<html> <head> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> And another interesting behaviour. Say a user "netuser" is a member of a user group "netstaff", and a host "bsd.example.com" is a member of a host group "nethosts". We then create an HBAC rule "netstaff_to_nethosts": Who: User Groups -> netstaff -- Accessing: Host Groups -> nethosts -- Via Service: Specified Services and Groups -> sshd And we create a SUDO rule "test": Who: Specified Users and Groups -> netuser -- Access this host: bsd.example.com -- Run Commands: Any Command Expected result is this: user "netuser" should be able to SSH to host "bsd.example.com" and successfully issue the command "sudo shutdown -r now". What happens instead: user "netuser" is able to SSH to host "bsd.example.com", but issuing the command "sudo shutdown -r now" produces this output (password is entered correctly): $ shutdown -r now Password: Ying Tong Iddle I Po Password: Do you think like you type? Password: Have you considered trying to match wits with a rutabaga? This is funny, and you can continue trying sudo and getting funny outputs; but the only way for the command to work properly is to change the HBAC rule: Who: User Groups -> netstaff -- Accessing: Host Groups -> nethosts -- Via Service: Specified Services and Groups -> ANY SERVICE Is this the correct behavior? I don't remember anything like this in FreeIPA 3.3. <div class="moz-cite-prefix">23-Oct-14 15:21, Orkhan Gasimov пишет: </div> <blockquote cite="mid:5448D695.9020405@mail.ru" type="cite"> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> Yet with FreeIPA v4 we've got another thing to keep in mind regarding FreeBSD - FreeIPA integration: the cron script proposed at FreeBSD forums won't work. Here's what was said in the post: "<span style="color: rgb(20, 20, 20); font-family: verdana, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 20.5333347320557px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; display: inline !important; float: none; background-color: rgb(255, 255, 255);">The tricky part was getting <tt style="font-family: monospace; line-height: 14.6666679382324px; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; color: rgb(0, 122, 0); background-color: rgb(255, 255, 255);">sudo</tt><span style="color: rgb(20, 20, 20); font-family: verdana, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 20.5333347320557px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; display: inline !important; float: none; background-color: rgb(255, 255, 255);"> to work with host groups. FreeIPA keeps host groups in netgroups, and FreeBSD's support for netgroups is limited. One solution would have been to enable NIS services on the FreeIPA server so that we could use proper netgroups on FreeBSD clients. We didn't like that solution, so instead we wrote a script that pulls all netgroup data from FreeIPA and stores it in <tt style="font-family: monospace; line-height: 14.6666679382324px; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; color: rgb(0, 122, 0); background-color: rgb(255, 255, 255);">/etc/netgroup</tt><span style="color: rgb(20, 20, 20); font-family: verdana, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 20.5333347320557px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; display: inline !important; float: none; background-color: rgb(255, 255, 255);">. We run the script every hour via<tt style="font-family: monospace; line-height: 14.6666679382324px; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; color: rgb(0, 122, 0); background-color: rgb(255, 255, 255);"> cron</tt><span style="color: rgb(20, 20, 20); font-family: verdana, sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 20.5333347320557px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; display: inline !important; float: none; background-color: rgb(255, 255, 255);">." The script looks for host groups in 'cn=hostgroups,cn=accounts,dc=<domain>', and that works with FreeIPA 3.3. But in FreeIPA v4 host groups get in 'cn=ng,cn=compat,dc=<domain>'. So the script needs modification. <div class="moz-cite-prefix">23-Oct-14 12:09, Orkhan Gasimov пишет: </div> <blockquote cite="mid:5448A9C7.9020506@mail.ru" type="cite">I already deployed FreeIPA 4.1 on Fedora 21 server alpha-release. Everything is good as far as FreeIPA server operation is concerned. 23-Oct-14 01:06, William Graboyes пишет: <blockquote type="cite">3) am I insane for wanting to introduce FC21 into my environment? </blockquote> </blockquote> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> </body> </html>