 04:03 PM, Nathanaël Blanchet wrote: On 08/02/2017 at 13:00, Pavel Březina wrote: On 02/08/2017 11:59 AM, Nathanaël Blanchet wrote: Hello, on latest IPA, when adding a command to a rule or a sudo option for example, the change is not active on the user session. For example

Re: [Freeipa-users] Help with sudo permission for a command

2016-08-31 Thread Pavel Březina
On 08/30/2016 05:08 PM, Ryan Whalen wrote: Hi All, I'm having an issue getting a command to run properly, and the issue seems to be with Freeipa sudo permissions. Specifically 'sudo su - app_user -c ""' prompts for a password when run. However if I 'sudo su - app_user' and then run the '' as

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-30 Thread Pavel Březina
On 08/26/2016 02:15 PM, Jeff Goddard wrote: Pavel, I appreciate that you're busy and thank you for taking time to look at this. Here is the output: [root@id-management-1 ~]# ipa sudorule-show Rule name: all Rule name: All Description: Full sudo access for Developer group in office

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-26 Thread Pavel Březina
On 08/25/2016 08:01 PM, Jeff Goddard wrote: I'm still hoping someone can offer additional help. I see in the apt term.log these errors when downloading the freeipa-client package. Could this be the problem? Hi, I'm sorry, I somehow overlooked this thread. Can you provide output of ipa

Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Pavel Březina
On 08/23/2016 11:26 AM, Tony Brian Albers wrote: Thanks Jakub, I've attached a file with the output from looking in the log files mentioned in the link you gave me. I'm not sure exactly what is wrong, I don't know how to interpret messages like: name 'tba-sadm' matched without domain, user is