Re: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd

2016-04-05 Thread Alexander Bokovoy

On Tue, 05 Apr 2016, Ash Alam wrote:

> I wanted to follow up on this. Since sudo needs to be added to sssd.conf
> and nsswitch.conf, is it possible to add the options via
> ipa-client-install? I can do the same with chef but this seems like
> something that should be done with ipa?

$ ipa-client-install --help|grep sudo
   --no-sudo   do not configure SSSD as data source for sudo

By default IPA 4.x configures SSSD for sudo.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
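
The thread comes down to two client-side settings: `sudo` in the `services` line of the `[sssd]` section of sssd.conf, and an `sss` source on the `sudoers:` line of nsswitch.conf. The script below is an added example, not code from any poster or from the FreeIPA project; the function names are hypothetical and the sample files are constructed, with the "before" file modelled on the client config posted in the thread.

```shell
#!/bin/sh
# Added example: check the two client-side settings discussed in the thread.
# Paths are arguments so copies of the files can be checked.

# 0 if "sudo" is listed in services= inside the [sssd] section of sssd.conf.
sssd_has_sudo_service() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\]/) }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit !found }
    ' "$1"
}

# 0 if the sudoers: database in nsswitch.conf lists the "sss" source.
nsswitch_has_sss_sudoers() {
    awk '
        /^[ \t]*sudoers[ \t]*:/ {
            sub(/#.*/, ""); sub(/^[^:]*:/, "")
            n = split($0, src, " ")
            for (i = 1; i <= n; i++) if (src[i] == "sss") found = 1
        }
        END { exit !found }
    ' "$1"
}

# Report what is missing; returns 0 only when both settings are present.
check_sudo_client() {
    rc=0
    sssd_has_sudo_service "${1:-/etc/sssd/sssd.conf}" ||
        { echo "MISSING: sudo in [sssd] services="; rc=1; }
    nsswitch_has_sss_sudoers "${2:-/etc/nsswitch.conf}" ||
        { echo "MISSING: sudoers: sss in nsswitch.conf"; rc=1; }
    return "$rc"
}

# Constructed sample files. "before" has an empty [sudo] section but no sudo
# entry in services=, as in the posted config; "after" is the corrected form.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '[domain/x]\nid_provider = ipa\n[sssd]\nservices = nss, pam, ssh\ndomains = X\n[sudo]\n' > "$tmp/sssd.before"
printf '[domain/x]\nid_provider = ipa\n[sssd]\nservices = nss, pam, ssh, sudo\ndomains = X\n[sudo]\n' > "$tmp/sssd.after"
printf 'passwd: files sss\n' > "$tmp/nss.before"
printf 'passwd: files sss\nsudoers: files sss\n' > "$tmp/nss.after"

echo "before:"; check_sudo_client "$tmp/sssd.before" "$tmp/nss.before" || true
echo "after:";  check_sudo_client "$tmp/sssd.after"  "$tmp/nss.after" && echo "OK"
```

The check covers client wiring only. Where `!authenticate` is set is a separate decision: as a sudo option on the `dev` rule it applies to that rule's commands, while on the special `defaults` rule it becomes a default for every sudo rule the client receives.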


Re: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd

2016-04-05 Thread Ash Alam
I wanted to follow up on this. Since sudo needs to be added to sssd.conf
and nsswitch.conf, is it possible to add the options via
ipa-client-install? I can do the same with chef but this seems like
something that should be done with ipa?

Thank You

On Thu, Mar 24, 2016 at 4:51 PM, Christophe TREFOIS <
christophe.tref...@uni.lu> wrote:

> Hi,
>
> Are you not missing “sudo” in [sssd] and did you restart the services on
> the machine? We found quite a significant cache, which sometimes leads to
> asking for passwords.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html
>
> You might even have to delete /var/lib/sss/db/ contents and restart sssd.
>
> Best,
>
> *From:* freeipa-users-boun...@redhat.com [mailto:
> freeipa-users-boun...@redhat.com] *On Behalf Of *Ash Alam
> *Sent:* jeudi 24 mars 2016 19:50
> *To:* Jakub Hrozek <jhro...@redhat.com>
> *Cc:* freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd
>
> Based on (How to troubleshoot Sudo)
>
> - Maybe I misspoke when I said it fails completely. Rather it keeps
> asking for the user's password which it does not accept.
> - I do not have sudo in sssd.conf
> - I do not have sudoers: sss defined in nsswitch.conf
> - Per Fedora/Freeipa doc (Defining Sudo), it's not immediately clear if
> these need to be defined
> - If this is the case then adding them might resolve my issues.
> - For the special sudo rule(s), is there any way to track it via the gui?
> I am trying to keep track of all the configs so it's not a blackhole for the
> next person.
>
> - This is what it looks like on the web gui
> [image: Inline image 1]
>
> - This is what a client's sssd.conf looks like
> [domain/x]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = pp
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = xx
> chpass_provider = ipa
> ipa_server = _srv_, x
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
>
> domains = X
> [nss]
> homedir_substring = /home
>
> [pam]
> [sudo]
> [autofs]
> [ssh]
> [pac]
> [ifp]
>
> On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>
> > On 24 Mar 2016, at 17:21, Ash Alam <aa...@paperlesspost.com> wrote:
> >
> > Hello
> >
> > I am looking for some guidance on how to properly do sudo with Freeipa.
> > I have read up on what I need to do but I can't seem to get it to work
> > correctly. Now with sudoers.d I can accomplish this fairly quickly.
> >
> > Example:
> >
> > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
> >
> > What I have configured in Freeipa Sudo Rules:
> >
> > Sudo Option: !authenticate
> > Who: dev (group)
> > Access this host: testing (group)
> > Run Commands: set of commands that are defined.
> >
> > Now when I apply this, it still does not work as it asks for a password
> > for the user and then fails. I am hoping to allow a group to only run
> > certain commands without requiring a password.
> >
>
> You should first find out why sudo fails completely. We have this guide
> that should help you:
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> About asking for passwords -- defining a special sudo rule called
> 'defaults' and then adding '!authenticate' should help:
>  Add a special Sudo rule for default Sudo server configuration:
>    ipa sudorule-add defaults
>
>  Set a default Sudo option:
>    ipa sudorule-add-option defaults --sudooption '!authenticate'

Re: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd

2016-03-24 Thread Christophe TREFOIS
Hi,

Are you not missing “sudo” in [sssd] and did you restart the services on the
machine? We found quite a significant cache, which sometimes leads to asking
for passwords.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html


You might even have to delete /var/lib/sss/db/ contents and restart sssd.



Best,

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ash Alam
Sent: jeudi 24 mars 2016 19:50
To: Jakub Hrozek <jhro...@redhat.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd

Based on (How to troubleshoot Sudo)

- Maybe I misspoke when I said it fails completely. Rather it keeps asking
for the user's password which it does not accept.
- I do not have sudo in sssd.conf
- I do not have sudoers: sss defined in nsswitch.conf
- Per Fedora/Freeipa doc (Defining Sudo), it's not immediately clear if these
need to be defined
- If this is the case then adding them might resolve my issues.
- For the special sudo rule(s), is there any way to track it via the gui? I am
trying to keep track of all the configs so it's not a blackhole for the next
person.

- This is what it looks like on the web gui
[Inline image 1]


- This is what a client's sssd.conf looks like
[domain/x]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = pp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = xx
chpass_provider = ipa
ipa_server = _srv_, x
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = X
[nss]
homedir_substring = /home

[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]

On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On 24 Mar 2016, at 17:21, Ash Alam <aa...@paperlesspost.com> wrote:
>
> Hello
>
> I am looking for some guidance on how to properly do sudo with Freeipa. I
> have read up on what I need to do but I can't seem to get it to work correctly.
> Now with sudoers.d I can accomplish this fairly quickly.
>
> Example:
>
> %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
>
> What I have configured in Freeipa Sudo Rules:
>
> Sudo Option: !authenticate
> Who: dev (group)
> Access this host: testing (group)
> Run Commands: set of commands that are defined.
>
> Now when I apply this, it still does not work as it asks for a password for
> the user and then fails. I am hoping to allow a group to only run certain
> commands without requiring a password.
>

You should first find out why sudo fails completely. We have this guide that 
should help you:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

About asking for passwords -- defining a special sudo rule called 'defaults' 
and then adding '!authenticate' should help:
 Add a special Sudo rule for default Sudo server configuration:
   ipa sudorule-add defaults

 Set a default Sudo option:
   ipa sudorule-add-option defaults --sudooption '!authenticate'


Re: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd

2016-03-24 Thread Ash Alam
I should clarify. I was just following the fedora/ipa docs. My Ipa servers
are Centos 7.2 and Ipa 4.2. Clients are Centos 6.6 and 3.0.0

$ rpm -q sssd ipa-client
sssd-1.11.6-30.el6_6.3.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64

On Thu, Mar 24, 2016 at 3:04 PM, Rob Crittenden wrote:

> Ash Alam wrote:
>
>> Based on (How to troubleshoot Sudo)
>>
>> - Maybe I misspoke when I said it fails completely. Rather it keeps
>> asking for the user's password which it does not accept.
>> - I do not have sudo in sssd.conf
>> - I do not have sudoers: sss defined in nsswitch.conf
>> - Per Fedora/Freeipa doc (Defining Sudo), it's not immediately clear if
>> these need to be defined
>> - If this is the case then adding them might resolve my issues.
>> - For the special sudo rule(s), is there any way to track it via the
>> gui? I am trying to keep track of all the configs so it's not a blackhole
>> for the next person.
>>
>
> It would help to know the release of Fedora you're using, the rpm version
> of ipa-client and sssd.
>
> If you are using Fedora freeipa docs they are extremely old, at best F-18.
> Use the RHEL docs.
>
> rob
>
>
>> - This is what it looks like on the web gui
>> Inline image 1
>>
>>
>> - This is what a client's sssd.conf looks like
>> [domain/x]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = pp
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = xx
>> chpass_provider = ipa
>> ipa_server = _srv_, x
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> [sssd]
>> services = nss, pam, ssh
>> config_file_version = 2
>>
>> domains = X
>> [nss]
>> homedir_substring = /home
>>
>> [pam]
>> [sudo]
>> [autofs]
>> [ssh]
>> [pac]
>> [ifp]
>>
>> On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek wrote:
>>
>> > On 24 Mar 2016, at 17:21, Ash Alam wrote:
>> >
>> > Hello
>> >
>> > I am looking for some guidance on how to properly do sudo with
>> > Freeipa. I have read up on what I need to do but I can't seem to get it
>> > to work correctly. Now with sudoers.d I can accomplish this fairly quickly.
>> >
>> > Example:
>> >
>> > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
>> >
>> > What I have configured in Freeipa Sudo Rules:
>> >
>> > Sudo Option: !authenticate
>> > Who: dev (group)
>> > Access this host: testing (group)
>> > Run Commands: set of commands that are defined.
>> >
>> > Now when I apply this, it still does not work as it asks for a
>> > password for the user and then fails. I am hoping to allow a group to only
>> > run certain commands without requiring a password.
>> >
>>
>> You should first find out why sudo fails completely. We have this
>> guide that should help you:
>> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>>
>> About asking for passwords -- defining a special sudo rule called
>> 'defaults' and then adding '!authenticate' should help:
>>   Add a special Sudo rule for default Sudo server configuration:
>>     ipa sudorule-add defaults
>>
>>   Set a default Sudo option:
>>     ipa sudorule-add-option defaults --sudooption '!authenticate'

Re: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd

2016-03-24 Thread Rob Crittenden

Ash Alam wrote:

> Based on (How to troubleshoot Sudo)
>
> - Maybe I misspoke when I said it fails completely. Rather it keeps
> asking for the user's password which it does not accept.
> - I do not have sudo in sssd.conf
> - I do not have sudoers: sss defined in nsswitch.conf
> - Per Fedora/Freeipa doc (Defining Sudo), it's not immediately clear if
> these need to be defined
> - If this is the case then adding them might resolve my issues.
> - For the special sudo rule(s), is there any way to track it via the
> gui? I am trying to keep track of all the configs so it's not a blackhole
> for the next person.


It would help to know the release of Fedora you're using, the rpm 
version of ipa-client and sssd.


If you are using Fedora freeipa docs they are extremely old, at best 
F-18. Use the RHEL docs.


rob



> - This is what it looks like on the web gui
> Inline image 1
>
> - This is what a client's sssd.conf looks like
> [domain/x]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = pp
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = xx
> chpass_provider = ipa
> ipa_server = _srv_, x
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
>
> domains = X
> [nss]
> homedir_substring = /home
>
> [pam]
> [sudo]
> [autofs]
> [ssh]
> [pac]
> [ifp]

> On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek wrote:
>
> > On 24 Mar 2016, at 17:21, Ash Alam wrote:
> >
> > Hello
> >
> > I am looking for some guidance on how to properly do sudo with Freeipa. I
> > have read up on what I need to do but I can't seem to get it to work
> > correctly. Now with sudoers.d I can accomplish this fairly quickly.
> >
> > Example:
> >
> > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
> >
> > What I have configured in Freeipa Sudo Rules:
> >
> > Sudo Option: !authenticate
> > Who: dev (group)
> > Access this host: testing (group)
> > Run Commands: set of commands that are defined.
> >
> > Now when I apply this, it still does not work as it asks for a password
> > for the user and then fails. I am hoping to allow a group to only run
> > certain commands without requiring a password.
> >
>
> You should first find out why sudo fails completely. We have this
> guide that should help you:
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> About asking for passwords -- defining a special sudo rule called
> 'defaults' and then adding '!authenticate' should help:
>   Add a special Sudo rule for default Sudo server configuration:
>     ipa sudorule-add defaults
>
>   Set a default Sudo option:
>     ipa sudorule-add-option defaults --sudooption '!authenticate'








Re: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd

2016-03-24 Thread Ash Alam
Based on (How to troubleshoot Sudo)

- Maybe I misspoke when I said it fails completely. Rather it keeps
asking for the user's password which it does not accept.
- I do not have sudo in sssd.conf
- I do not have sudoers: sss defined in nsswitch.conf
- Per Fedora/Freeipa doc (Defining Sudo), it's not immediately clear if
these need to be defined
- If this is the case then adding them might resolve my issues.
- For the special sudo rule(s), is there any way to track it via the gui? I
am trying to keep track of all the configs so it's not a blackhole for the
next person.

- This is what it looks like on the web gui
[image: Inline image 1]


- This is what a client's sssd.conf looks like
[domain/x]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = pp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = xx
chpass_provider = ipa
ipa_server = _srv_, x
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = X
[nss]
homedir_substring = /home

[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]

On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek wrote:

>
> > On 24 Mar 2016, at 17:21, Ash Alam wrote:
> >
> > Hello
> >
> > I am looking for some guidance on how to properly do sudo with Freeipa.
> > I have read up on what I need to do but I can't seem to get it to work
> > correctly. Now with sudoers.d I can accomplish this fairly quickly.
> >
> > Example:
> >
> > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
> >
> > What I have configured in Freeipa Sudo Rules:
> >
> > Sudo Option: !authenticate
> > Who: dev (group)
> > Access this host: testing (group)
> > Run Commands: set of commands that are defined.
> >
> > Now when I apply this, it still does not work as it asks for a password
> > for the user and then fails. I am hoping to allow a group to only run
> > certain commands without requiring a password.
> >
>
> You should first find out why sudo fails completely. We have this guide
> that should help you:
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> About asking for passwords -- defining a special sudo rule called
> 'defaults' and then adding '!authenticate' should help:
>  Add a special Sudo rule for default Sudo server configuration:
>    ipa sudorule-add defaults
>
>  Set a default Sudo option:
>    ipa sudorule-add-option defaults --sudooption '!authenticate'

Re: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd

2016-03-24 Thread Brad Bendy
What's your config look like in the GUI? Long as you assign the users
to the group and everything it should work. Your sssd.conf file shows
sudo in there as well?

On Thu, Mar 24, 2016 at 9:21 AM, Ash Alam wrote:
> Hello
>
> I am looking for some guidance on how to properly do sudo with Freeipa. I
> have read up on what I need to do but I can't seem to get it to work correctly.
> Now with sudoers.d I can accomplish this fairly quickly.
>
> Example:
>
> %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
>
> What I have configured in Freeipa Sudo Rules:
>
> Sudo Option: !authenticate
> Who: dev (group)
> Access this host: testing (group)
> Run Commands: set of commands that are defined.
>
> Now when I apply this, it still does not work as it asks for a password for
> the user and then fails. I am hoping to allow a group to only run certain
> commands without requiring a password.
>
> Thank You
>


Re: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd

2016-03-24 Thread Jakub Hrozek

> On 24 Mar 2016, at 17:21, Ash Alam wrote:
>
> Hello
>
> I am looking for some guidance on how to properly do sudo with Freeipa. I
> have read up on what I need to do but I can't seem to get it to work correctly.
> Now with sudoers.d I can accomplish this fairly quickly.
>
> Example:
>
> %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
>
> What I have configured in Freeipa Sudo Rules:
>
> Sudo Option: !authenticate
> Who: dev (group)
> Access this host: testing (group)
> Run Commands: set of commands that are defined.
>
> Now when I apply this, it still does not work as it asks for a password for
> the user and then fails. I am hoping to allow a group to only run certain
> commands without requiring a password.
> 

You should first find out why sudo fails completely. We have this guide that 
should help you:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

About asking for passwords -- defining a special sudo rule called 'defaults' 
and then adding '!authenticate' should help:
 Add a special Sudo rule for default Sudo server configuration:
   ipa sudorule-add defaults

 Set a default Sudo option:
   ipa sudorule-add-option defaults --sudooption '!authenticate'
