[Freeipa-users] what is the sudo rule runasuser local user account

2016-02-04 Thread Rob Verduijn
Hello,

I've noticed that the sudorule-add-runasuser no longer has an --external option

What is the current method to add a local service account to a sudo
rule list so that users may run sudo as that service account (i.e.
apache or jboss)

Cheers
Rob Verduijn

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] what is the sudo rule runasuser local user account

2016-02-04 Thread Rob Verduijn
On CentOS 7.2 with all patches applied, I used the command:
ipa-client-install --enable-dns-updates

Rob

2016-02-04 16:45 GMT+01:00 Jakub Hrozek :
> On Thu, Feb 04, 2016 at 03:52:25PM +0100, Rob Verduijn wrote:
>> Hello,
>>
>> I've noticed that the sudorule-add-runasuser no longer has en --external 
>> option
>>
>> What is the current method to add a local service account to a sud
>> rule list so that users may run sudo as that service account (ie
>> apache or jboss)
>>
>> Cheers
>> Rob Verudijn
>
> I know I'm not answering your question but how did you configure the
> client side earlier? Did you use the native/legacy sudo ldap driver?
>
> The reason I'm asking this is that sssd only supports users it handles,
> so in the IPA case it only supports IPA users anyway..
>



Re: [Freeipa-users] what is the sudo rule runasuser local user account

2016-02-04 Thread Rob Verduijn
That does seem to work for me as well;
however, I can only add the external user via the web GUI.

Any idea how to do this with the command line tools?

Rob Verduijn

2016-02-04 17:00 GMT+01:00 Baird, Josh <jba...@follett.com>:
> Actually, I use local (external) users in my sudo rules in IPA 4.2 with no 
> problem.
>
> Example:
>
>   Rule name: TestDBAs
>   Description: access for members of the TestDBAs group
>   Enabled: TRUE
>   Command category: all
>   User Groups: testdbas
>   Host Groups: corp_oracle
>   RunAs External User: oracle
>
> In this example, 'oracle' is a local user on the server (not in IPA).  I hope 
> this functionality does not go away.
>
> Thanks,
>
> Josh
>
>> -Original Message-
>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
>> boun...@redhat.com] On Behalf Of Rob Verduijn
>> Sent: Thursday, February 04, 2016 10:54 AM
>> To: Jakub Hrozek
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] what is the sudo rule runasuser local user
>> account
>>
>> On Centos7.2 all patches applied I used the command:
>> ipa-client-install --enable-dns-updates
>>
>> Rob
>>
>> 2016-02-04 16:45 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>:
>> > On Thu, Feb 04, 2016 at 03:52:25PM +0100, Rob Verduijn wrote:
>> >> Hello,
>> >>
>> >> I've noticed that the sudorule-add-runasuser no longer has en
>> >> --external option
>> >>
>> >> What is the current method to add a local service account to a sud
>> >> rule list so that users may run sudo as that service account (ie
>> >> apache or jboss)
>> >>
>> >> Cheers
>> >> Rob Verudijn
>> >
>> > I know I'm not answering your question but how did you configure the
>> > client side earlier? Did you use the native/legacy sudo ldap driver?
>> >
>> > The reason I'm asking this is that sssd only supports users it
>> > handles, so in the IPA case it only supports IPA users anyway..
>> >



Re: [Freeipa-users] what is the sudo rule runasuser local user account

2016-02-04 Thread Rob Verduijn
Hi all,

I tried and figured it out.

ipa sudorule-add-runasuser  --users=

Is the command syntax I was looking for.
I guess that if the --users isn't an ipa user it is automatically
flagged as an external user.

Cheers
Rob Verduijn




2016-02-04 17:33 GMT+01:00 Jakub Hrozek :
> On Thu, Feb 04, 2016 at 04:00:50PM +, Baird, Josh wrote:
>> Actually, I use local (external) users in my sudo rules in IPA 4.2 with no 
>> problem.
>>
>> Example:
>>
>>   Rule name: TestDBAs
>>   Description: access for members of the TestDBAs group
>>   Enabled: TRUE
>>   Command category: all
>>   User Groups: testdbas
>>   Host Groups: corp_oracle
>>   RunAs External User: oracle
>
> ipaSudoRunAsExtUser, ipaSudoRunAsExtGroup and ipaSudoRunAsExtUserGroup
> -- that's the user you want to run sudo as. That's still supported.



Re: [Freeipa-users] what is the sudo rule runasuser local user account

2016-02-04 Thread Baird, Josh
Actually, I use local (external) users in my sudo rules in IPA 4.2 with no 
problem.

Example:

  Rule name: TestDBAs
  Description: access for members of the TestDBAs group
  Enabled: TRUE
  Command category: all
  User Groups: testdbas
  Host Groups: corp_oracle
  RunAs External User: oracle

In this example, 'oracle' is a local user on the server (not in IPA).  I hope 
this functionality does not go away.

Thanks,

Josh

> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Rob Verduijn
> Sent: Thursday, February 04, 2016 10:54 AM
> To: Jakub Hrozek
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] what is the sudo rule runasuser local user
> account
> 
> On Centos7.2 all patches applied I used the command:
> ipa-client-install --enable-dns-updates
> 
> Rob
> 
> 2016-02-04 16:45 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>:
> > On Thu, Feb 04, 2016 at 03:52:25PM +0100, Rob Verduijn wrote:
> >> Hello,
> >>
> >> I've noticed that the sudorule-add-runasuser no longer has en
> >> --external option
> >>
> >> What is the current method to add a local service account to a sud
> >> rule list so that users may run sudo as that service account (ie
> >> apache or jboss)
> >>
> >> Cheers
> >> Rob Verudijn
> >
> > I know I'm not answering your question but how did you configure the
> > client side earlier? Did you use the native/legacy sudo ldap driver?
> >
> > The reason I'm asking this is that sssd only supports users it
> > handles, so in the IPA case it only supports IPA users anyway..
> >



Re: [Freeipa-users] what is the sudo rule runasuser local user account

2016-02-04 Thread Baird, Josh
Yeah, this seems strange:

  --externaluser=STR    External User the rule applies to (sudorule-find only)
  --runasexternaluser=STR
                        External User the commands can run as (sudorule-find
                        only)
  --runasexternalgroup=STR
                        External Group the commands can run as (sudorule-find
                        only)

I'm not sure why those commands would be limited to sudorule-find only.

Josh

> -Original Message-
> From: Rob Verduijn [mailto:rob.verdu...@gmail.com]
> Sent: Thursday, February 04, 2016 11:13 AM
> To: Baird, Josh
> Cc: Jakub Hrozek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] what is the sudo rule runasuser local user
> account
> 
> That does seem to work for me as well,
> however I can only add the external user via the web-gui
> 
> Any idea how to do this with the command line tools ?
> 
> Rob Verduijn
> 
> 2016-02-04 17:00 GMT+01:00 Baird, Josh <jba...@follett.com>:
> > Actually, I use local (external) users in my sudo rules in IPA 4.2 with no
> > problem.
> >
> > Example:
> >
> >   Rule name: TestDBAs
> >   Description: access for members of the TestDBAs group
> >   Enabled: TRUE
> >   Command category: all
> >   User Groups: testdbas
> >   Host Groups: corp_oracle
> >   RunAs External User: oracle
> >
> > In this example, 'oracle' is a local user on the server (not in IPA).  I
> > hope this functionality does not go away.
> >
> > Thanks,
> >
> > Josh
> >
> >> -Original Message-
> >> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> >> boun...@redhat.com] On Behalf Of Rob Verduijn
> >> Sent: Thursday, February 04, 2016 10:54 AM
> >> To: Jakub Hrozek
> >> Cc: freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] what is the sudo rule runasuser local
> >> user account
> >>
> >> On Centos7.2 all patches applied I used the command:
> >> ipa-client-install --enable-dns-updates
> >>
> >> Rob
> >>
> >> 2016-02-04 16:45 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>:
> >> > On Thu, Feb 04, 2016 at 03:52:25PM +0100, Rob Verduijn wrote:
> >> >> Hello,
> >> >>
> >> >> I've noticed that the sudorule-add-runasuser no longer has en
> >> >> --external option
> >> >>
> >> >> What is the current method to add a local service account to a sud
> >> >> rule list so that users may run sudo as that service account (ie
> >> >> apache or jboss)
> >> >>
> >> >> Cheers
> >> >> Rob Verudijn
> >> >
> >> > I know I'm not answering your question but how did you configure
> >> > the client side earlier? Did you use the native/legacy sudo ldap driver?
> >> >
> >> > The reason I'm asking this is that sssd only supports users it
> >> > handles, so in the IPA case it only supports IPA users anyway..
> >> >



Re: [Freeipa-users] what is the sudo rule runasuser local user account

2016-02-04 Thread Jakub Hrozek
On Thu, Feb 04, 2016 at 03:52:25PM +0100, Rob Verduijn wrote:
> Hello,
> 
> I've noticed that the sudorule-add-runasuser no longer has en --external 
> option
> 
> What is the current method to add a local service account to a sud
> rule list so that users may run sudo as that service account (ie
> apache or jboss)
> 
> Cheers
> Rob Verudijn

I know I'm not answering your question but how did you configure the
client side earlier? Did you use the native/legacy sudo ldap driver?

The reason I'm asking this is that sssd only supports users it handles,
so in the IPA case it only supports IPA users anyway..



Re: [Freeipa-users] what is the sudo rule runasuser local user account

2016-02-04 Thread Jakub Hrozek
On Thu, Feb 04, 2016 at 04:00:50PM +, Baird, Josh wrote:
> Actually, I use local (external) users in my sudo rules in IPA 4.2 with no 
> problem.
> 
> Example:
> 
>   Rule name: TestDBAs
>   Description: access for members of the TestDBAs group
>   Enabled: TRUE
>   Command category: all
>   User Groups: testdbas
>   Host Groups: corp_oracle
>   RunAs External User: oracle

ipaSudoRunAsExtUser, ipaSudoRunAsExtGroup and ipaSudoRunAsExtUserGroup
-- that's the user you want to run sudo as. That's still supported.
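
Added example (not from any post in this thread and not FreeIPA's own code): since, as Rob observed, a `--users` value that is not an IPA user ends up stored as an external RunAs user, it is worth listing which rules carry one and whether they also allow every command. The names `audit_external_runas` and `sample_rules` and the WebOps and IpaOnly rules are constructed for illustration; the input layout follows the rule listing Josh posted.

```shell
# Added example: list sudo rules that name an external (non-IPA) RunAs user.
# Input is "Field: value" text, one rule per blank-line-separated record,
# for instance the output of:  ipa sudorule-find --all
audit_external_runas() {
    awk '
    function flush() {
        if (rule != "" && ext != "") {
            # WIDE marks rules whose command category is "all"
            printf "%s\t%s\t%s\n", rule, ext, (cmdcat == "all" ? "WIDE" : "scoped")
        }
        rule = ext = cmdcat = ""
    }
    {
        line = $0
        sub(/^[ \t]+/, "", line)          # drop the CLI indentation
        if (line == "") { flush(); next } # a blank line ends a record
        sep = index(line, ": ")
        if (sep == 0) next                # separator or counter lines
        key = substr(line, 1, sep - 1)
        val = substr(line, sep + 2)
        if (key == "Rule name")                { flush(); rule = val }
        else if (key == "Command category")    cmdcat = val
        else if (key == "RunAs External User") ext = val
    }
    END { flush() }
    '
}

# Constructed sample input; only TestDBAs mirrors the rule shown in the thread.
sample_rules() {
cat <<'EOF'
  Rule name: TestDBAs
  Command category: all
  User Groups: testdbas
  Host Groups: corp_oracle
  RunAs External User: oracle

  Rule name: WebOps
  Sudo Allow Commands: /usr/bin/systemctl restart httpd
  RunAs External User: apache

  Rule name: IpaOnly
  Command category: all
  User Groups: admins
EOF
}

sample_rules | audit_external_runas
```

Each output line is rule name, external RunAs user and scope, tab-separated; a WIDE entry such as TestDBAs is the one to review first, and an unexpected user name in the second column can point to a mistyped IPA account.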
