<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.23580"></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face=Arial>More information:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face="Courier New">[root@puppet01 ~]# cat
/etc/sssd/sssd.conf<BR>[domain/example.com]</FONT></SPAN></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face="Courier New">cache_credentials = True<BR>krb5_realm =
EXAMPLE.COM</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face="Courier New">ipa_domain = example.com<BR>id_provider =
ipa<BR>auth_provider = ipa<BR>access_provider = ipa<BR>ipa_hostname =
puppet01.example.com<BR>chpass_provider = ipa<BR>ipa_server = ipa01.example.com,
ipa02.example.com<BR>ldap_tls_cacert = /etc/ipa/ca.crt<BR>ldap_network_timeout =
2<BR>ldap_opt_timeout = 2<BR>ldap_search_timeout = 2<BR>ldap_user_extra_attrs =
email:mail, firstname:givenname, lastname:sn, ou<BR>[sssd]<BR>services = nss,
sudo, pam, ssh<BR>config_file_version = 2</FONT></SPAN></DIV>
<DIV><FONT color=#0000ff size=2 face="Courier New"></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face="Courier New">domains = example.com<BR>[nss]<BR>filter_users =
root,apache,postgres,oracle,tomcat,puppet,foreman,foreman-proxy<BR>filter_groups
= root,apache,postgres,oracle,tomcat,puppet,foreman-proxy<BR>homedir_substring =
/home</FONT></SPAN></DIV>
<DIV><FONT color=#0000ff size=2 face="Courier New"></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face="Courier New">[pam]</FONT></SPAN></DIV>
<DIV><FONT color=#0000ff size=2 face="Courier New"></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face="Courier New">[sudo]</FONT></SPAN></DIV>
<DIV><FONT color=#0000ff size=2 face="Courier New"></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face="Courier New">[autofs]</FONT></SPAN></DIV>
<DIV><FONT color=#0000ff size=2 face="Courier New"></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face="Courier New">[ssh]<BR></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face=Arial>We don't use _srv_ as we have no control over the DNS
servers.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face="Courier New">[root@puppet01 ~]# cat /etc/nsswitch.conf | grep -v
\#</FONT></SPAN></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2><BR><FONT face="Courier New">passwd: files
sss<BR>shadow: files
sss<BR>group: files sss</FONT></FONT></SPAN></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face="Courier New">hosts: files
dns</FONT></SPAN></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2><BR><FONT face="Courier New">bootparams: nisplus [NOTFOUND=return]
files</FONT></FONT></SPAN></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face="Courier New">ethers:
files<BR>netmasks: files<BR>networks:
files<BR>protocols:
files<BR>rpc:
files<BR>services: files sss</FONT></SPAN></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face="Courier New">netgroup: files sss</FONT></SPAN></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face="Courier New">publickey: nisplus</FONT></SPAN></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face="Courier New">automount: files<BR>aliases:
files nisplus<BR>sudoers: files sss</FONT></SPAN></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face="Courier New">[root@puppet01 ~]#<BR></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=473513511-04082015><FONT color=#0000ff
size=2 face=Arial>The client runs sudo successfully for other rules that are in
place.</FONT></SPAN></DIV><BR>
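<DIV dir=ltr align=left><FONT size=2 face=Arial>Added example, not from the thread: a small Python check that reads an sssd.conf and nsswitch.conf shaped like the ones quoted above and reports, for a given user, whether the sudo-to-sssd path is wired up (the sudo service enabled, a sudoers line that consults sss, an effective sudo_provider) and whether that user is excluded from sss NSS lookups by [nss] filter_users. The embedded configs are constructed samples that mirror the quoted files; the function and variable names are my own.</FONT></DIV>

```python
import configparser
import io
# Constructed sample mirroring the sssd.conf quoted in the thread, trimmed to the keys checked
SSSD_CONF = """\
[domain/example.com]
id_provider = ipa
[sssd]
services = nss, sudo, pam, ssh
domains = example.com
[nss]
filter_users = root,apache,postgres,oracle,tomcat,puppet,foreman,foreman-proxy
[sudo]
"""
# Constructed sample mirroring the quoted nsswitch.conf with comment lines stripped
NSSWITCH_CONF = "passwd: files sss\ngroup: files sss\nsudoers: files sss\n"
def split_list(value):
    # sssd lists are comma separated; tolerate spaces around the commas
    return [v.strip() for v in value.split(",") if v.strip()]

def nsswitch_sources(text, database):
    # Source list for one nsswitch database, with "#" comments ignored
    for line in text.splitlines():
        name, _, sources = line.split("#", 1)[0].partition(":")
        if name.strip() == database:
            return sources.split()
    return []

def check_sudo_integration(sssd_text, nsswitch_text, user):
    # Returns findings; an empty list means the sudo -> sssd -> IPA path is wired up
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_file(io.StringIO(sssd_text))
    findings = []
    if "sudo" not in split_list(cfg.get("sssd", "services", fallback="")):
        findings.append("[sssd] services does not include sudo")
    if "sss" not in nsswitch_sources(nsswitch_text, "sudoers"):
        findings.append("nsswitch sudoers line does not include sss")
    for dom in split_list(cfg.get("sssd", "domains", fallback="")):
        sec = "domain/" + dom
        # sudo_provider falls back to id_provider when unset (sssd.conf(5))
        prov = cfg.get(sec, "sudo_provider", fallback="") or cfg.get(sec, "id_provider", fallback="")
        if prov in ("", "none"):
            findings.append(sec + ": no effective sudo_provider")
    if user in split_list(cfg.get("nss", "filter_users", fallback="")):
        findings.append(user + " is listed in [nss] filter_users, so sss answers no NSS lookups for it")
    return findings

if __name__ == "__main__":
    for u in ("innesd", "foreman-proxy"):
        print(u, check_sudo_integration(SSSD_CONF, NSSWITCH_CONF, u) or ["ok"])
```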
<DIV dir=ltr lang=en-us class=OutlookMessageHeader align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> freeipa-users-bounces@redhat.com
[mailto:freeipa-users-bounces@redhat.com] <B>On Behalf Of </B>Innes,
Duncan<BR><B>Sent:</B> 04 August 2015 12:10<BR><B>To:</B>
freeipa-users@redhat.com<BR><B>Subject:</B> Re: [Freeipa-users] FreeIPA and sudo
Defaults<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr align=left><SPAN class=075530511-04082015><FONT color=#0000ff
size=2 face=Arial>Information:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=075530511-04082015><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=075530511-04082015><FONT color=#0000ff
size=2 face=Arial>IPA server and client both running on RHEL 6.7 fully
patched.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=075530511-04082015><FONT color=#0000ff
size=2 face=Arial>IPA server version:
ipa-server-3.0.0-47.el6.x86_64</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=075530511-04082015><FONT color=#0000ff
size=2 face=Arial>sssd client version:
sssd-1.12.4-47.el6.x86_64</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN class=075530511-04082015>IPA
server hosts dozens of sudo rules that work as expected. This is the first
rule, however, that needs the !requiretty in the Defaults for the
user.</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN
class=075530511-04082015></SPAN></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN
class=075530511-04082015>Thanks</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN
class=075530511-04082015><BR>D</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV><BR></DIV>
<DIV dir=ltr lang=en-us class=OutlookMessageHeader align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> freeipa-users-bounces@redhat.com
[mailto:freeipa-users-bounces@redhat.com] <B>On Behalf Of </B>Innes,
Duncan<BR><B>Sent:</B> 04 August 2015 10:58<BR><B>To:</B>
freeipa-users@redhat.com<BR><B>Subject:</B> [Freeipa-users] FreeIPA and sudo
Defaults<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=768303609-04082015>Hi
folks,</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=768303609-04082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=768303609-04082015>Struggling with
creating a sudo rule in IPA that will allow my foreman-proxy to run specific
commands. When I put the following into
/etc/sudoers.d/foreman:</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=768303609-04082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face="Courier New"><SPAN
class=768303609-04082015>[root@puppet01 ~]# cat
/etc/sudoers.d/foreman<BR>foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *,
/usr/bin/puppet kick *<BR>Defaults:foreman-proxy !requiretty<BR>innesd ALL =
NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *<BR>Defaults:innesd
!requiretty<BR>[root@puppet01 ~]#</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=768303609-04082015><BR><FONT
face="Courier New">[innesd@puppet01 ~]$ sudo -l<BR>Matching Defaults entries for
innesd on this host:<BR>
!requiretty</FONT></SPAN></FONT></DIV>
<DIV><FONT size=2 face="Courier New"></FONT> </DIV>
<DIV><FONT size=2 face="Courier New"><SPAN class=768303609-04082015>User innesd
may run the following commands on this host:<BR> (root)
NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick
*<BR> (root) /bin/su<BR>[innesd@puppet01
~]$<BR></SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=768303609-04082015>Both my user and the
foreman-proxy can run the relevant commands both on the command line and
remotely.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=768303609-04082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=768303609-04082015>IT Security are not
happy with local sudo rules being configured around the network, so I'm trying
to create the same configuration via IPA.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=768303609-04082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=768303609-04082015>When I try to get
the same rule into IPA, my user can run the command in a tty, but the
foreman-proxy user is refused. This looks to be down to the lack of
!requiretty coming through for the users:</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=768303609-04082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face="Courier New"><SPAN class=768303609-04082015>[root@ipa01
~]# ipa sudorule-show foreman-proxy<BR> Rule name: foreman-proxy<BR>
Enabled: TRUE<BR> User category: all<BR> Hosts:
puppet02.example.com,
puppet01.example.com,<BR>
puppet03.example.com, puppet04.example.com</SPAN></FONT></DIV>
<DIV><FONT size=2 face="Courier New"><SPAN class=768303609-04082015> Sudo
Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *<BR> Sudo
Option: !authenticate, !requiretty<BR>[root@ipa01 ~]#<BR></SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=768303609-04082015>and once I've
removed the #includedir option from my local sudoers file, I get the following
as my user:</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=768303609-04082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face="Courier New"><SPAN
class=768303609-04082015>[innesd@puppet01 ~]$ sudo -l<BR>User innesd may run the
following commands on this host:<BR> (root)
/bin/su<BR> (root) NOPASSWD: /usr/bin/puppet cert *,
/usr/bin/puppet kick *<BR>[innesd@puppet01 ~]$<BR></SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=768303609-04082015>where the noticeable
difference is that the !requiretty isn't listed under any "Matching Defaults
entries" for my user. With the rule set up like this, I can run the
command in a tty, but the foreman-proxy user is denied when the command is run
without a tty.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=768303609-04082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=768303609-04082015>How do I go about
setting the Defaults for the foreman-proxy user? Once my testing is done,
I'd like to move the rule to run only against the foreman-proxy external user
rather than all users.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=768303609-04082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=768303609-04082015>And a small
follow-up question: how long should I expect it to take for a change to the sudo
rule on my IPA server to become available on the client? I keep doing
sss_cache -E to clear the cache, but it still seems to take its own sweet time
to be changed on the client. It's not a huge wait - just a bit of a pain
when I'm testing these changes.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=768303609-04082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=768303609-04082015>Thanks in
advance,</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=768303609-04082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=768303609-04082015>Duncan
Innes</SPAN></FONT></DIV><BR clear=both>This message has been checked for
viruses and spam by the Virgin Money email scanning system powered by
Messagelabs.<BR><BR>This e-mail is intended to be confidential to the recipient.
If you receive a copy in error, please inform the sender and then delete this
message.<BR><BR>Virgin Money plc - Registered in England and Wales (Company no.
6952311). Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3
4PL. Virgin Money plc is authorised by the Prudential Regulation Authority and
regulated by the Financial Conduct Authority and the Prudential Regulation
Authority.<BR><BR>The following companies also trade as Virgin Money. They are
both authorised and regulated by the Financial Conduct Authority, are registered
in England and Wales and have their registered office at Jubilee House,
Gosforth, Newcastle upon Tyne NE3 4PL: Virgin Money Personal Financial Service
Limited (Company no. 3072766) and Virgin Money Unit Trust Managers Limited
(Company no. 3000482).<BR><BR>For further details of Virgin Money group
companies please visit our website at virginmoney.com<BR>
</BODY></HTML>