Re: [Freeipa-users] Sudo rules w/ external users (RHEL7)
On Tue, 14 Apr 2015, Martin Kosek wrote: On 04/13/2015 05:37 PM, Alexander Bokovoy wrote: On Mon, 13 Apr 2015, Gould, Joshua wrote: I’ve looked at the docs and it looks as if I can specify an external user who can have sudo rights via IPA. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-sudorules.html#about-external-sudo The issue being that when I try to add my AD Trust user, it doesn’t allow the @ sign. (ex. gould@test.osuwmc). If I modify the sudo rule to allow all users, I can see that it allows my AD account sudo rights. $ sudo –l User gould@test.osuwmc may run the following commands on this host: (ALL : ALL) ALL How can I configure the rule to allow certain AD users to be able to execute certain sudo rules? Through external users' groups mechanism we use for any other AD users mapping in HBAC and SUDO. These are not local (not defined in IPA but defined on the host) groups and users but rather AD groups and users. ipa group-add --external gould_group_ext ipa group-add-member gould_group_ext --external=gould@test.osuwmc ipa group-add gould_group ipa group-add-member gould_group --groups=gould_group_ext And now make sudo rule that allows users of gould_group to run needed commands. SSSD will pull in all membership information for gould_group, including AD users. Theoretically, adding AD users as *external* users to the SUDO rule should work, given they are stored as a bare string, no? See example of such rule below.. # ipa sudorule-show test --all --raw dn: ipaUniqueID=01405730-e273-11e4-9df6-001a4a104e33,cn=sudorules,cn=sudo,dc=f21 cn: test ipaenabledflag: TRUE hostcategory: all externaluser: foouser ipaUniqueID: 01405730-e273-11e4-9df6-001a4a104e33 memberallowcmd: ipaUniqueID=11281796-e273-11e4-abfe-001a4a104e33,cn=sudocmds,cn=sudo,dc=f21 objectClass: ipasudorule objectClass: ipaassociation The change in FreeIPA would be then only a matter of allowing users with '@' in 'externaluser' attribute You lose validation of the user name here (we do validate that AD user in question exists). And externaluser* options are deprecated. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Sudo rules w/ external users (RHEL7)
On Mon, 13 Apr 2015, Gould, Joshua wrote: On 4/13/15, 11:37 AM, Alexander Bokovoy aboko...@redhat.com wrote: Through external users' groups mechanism we use for any other AD users mapping in HBAC and SUDO. These are not local (not defined in IPA but defined on the host) groups and users but rather AD groups and users. ipa group-add --external gould_group_ext ipa group-add-member gould_group_ext --external=gould@test.osuwmc ipa group-add gould_group ipa group-add-member gould_group --groups=gould_group_ext And now make sudo rule that allows users of gould_group to run needed commands. SSSD will pull in all membership information for gould_group, including AD users. Just curious, but if we don¹t plan on using any IPA native users, could you skip the last two commands and add gould_group_ext to the sudo rule? No. gould_group_ext has no POSIX attributes and thus is not visible to sudo. I¹ve seen this same basic example used for HBAC, but it never was clear to me why the IPA group needed to be added if you¹re only concerned with AD users? Does it need to be added or do the examples include the IPA group because they assume that you¹ll be wanting to use a mix of AD and IPA users for HBAC and sudo? A schema IPA uses for storing group membership requires existence of an object in LDAP. AD users and groups don't exist in IPA LDAP and thus cannot be addressed directly. For doing this we create a real LDAP object which has reference to AD user/group's SID as a string. SSSD knows about this arrangement and properly pulls information from this LDAP object whenever it is encountered as a member of POSIX group. As result, you can see AD user or group as a member of a POSIX group but we need a helper object to allow this magic to work. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Sudo rules w/ external users (RHEL7)
On 4/13/15, 11:37 AM, Alexander Bokovoy aboko...@redhat.com wrote: Through external users' groups mechanism we use for any other AD users mapping in HBAC and SUDO. These are not local (not defined in IPA but defined on the host) groups and users but rather AD groups and users. ipa group-add --external gould_group_ext ipa group-add-member gould_group_ext --external=gould@test.osuwmc ipa group-add gould_group ipa group-add-member gould_group --groups=gould_group_ext And now make sudo rule that allows users of gould_group to run needed commands. SSSD will pull in all membership information for gould_group, including AD users. Just curious, but if we don¹t plan on using any IPA native users, could you skip the last two commands and add gould_group_ext to the sudo rule? I¹ve seen this same basic example used for HBAC, but it never was clear to me why the IPA group needed to be added if you¹re only concerned with AD users? Does it need to be added or do the examples include the IPA group because they assume that you¹ll be wanting to use a mix of AD and IPA users for HBAC and sudo? Joshua -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Sudo rules w/ external users (RHEL7)
On Mon, 13 Apr 2015, Gould, Joshua wrote: I’ve looked at the docs and it looks as if I can specify an external user who can have sudo rights via IPA. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-sudorules.html#about-external-sudo The issue being that when I try to add my AD Trust user, it doesn’t allow the @ sign. (ex. gould@test.osuwmc). If I modify the sudo rule to allow all users, I can see that it allows my AD account sudo rights. $ sudo –l User gould@test.osuwmc may run the following commands on this host: (ALL : ALL) ALL How can I configure the rule to allow certain AD users to be able to execute certain sudo rules? Through external users' groups mechanism we use for any other AD users mapping in HBAC and SUDO. These are not local (not defined in IPA but defined on the host) groups and users but rather AD groups and users. ipa group-add --external gould_group_ext ipa group-add-member gould_group_ext --external=gould@test.osuwmc ipa group-add gould_group ipa group-add-member gould_group --groups=gould_group_ext And now make sudo rule that allows users of gould_group to run needed commands. SSSD will pull in all membership information for gould_group, including AD users. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
