Re: [Freeipa-users] How do I create single sudo group for both Centos and Ubuntu?
Hi

The problem was unclear for me with Ubuntu, and although in theory everything should work, it did not, so (checked a few things that came to mind like Kerberos, SSSD logs, PAM and figured out some problem with PAM SSSD integration) I went with the simplest solution (reinstall freeipa-client on the Ubuntus).

I fixed the problem with sudo on Ubuntu 14.4 and 16.4 with

    ipa-client-install --uninstall

followed by

    ipa-client-install --domain=myfqdndomain --principal=admin --mkhomedir

then checking /etc/sssd/sssd.conf if sudo is in the services line (it was prior to uninstall) and an appropriate mod to PAM so mkhomedir actually works. For some reason after this the Ubuntus started working. I skipped Ubuntu 12.4 for now.

Currently I'm trying to get su and su - to work, I mean restrict it to a few admin users from IPA and local root.

From other things I observed (not related to the sudo issue I hope) was that most of the Ubuntu hosts did not register their A record on IPA whereas all Centos based hosts did (just added missing records for the Ubuntus manually so it's not an issue).

Next step after I get su right will be to search for a way to get virt-manager to work over ssh X forwarding for IPA users; it works for local accounts only right now.

Regards
Przemysław Orzechowski

On 02.05.2016 at 16:22, Rob Crittenden wrote:
> Przemysław Orzechowski wrote:
> > Hi
> >
> > I'm trying to create a single usergroup for sudo enabled users for both
> > Centos and Ubuntu users
> > The problem is on Centos it's group wheel (10), and on Ubuntu it's sudo
> > (27) how do I have tried to do it using ID view but somehow I'm not
> > getting it right
> >
> > btw
> > Centos clients versions 6.x, 7.x
> > Ubuntu clients versions 12.04,14.04,16.04
> > Ipa server is on Centos 7 IPA VERSION: 4.2.0, API_VERSION: 2.156
> >
> > Regards
> > Przemysław Orzechowski
>
> But aren't these groups used only if you use files for sudo (and even that
> is just a default)? If you are using IPA to provide the sudo rules then the
> group you choose shouldn't matter.
>
> rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
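A client-side check for the setting the message above verifies by hand, added here as an example and not part of the original post: it confirms that `sudo` is listed in the `services` line of the `[sssd]` section of sssd.conf. The `sudoers: ... sss` check against nsswitch.conf is an addition the message does not mention, and the function names and sample file contents are constructed.

```shell
#!/bin/sh
# Added example: verify a client is set up to fetch sudo rules through SSSD.

# Print the value of "services" from the [sssd] section of sssd.conf ($1).
sssd_services() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/) }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# Succeed if sssd.conf ($1) lists the sudo responder in that line.
sssd_has_sudo() {
    sssd_services "$1" | tr ',' '\n' | tr -d ' \t' | grep -qx 'sudo'
}

# Succeed if nsswitch.conf ($1) sends sudoers lookups to sss.
nsswitch_has_sss() {
    awk '$1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") ok = 1 }
         END { exit !ok }' "$1"
}

# Report both settings; return non-zero if either is missing.
check_client() {
    rc=0
    if sssd_has_sudo "$1"; then echo "OK   sssd: sudo in services"
    else echo "FAIL sssd: sudo missing from services in [sssd]"; rc=1; fi
    if nsswitch_has_sss "$2"; then echo "OK   nsswitch: sudoers uses sss"
    else echo "FAIL nsswitch: sudoers line lacks sss"; rc=1; fi
    return $rc
}

# Constructed sample files (not taken from any real host).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '[sssd]\nservices = nss, pam, ssh, sudo\ndomains = example.test\n' > "$demo/good.conf"
# A [sudo] section alone does not enable the responder.
printf '[sssd]\nservices = nss, pam, ssh\n[sudo]\n' > "$demo/bad.conf"
printf 'passwd: files sss\nsudoers: files sss\n' > "$demo/nsswitch.conf"

check_client "$demo/good.conf" "$demo/nsswitch.conf"
check_client "$demo/bad.conf" "$demo/nsswitch.conf" || true
```

On a real client the two arguments would be /etc/sssd/sssd.conf and /etc/nsswitch.conf.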
Re: [Freeipa-users] How do I create single sudo group for both Centos and Ubuntu?
On Mon, 02 May 2016, Jakub Hrozek wrote:
> On Mon, May 02, 2016 at 10:22:49AM -0400, Rob Crittenden wrote:
> > Przemysław Orzechowski wrote:
> > > Hi
> > >
> > > I'm trying to create a single usergroup for sudo enabled users for both
> > > Centos and Ubuntu users
> > > The problem is on Centos it's group wheel (10), and on Ubuntu it's sudo
> > > (27) how do I have tried to do it using ID view but somehow I'm not
> > > getting it right
> > >
> > > btw
> > > Centos clients versions 6.x, 7.x
> > > Ubuntu clients versions 12.04,14.04,16.04
> > > Ipa server is on Centos 7 IPA VERSION: 4.2.0, API_VERSION: 2.156
> > >
> > > Regards
> > > Przemysław Orzechowski
> >
> > But aren't these groups used only if you use files for sudo (and even that
> > is just a default)? If you are using IPA to provide the sudo rules then the
> > group you choose shouldn't matter.
> >
> > rob
>
> Doesn't polkit also use membership in these groups to determine if the user
> is a 'local admin'? I haven't configured this kind of setup myself, though.
> But if it is the case, the user is probably looking for:
> https://sourceware.org/glibc/wiki/Proposals/GroupMerging

There are many ways to achieve the same:
http://www.freeipa.org/page/Howto/FreeIPA_PolicyKit

I'd prefer to use HBAC and set 'polkit-1' and 'sudo' services via HBAC
rules to grant access on the machines.

--
/ Alexander Bokovoy
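The server-side approach suggested in the replies (sudo rules served from IPA, plus an HBAC rule covering the 'sudo' and 'polkit-1' services), sketched as an added example that is not part of any message in this thread. The group and rule names are hypothetical, and 'polkit-1' is assumed not to be defined yet as an HBAC service; by default the script only prints the commands.

```shell
#!/bin/sh
# Added example: one IPA group drives sudo on every client, whatever the
# local admin group (wheel on Centos, sudo on Ubuntu) is called.
# Hypothetical names; override through the environment.
GROUP=${GROUP:-sudo-admins}
SUDORULE=${SUDORULE:-admins-sudo-all}
HBACRULE=${HBACRULE:-admins-sudo-polkit}

# Print each command unless APPLY=1, so the plan can be reviewed first.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

plan_sudo_group() {
    run ipa group-add "$GROUP" --desc="Users allowed to use sudo"

    # Sudo rule: members of the group, on any host, may run any command.
    run ipa sudorule-add "$SUDORULE" --hostcat=all --cmdcat=all
    run ipa sudorule-add-user "$SUDORULE" --groups="$GROUP"

    # HBAC rule granting the sudo and polkit-1 PAM services to the group.
    # HBAC is allow-only: this narrows access only once the default
    # allow_all rule has been disabled.
    # Assumption: polkit-1 does not exist yet as an HBAC service.
    run ipa hbacsvc-add polkit-1 --desc="PolicyKit"
    run ipa hbacrule-add "$HBACRULE" --hostcat=all
    run ipa hbacrule-add-user "$HBACRULE" --groups="$GROUP"
    run ipa hbacrule-add-service "$HBACRULE" --hbacsvcs=sudo --hbacsvcs=polkit-1
}

plan_sudo_group
```

After applying with APPLY=1 from a session holding an admin ticket, `ipa hbactest --user=... --host=... --service=sudo` shows whether a given user is granted the service on a given host.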
Re: [Freeipa-users] How do I create single sudo group for both Centos and Ubuntu?
On Mon, May 02, 2016 at 10:22:49AM -0400, Rob Crittenden wrote:
> Przemysław Orzechowski wrote:
> > Hi
> >
> > I'm trying to create a single usergroup for sudo enabled users for both
> > Centos and Ubuntu users
> > The problem is on Centos it's group wheel (10), and on Ubuntu it's sudo
> > (27) how do I have tried to do it using ID view but somehow I'm not
> > getting it right
> >
> > btw
> > Centos clients versions 6.x, 7.x
> > Ubuntu clients versions 12.04,14.04,16.04
> > Ipa server is on Centos 7 IPA VERSION: 4.2.0, API_VERSION: 2.156
> >
> > Regards
> > Przemysław Orzechowski
> >
>
> But aren't these groups used only if you use files for sudo (and even that
> is just a default)? If you are using IPA to provide the sudo rules then the
> group you choose shouldn't matter.
>
> rob

Doesn't polkit also use membership in these groups to determine if the user
is a 'local admin'? I haven't configured this kind of setup myself, though.
But if it is the case, the user is probably looking for:
https://sourceware.org/glibc/wiki/Proposals/GroupMerging
Re: [Freeipa-users] How do I create single sudo group for both Centos and Ubuntu?
Przemysław Orzechowski wrote:
> Hi
>
> I'm trying to create a single usergroup for sudo enabled users for both
> Centos and Ubuntu users
> The problem is on Centos it's group wheel (10), and on Ubuntu it's sudo
> (27) how do I have tried to do it using ID view but somehow I'm not
> getting it right
>
> btw
> Centos clients versions 6.x, 7.x
> Ubuntu clients versions 12.04,14.04,16.04
> Ipa server is on Centos 7 IPA VERSION: 4.2.0, API_VERSION: 2.156
>
> Regards
> Przemysław Orzechowski

But aren't these groups used only if you use files for sudo (and even that
is just a default)? If you are using IPA to provide the sudo rules then the
group you choose shouldn't matter.

rob
[Freeipa-users] How do I create single sudo group for both Centos and Ubuntu?
Hi

I'm trying to create a single usergroup for sudo enabled users for both
Centos and Ubuntu users
The problem is on Centos it's group wheel (10), and on Ubuntu it's sudo
(27) how do I have tried to do it using ID view but somehow I'm not
getting it right

btw
Centos clients versions 6.x, 7.x
Ubuntu clients versions 12.04,14.04,16.04
Ipa server is on Centos 7 IPA VERSION: 4.2.0, API_VERSION: 2.156

Regards
Przemysław Orzechowski