Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-17 Thread Tevfik Ceydeliler


OK :)
No panic for myself :)
I found what was wrong; now it's OK.
Thanks so much.
On 17-09-2014 14:53, Lukas Slebodnik wrote:

On (17/09/14 13:57), Tevfik Ceydeliler wrote:

Hi Lukas,
After you warned me, I reinstall IPA server and client, and replica.
After that I did your directives shown below.
Everything looked ok.
I got output like you tell.
But after a couple of hours I tried to connect to the client host using ssh
and test again.
And surprise! The client again can't use sudo.

What happened??

I don't know.

Please put "debug_level = 7" into sssd.conf  (sections: sudo and domain)
* restart sssd
* login as the sssd user which should be allowed to run the sudo command(s)
* execute command "truncate -s 0 /var/log/sssd/*"
* call sudo -l
* and provide log files from /var/log/sssd/* and also output from "sudo -l"
I can take a look at the log files and identify the problem.

LS


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-17 Thread Lukas Slebodnik
On (17/09/14 13:57), Tevfik Ceydeliler wrote:
>
>Hi Lukas,
>After you warned me, I reinstall IPA server and client, and replica.
>After that I did your directives shown below.
>Everything looked ok.
>I got output like you tell.
>But after a couple of hours I tried to connect to the client host using ssh
>and test again.
>And surprise! The client again can't use sudo.
>
>What happened??
I don't know.

Please put "debug_level = 7" into sssd.conf  (sections: sudo and domain)
* restart sssd
* login as the sssd user which should be allowed to run the sudo command(s)
* execute command "truncate -s 0 /var/log/sssd/*"
* call sudo -l
* and provide log files from /var/log/sssd/* and also output from "sudo -l"
I can take a look at the log files and identify the problem.

LS

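Lukas's checklist above is easy to get slightly wrong under pressure: debug_level ends up in only one of the two sections, or the logs that get posted predate the restart. The script below is an added example, not code from the thread or from SSSD. It assumes the Ubuntu defaults /etc/sssd/sssd.conf and /var/log/sssd and an upstart-managed sssd (`service sssd restart`); `set_debug_level` takes the config path as an argument so it can be tried on a copy first, and it appends a [sudo] section when the file has none, which is the case for the sssd.conf that ipa-client-install wrote on the client in this thread. Run it as root with the IPA user name as the argument, and turn debug_level back down once the logs are collected: level 7 output is verbose and contains user and host names.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD: Lukas's debug checklist as a
# script. Assumes the Ubuntu defaults /etc/sssd/sssd.conf and /var/log/sssd and an
# upstart-managed sssd ("service sssd restart"). Must be run as root.

# Set "debug_level = LEVEL" in every [sudo] and [domain/...] section of FILE,
# replacing any existing debug_level there and appending a [sudo] section if the
# file has none. Other sections (e.g. [nss], [pam]) are left alone. Idempotent.
set_debug_level() {
    file="$1"; level="$2"
    tmp=$(mktemp) || return 1
    awk -v level="$level" '
        /^[[:space:]]*\[/ {                      # section header
            sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/].*$/, "", sec)
            target = (sec == "sudo" || sec ~ /^domain\//)
            if (sec == "sudo") have_sudo = 1
            print
            if (target) print "debug_level = " level
            next
        }
        target && /^[[:space:]]*debug_level[[:space:]]*=/ { next }   # drop the old value
        { print }
        END { if (!have_sudo) { print ""; print "[sudo]"; print "debug_level = " level } }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# The rest of the checklist: restart, empty the logs, reproduce with "sudo -l" as
# USER, and bundle everything into OUT (default: a timestamped tarball in /tmp).
collect_sudo_debug() {
    user="$1"
    out="${2:-/tmp/sssd-sudo-debug-$(date +%Y%m%d-%H%M%S).tar.gz}"
    set_debug_level /etc/sssd/sssd.conf 7 || return 1
    service sssd restart || return 1
    truncate -s 0 /var/log/sssd/*                     # logs now hold only this reproduction
    su - "$user" -c 'sudo -l' > /tmp/sudo-l.txt 2>&1  # prompts for the user's password
    tar czf "$out" /var/log/sssd /tmp/sudo-l.txt
    echo "debug bundle written to $out; review it for secrets before posting it"
}

if [ "$#" -ge 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    collect_sudo_debug "$@"
fi
```

Usage: `sh collect-sudo-debug.sh user1` as root, then attach the tarball and /tmp/sudo-l.txt to the reply. Because the logs are truncated after the restart, the domain and sudo responder logs contain exactly one `sudo -l` exchange, which is what makes them readable for whoever is debugging on the list.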


Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-17 Thread Tevfik Ceydeliler


Hi Lukas,
After you warned me, I reinstall IPA server and client, and replica.
After that I did your directives shown below.
Everything looked ok.
I got output like you tell.
But after a couple of hours I tried to connect to the client host using 
ssh and test again.

And surprise! The client again can't use sudo.

What happened??

On 01-09-2014 19:05, Lukas Slebodnik wrote:

On (01/09/14 17:52), Tevfik Ceydeliler wrote:

1. I think I configure instead of this document

Sorry you didn't.


2. I can login with ordinary user

login and sudo are not the same thing.

My FreeIPA server is already properly configured with sudo rules.
I tried to install freeipa-client on ubuntu 14.04 and it worked without any
problem.


Step 0: Install freeipa-client on ubuntu 14.04 and configure sudo integration

root@ubuntu1404:/# ipa-client-install --no-ntp
root@ubuntu1404:/# echo "sudoers: files sss" >> /etc/nsswitch.conf

root@ubuntu1404:/# grep services /etc/sssd/sssd.conf
services = nss, pam
root@ubuntu1404:/# sed -i -e 's/\(services.*\)/\1, sudo/' /etc/sssd/sssd.conf
root@ubuntu1404:/# grep services /etc/sssd/sssd.conf
services = nss, pam, sudo


Step 1: configure sudo rules for ordinary user
 Please follow the instructions from FreeIPA documentation.
 http://www.freeipa.org/docs/master/html-desktop/index.html#sudo


   This step was skipped, because it was already done a few months ago :-)


Step 2: login to machine as ordinary user, which is allowed to use sudo.

$ su usersssd01
Password:
$ id
uid=325600011(usersssd01) gid=325600011(usersssd01) 
groups=325600011(usersssd01),30011(biggroup1)


Step 3: run command
 sudo -l
 // this command should show you which commands can be executed as root
 // with sudo

$ sudo -l
sudo: unable to resolve host ubuntu1404.example.test
[sudo] password for usersssd01:
Matching Defaults entries for usersssd01 on ubuntu1404:
 env_reset, mail_badpass,
 
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User usersssd01 may run the following commands on ubuntu1404:
 (root) /usr/bin/less, /usr/bin/vim


Step 4: If there weren't any problems then user will be able to run command.
 sudo some_command_listed_in_step3

$ sudo /usr/bin/less /etc/shadow | wc -l
21
$ echo $?
0

$ sudo apt-get install mc
Sorry, user usersssd01 is not allowed to execute '/usr/bin/apt-get install mc' 
as root on ubuntu.example.test.
$ echo $?
1

LS



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-08 Thread Lukas Slebodnik
On (08/09/14 11:24), Tevfik Ceydeliler wrote:
>Is there any article to describe how to configure ubuntu client for ipa and
>sudo  policy?
>
I have already described the steps in this thread.
It works for me. You did the same steps. That means there is a problem on the server
side.

LS



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-08 Thread Tevfik Ceydeliler


Is there any article describing how to configure an ubuntu client for ipa 
and sudo policy?


On 02-09-2014 11:13, Lukas Slebodnik wrote:

On (02/09/14 11:02), Tevfik Ceydeliler wrote:

Step 0
root@clnt:/home/awtadm# grep sudoers /etc/nsswitch.conf
sudoers_debug:1
sudoers: files sss

root@clnt:/home/awtadm# ipa-client-install --no-ntp
IPA client is already configured on this system.

root@clnt:/home/awtadm# grep services /etc/sssd/sssd.conf
services = nss, pam, ssh, sudo


You need to restart sssd after modification of option "services" in
/etc/sssd/sssd.conf. I forgot to mention it.


Step1 (there is some problem when creating the rule on the CLI. No problem prompted on the
web-based UI)
...
[root@srv ~]# ipa sudorule-add-option readfiles
Sudo Option: !authenticate
ipa: ERROR: no such entry

...
Then:
awtadm@clnt:~$ su user1
Password:
uid=142344(user1) gid=142344(user1) groups=142344(user1)
user1@clnt:/home/awtadm$ sudo -l
[sudo] password for user1:
Sorry, user user1 may not run sudo on clnt.

There is no reason to try sudo commands if "sudo -l" fails.

It works for me on ubuntu 14.04. It is very likely you have a problem
on the FreeIPA Server. Other people can help you with the server part;
I can only help you with the client configuration.
(From my point of view, the problem is solved)

One more time, please follow instructions:
 http://www.freeipa.org/docs/master/html-desktop/index.html#sudo

LS



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-02 Thread Tevfik Ceydeliler


I restarted the client after changing sssd.conf.

On 02-09-2014 11:13, Lukas Slebodnik wrote:

On (02/09/14 11:02), Tevfik Ceydeliler wrote:

Step 0
root@clnt:/home/awtadm# grep sudoers /etc/nsswitch.conf
sudoers_debug:1
sudoers: files sss

root@clnt:/home/awtadm# ipa-client-install --no-ntp
IPA client is already configured on this system.

root@clnt:/home/awtadm# grep services /etc/sssd/sssd.conf
services = nss, pam, ssh, sudo


You need to restart sssd after modification of option "services" in
/etc/sssd/sssd.conf. I forgot to mention it.


Step1 (there is some problem when creating the rule on the CLI. No problem prompted on the
web-based UI)
...
[root@srv ~]# ipa sudorule-add-option readfiles
Sudo Option: !authenticate
ipa: ERROR: no such entry

...
Then:
awtadm@clnt:~$ su user1
Password:
uid=142344(user1) gid=142344(user1) groups=142344(user1)
user1@clnt:/home/awtadm$ sudo -l
[sudo] password for user1:
Sorry, user user1 may not run sudo on clnt.

There is no reason to try sudo commands if "sudo -l" fails.

It works for me on ubuntu 14.04. It is very likely you have a problem
on the FreeIPA Server. Other people can help you with the server part;
I can only help you with the client configuration.
(From my point of view, the problem is solved)

One more time, please follow instructions:
 http://www.freeipa.org/docs/master/html-desktop/index.html#sudo

LS



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-02 Thread Lukas Slebodnik
On (02/09/14 11:02), Tevfik Ceydeliler wrote:
>
>Step 0
>root@clnt:/home/awtadm# grep sudoers /etc/nsswitch.conf
>sudoers_debug:1
>sudoers: files sss
>
>root@clnt:/home/awtadm# ipa-client-install --no-ntp
>IPA client is already configured on this system.
>
>root@clnt:/home/awtadm# grep services /etc/sssd/sssd.conf
>services = nss, pam, ssh, sudo
>

You need to restart sssd after modification of option "services" in
/etc/sssd/sssd.conf. I forgot to mention it.

>
>Step1 (there is some problem when creating the rule on the CLI. No problem prompted on the
>web-based UI)
>...
>[root@srv ~]# ipa sudorule-add-option readfiles
>Sudo Option: !authenticate
>ipa: ERROR: no such entry
>
>...
> Then:
>awtadm@clnt:~$ su user1
>Password:
>uid=142344(user1) gid=142344(user1) groups=142344(user1)
>user1@clnt:/home/awtadm$ sudo -l
>[sudo] password for user1:
>Sorry, user user1 may not run sudo on clnt.

There is no reason to try sudo commands if "sudo -l" fails.

It works for me on ubuntu 14.04. It is very likely you have a problem
on the FreeIPA Server. Other people can help you with the server part;
I can only help you with the client configuration.
(From my point of view, the problem is solved)

One more time, please follow instructions:
http://www.freeipa.org/docs/master/html-desktop/index.html#sudo

LS



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-02 Thread Tevfik Ceydeliler


Step 0
root@clnt:/home/awtadm# grep sudoers /etc/nsswitch.conf
sudoers_debug:1
sudoers: files sss

root@clnt:/home/awtadm# ipa-client-install --no-ntp
IPA client is already configured on this system.

root@clnt:/home/awtadm# grep services /etc/sssd/sssd.conf
services = nss, pam, ssh, sudo


Step1 (there is some problem when creating the rule on the CLI. No problem prompted 
on the web-based UI)

...
[root@srv ~]# ipa sudorule-add-option readfiles
Sudo Option: !authenticate
ipa: ERROR: no such entry

...
 Then:
awtadm@clnt:~$ su user1
Password:
user1@clnt:/home/awtadm$ /usr/bin/less /etc/shadow |wc -l
/etc/shadow: Permission denied
0
user1@clnt:/home/awtadm$ sudo /usr/bin/less /etc/shadow |wc -l
[sudo] password for user1:
user1 is not in the sudoers file.  This incident will be reported.
0
user1@clnt:/home/awtadm$ id
uid=142344(user1) gid=142344(user1) groups=142344(user1)
user1@clnt:/home/awtadm$ sudo -l
[sudo] password for user1:
Sorry, user user1 may not run sudo on clnt.
user1@clnt:/home/awtadm$ exit
exit
awtadm@clnt:~$ su user1
Password:
user1@clnt:/home/awtadm$ id
uid=142344(user1) gid=142344(user1) groups=142344(user1)
user1@clnt:/home/awtadm$ sudo -l
[sudo] password for user1:
Sorry, user user1 may not run sudo on clnt.
user1@clnt:/home/awtadm$ /usr/bin/less /etc/shadow |wc -l
/etc/shadow: Permission denied
0
user1@clnt:/home/awtadm$ sudo /usr/bin/less /etc/shadow |wc -l
[sudo] password for user1:
user1 is not in the sudoers file.  This incident will be reported.
0

--OR--

Darktower tevfik # ssh user1@10.1.1.174
The authenticity of host '10.1.1.174 (10.1.1.174)' can't be established.
ECDSA key fingerprint is 37:32:fc:ca:34:ce:4c:07:e8:b6:f6:56:75:98:69:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.174' (ECDSA) to the list of known hosts.
user1@10.1.1.174's password:
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Mon Sep  1 17:50:02 2014 from 10.65.8.100
user1@clnt:~$ sudo /usr/bin/less /etc/shadow |wc -l
[sudo] password for user1:
user1 is not allowed to run sudo on clnt.  This incident will be reported.
0
user1@clnt:~$ sudo -l
[sudo] password for user1:
User user1 is not allowed to run sudo on clnt.



On 01-09-2014 19:05, Lukas Slebodnik wrote:

On (01/09/14 17:52), Tevfik Ceydeliler wrote:

1. I think I configure instead of this document

Sorry you didn't.


2. I can login with ordinary user

login and sudo are not the same thing.

My FreeIPA server is already properly configured with sudo rules.
I tried to install freeipa-client on ubuntu 14.04 and it worked without any
problem.


Step 0: Install freeipa-client on ubuntu 14.04 and configure sudo integration

root@ubuntu1404:/# ipa-client-install --no-ntp
root@ubuntu1404:/# echo "sudoers: files sss" >> /etc/nsswitch.conf

root@ubuntu1404:/# grep services /etc/sssd/sssd.conf
services = nss, pam
root@ubuntu1404:/# sed -i -e 's/\(services.*\)/\1, sudo/' /etc/sssd/sssd.conf
root@ubuntu1404:/# grep services /etc/sssd/sssd.conf
services = nss, pam, sudo


Step 1: configure sudo rules for ordinary user
 Please follow the instructions from FreeIPA documentation.
 http://www.freeipa.org/docs/master/html-desktop/index.html#sudo


   This step was skipped, because it was already done a few months ago :-)


Step 2: login to machine as ordinary user, which is allowed to use sudo.

$ su usersssd01
Password:
$ id
uid=325600011(usersssd01) gid=325600011(usersssd01) 
groups=325600011(usersssd01),30011(biggroup1)


Step 3: run command
 sudo -l
 // this command should show you which commands can be executed as root
 // with sudo

$ sudo -l
sudo: unable to resolve host ubuntu1404.example.test
[sudo] password for usersssd01:
Matching Defaults entries for usersssd01 on ubuntu1404:
 env_reset, mail_badpass,
 
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User usersssd01 may run the following commands on ubuntu1404:
 (root) /usr/bin/less, /usr/bin/vim


Step 4: If there weren't any problems then user will be able to run command.
 sudo some_command_listed_in_step3

$ sudo /usr/bin/less /etc/shadow | wc -l
21
$ echo $?
0

$ sudo apt-get install mc
Sorry, user usersssd01 is not allowed to execute '/usr/bin/apt-get install mc' 
as root on ubuntu.example.test.
$ echo $?
1

LS



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Lukas Slebodnik
On (01/09/14 17:52), Tevfik Ceydeliler wrote:
>
>1. I think I configure instead of this document
Sorry you didn't.

>2. I can login with ordinary user
login and sudo are not the same thing.

My FreeIPA server is already properly configured with sudo rules.
I tried to install freeipa-client on ubuntu 14.04 and it worked without any
problem.

>>Step 0: Install freeipa-client on ubuntu 14.04 and configure sudo integration
root@ubuntu1404:/# ipa-client-install --no-ntp
root@ubuntu1404:/# echo "sudoers: files sss" >> /etc/nsswitch.conf

root@ubuntu1404:/# grep services /etc/sssd/sssd.conf
services = nss, pam
root@ubuntu1404:/# sed -i -e 's/\(services.*\)/\1, sudo/' /etc/sssd/sssd.conf
root@ubuntu1404:/# grep services /etc/sssd/sssd.conf
services = nss, pam, sudo

>>Step 1: configure sudo rules for ordinary user
>> Please follow the instructions from FreeIPA documentation.
>> http://www.freeipa.org/docs/master/html-desktop/index.html#sudo
>>
  This step was skipped, because it was already done a few months ago :-)

>>Step 2: login to machine as ordinary user, which is allowed to use sudo.
$ su usersssd01
Password:
$ id
uid=325600011(usersssd01) gid=325600011(usersssd01) 
groups=325600011(usersssd01),30011(biggroup1)

>>Step 3: run command
>> sudo -l
>> // this command should show you which commands can be executed as root
>> // with sudo
$ sudo -l
sudo: unable to resolve host ubuntu1404.example.test
[sudo] password for usersssd01:
Matching Defaults entries for usersssd01 on ubuntu1404:
env_reset, mail_badpass,

secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User usersssd01 may run the following commands on ubuntu1404:
(root) /usr/bin/less, /usr/bin/vim

>>Step 4: If there weren't any problems then user will be able to run command.
>> sudo some_command_listed_in_step3
$ sudo /usr/bin/less /etc/shadow | wc -l
21
$ echo $?
0

$ sudo apt-get install mc
Sorry, user usersssd01 is not allowed to execute '/usr/bin/apt-get install mc' 
as root on ubuntu.example.test.
$ echo $?
1

LS

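Lukas's Step 0 above (and the four-step outline in his earlier reply) does the job, but neither the `echo >>` nor the `sed` append is idempotent: run them a second time and you get a duplicate `sudoers:` line and `services = nss, pam, sudo, sudo`. The script below is an added example, not code from the thread or from the FreeIPA/SSSD projects. It takes the two file paths as arguments so it can be tried on copies first (on a real client they are /etc/nsswitch.conf and /etc/sssd/sssd.conf), makes each change only when it is missing, refuses to guess where a missing `services =` line belongs, and finishes with the check a practitioner wants before running `sudo -l`. Restarting sssd afterwards is still required, as Lukas notes in a later reply.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/SSSD: an idempotent
# version of the two client-side changes in Lukas's "Step 0". File paths are
# arguments so the script can be tried on copies; on a real client they are
# /etc/nsswitch.conf and /etc/sssd/sssd.conf, and sssd must be restarted after.

# Overwrite FILE with stdin, keeping its inode, owner and mode.
replace_file() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Entries of the "services =" line of sssd.conf, one per line, whitespace stripped.
sssd_services() {
    sed -n 's/^services[[:space:]]*=[[:space:]]*//p' "$1" | tr ',' '\n' | tr -d ' \t' | grep -v '^$'
}

# Sources of the "sudoers:" line of nsswitch.conf, one per line.
nss_sudoers_sources() {
    sed -n 's/^sudoers:[[:space:]]*//p' "$1" | tr ' \t' '\n\n' | grep -v '^$'
}

# Make sure nsswitch.conf lists sss for sudoers: extend an existing line, else add one.
enable_sss_sudoers() {
    nsswitch="$1"
    nss_sudoers_sources "$nsswitch" | grep -qx sss && return 0
    if grep -q '^sudoers:' "$nsswitch"; then
        sed 's/^\(sudoers:.*\)$/\1 sss/' "$nsswitch" | replace_file "$nsswitch"
    else
        printf 'sudoers: files sss\n' >> "$nsswitch"
    fi
    nss_sudoers_sources "$nsswitch" | grep -qx sss
}

# Make sure "sudo" is in the [sssd] services list; refuse to guess if there is no such line.
enable_sssd_sudo_service() {
    conf="$1"
    sssd_services "$conf" | grep -qx sudo && return 0
    if ! grep -q '^services[[:space:]]*=' "$conf"; then
        echo "$conf: no 'services =' line; add 'services = nss, pam, sudo' under [sssd]" >&2
        return 1
    fi
    sed 's/^\(services[[:space:]]*=.*[^[:space:]]\)[[:space:]]*$/\1, sudo/' "$conf" | replace_file "$conf"
    sssd_services "$conf" | grep -qx sudo
}

# Report what is still missing; exit status 0 only when both settings are in place.
check_sudo_integration() {
    ok=0
    nss_sudoers_sources "$1" | grep -qx sss || { echo "$1: sudoers line does not list sss" >&2; ok=1; }
    sssd_services "$2" | grep -qx sudo || { echo "$2: sudo not in [sssd] services" >&2; ok=1; }
    return $ok
}

if [ "$#" -eq 2 ]; then
    enable_sss_sudoers "$1" && enable_sssd_sudo_service "$2" && check_sudo_integration "$1" "$2" \
        && echo "done; now restart sssd (service sssd restart) and re-run 'sudo -l' as the IPA user"
fi
```

Usage: `sh enable-sss-sudo.sh /etc/nsswitch.conf /etc/sssd/sssd.conf` as root, then `service sssd restart` and `sudo -l` as the IPA user. The exit status of `check_sudo_integration` is what a configuration-management health check would key on; the script edits nothing that is already correct, so it is safe to run on every boot or from a config-management agent.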


Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Tevfik Ceydeliler


1. I think I configured it following this document
2. I can log in with an ordinary user
3.
 I run the command:
ssh user1@10.1.1.174
user1@10.1.1.174's password:
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Mon Sep  1 15:03:57 2014 from 10.65.8.100
user1@clnt:~$ sudo -l
[sudo] password for user1:
User user1 is not allowed to run sudo on clnt.
user1@clnt:~$

4.  ??

On 01-09-2014 16:04, Lukas Slebodnik wrote:

On (01/09/14 15:48), Tevfik Ceydeliler wrote:

Actually All I wanna do is , give permission to user to use some commanf. for
example apt-get or something else.
I Think I can do it with IPA
right?

Yes, but you need to use sudo.

Step 1: configure sudo rules for ordinary user
 Please follow the instructions from FreeIPA documentation.
 http://www.freeipa.org/docs/master/html-desktop/index.html#sudo

Step 2: login to machine as ordinary user, which is allowed to use sudo.
Step 3: run command
 sudo -l
 // this command should show you which commands can be executed as root
 // with sudo
Step 4: If there weren't any problems then user will be able to run command.
 sudo some_command_listed_in_step3

LS



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Tevfik Ceydeliler


I think something is wrong or missing in my configuration:
user1@clnt:~$ sudo /usr/bin/apt-get install
[sudo] password for user1:
user1 is not allowed to run sudo on clnt.  This incident will be reported.
On 01-09-2014 16:05, Natxo Asenjo wrote:




On Mon, Sep 1, 2014 at 2:48 PM, Tevfik Ceydeliler 
> wrote:


Actually, all I want to do is give permission to a user to use some
command, for example apt-get or something else.
I think I can do it with IPA,
right?

sure, I do it all the time. But Lukas was pointing to the fact that 
there are no sudo commands in the example you posted.


there should be something like:


sudo /usr/bin/apt-get (running as user1, so you need to login as that 
user first and then run the sudo command).


instead of su - user1 apt-get install ..


On 01-09-2014 15:42, Lukas Slebodnik wrote:

Last login: Mon Sep  1 13:47:08 2014 from 10.65.8.100
>user1@clnt:~$ su - user1 apt-get install
>Password:
>/usr/bin/apt-get: /usr/bin/apt-get: cannot execute binary file
>
>Does anyone have an article about ubuntu+ipa integration?


-


--
--
Groeten,
natxo



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Natxo Asenjo
On Mon, Sep 1, 2014 at 2:48 PM, Tevfik Ceydeliler <
tevfik.ceydeli...@astron.yasar.com.tr> wrote:

>  Actually, all I want to do is give permission to a user to use some command,
> for example apt-get or something else.
> I think I can do it with IPA,
> right?
>
>
sure, I do it all the time. But Lukas was pointing to the fact that there
are no sudo commands in the example you posted.

there should be something like:


sudo /usr/bin/apt-get (running as user1, so you need to login as that user
first and then run the sudo command).

instead of su - user1 apt-get install ..


On 01-09-2014 15:42, Lukas Slebodnik wrote:
>
> Last login: Mon Sep  1 13:47:08 2014 from 10.65.8.100
> >user1@clnt:~$ su - user1 apt-get install
> >Password:
> >/usr/bin/apt-get: /usr/bin/apt-get: cannot execute binary file
> >
> >Does anyone have an article about ubuntu+ipa integration?
>
> -
>

-- 
--
Groeten,
natxo

Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Lukas Slebodnik
On (01/09/14 15:48), Tevfik Ceydeliler wrote:
>
>Actually, all I want to do is give permission to a user to use some command, for
>example apt-get or something else.
>I think I can do it with IPA,
>right?
Yes, but you need to use sudo.

Step 1: configure sudo rules for ordinary user
Please follow the instructions from FreeIPA documentation.
http://www.freeipa.org/docs/master/html-desktop/index.html#sudo

Step 2: login to machine as ordinary user, which is allowed to use sudo.
Step 3: run command
sudo -l
// this command should show you which commands can be executed as root
// with sudo
Step 4: If there weren't any problems then user will be able to run command.
sudo some_command_listed_in_step3

LS



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Tevfik Ceydeliler


Actually, all I want to do is give permission to a user to use some 
command, for example apt-get or something else.

I think I can do it with IPA,
right?
On 01-09-2014 15:42, Lukas Slebodnik wrote:

Last login: Mon Sep  1 13:47:08 2014 from 10.65.8.100
>user1@clnt:~$ su - user1 apt-get install
>Password:
>/usr/bin/apt-get: /usr/bin/apt-get: cannot execute binary file
>
>Does anyone have an article about ubuntu+ipa integration?



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Lukas Slebodnik
On (01/09/14 15:38), Tevfik Ceydeliler wrote:
>
>I correct that line.
>But still same:
>tevfik@Darktower ~ $ ssh user1@10.1.1.174
>user1@10.1.1.174's password:
>Permission denied, please try again.
>user1@10.1.1.174's password:
>Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-24-generic x86_64)
>
> * Documentation:  https://help.ubuntu.com/
>
>Last login: Mon Sep  1 13:47:08 2014 from 10.65.8.100
>user1@clnt:~$ su - user1 apt-get install
>Password:
>/usr/bin/apt-get: /usr/bin/apt-get: cannot execute binary file
>
>Does anyone have an article about ubuntu+ipa integration?
And when (where) was the sudo command used?

LS



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Tevfik Ceydeliler


I corrected that line.
But it's still the same:
tevfik@Darktower ~ $ ssh user1@10.1.1.174
user1@10.1.1.174's password:
Permission denied, please try again.
user1@10.1.1.174's password:
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Mon Sep  1 13:47:08 2014 from 10.65.8.100
user1@clnt:~$ su - user1 apt-get install
Password:
/usr/bin/apt-get: /usr/bin/apt-get: cannot execute binary file

Does anyone have an article about ubuntu+ipa integration?

On 01-09-2014 14:18, Alexander Bokovoy wrote:

On Mon, 01 Sep 2014, Tevfik Ceydeliler wrote:


I moved those lines. But it's still the same.

As Jakub pointed out, the following option is also wrong:

ldap=sasl_authid = host/cnlt2.ipa.grp

it should be

ldap_sasl_authid = host/cnlt2.ipa.grp

note _ instead of = between ldap and sasl.


On 01-09-2014 12:20, Alexander Bokovoy wrote:

On Mon, 01 Sep 2014, Tevfik Ceydeliler wrote:


libsss-sudo is already installed.
Here is my sssd.conf:
[domain/ipa.grp]
krb5_realm = IPA.GRP
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.grp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = clnt.ipa.grp
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, srv.ipa.grp
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ipa.grp


The options below have to be in the [domain/...] section:

ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
ldap_sasl_mech = GSSAPI
ldap=sasl_authid = host/cnlt2.ipa.grp
ldap_sasl_realm = IPA.GRP
ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
sudo_provider = ldap
ldap_uri = ldap://srv.ipa.grp
krb5_server = srv.ipa.grp









Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Lukas Slebodnik
On (01/09/14 12:20), Alexander Bokovoy wrote:
>On Mon, 01 Sep 2014, Tevfik Ceydeliler wrote:
>>
>>libsss-sudo already installed.
>>Here is my sssd.conf:
>>[domain/ipa.grp]
>>krb5_realm = IPA.GRP
>>cache_credentials = True
>>krb5_store_password_if_offline = True
>>ipa_domain = ipa.grp
>>id_provider = ipa
>>auth_provider = ipa
>>access_provider = ipa
>>ipa_hostname = clnt.ipa.grp
>>chpass_provider = ipa
>>ipa_dyndns_update = True
>>ipa_server = _srv_, srv.ipa.grp
>>ldap_tls_cacert = /etc/ipa/ca.crt
>>[sssd]
>>services = nss, pam, ssh, sudo
>>config_file_version = 2
>>domains = ipa.grp
>

Alexander,
just for your information: these options are not necessary.
sssd-1.11 has sudo_provider ipa. It should work out of the box.

Tevfik,
I wrote you that you should follow the instructions for configuring sudo
from the manual page sssd-sudo.

If it does not help, please send us the log file. It will not help us to find
the problem if you write "It is still the same". Follow slide 18 from the presentation[1].
It describes how to obtain debugging information.

LS

[1] http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Alexander Bokovoy

On Mon, 01 Sep 2014, Tevfik Ceydeliler wrote:


I moved those lines. But still the same.

As Jakub pointed out, the following option is also wrong:

ldap=sasl_authid = host/cnlt2.ipa.grp

it should be

ldap_sasl_authid = host/cnlt2.ipa.grp

note _ instead of = between ldap and sasl.


On 01-09-2014 12:20, Alexander Bokovoy wrote:

On Mon, 01 Sep 2014, Tevfik Ceydeliler wrote:


libsss-sudo already installed.
Here is my sssd.conf:
[domain/ipa.grp]
krb5_realm = IPA.GRP
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.grp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = clnt.ipa.grp
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, srv.ipa.grp
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ipa.grp


The options below have to be in [domain/...] section:

ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
ldap_sasl_mech = GSSAPI
ldap=sasl_authid = host/cnlt2.ipa.grp
ldap_sasl_realm = IPA.GRP
ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
sudo_provider = ldap
ldap_uri = ldap://srv.ipa.grp
krb5_server = srv.ipa.grp






--
/ Alexander Bokovoy



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Tevfik Ceydeliler


I moved those lines. But still the same.
On 01-09-2014 12:20, Alexander Bokovoy wrote:

On Mon, 01 Sep 2014, Tevfik Ceydeliler wrote:


libsss-sudo already installed.
Here is my sssd.conf:
[domain/ipa.grp]
krb5_realm = IPA.GRP
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.grp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = clnt.ipa.grp
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, srv.ipa.grp
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ipa.grp


The options below have to be in [domain/...] section:

ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
ldap_sasl_mech = GSSAPI
ldap=sasl_authid = host/cnlt2.ipa.grp
ldap_sasl_realm = IPA.GRP
ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
sudo_provider = ldap
ldap_uri = ldap://srv.ipa.grp
krb5_server = srv.ipa.grp





Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Jakub Hrozek
On Mon, Sep 01, 2014 at 12:20:21PM +0300, Alexander Bokovoy wrote:
> On Mon, 01 Sep 2014, Tevfik Ceydeliler wrote:
> >
> >libsss-sudo already installed.
> >Here is my sssd.conf:
> >[domain/ipa.grp]
> >krb5_realm = IPA.GRP
> >cache_credentials = True
> >krb5_store_password_if_offline = True
> >ipa_domain = ipa.grp
> >id_provider = ipa
> >auth_provider = ipa
> >access_provider = ipa
> >ipa_hostname = clnt.ipa.grp
> >chpass_provider = ipa
> >ipa_dyndns_update = True
> >ipa_server = _srv_, srv.ipa.grp
> >ldap_tls_cacert = /etc/ipa/ca.crt
> >[sssd]
> >services = nss, pam, ssh, sudo
> >config_file_version = 2
> >domains = ipa.grp
> 
> The options below have to be in [domain/...] section:
> >ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
> >ldap_sasl_mech = GSSAPI
> >ldap=sasl_authid = host/cnlt2.ipa.grp

Moreover, this seems to be a typo (ldap=sasl_authid instead of
ldap_sasl_authid).

> >ldap_sasl_realm = IPA.GRP
> >ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
> >sudo_provider = ldap
> >ldap_uri = ldap://srv.ipa.grp
> >krb5_server = srv.ipa.grp
> 
> -- 
> / Alexander Bokovoy
> 


Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Alexander Bokovoy

On Mon, 01 Sep 2014, Tevfik Ceydeliler wrote:


libsss-sudo already installed.
Here is my sssd.conf:
[domain/ipa.grp]
krb5_realm = IPA.GRP
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.grp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = clnt.ipa.grp
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, srv.ipa.grp
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ipa.grp


The options below have to be in [domain/...] section:

ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
ldap_sasl_mech = GSSAPI
ldap=sasl_authid = host/cnlt2.ipa.grp
ldap_sasl_realm = IPA.GRP
ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
sudo_provider = ldap
ldap_uri = ldap://srv.ipa.grp
krb5_server = srv.ipa.grp


--
/ Alexander Bokovoy



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Tevfik Ceydeliler


libsss-sudo already installed.
Here is my sssd.conf:
[domain/ipa.grp]
krb5_realm = IPA.GRP
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.grp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = clnt.ipa.grp
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, srv.ipa.grp
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ipa.grp
ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
ldap_sasl_mech = GSSAPI
ldap=sasl_authid = host/cnlt2.ipa.grp
ldap_sasl_realm = IPA.GRP
ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
sudo_provider = ldap
ldap_uri = ldap://srv.ipa.grp
krb5_server = srv.ipa.grp
debulg_level = 6
[nss]
homedir_substring = /home
[pam]

[sudo]
debug_level = 6
[autofs]

[ssh]

[pac

On 01-09-2014 10:12, Lukas Slebodnik wrote:

On (01/09/14 09:59), Tevfik Ceydeliler wrote:

Client side:
sssd --> 1.11.5
sudo --> 1.8.9p5-1ubuntu1 (sudo-ldap package conflicts)

That's good. The package sudo-ldap is not compiled with sssd support.


OS --> Ubuntu 14.04.1 LTS

Do you have the package libsss-sudo installed?

Could you show us your sssd.conf file?

BTW: Instructions for configuring sudo with the SSSD back end
are in the man page sssd-sudo.

LS



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Lukas Slebodnik
On (01/09/14 09:59), Tevfik Ceydeliler wrote:
>
>Client side:
>sssd --> 1.11.5
>sudo --> 1.8.9p5-1ubuntu1 (sudo-ldap package conflicts)
That's good. The package sudo-ldap is not compiled with sssd support.

>OS --> Ubuntu 14.04.1 LTS
Do you have the package libsss-sudo installed?

Could you show us your sssd.conf file?

BTW: Instructions for configuring sudo with the SSSD back end
are in the man page sssd-sudo.

LS



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Tevfik Ceydeliler


Client side:
sssd --> 1.11.5
sudo --> 1.8.9p5-1ubuntu1 (sudo-ldap package conflicts)
OS --> Ubuntu 14.04.1 LTS


On 29-08-2014 17:53, Lukas Slebodnik wrote:

On (29/08/14 17:37), Tevfik Ceydeliler wrote:

Thanks for the document. I know this.
I think there is no problem about the configuration generally. Maybe some niche
details.
The problem is why it doesn't work in my test env.


Could you write more details about version of sssd, sudo?
Which ubuntu release do you use?
...

LS



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Tevfik Ceydeliler


Hi
sssd_sudo.log is attached
But there is no sssd_domain_name.log (in my case sssd_ipa.grp.log).


On 29-08-2014 16:14, Jakub Hrozek wrote:

On Fri, Aug 29, 2014 at 03:07:08PM +0200, Jakub Hrozek wrote:

On Fri, Aug 29, 2014 at 03:45:38PM +0300, Tevfik Ceydeliler wrote:

this package is installed

root@clnt:/home/awtadm# apt-get install libsss-sudo
Reading package lists... Done
Building dependency tree
Reading state information... Done
libsss-sudo is already the newest version.
libsss-sudo set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.

sssd_sudo and sssd_domain logs are empty under /var/log/sssd

You need to put debug_level=N into the [sssd] and [domain] sections,

Sorry I meant to say [sudo] and [domain] sections.


restart sssd, then you'll have some logs. We only log critical failures
by default.

6 is a good start for the log level usually.


On 29-08-2014 14:23, Jakub Hrozek wrote:

On Fri, Aug 29, 2014 at 01:15:28PM +0300, Tevfik Ceydeliler wrote:

I moved these configuration lines under the [domain] section. Then rebooted the
client. But the same result.

Please make sure libsss_sudo is installed. If it is, then we need to see
the logs from the [sudo] and [domain] sections of sssd.conf



(Mon Sep  1 09:53:58 2014) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Mon Sep  1 09:53:58 2014) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Sep  1 09:53:58 2014) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Sep  1 09:53:58 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'user1' matched without domain, user is user1
(Mon Sep  1 09:53:58 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Sep  1 09:53:58 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'user1' matched without domain, user is user1
(Mon Sep  1 09:53:58 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Sep  1 09:53:58 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [user1] from [<ALL>]
(Mon Sep  1 09:53:58 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [us...@ipa.grp]
(Mon Sep  1 09:53:58 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [us...@ipa.grp]
(Mon Sep  1 09:53:58 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [user1] from [ipa.grp]
(Mon Sep  1 09:53:58 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=user1)(sudoUser=#142344)(sudoUser=%user1)(sudoUser=+*))(&(dataExpireTimestamp<=1409554438)))]
(Mon Sep  1 09:53:58 2014) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40c150:0:1:us...@ipa.grp]
(Mon Sep  1 09:53:58 2014) [sssd[sudo]] [sss_dp_get_sudoers_msg] (0x0400): Creating SUDOers request for [ipa.grp][7][user1][1]
(Mon Sep  1 09:53:58 2014) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40c150:0:1:us...@ipa.grp]
(Mon Sep  1 09:53:58 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=default

Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-08-29 Thread Lukas Slebodnik
On (29/08/14 17:37), Tevfik Ceydeliler wrote:
>
>Thanks for the document. I know this.
>I think there is no problem about the configuration generally. Maybe some niche
>details.
>The problem is why it doesn't work in my test env.
>
Could you write more details about version of sssd, sudo?
Which ubuntu release do you use?
...

LS



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-08-29 Thread Tevfik Ceydeliler


Thanks for the document. I know this.
I think there is no problem about the configuration generally. Maybe some
niche details.

The problem is why it doesn't work in my test env.

On 29-08-2014 16:44, Lukas Slebodnik wrote:

On (28/08/14 14:15), Tevfik Ceydeliler wrote:

Hi,
I try to apply sudo policies on an Ubuntu client.
Are there any examples of how to apply them?
Regards...

You may be interested in this presentation.
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

LS



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-08-29 Thread Lukas Slebodnik
On (28/08/14 14:15), Tevfik Ceydeliler wrote:
>
>Hi,
>I try to apply sudo policies on an Ubuntu client.
>Are there any examples of how to apply them?
>Regards...
You may be interested in this presentation.
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

LS



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-08-29 Thread Jakub Hrozek
On Fri, Aug 29, 2014 at 03:07:08PM +0200, Jakub Hrozek wrote:
> On Fri, Aug 29, 2014 at 03:45:38PM +0300, Tevfik Ceydeliler wrote:
> > 
> > this package is installed
> > 
> > root@clnt:/home/awtadm# apt-get install libsss-sudo
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > libsss-sudo is already the newest version.
> > libsss-sudo set to manually installed.
> > 0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.
> > 
> > sssd_sudo and sssd_domain logs are empty under /var/log/sssd
> 
> You need to put debug_level=N into the [sssd] and [domain] sections,

Sorry I meant to say [sudo] and [domain] sections.

> restart sssd, then you'll have some logs. We only log critical failures
> by default.
> 
> 6 is a good start for the log level usually.
> 
> > 
> > On 29-08-2014 14:23, Jakub Hrozek wrote:
> > >On Fri, Aug 29, 2014 at 01:15:28PM +0300, Tevfik Ceydeliler wrote:
> > >>I moved these configuration lines under the [domain] section. Then rebooted the
> > >>client. But the same result.
> > >Please make sure libsss_sudo is installed. If it is, then we need to see
> > >the logs from the [sudo] and [domain] sections of sssd.conf
> > 


Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-08-29 Thread Jakub Hrozek
On Fri, Aug 29, 2014 at 03:45:38PM +0300, Tevfik Ceydeliler wrote:
> 
> this package is installed
> 
> root@clnt:/home/awtadm# apt-get install libsss-sudo
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> libsss-sudo is already the newest version.
> libsss-sudo set to manually installed.
> 0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.
> 
> sssd_sudo and sssd_domain logs are empty under /var/log/sssd

You need to put debug_level=N into the [sssd] and [domain] sections,
restart sssd, then you'll have some logs. We only log critical failures
by default.

6 is a good start for the log level usually.

> 
> On 29-08-2014 14:23, Jakub Hrozek wrote:
> >On Fri, Aug 29, 2014 at 01:15:28PM +0300, Tevfik Ceydeliler wrote:
> >>I moved these configuration lines under the [domain] section. Then rebooted the
> >>client. But the same result.
> >Please make sure libsss_sudo is installed. If it is, then we need to see
> >the logs from the [sudo] and [domain] sections of sssd.conf
> 


Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-08-29 Thread Tevfik Ceydeliler


this package is installed

root@clnt:/home/awtadm# apt-get install libsss-sudo
Reading package lists... Done
Building dependency tree
Reading state information... Done
libsss-sudo is already the newest version.
libsss-sudo set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.

sssd_sudo and sssd_domain logs are empty under /var/log/sssd

On 29-08-2014 14:23, Jakub Hrozek wrote:

On Fri, Aug 29, 2014 at 01:15:28PM +0300, Tevfik Ceydeliler wrote:

I moved these configuration lines under the [domain] section. Then rebooted the
client. But the same result.

Please make sure libsss_sudo is installed. If it is, then we need to see
the logs from the [sudo] and [domain] sections of sssd.conf



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-08-29 Thread Jakub Hrozek
On Fri, Aug 29, 2014 at 01:15:28PM +0300, Tevfik Ceydeliler wrote:
> 
> I moved these configuration lines under the [domain] section. Then rebooted the
> client. But the same result.

Please make sure libsss_sudo is installed. If it is, then we need to see
the logs from the [sudo] and [domain] sections of sssd.conf



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-08-29 Thread Tevfik Ceydeliler


I moved these configuration lines under the [domain] section. Then rebooted
the client. But the same result.


On 29-08-2014 11:27, Jakub Hrozek wrote:

On Fri, Aug 29, 2014 at 09:30:55AM +0300, Tevfik Ceydeliler wrote:

Here is my configuration and client output. I don't know what is wrong.

Please keep the freeipa-users list in the CC list; other users might run
into the same problem.


===
Server Side:
[root@srv ~]# ipa sudorule-find
---
1 Sudo Rule matched
---
   Rule name: log-reading
   Enabled: TRUE
   Users: kduser1, user1
   Hosts: clnt2.ipa.grp, clnt.ipa.grp
   Sudo Allow Commands: /usr/bin/less, /usr/bin/vi, /usr/bin/yum,
/usr/bin/apt-
get
   Sudo Option: !authenticate

Number of entries returned 1



And client side:
1. nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat sss
group:  compat sss
shadow: compat

hosts:  files mdns4_minimal [NOTFOUND=return] dns
networks:   files

protocols:  sss files
services:   sss files
ethers:     sss files
rpc:        sss files

netgroup:   nis sss
sudoers:    files sss
sudoers_debug:  1

2. sssd.conf:

[domain/ipa.grp]
krb5_realm = IPA.GRP
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.grp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = clnt.ipa.grp
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, srv.ipa.grp
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ipa.grp
[nss]
homedir_substring = /home
[pam]

[sudo]

[autofs]

[ssh]

[pac]

ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
ldap_sasl_mech = GSSAPI
ldap=sasl_authid = host/cnlt2.ipa.grp
ldap_sasl_realm = IPA.GRP
ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
sudo_provider = ldap
ldap_uri = ldap://srv.ipa.grp
krb5_server = srv.ipa.grp

These options belong to the [domain] section, you put them into the
[pac] section.


When I try to use sudo:

user1@clnt:~$ sudo -i user1 vi apt-get update
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/bin/bash -c user1 vi apt-get
update' as root on clnt.ipa.grp.
user1@clnt:~$

===
On 28-08-2014 17:21, Jakub Hrozek wrote:

On Thu, Aug 28, 2014 at 02:53:35PM +0300, Tevfik Ceydeliler wrote:

After configuration, for example, I try to create a policy about the sudo
command, let's say I want to run the "apt-get" command by sudo as client.

How can I use it in client side?
Any example?

I still don't understand what you mean, did you check out the 'ipa
sudorule-add-runasuser' command?


Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-08-29 Thread Tevfik Ceydeliler


ok sorry.
On 29-08-2014 11:27, Jakub Hrozek wrote:

On Fri, Aug 29, 2014 at 09:30:55AM +0300, Tevfik Ceydeliler wrote:

Here is my configuration and client output. I don't know what is wrong

Please keep the freeipa-users list in the CC list; other users might run
into the same problem.


===
Server Side:
[root@srv ~]# ipa sudorule-find
---
1 Sudo Rule matched
---
   Rule name: log-reading
   Enabled: TRUE
   Users: kduser1, user1
   Hosts: clnt2.ipa.grp, clnt.ipa.grp
   Sudo Allow Commands: /usr/bin/less, /usr/bin/vi, /usr/bin/yum, /usr/bin/apt-get
   Sudo Option: !authenticate

Number of entries returned 1



And client side:
1. nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat sss
group:  compat sss
shadow: compat

hosts:  files mdns4_minimal [NOTFOUND=return] dns
networks:   files

protocols:  sss files
services:   sss files
ethers: sss files
rpc:sss files

netgroup:   nis sss
sudoers:files sss
sudoers_debug:  1

2. sssd.conf:

[domain/ipa.grp]
krb5_realm = IPA.GRP
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.grp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = clnt.ipa.grp
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, srv.ipa.grp
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ipa.grp
[nss]
homedir_substring = /home
[pam]

[sudo]

[autofs]

[ssh]

[pac]

ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
ldap_sasl_mech = GSSAPI
ldap=sasl_authid = host/cnlt2.ipa.grp
ldap_sasl_realm = IPA.GRP
ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
sudo_provider = ldap
ldap_uri = ldap://srv.ipa.grp
krb5_server = srv.ipa.grp

These options belong to the [domain] section, you put them into the
[pac] section.


When I try to use sudo:

user1@clnt:~$ sudo -i user1 vi apt-get update
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/bin/bash -c user1 vi apt-get
update' as root on clnt.ipa.grp.
user1@clnt:~$

===
On 28-08-2014 17:21, Jakub Hrozek wrote:

On Thu, Aug 28, 2014 at 02:53:35PM +0300, Tevfik Ceydeliler wrote:

After configuration, for example, I try to create a policy about the sudo
command, let's say I want to run the "apt-get" command by sudo as client

How can I use it in client side?
Any example?

I still don't understand what you mean, did you check out the 'ipa
sudorule-add-runasuser' command?


Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-08-29 Thread Jakub Hrozek
On Fri, Aug 29, 2014 at 09:30:55AM +0300, Tevfik Ceydeliler wrote:
> 
> Here is my configuration and client output. I don't know what is wrong

Please keep the freeipa-users list in the CC list; other users might run
into the same problem.

> ===
> Server Side:
> [root@srv ~]# ipa sudorule-find
> ---
> 1 Sudo Rule matched
> ---
>   Rule name: log-reading
>   Enabled: TRUE
>   Users: kduser1, user1
>   Hosts: clnt2.ipa.grp, clnt.ipa.grp
>   Sudo Allow Commands: /usr/bin/less, /usr/bin/vi, /usr/bin/yum, /usr/bin/apt-get
>   Sudo Option: !authenticate
> 
> Number of entries returned 1
> 
> 
> 
> And client side:
> 1. nsswitch.conf:
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd: compat sss
> group:  compat sss
> shadow: compat
> 
> hosts:  files mdns4_minimal [NOTFOUND=return] dns
> networks:   files
> 
> protocols:  sss files
> services:   sss files
> ethers: sss files
> rpc:sss files
> 
> netgroup:   nis sss
> sudoers:files sss
> sudoers_debug:  1
> 
> 2. sssd.conf:
> 
> [domain/ipa.grp]
> krb5_realm = IPA.GRP
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.grp
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = clnt.ipa.grp
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, srv.ipa.grp
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = ipa.grp
> [nss]
> homedir_substring = /home
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
> ldap_sasl_mech = GSSAPI
> ldap=sasl_authid = host/cnlt2.ipa.grp
> ldap_sasl_realm = IPA.GRP
> ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
> sudo_provider = ldap
> ldap_uri = ldap://srv.ipa.grp
> krb5_server = srv.ipa.grp

These options belong to the [domain] section, you put them into the
[pac] section.

> 
> When I try to use sudo:
> 
> user1@clnt:~$ sudo -i user1 vi apt-get update
> [sudo] password for user1:
> Sorry, user user1 is not allowed to execute '/bin/bash -c user1 vi apt-get
> update' as root on clnt.ipa.grp.
> user1@clnt:~$
> 
> ===
> On 28-08-2014 17:21, Jakub Hrozek wrote:
> >On Thu, Aug 28, 2014 at 02:53:35PM +0300, Tevfik Ceydeliler wrote:
> >>After configuration, for example, I try to create a policy about the sudo
> >>command, let's say I want to run the "apt-get" command by sudo as client
> >>
> >>How can I use it in client side?
> >>Any example?
> >I still don't understand what you mean, did you check out the 'ipa
> >sudorule-add-runasuser' command?
> 
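As an added example (not code from this thread or from SSSD itself), here is a small Python checker that parses an sssd.conf and reports domain-only options that have landed in another section, which is exactly the misplacement Jakub points out above ([pac] instead of [domain/ipa.grp]). The option list and the sample config are assumptions constructed from the posted file, not an exhaustive list of SSSD's domain options.

```python
import configparser

# Options sssd only honours inside a [domain/NAME] section. Assumption: a
# hand-picked subset limited to the names that appear in this thread.
DOMAIN_ONLY_OPTIONS = {
    "ldap_sudo_search_base", "ldap_sasl_mech", "ldap_sasl_authid",
    "ldap_sasl_realm", "ldap_netgroup_search_base", "sudo_provider",
    "ldap_uri", "krb5_server", "id_provider", "auth_provider",
}

# Constructed sample mirroring the posted client config: the sudo/LDAP
# options sit under [pac] instead of [domain/ipa.grp].
SAMPLE_SSSD_CONF = """
[domain/ipa.grp]
id_provider = ipa
ipa_server = _srv_, srv.ipa.grp
[sssd]
services = nss, pam, ssh, sudo
domains = ipa.grp
[pac]
ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
ldap_sasl_mech = GSSAPI
ldap_sasl_realm = IPA.GRP
sudo_provider = ldap
ldap_uri = ldap://srv.ipa.grp
krb5_server = srv.ipa.grp
"""


def parse_sssd_conf(text):
    """Return {section: {option: value}} for sssd.conf-style text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def find_misplaced_options(sections):
    """List (section, option) pairs for domain-only options found elsewhere."""
    return [(sec, opt) for sec, opts in sections.items()
            if not sec.startswith("domain/")
            for opt in opts if opt in DOMAIN_ONLY_OPTIONS]


def relocate_to_domain(sections):
    """Return a copy with each misplaced option moved into the single domain section."""
    fixed = {sec: dict(opts) for sec, opts in sections.items()}
    domains = [s for s in fixed if s.startswith("domain/")]
    if len(domains) != 1:
        raise ValueError("expected exactly one [domain/...] section")
    for sec, opt in find_misplaced_options(fixed):
        fixed[domains[0]].setdefault(opt, fixed[sec].pop(opt))
    return fixed
```

Running `find_misplaced_options(parse_sssd_conf(SAMPLE_SSSD_CONF))` on the sample lists the six options under [pac]; `relocate_to_domain` moves them under [domain/ipa.grp] without overwriting options the domain section already has.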


Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-08-28 Thread Jakub Hrozek
On Thu, Aug 28, 2014 at 02:15:43PM +0300, Tevfik Ceydeliler wrote:
> 
> Hi,
> I try to apply sudo policies on ubuntu client.
> Is there any examples how to apply it?
> Regards...

Depends on your sssd and sudo versions but in general I don't think
there are any Ubuntu-specific issues.

As long as you have sssd 1.9+ and sudo 1.8+ you should be good.



[Freeipa-users] How to use sudo rules on ubuntu

2014-08-28 Thread Tevfik Ceydeliler


Hi,
I try to apply sudo policies on ubuntu client.
Is there any examples how to apply it?
Regards...