Re: [Freeipa-users] FreeIPA and sudo Defaults
On 08/04/2015 11:57 AM, Innes, Duncan wrote:
> Hi folks,
>
> Struggling with creating a sudo rule in IPA that will allow my
> foreman-proxy to run specific commands. When I put the following into
> /etc/sudoers.d/foreman:
>
> [root@puppet01 ~]# cat /etc/sudoers.d/foreman
> foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
> Defaults:foreman-proxy !requiretty
> innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
> Defaults:innesd !requiretty
> [root@puppet01 ~]#
>
> [innesd@puppet01 ~]$ sudo -l
> Matching Defaults entries for innesd on this host:
>     !requiretty
>
> User innesd may run the following commands on this host:
>     (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick *
>     (root) /bin/su
> [innesd@puppet01 ~]$
>
> Both my user and the foreman-proxy can run the relevant commands both on
> the command line and remotely.
>
> IT Security are not happy with local sudo rules being configured around
> the network, so I'm trying to create the same configuration via IPA.
>
> When I try to get the same rule into IPA, my user can run the command in
> a tty, but the foreman-proxy user is refused. This looks to be down to
> the lack of !requiretty coming through for the users:
>
> [root@ipa01 ~]# ipa sudorule-show foreman-proxy
>   Rule name: foreman-proxy
>   Enabled: TRUE
>   User category: all
>   Hosts: puppet02.example.com, puppet01.example.com, puppet03.example.com, puppet04.example.com
>   Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
>   Sudo Option: !authenticate, !requiretty
> [root@ipa01 ~]#
>
> and once I've removed the #includedir option from my local sudoers file,
> I get the following as my user:
>
> [innesd@puppet01 ~]$ sudo -l
> User innesd may run the following commands on this host:
>     (root) /bin/su
>     (root) NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
> [innesd@puppet01 ~]$
>
> where the noticeable difference is that the !requiretty isn't listed
> under any "Matching Defaults entries" for my user.
>
> With the rule set up like this, I can run the command in a tty, but the
> foreman-proxy user is denied when the command is run without a tty.
>
> How do I go about setting the Defaults for the foreman-proxy user? Once
> my testing is done, I'd like to move the rule to run only against the
> foreman-proxy external user rather than all users.

Can you also provide sudo logs please?

> And a small follow-up question: how long should I expect it to take for
> a change to the sudo rule on my IPA server to become available on the
> client? I keep doing sss_cache -E to clear the cache, but it still seems
> to take its own sweet time to be changed on the client. It's not a huge
> wait - just a bit of a pain when I'm testing these changes.

Please, set entry_cache_sudo_timeout = 0 in your domain for testing
purpose. You can also look at ldap_sudo_full_refresh_interval and
ldap_sudo_smart_refresh_interval that say how often sssd searches for
new/modified rules.

> Thanks in advance,
>
> Duncan Innes

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
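An added check, not part of the thread, for the three sssd.conf settings the reply above names: it reads the effective values for one [domain/...] section (using the sssd defaults when a key is unset) and flags entry_cache_sudo_timeout = 0, which is fine while testing but should not stay on a production client. The sssd.conf it reads is a constructed sample, not Duncan's file.

```shell
# Added example (not from the thread). conf_get reads one key from the
# [domain/NAME] section of an sssd.conf-style file, falling back to a default.
conf_get() {   # conf_get FILE DOMAIN KEY DEFAULT
    awk -v sec="[domain/$2]" -v key="$3" -v def="$4" '
        $0 == sec { insec = 1; next }        # entered the wanted section
        /^\[/     { insec = 0 }              # any other header ends it
        insec {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n > 0) {
                k = substr(line, 1, n - 1); sub(/[ \t]+$/, "", k)
                if (k == key) {
                    v = substr(line, n + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                    found = 1
                }
            }
        }
        END { print (found ? v : def) }
    ' "$1"
}

# Report the values that control how quickly a changed IPA sudo rule reaches the
# client. Defaults are the sssd man-page values: the sudo entry cache inherits
# entry_cache_timeout (5400 s), full refresh 21600 s, smart refresh 900 s.
# Returns 1 when the testing-only value (0) is set.
sudo_cache_status() {   # sudo_cache_status FILE DOMAIN
    cache=$(conf_get "$1" "$2" entry_cache_sudo_timeout 5400)
    full=$(conf_get "$1" "$2" ldap_sudo_full_refresh_interval 21600)
    smart=$(conf_get "$1" "$2" ldap_sudo_smart_refresh_interval 900)
    printf 'entry_cache_sudo_timeout=%s full_refresh=%s smart_refresh=%s\n' \
        "$cache" "$full" "$smart"
    [ "$cache" != "0" ]
}

# Constructed sample: a client domain left in the "testing" state.
SAMPLE_CONF="${TMPDIR:-/tmp}/sssd-sample-$$.conf"
cat > "$SAMPLE_CONF" <<'EOF'
[domain/example.com]
id_provider = ipa
entry_cache_sudo_timeout = 0
ldap_sudo_smart_refresh_interval = 60
[sssd]
services = nss, sudo, pam
domains = example.com
EOF

sudo_cache_status "$SAMPLE_CONF" example.com || echo "WARNING: entry_cache_sudo_timeout=0 is a testing-only setting"
```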
Re: [Freeipa-users] FreeIPA and sudo Defaults
On Tue, Aug 04, 2015 at 10:57:34AM +0100, Innes, Duncan wrote:
> Hi folks,
>
> Struggling with creating a sudo rule in IPA that will allow my
> foreman-proxy to run specific commands. When I put the following into
> /etc/sudoers.d/foreman:
>
> [root@puppet01 ~]# cat /etc/sudoers.d/foreman
> foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet
> kick *
> Defaults:foreman-proxy !requiretty
> innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
> Defaults:innesd !requiretty
> [root@puppet01 ~]#
>
> [innesd@puppet01 ~]$ sudo -l
> Matching Defaults entries for innesd on this host:
> !requiretty
>
> User innesd may run the following commands on this host:
> (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick
> *
> (root) /bin/su
> [innesd@puppet01 ~]$
>
> Both my user and the foreman-proxy can run the relevant commands both on
> the command line and remotely.
>
> IT Security are not happy with local sudo rules being configured around
> the network, so I'm trying to create the same configuration via IPA.
>
> When I try to get the same rule into IPA, my user can run the command in
> a tty, but the foreman-proxy user is refused. This looks to be down to
> the lack of !requiretty coming through for the users:
>
> [root@ipa01 ~]# ipa sudorule-show foreman-proxy
> Rule name: foreman-proxy
> Enabled: TRUE
> User category: all
> Hosts: puppet02.example.com, puppet01.example.com,
> puppet03.example.com, puppet04.example.com
> Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
> Sudo Option: !authenticate, !requiretty
> [root@ipa01 ~]#

I'm adding Pavel Brezina who might have some hints.
Re: [Freeipa-users] FreeIPA and sudo Defaults
More information:

[root@puppet01 ~]# cat /etc/sssd/sssd.conf
[domain/example.com]
cache_credentials = True
krb5_realm = EXAMPLE.COM
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = puppet01.example.com
chpass_provider = ipa
ipa_server = ipa01.example.com, ipa02.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_network_timeout = 2
ldap_opt_timeout = 2
ldap_search_timeout = 2
ldap_user_extra_attrs = email:mail, firstname:givenname, lastname:sn, ou
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = example.com
[nss]
filter_users = root,apache,postgres,oracle,tomcat,puppet,foreman,foreman-proxy
filter_groups = root,apache,postgres,oracle,tomcat,puppet,foreman-proxy
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]

We don't use _srv_ as we have no control over the DNS servers.

[root@puppet01 ~]# cat /etc/nsswitch.conf | grep -v \#
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc:files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files
aliases:files nisplus
sudoers:files sss
[root@puppet01 ~]#

The client runs sudo successfully for other rules that are in place.

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Innes, Duncan
Sent: 04 August 2015 12:10
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA and sudo Defaults

Information:

IPA server and client both running on RHEL 6.7 fully patched.

IPA server version: ipa-server-3.0.0-47.el6.x86_64
sssd client version: sssd-1.12.4-47.el6.x86_64

IPA server hosts dozens of sudo rules that work as expected. This is the first rule, however, that needs the !requiretty in the Defaults for the user.
Thanks

D

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Innes, Duncan
Sent: 04 August 2015 10:58
To: freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA and sudo Defaults
Re: [Freeipa-users] FreeIPA and sudo Defaults
Information:

IPA server and client both running on RHEL 6.7 fully patched.

IPA server version: ipa-server-3.0.0-47.el6.x86_64
sssd client version: sssd-1.12.4-47.el6.x86_64

IPA server hosts dozens of sudo rules that work as expected. This is the first rule, however, that needs the !requiretty in the Defaults for the user.

Thanks

D

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Innes, Duncan
Sent: 04 August 2015 10:58
To: freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA and sudo Defaults