Re: [Freeipa-users] sudo and NIS domain name

2014-05-09 Thread Dean Hunter
On Fri, 2014-05-09 at 10:28 +0200, Lukas Slebodnik wrote:

> On (08/05/14 19:46), Dean Hunter wrote:
> >On Mon, 2014-05-05 at 10:02 -0400, Rob Crittenden wrote:
> >
> >> Dean Hunter wrote:
> >> > On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote:
> >> >> On (03/05/14 10:39), Dean Hunter wrote:
> >> >> >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:
> >> >> >
> >> >> >> On (01/05/14 15:53), Dean Hunter wrote:
> >> >> >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
> >> >> >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
> >> >> >> >>
> >> >> >> >> >
> >> >> >> >> > I just noticed that I had been incorrectly setting the NIS 
> >> >> >> >> > domain
> >> >> >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I 
> >> >> >> >> > appear to
> >> >> >> >> > be successfully retrieving and using sudo rules from FreeIPA.  
> >> >> >> >> > Is
> >> >> >> >> > sudo still using NIS-style netgroups?  Is there still a 
> >> >> >> >> > requirement
> >> >> >> >> > to set the NIS domain name?
> >> >> >> >>
> >> >> >> >>
> >> >> >> >> I think NIS domain is needed for netgroups. If you are not using
> >> >> >> >> netgroups in the sudo rules but just user groups you should be 
> >> >> >> >> fine.
> >> >> >> >> Is this the case with you?
> >> >> >> >> If not please provide the logs and config.
> >> >> >> >>
> >> >> >> >
> >> >> >> >I am not aware of using netgroups, either the IPA object or any 
> >> >> >> >other
> >> >> >> >kind.  I just remember that when I was first configuring sudo to
> >> >> >> >retrieve rules from IPA it would not work until I set nisdomainname
> >> >> >> >in /etc/rc.d/rc.local.  Here is the quote from section 14.4 of the
> >> >> >> >manual:
> >> >> >> >
> >> >> >> >
> >> >> >> >Even though sudo uses NIS-style netgroups, it is not 
> >> >> >> > necessary
> >> >> >> >to have a NIS server installed. Netgroups require that a NIS
> >> >> >> >domain be named in their configuration, so sudo requires 
> >> >> >> > that a
> >> >> >> >NIS domain be named for netgroups. However, that NIS domain 
> >> >> >> > does
> >> >> >> >not actually need to exist.
> >> >> >> >
> >> >> >> >
> >> >> >> >With Fedora 20 I can no longer find the emulation of rc.local that
> >> >> >> >existed in Fedora 19.  I did find fedora-domainname.service and 
> >> >> >> >started
> >> >> >> >and enabled it but neglected to configure /etc/sysconfig/network.  
> >> >> >> >Yet
> >> >> >> >IPA sudo rules appear to work.
> >> >> >> >
> >> >> >> Hope it helps you
> >> >> >>http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html
> >> >> >>
> >> >> >> LS
> >> >> >
> >> >> >
> >> >> >Thank you.  Now that you point it out, I remember that this thread is
> >> >> >where I first learned about fedora-domainname.service.  I see:
> >> >> >
> >> >> >You would also need to set NIS domain name, otherwise SUDO will
> >> >> >not correctly recognize SUDO rules targeted on host groups,
> >> >>   ^^
> >> >>   This is the important part
> >> >> >instead of hosts:
> >> >> >
> >> >> >which explains when sudo would need the NIS domain name.  Since my sudo
> >> >> >rules address user groups I guess there is no requirement for NIS domain
> >> >> >name since they are working just fine:
> >> >> Your sudo rules use host groups.
> >> >>
> >> >> >
> >> >> >ipa sudorule-add            desktop-admins --desc "Desktop Administrators"
> >> >> >ipa sudorule-mod            desktop-admins --cmdcat all
> >> >> >ipa sudorule-add-host       desktop-admins --hostgroups desktops
> >> >> >ipa sudorule-add-option     desktop-admins --sudooption "!authenticate"
> >> >> >ipa sudorule-add-runasuser  desktop-admins --users root
> >> >> >ipa sudorule-add-runasgroup desktop-admins --groups root
> >> >> >ipa sudorule-add-user       desktop-admins --groups desktop-admins
> >> >> >
> >> >> >ipa sudorule-add            server-admins  --desc "Server Administrators"
> >> >> >ipa sudorule-mod            server-admins  --cmdcat all
> >> >> >ipa sudorule-add-host       server-admins  --hostgroups servers
> >> >> Host groups are the reason why you need to configure the NIS domain name.
> >> >> Host groups are also available as netgroups in the compat tree, and sudo reads
> >> >> information from netgroups.
> >> >>
> >> >> >ipa sudorule-add-option     server-admins  --sudooption "!authenticate"
> >> >> >ipa sudorule-add-runasuser  server-admins  --users root
> >> >> >ipa sudorule-add-runasgroup server-admins  --groups root
> >> >> >ipa sudorule-add-user       server-admins  --groups server-admins
> >> >> >
> >> >> >However, I was really asking whether there had been a chang

Re: [Freeipa-users] sudo and NIS domain name

2014-05-09 Thread Lukas Slebodnik
On (08/05/14 19:46), Dean Hunter wrote:
>On Mon, 2014-05-05 at 10:02 -0400, Rob Crittenden wrote:
>
>> Dean Hunter wrote:
>> > On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote:
>> >> On (03/05/14 10:39), Dean Hunter wrote:
>> >> >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:
>> >> >
>> >> >> On (01/05/14 15:53), Dean Hunter wrote:
>> >> >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
>> >> >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
>> >> >> >>
>> >> >> >> >
>> >> >> >> > I just noticed that I had been incorrectly setting the NIS domain
>> >> >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear 
>> >> >> >> > to
>> >> >> >> > be successfully retrieving and using sudo rules from FreeIPA.  Is
>> >> >> >> > sudo still using NIS-style netgroups?  Is there still a 
>> >> >> >> > requirement
>> >> >> >> > to set the NIS domain name?
>> >> >> >>
>> >> >> >>
>> >> >> >> I think NIS domain is needed for netgroups. If you are not using
>> >> >> >> netgroups in the sudo rules but just user groups you should be fine.
>> >> >> >> Is this the case with you?
>> >> >> >> If not please provide the logs and config.
>> >> >> >>
>> >> >> >
>> >> >> >I am not aware of using netgroups, either the IPA object or any other
>> >> >> >kind.  I just remember that when I was first configuring sudo to
>> >> >> >retrieve rules from IPA it would not work until I set nisdomainname
>> >> >> >in /etc/rc.d/rc.local.  Here is the quote from section 14.4 of the
>> >> >> >manual:
>> >> >> >
>> >> >> >
>> >> >> >Even though sudo uses NIS-style netgroups, it is not necessary
>> >> >> >to have a NIS server installed. Netgroups require that a NIS
>> >> >> >domain be named in their configuration, so sudo requires that 
>> >> >> > a
>> >> >> >NIS domain be named for netgroups. However, that NIS domain 
>> >> >> > does
>> >> >> >not actually need to exist.
>> >> >> >
>> >> >> >
>> >> >> >With Fedora 20 I can no longer find the emulation of rc.local that
>> >> >> >existed in Fedora 19.  I did find fedora-domainname.service and 
>> >> >> >started
>> >> >> >and enabled it but neglected to configure /etc/sysconfig/network.  Yet
>> >> >> >IPA sudo rules appear to work.
>> >> >> >
>> >> >> Hope it helps you
>> >> >>http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html
>> >> >>
>> >> >> LS
>> >> >
>> >> >
>> >> >Thank you.  Now that you point it out, I remember that this thread is
>> >> >where I first learned about fedora-domainname.service.  I see:
>> >> >
>> >> >You would also need to set NIS domain name, otherwise SUDO will
>> >> >not correctly recognize SUDO rules targeted on host groups,
>> >>   ^^
>> >>   This is the important part
>> >> >instead of hosts:
>> >> >
>> >> >which explains when sudo would need the NIS domain name.  Since my sudo
>> >> >rules address user groups I guess there is no requirement for NIS domain
>> >> >name since they are working just fine:
>> >> Your sudo rules use host groups.
>> >>
>> >> >
>> >> >ipa sudorule-add            desktop-admins --desc "Desktop Administrators"
>> >> >ipa sudorule-mod            desktop-admins --cmdcat all
>> >> >ipa sudorule-add-host       desktop-admins --hostgroups desktops
>> >> >ipa sudorule-add-option     desktop-admins --sudooption "!authenticate"
>> >> >ipa sudorule-add-runasuser  desktop-admins --users root
>> >> >ipa sudorule-add-runasgroup desktop-admins --groups root
>> >> >ipa sudorule-add-user       desktop-admins --groups desktop-admins
>> >> >
>> >> >ipa sudorule-add            server-admins  --desc "Server Administrators"
>> >> >ipa sudorule-mod            server-admins  --cmdcat all
>> >> >ipa sudorule-add-host       server-admins  --hostgroups servers
>> >> Host groups are the reason why you need to configure the NIS domain name.
>> >> Host groups are also available as netgroups in the compat tree, and sudo reads
>> >> information from netgroups.
>> >>
>> >> >ipa sudorule-add-option     server-admins  --sudooption "!authenticate"
>> >> >ipa sudorule-add-runasuser  server-admins  --users root
>> >> >ipa sudorule-add-runasgroup server-admins  --groups root
>> >> >ipa sudorule-add-user       server-admins  --groups server-admins
>> >> >
>> >> >However, I was really asking whether there had been a change in
>> >> >sssd/sudo behavior as it was my recollection that my sudo rules did not
>> >> >work at all in early IPA 3.n releases unless the NIS domain name was
>> >> >configured.
>> >> >
>> >>
>> >> LS
>> >
>> > I hear you and that is what I expected.  However, the actual behavior
>> > seems to have changed with 3.3.4 and now 3.3.5.
>> >
>> > [dean@desktop 

Re: [Freeipa-users] sudo and NIS domain name

2014-05-08 Thread Rob Crittenden

Dean Hunter wrote:

On Mon, 2014-05-05 at 10:02 -0400, Rob Crittenden wrote:

Dean Hunter wrote:
> On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote:
>> On (03/05/14 10:39), Dean Hunter wrote:
>> >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:
>> >
>> >> On (01/05/14 15:53), Dean Hunter wrote:
>> >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
>> >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
>> >> >>
>> >> >> >
>> >> >> > I just noticed that I had been incorrectly setting the NIS domain
>> >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
>> >> >> > be successfully retrieving and using sudo rules from FreeIPA.  Is
>> >> >> > sudo still using NIS-style netgroups?  Is there still a requirement
>> >> >> > to set the NIS domain name?
>> >> >>
>> >> >>
>> >> >> I think NIS domain is needed for netgroups. If you are not using
>> >> >> netgroups in the sudo rules but just user groups you should be fine.
>> >> >> Is this the case with you?
>> >> >> If not please provide the logs and config.
>> >> >>
>> >> >
>> >> >I am not aware of using netgroups, either the IPA object or any other
>> >> >kind.  I just remember that when I was first configuring sudo to
>> >> >retrieve rules from IPA it would not work until I set nisdomainname
>> >> >in /etc/rc.d/rc.local.  Here is the quote from section 14.4 of the
>> >> >manual:
>> >> >
>> >> >
>> >> >Even though sudo uses NIS-style netgroups, it is not necessary
>> >> >to have a NIS server installed. Netgroups require that a NIS
>> >> >domain be named in their configuration, so sudo requires that a
>> >> >NIS domain be named for netgroups. However, that NIS domain does
>> >> >not actually need to exist.
>> >> >
>> >> >
>> >> >With Fedora 20 I can no longer find the emulation of rc.local that
>> >> >existed in Fedora 19.  I did find fedora-domainname.service and started
>> >> >and enabled it but neglected to configure /etc/sysconfig/network.  Yet
>> >> >IPA sudo rules appear to work.
>> >> >
>> >> Hope it helps you
>> >>http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html
>> >>
>> >> LS
>> >
>> >
>> >Thank you.  Now that you point it out, I remember that this thread is
>> >where I first learned about fedora-domainname.service.  I see:
>> >
>> >You would also need to set NIS domain name, otherwise SUDO will
>> >not correctly recognize SUDO rules targeted on host groups,
>>   ^^
>>   This is the important part
>> >instead of hosts:
>> >
>> >which explains when sudo would need the NIS domain name.  Since my sudo
>> >rules address user groups I guess there is no requirement for NIS domain
>> >name since they are working just fine:
>> Your sudo rules use host groups.
>>
>> >
>> >ipa sudorule-add            desktop-admins --desc "Desktop Administrators"
>> >ipa sudorule-mod            desktop-admins --cmdcat all
>> >ipa sudorule-add-host       desktop-admins --hostgroups desktops
>> >ipa sudorule-add-option     desktop-admins --sudooption "!authenticate"
>> >ipa sudorule-add-runasuser  desktop-admins --users root
>> >ipa sudorule-add-runasgroup desktop-admins --groups root
>> >ipa sudorule-add-user       desktop-admins --groups desktop-admins
>> >
>> >ipa sudorule-add            server-admins  --desc "Server Administrators"
>> >ipa sudorule-mod            server-admins  --cmdcat all
>> >ipa sudorule-add-host       server-admins  --hostgroups servers
>> Host groups are the reason why you need to configure the NIS domain name.
>> Host groups are also available as netgroups in the compat tree, and sudo reads
>> information from netgroups.
>>
>> >ipa sudorule-add-option     server-admins  --sudooption "!authenticate"
>> >ipa sudorule-add-runasuser  server-admins  --users root
>> >ipa sudorule-add-runasgroup server-admins  --groups root
>> >ipa sudorule-add-user       server-admins  --groups server-admins
>> >
>> >However, I was really asking whether there had been a change in
>> >sssd/sudo behavior as it was my recollection that my sudo rules did not
>> >work at all in early IPA 3.n releases unless the NIS domain name was
>> >configured.
>> >
>>
>> LS
>
> I hear you and that is what I expected.  However, the actual behavior
> seems to have changed with 3.3.4 and now 3.3.5.
>
> [dean@desktop  ~]$ domainname --nis
> domainname: Local domain name not set
>
> [dean@desktop  ~]$ sudo -l
> Matching Defaults entries for dean on desktop:
>  requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME
> HISTSIZE INPUTRC
>  KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
> LC_ADDRESS
>  LC

Re: [Freeipa-users] sudo and NIS domain name

2014-05-08 Thread Dean Hunter
On Mon, 2014-05-05 at 10:02 -0400, Rob Crittenden wrote:

> Dean Hunter wrote:
> > On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote:
> >> On (03/05/14 10:39), Dean Hunter wrote:
> >> >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:
> >> >
> >> >> On (01/05/14 15:53), Dean Hunter wrote:
> >> >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
> >> >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
> >> >> >>
> >> >> >> >
> >> >> >> > I just noticed that I had been incorrectly setting the NIS domain
> >> >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear 
> >> >> >> > to
> >> >> >> > be successfully retrieving and using sudo rules from FreeIPA.  Is
> >> >> >> > sudo still using NIS-style netgroups?  Is there still a requirement
> >> >> >> > to set the NIS domain name?
> >> >> >>
> >> >> >>
> >> >> >> I think NIS domain is needed for netgroups. If you are not using
> >> >> >> netgroups in the sudo rules but just user groups you should be fine.
> >> >> >> Is this the case with you?
> >> >> >> If not please provide the logs and config.
> >> >> >>
> >> >> >
> >> >> >I am not aware of using netgroups, either the IPA object or any other
> >> >> >kind.  I just remember that when I was first configuring sudo to
> >> >> >retrieve rules from IPA it would not work until I set nisdomainname
> >> >> >in /etc/rc.d/rc.local.  Here is the quote from section 14.4 of the
> >> >> >manual:
> >> >> >
> >> >> >
> >> >> >Even though sudo uses NIS-style netgroups, it is not necessary
> >> >> >to have a NIS server installed. Netgroups require that a NIS
> >> >> >domain be named in their configuration, so sudo requires that a
> >> >> >NIS domain be named for netgroups. However, that NIS domain 
> >> >> > does
> >> >> >not actually need to exist.
> >> >> >
> >> >> >
> >> >> >With Fedora 20 I can no longer find the emulation of rc.local that
> >> >> >existed in Fedora 19.  I did find fedora-domainname.service and started
> >> >> >and enabled it but neglected to configure /etc/sysconfig/network.  Yet
> >> >> >IPA sudo rules appear to work.
> >> >> >
> >> >> Hope it helps you
> >> >>http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html
> >> >>
> >> >> LS
> >> >
> >> >
> >> >Thank you.  Now that you point it out, I remember that this thread is
> >> >where I first learned about fedora-domainname.service.  I see:
> >> >
> >> >You would also need to set NIS domain name, otherwise SUDO will
> >> >not correctly recognize SUDO rules targeted on host groups,
> >>   ^^
> >>   This is the important part
> >> >instead of hosts:
> >> >
> >> >which explains when sudo would need the NIS domain name.  Since my sudo
> >> >rules address user groups I guess there is no requirement for NIS domain
> >> >name since they are working just fine:
> >> Your sudo rules use host groups.
> >>
> >> >
> >> >ipa sudorule-add            desktop-admins --desc "Desktop Administrators"
> >> >ipa sudorule-mod            desktop-admins --cmdcat all
> >> >ipa sudorule-add-host       desktop-admins --hostgroups desktops
> >> >ipa sudorule-add-option     desktop-admins --sudooption "!authenticate"
> >> >ipa sudorule-add-runasuser  desktop-admins --users root
> >> >ipa sudorule-add-runasgroup desktop-admins --groups root
> >> >ipa sudorule-add-user       desktop-admins --groups desktop-admins
> >> >
> >> >ipa sudorule-add            server-admins  --desc "Server Administrators"
> >> >ipa sudorule-mod            server-admins  --cmdcat all
> >> >ipa sudorule-add-host       server-admins  --hostgroups servers
> >> Host groups are the reason why you need to configure the NIS domain name.
> >> Host groups are also available as netgroups in the compat tree, and sudo reads
> >> information from netgroups.
> >>
> >> >ipa sudorule-add-option     server-admins  --sudooption "!authenticate"
> >> >ipa sudorule-add-runasuser  server-admins  --users root
> >> >ipa sudorule-add-runasgroup server-admins  --groups root
> >> >ipa sudorule-add-user       server-admins  --groups server-admins
> >> >
> >> >However, I was really asking whether there had been a change in
> >> >sssd/sudo behavior as it was my recollection that my sudo rules did not
> >> >work at all in early IPA 3.n releases unless the NIS domain name was
> >> >configured.
> >> >
> >>
> >> LS
> >
> > I hear you and that is what I expected.  However, the actual behavior
> > seems to have changed with 3.3.4 and now 3.3.5.
> >
> > [dean@desktop  ~]$ domainname --nis
> > domainname: Local domain name not set
> >
> > [dean@desktop  ~]$ sudo -l
> > Matching Defaults entries fo

Re: [Freeipa-users] sudo and NIS domain name

2014-05-05 Thread Rob Crittenden

Dean Hunter wrote:

On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote:

On (03/05/14 10:39), Dean Hunter wrote:
>On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:
>
>> On (01/05/14 15:53), Dean Hunter wrote:
>> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
>> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
>> >>
>> >> >
>> >> > I just noticed that I had been incorrectly setting the NIS domain
>> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
>> >> > be successfully retrieving and using sudo rules from FreeIPA.  Is
>> >> > sudo still using NIS-style netgroups?  Is there still a requirement
>> >> > to set the NIS domain name?
>> >>
>> >>
>> >> I think NIS domain is needed for netgroups. If you are not using
>> >> netgroups in the sudo rules but just user groups you should be fine.
>> >> Is this the case with you?
>> >> If not please provide the logs and config.
>> >>
>> >
>> >I am not aware of using netgroups, either the IPA object or any other
>> >kind.  I just remember that when I was first configuring sudo to
>> >retrieve rules from IPA it would not work until I set nisdomainname
>> >in /etc/rc.d/rc.local.  Here is the quote from section 14.4 of the
>> >manual:
>> >
>> >
>> >Even though sudo uses NIS-style netgroups, it is not necessary
>> >to have a NIS server installed. Netgroups require that a NIS
>> >domain be named in their configuration, so sudo requires that a
>> >NIS domain be named for netgroups. However, that NIS domain does
>> >not actually need to exist.
>> >
>> >
>> >With Fedora 20 I can no longer find the emulation of rc.local that
>> >existed in Fedora 19.  I did find fedora-domainname.service and started
>> >and enabled it but neglected to configure /etc/sysconfig/network.  Yet
>> >IPA sudo rules appear to work.
>> >
>> Hope it helps you
>>http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html
>>
>> LS
>
>
>Thank you.  Now that you point it out, I remember that this thread is
>where I first learned about fedora-domainname.service.  I see:
>
>You would also need to set NIS domain name, otherwise SUDO will
>not correctly recognize SUDO rules targeted on host groups,
  ^^
  This is the important part
>instead of hosts:
>
>which explains when sudo would need the NIS domain name.  Since my sudo
>rules address user groups I guess there is no requirement for NIS domain
>name since they are working just fine:
Your sudo rules use host groups.

>
>ipa sudorule-add            desktop-admins --desc "Desktop Administrators"
>ipa sudorule-mod            desktop-admins --cmdcat all
>ipa sudorule-add-host       desktop-admins --hostgroups desktops
>ipa sudorule-add-option     desktop-admins --sudooption "!authenticate"
>ipa sudorule-add-runasuser  desktop-admins --users root
>ipa sudorule-add-runasgroup desktop-admins --groups root
>ipa sudorule-add-user       desktop-admins --groups desktop-admins
>
>ipa sudorule-add            server-admins  --desc "Server Administrators"
>ipa sudorule-mod            server-admins  --cmdcat all
>ipa sudorule-add-host       server-admins  --hostgroups servers
Host groups are the reason why you need to configure the NIS domain name.
Host groups are also available as netgroups in the compat tree, and sudo reads
information from netgroups.

>ipa sudorule-add-option     server-admins  --sudooption "!authenticate"
>ipa sudorule-add-runasuser  server-admins  --users root
>ipa sudorule-add-runasgroup server-admins  --groups root
>ipa sudorule-add-user       server-admins  --groups server-admins
>
>However, I was really asking whether there had been a change in
>sssd/sudo behavior as it was my recollection that my sudo rules did not
>work at all in early IPA 3.n releases unless the NIS domain name was
>configured.
>

LS


I hear you and that is what I expected.  However, the actual behavior
seems to have changed with 3.3.4 and now 3.3.5.

[dean@desktop  ~]$ domainname --nis
domainname: Local domain name not set

[dean@desktop  ~]$ sudo -l
Matching Defaults entries for dean on desktop:
 requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE INPUTRC
 KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
LC_ADDRESS
 LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
 LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
 LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET
 XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User dean may run the following commands on desktop:
 (root : root) NOPASSWD: A

Re: [Freeipa-users] sudo and NIS domain name

2014-05-04 Thread Dean Hunter
On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote:

> On (03/05/14 10:39), Dean Hunter wrote:
> >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:
> >
> >> On (01/05/14 15:53), Dean Hunter wrote:
> >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
> >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
> >> >> 
> >> >> > 
> >> >> > I just noticed that I had been incorrectly setting the NIS domain
> >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
> >> >> > be successfully retrieving and using sudo rules from FreeIPA.  Is
> >> >> > sudo still using NIS-style netgroups?  Is there still a requirement
> >> >> > to set the NIS domain name? 
> >> >> 
> >> >> 
> >> >> I think NIS domain is needed for netgroups. If you are not using
> >> >> netgroups in the sudo rules but just user groups you should be fine.
> >> >> Is this the case with you?
> >> >> If not please provide the logs and config.
> >> >> 
> >> >
> >> >I am not aware of using netgroups, either the IPA object or any other
> >> >kind.  I just remember that when I was first configuring sudo to
> >> >retrieve rules from IPA it would not work until I set nisdomainname
> >> >in /etc/rc.d/rc.local.  Here is the quote from section 14.4 of the
> >> >manual:
> >> >
> >> >
> >> >Even though sudo uses NIS-style netgroups, it is not necessary
> >> >to have a NIS server installed. Netgroups require that a NIS
> >> >domain be named in their configuration, so sudo requires that a
> >> >NIS domain be named for netgroups. However, that NIS domain does
> >> >not actually need to exist.
> >> >
> >> >
> >> >With Fedora 20 I can no longer find the emulation of rc.local that
> >> >existed in Fedora 19.  I did find fedora-domainname.service and started
> >> >and enabled it but neglected to configure /etc/sysconfig/network.  Yet
> >> >IPA sudo rules appear to work.
> >> >
> >> Hope it helps you
> >> http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html
> >> 
> >> LS
> >
> >
> >Thank you.  Now that you point it out, I remember that this thread is
> >where I first learned about fedora-domainname.service.  I see:
> >
> >You would also need to set NIS domain name, otherwise SUDO will
> >not correctly recognize SUDO rules targeted on host groups,
>  ^^
>  This is the important part
> >instead of hosts:
> >
> >which explains when sudo would need the NIS domain name.  Since my sudo
> >rules address user groups I guess there is no requirement for NIS domain
> >name since they are working just fine:
> Your sudo rules use host groups.
> 
> >
> >ipa sudorule-add            desktop-admins --desc "Desktop Administrators"
> >ipa sudorule-mod            desktop-admins --cmdcat all
> >ipa sudorule-add-host       desktop-admins --hostgroups desktops
> >ipa sudorule-add-option     desktop-admins --sudooption "!authenticate"
> >ipa sudorule-add-runasuser  desktop-admins --users root
> >ipa sudorule-add-runasgroup desktop-admins --groups root
> >ipa sudorule-add-user       desktop-admins --groups desktop-admins
> >
> >ipa sudorule-add            server-admins  --desc "Server Administrators"
> >ipa sudorule-mod            server-admins  --cmdcat all
> >ipa sudorule-add-host       server-admins  --hostgroups servers
> Host groups are the reason why you need to configure the NIS domain name.
> Host groups are also available as netgroups in the compat tree, and sudo reads
> information from netgroups.
> 
> >ipa sudorule-add-option     server-admins  --sudooption "!authenticate"
> >ipa sudorule-add-runasuser  server-admins  --users root
> >ipa sudorule-add-runasgroup server-admins  --groups root
> >ipa sudorule-add-user       server-admins  --groups server-admins
> >
> >However, I was really asking whether there had been a change in
> >sssd/sudo behavior as it was my recollection that my sudo rules did not
> >work at all in early IPA 3.n releases unless the NIS domain name was
> >configured.
> >
> 
> LS


I hear you and that is what I expected.  However, the actual behavior
seems to have changed with 3.3.4 and now 3.3.5.

[dean@desktop ~]$ domainname --nis
domainname: Local domain name not set

[dean@desktop ~]$ sudo -l
Matching Defaults entries for dean on desktop:
requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE INPUTRC
KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER
LC_TELEPHONE", env_keep+="LC_TIME 

Re: [Freeipa-users] sudo and NIS domain name

2014-05-03 Thread Lukas Slebodnik
On (03/05/14 10:39), Dean Hunter wrote:
>On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:
>
>> On (01/05/14 15:53), Dean Hunter wrote:
>> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
>> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
>> >> 
>> >> > 
>> >> > I just noticed that I had been incorrectly setting the NIS domain
>> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
>> >> > be successfully retrieving and using sudo rules from FreeIPA.  Is
>> >> > sudo still using NIS-style netgroups?  Is there still a requirement
>> >> > to set the NIS domain name? 
>> >> 
>> >> 
>> >> I think NIS domain is needed for netgroups. If you are not using
>> >> netgroups in the sudo rules but just user groups you should be fine.
>> >> Is this the case with you?
>> >> If not please provide the logs and config.
>> >> 
>> >
>> >I am not aware of using netgroups, either the IPA object or any other
>> >kind.  I just remember that when I was first configuring sudo to
>> >retrieve rules from IPA it would not work until I set nisdomainname
>> >in /etc/rc.d/rc.local.  Here is the quote from section 14.4 of the
>> >manual:
>> >
>> >
>> >Even though sudo uses NIS-style netgroups, it is not necessary
>> >to have a NIS server installed. Netgroups require that a NIS
>> >domain be named in their configuration, so sudo requires that a
>> >NIS domain be named for netgroups. However, that NIS domain does
>> >not actually need to exist.
>> >
>> >
>> >With Fedora 20 I can no longer find the emulation of rc.local that
>> >existed in Fedora 19.  I did find fedora-domainname.service and started
>> >and enabled it but neglected to configure /etc/sysconfig/network.  Yet
>> >IPA sudo rules appear to work.
>> >
>> Hope it helps you
>> http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html
>> 
>> LS
>
>
>Thank you.  Now that you point it out, I remember that this thread is
>where I first learned about fedora-domainname.service.  I see:
>
>You would also need to set NIS domain name, otherwise SUDO will
>not correctly recognize SUDO rules targeted on host groups,
 ^^
 This is the important part
>instead of hosts:
>
>which explains when sudo would need the NIS domain name.  Since my sudo
>rules address user groups I guess there is no requirement for NIS domain
>name since they are working just fine:
Your sudo rules use host groups.

>
>ipa sudorule-add            desktop-admins --desc "Desktop Administrators"
>ipa sudorule-mod            desktop-admins --cmdcat all
>ipa sudorule-add-host       desktop-admins --hostgroups desktops
>ipa sudorule-add-option     desktop-admins --sudooption "!authenticate"
>ipa sudorule-add-runasuser  desktop-admins --users root
>ipa sudorule-add-runasgroup desktop-admins --groups root
>ipa sudorule-add-user       desktop-admins --groups desktop-admins
>
>ipa sudorule-add            server-admins  --desc "Server Administrators"
>ipa sudorule-mod            server-admins  --cmdcat all
>ipa sudorule-add-host       server-admins  --hostgroups servers
Host groups are the reason why you need to configure the NIS domain name.
Host groups are also available as netgroups in the compat tree, and sudo reads
information from netgroups.

>ipa sudorule-add-option     server-admins  --sudooption "!authenticate"
>ipa sudorule-add-runasuser  server-admins  --users root
>ipa sudorule-add-runasgroup server-admins  --groups root
>ipa sudorule-add-user       server-admins  --groups server-admins
>
>However, I was really asking whether there had been a change in
>sssd/sudo behavior as it was my recollection that my sudo rules did not
>work at all in early IPA 3.n releases unless the NIS domain name was
>configured.
>

LS

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
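As an added example (not part of the thread, and not FreeIPA's own tooling), here is a small POSIX shell check that applies Lukas's point: it parses the text output of `ipa sudorule-find`, flags rules that target host groups (those are matched via netgroups from the compat tree and so need a NIS domain name), and compares that with the domain name the host reports. The sample output is constructed to mirror the rules in the thread; the attribute labels `Rule name:` and `Host Groups:` are assumed to match the CLI's text format.

```shell
#!/bin/sh
# Constructed sample of `ipa sudorule-find` text output (not captured from a
# real server). One rule targets a host group, one targets a single host.
SAMPLE_RULES='--------------------
2 Sudo Rules matched
--------------------
  Rule name: desktop-admins
  Description: Desktop Administrators
  Enabled: TRUE
  Command category: all
  Host Groups: desktops
  User Groups: desktop-admins
  RunAs Users: root
  RunAs Groups: root
  Sudo Option: !authenticate

  Rule name: dba-db1
  Description: Rule bound to a single host
  Enabled: TRUE
  Hosts: db1.example.test
  User Groups: dba
----------------------------
Number of entries returned 2
----------------------------'

# Print the names of rules that carry a "Host Groups:" attribute.
# Those are the rules sudo can only match through a netgroup lookup.
rules_using_hostgroups() {
    printf '%s\n' "$1" | awk '
        /^  Rule name: /   { name = $3 }
        /^  Host Groups: / { print name }
    '
}

# Return 0 when the reported NIS domain name is usable. "(none)", an empty
# string and the "Local domain name not set" message seen in the thread all
# mean it is not set.
nis_domain_is_set() {
    case "$1" in
        ""|"(none)"|*"not set"*) return 1 ;;
        *) return 0 ;;
    esac
}

# $1: sudorule-find output, $2: NIS domain name as reported by the host.
# Returns 0 when no host-group rule exists or the domain name is set,
# 1 when host-group rules exist but sudo has no NIS domain to match them.
check_sudo_nisdomain() {
    rules=$(rules_using_hostgroups "$1")
    [ -z "$rules" ] && return 0
    nis_domain_is_set "$2" && return 0
    echo "rules use host groups but NIS domain name is not set:" >&2
    echo "$rules" >&2
    return 1
}

# Stand-alone use: consult the local domainname command (may be absent).
if check_sudo_nisdomain "$SAMPLE_RULES" "$(domainname 2>/dev/null)"; then
    echo "ok: host-group sudo rules can be matched on this host"
fi
```

On a real host, replace `SAMPLE_RULES` with the output of `ipa sudorule-find` after `kinit`.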


Re: [Freeipa-users] sudo and NIS domain name

2014-05-03 Thread Dean Hunter
On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:

> On (01/05/14 15:53), Dean Hunter wrote:
> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
> >> 
> >> > 
> >> > I just noticed that I had been incorrectly setting the NIS domain
> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
> >> > be successfully retrieving and using sudo rules from FreeIPA.  Is
> >> > sudo still using NIS-style netgroups?  Is there still a requirement
> >> > to set the NIS domain name? 
> >> 
> >> 
> >> I think NIS domain is needed for netgroups. If you are not using
> >> netgroups in the sudo rules but just user groups you should be fine.
> >> Is this the case with you?
> >> If not please provide the logs and config.
> >> 
> >
> >I am not aware of using netgroups, either the IPA object or any other
> >kind.  I just remember that when I was first configuring sudo to
> >retrieve rules from IPA it would not work until I set nisdomainname
> >in /etc/rc.d/rc.local.  Here is the quote from section 14.4 of the
> >manual:
> >
> >
> >Even though sudo uses NIS-style netgroups, it is not necessary
> >to have a NIS server installed. Netgroups require that a NIS
> >domain be named in their configuration, so sudo requires that a
> >NIS domain be named for netgroups. However, that NIS domain does
> >not actually need to exist.
> >
> >
> >With Fedora 20 I can no longer find the emulation of rc.local that
> >existed in Fedora 19.  I did find fedora-domainname.service and started
> >and enabled it but neglected to configure /etc/sysconfig/network.  Yet
> >IPA sudo rules appear to work.
> >
> Hope it helps you
> http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html
> 
> LS


Thank you.  Now that you point it out, I remember that this thread is
where I first learned about fedora-domainname.service.  I see:

You would also need to set NIS domain name, otherwise SUDO will
not correctly recognize SUDO rules targeted on host groups,
instead of hosts:

which explains when sudo would need the NIS domain name.  Since my sudo
rules address user groups I guess there is no requirement for NIS domain
name since they are working just fine:

ipa sudorule-add            desktop-admins --desc "Desktop Administrators"
ipa sudorule-mod            desktop-admins --cmdcat all
ipa sudorule-add-host       desktop-admins --hostgroups desktops
ipa sudorule-add-option     desktop-admins --sudooption "!authenticate"
ipa sudorule-add-runasuser  desktop-admins --users root
ipa sudorule-add-runasgroup desktop-admins --groups root
ipa sudorule-add-user       desktop-admins --groups desktop-admins

ipa sudorule-add            server-admins  --desc "Server Administrators"
ipa sudorule-mod            server-admins  --cmdcat all
ipa sudorule-add-host       server-admins  --hostgroups servers
ipa sudorule-add-option     server-admins  --sudooption "!authenticate"
ipa sudorule-add-runasuser  server-admins  --users root
ipa sudorule-add-runasgroup server-admins  --groups root
ipa sudorule-add-user       server-admins  --groups server-admins

However, I was really asking whether there had been a change in
sssd/sudo behavior as it was my recollection that my sudo rules did not
work at all in early IPA 3.n releases unless the NIS domain name was
configured.


Re: [Freeipa-users] sudo and NIS domain name

2014-05-03 Thread Lukas Slebodnik
On (01/05/14 15:53), Dean Hunter wrote:
>On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
>> On 05/01/2014 04:07 PM, Dean Hunter wrote:
>> 
>> > 
>> > I just noticed that I had been incorrectly setting the NIS domain
>> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
>> > be successfully retrieving and using sudo rules from FreeIPA.  Is
>> > sudo still using NIS-style netgroups?  Is there still a requirement
>> > to set the NIS domain name? 
>> 
>> 
>> I think NIS domain is needed for netgroups. If you are not using
>> netgroups in the sudo rules but just user groups you should be fine.
>> Is this the case with you?
>> If not please provide the logs and config.
>> 
>
>I am not aware of using netgroups, either the IPA object or any other
>kind.  I just remember that when I was first configuring sudo to
>retrieve rules from IPA it would not work until I set nisdomainname
>in /etc/rc.d/rc.local.  Here is the quote from section 14.4 of the
>manual:
>
>
>Even though sudo uses NIS-style netgroups, it is not necessary
>to have a NIS server installed. Netgroups require that a NIS
>domain be named in their configuration, so sudo requires that a
>NIS domain be named for netgroups. However, that NIS domain does
>not actually need to exist.
>
>
>With Fedora 20 I can no longer find the emulation of rc.local that
>existed in Fedora 19.  I did find fedora-domainname.service and started
>and enabled it but neglected to configure /etc/sysconfig/network.  Yet
>IPA sudo rules appear to work.
>
Hope it helps you
http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html

LS



Re: [Freeipa-users] sudo and NIS domain name

2014-05-01 Thread Dean Hunter
On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
> On 05/01/2014 04:07 PM, Dean Hunter wrote:
> 
> > 
> > I just noticed that I had been incorrectly setting the NIS domain
> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
> > be successfully retrieving and using sudo rules from FreeIPA.  Is
> > sudo still using NIS-style netgroups?  Is there still a requirement
> > to set the NIS domain name? 
> 
> 
> I think NIS domain is needed for netgroups. If you are not using
> netgroups in the sudo rules but just user groups you should be fine.
> Is this the case with you?
> If not please provide the logs and config.
> 

I am not aware of using netgroups, either the IPA object or any other
kind.  I just remember that when I was first configuring sudo to
retrieve rules from IPA it would not work until I set nisdomainname
in /etc/rc.d/rc.local.  Here is the quote from section 14.4 of the
manual:


Even though sudo uses NIS-style netgroups, it is not necessary
to have a NIS server installed. Netgroups require that a NIS
domain be named in their configuration, so sudo requires that a
NIS domain be named for netgroups. However, that NIS domain does
not actually need to exist.


With Fedora 20 I can no longer find the emulation of rc.local that
existed in Fedora 19.  I did find fedora-domainname.service and started
and enabled it but neglected to configure /etc/sysconfig/network.  Yet
IPA sudo rules appear to work.


Re: [Freeipa-users] sudo and NIS domain name

2014-05-01 Thread Dmitri Pal

On 05/01/2014 04:07 PM, Dean Hunter wrote:
I just noticed that I had been incorrectly setting the NIS domain name 
since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to be 
successfully retrieving and using sudo rules from FreeIPA. Is sudo 
still using NIS-style netgroups?  Is there still a requirement to set 
the NIS domain name?


I think NIS domain is needed for netgroups. If you are not using 
netgroups in the sudo rules but just user groups you should be fine.

Is this the case with you?
If not please provide the logs and config.






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


[Freeipa-users] sudo and NIS domain name

2014-05-01 Thread Dean Hunter
I just noticed that I had been incorrectly setting the NIS domain name
since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to be
successfully retrieving and using sudo rules from FreeIPA.  Is sudo
still using NIS-style netgroups?  Is there still a requirement to set
the NIS domain name?