Re: [Freeipa-users] what is the sudo rule runasuser local user account
hi all,
I tried and figured it out..

ipa sudorule-add-runasuser --users=

is the command syntax I was looking for.
I guess that if the --users isn't an ipa user it is automatically flagged as an external user.

Cheers
Rob Verduijn

2016-02-04 17:33 GMT+01:00 Jakub Hrozek :
> ipaSudoRunAsExtUser, ipaSudoRunAsExtGroup and ipaSudoRunAsExtUserGroup
> -- that's the user you want to run sudo as. That's still supported.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
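The syntax Rob settled on, worked through as an added example that is not code from the thread: a POSIX shell snippet that adds a local account to an existing sudo rule from the CLI and then confirms, from the "ipa sudorule-show" output, that the server stored it as an external run-as user (ipaSudoRunAsExtUser) rather than resolving it to an IPA user. The rule name TestDBAs and the account oracle are taken from Josh's example; the sample output is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Adds a local (non-IPA) account as the
# run-as user of an existing FreeIPA sudo rule and checks how the server stored it.
# Assumed: rule "TestDBAs" exists and "oracle" is a local account on the hosts.

# Succeeds (exit 0) only when user $2 is listed under "RunAs External User"
# in the "ipa sudorule-show" output passed as $1, and NOT under "RunAs Users"
# (that label would mean the name resolved to an IPA user, not a local one).
runas_is_external() {
    printf '%s\n' "$1" | awk -v u="$2" -F': *' '
        $1 ~ /RunAs External User/ {
            n = split($2, a, /, */); for (i = 1; i <= n; i++) if (a[i] == u) ext = 1
        }
        $1 ~ /RunAs Users/ {
            n = split($2, a, /, */); for (i = 1; i <= n; i++) if (a[i] == u) ipa = 1
        }
        END { exit !(ext && !ipa) }'
}

# Run the command Rob found against a live server, then verify the result.
add_external_runas() {
    rule=$1; user=$2
    ipa sudorule-add-runasuser "$rule" --users="$user" >/dev/null || return 1
    runas_is_external "$(ipa sudorule-show "$rule")" "$user"
}

# Constructed sample output in the layout Josh pasted, so the check can be
# exercised without an IPA server.
SAMPLE_EXTERNAL='  Rule name: TestDBAs
  Description: access for members of the TestDBAs group
  Enabled: TRUE
  Command category: all
  User Groups: testdbas
  Host Groups: corp_oracle
  RunAs External User: oracle'

# Same rule, but the name landed in the IPA-user attribute instead.
SAMPLE_IPA_USER='  Rule name: TestDBAs
  Enabled: TRUE
  RunAs Users: oracle'

if command -v ipa >/dev/null 2>&1; then
    add_external_runas TestDBAs oracle && echo "oracle stored as external run-as user"
else
    runas_is_external "$SAMPLE_EXTERNAL" oracle && echo "sample: oracle is external"
fi
```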
Re: [Freeipa-users] what is the sudo rule runasuser local user account
On Thu, Feb 04, 2016 at 04:00:50PM +, Baird, Josh wrote:
> Actually, I use local (external) users in my sudo rules in IPA 4.2 with no
> problem.
>
> Example:
>
> Rule name: TestDBAs
> Description: access for members of the TestDBAs group
> Enabled: TRUE
> Command category: all
> User Groups: testdbas
> Host Groups: corp_oracle
> RunAs External User: oracle

ipaSudoRunAsExtUser, ipaSudoRunAsExtGroup and ipaSudoRunAsExtUserGroup
-- that's the user you want to run sudo as. That's still supported.
Re: [Freeipa-users] what is the sudo rule runasuser local user account
Yeah, this seems strange:

--externaluser=STR          External User the rule applies to (sudorule-find only)
--runasexternaluser=STR     External User the commands can run as (sudorule-find only)
--runasexternalgroup=STR    External Group the commands can run as (sudorule-find only)

I'm not sure why those commands would be limited to sudorule-find only.

Josh

> -----Original Message-----
> From: Rob Verduijn [mailto:rob.verdu...@gmail.com]
> Sent: Thursday, February 04, 2016 11:13 AM
> To: Baird, Josh
> Cc: Jakub Hrozek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] what is the sudo rule runasuser local user account
>
> That does seem to work for me as well,
> however I can only add the external user via the web-gui
>
> Any idea how to do this with the command line tools ?
>
> Rob Verduijn
Re: [Freeipa-users] what is the sudo rule runasuser local user account
That does seem to work for me as well,
however I can only add the external user via the web-gui

Any idea how to do this with the command line tools ?

Rob Verduijn

2016-02-04 17:00 GMT+01:00 Baird, Josh :
> Actually, I use local (external) users in my sudo rules in IPA 4.2 with no
> problem.
>
> Example:
>
> Rule name: TestDBAs
> Description: access for members of the TestDBAs group
> Enabled: TRUE
> Command category: all
> User Groups: testdbas
> Host Groups: corp_oracle
> RunAs External User: oracle
>
> In this example, 'oracle' is a local user on the server (not in IPA). I hope
> this functionality does not go away.
>
> Thanks,
>
> Josh
Re: [Freeipa-users] what is the sudo rule runasuser local user account
Actually, I use local (external) users in my sudo rules in IPA 4.2 with no problem.

Example:

Rule name: TestDBAs
Description: access for members of the TestDBAs group
Enabled: TRUE
Command category: all
User Groups: testdbas
Host Groups: corp_oracle
RunAs External User: oracle

In this example, 'oracle' is a local user on the server (not in IPA). I hope this functionality does not go away.

Thanks,

Josh

> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Verduijn
> Sent: Thursday, February 04, 2016 10:54 AM
> To: Jakub Hrozek
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] what is the sudo rule runasuser local user account
>
> On Centos7.2 all patches applied I used the command:
> ipa-client-install --enable-dns-updates
>
> Rob
Re: [Freeipa-users] what is the sudo rule runasuser local user account
On Centos7.2 all patches applied I used the command:
ipa-client-install --enable-dns-updates

That configures the client for sudo as well if I'm not mistaken.

Rob Verduijn

2016-02-04 16:45 GMT+01:00 Jakub Hrozek :
> I know I'm not answering your question but how did you configure the
> client side earlier? Did you use the native/legacy sudo ldap driver?
>
> The reason I'm asking this is that sssd only supports users it handles,
> so in the IPA case it only supports IPA users anyway..
Re: [Freeipa-users] what is the sudo rule runasuser local user account
On Centos7.2 all patches applied I used the command:
ipa-client-install --enable-dns-updates

Rob

2016-02-04 16:45 GMT+01:00 Jakub Hrozek :
> I know I'm not answering your question but how did you configure the
> client side earlier? Did you use the native/legacy sudo ldap driver?
>
> The reason I'm asking this is that sssd only supports users it handles,
> so in the IPA case it only supports IPA users anyway..
Re: [Freeipa-users] what is the sudo rule runasuser local user account
On Thu, Feb 04, 2016 at 03:52:25PM +0100, Rob Verduijn wrote:
> Hello,
>
> I've noticed that the sudorule-add-runasuser no longer has an --external
> option
>
> What is the current method to add a local service account to a sudo
> rule list so that users may run sudo as that service account (i.e.
> apache or jboss)
>
> Cheers
> Rob Verduijn

I know I'm not answering your question but how did you configure the
client side earlier? Did you use the native/legacy sudo ldap driver?

The reason I'm asking this is that sssd only supports users it handles,
so in the IPA case it only supports IPA users anyway..