[Freeipa-users] another sudo su question

KodaK sakodak at gmail.com
Tue Jul 17 18:40:47 UTC 2012


On Tue, Jul 17, 2012 at 11:06 AM, Dmitri Pal <dpal at redhat.com> wrote:
> On 07/17/2012 11:50 AM, KodaK wrote:
>> I've been banging my head on this for a couple of days, and I can't
>> find anything in the docs or by searching.
>>
>> I'm trying to do what I think should be pretty simple:  I have a group
>> of users and an application account, all in IPA.  I want users in that
>> group to be able to "sudo su - appacct".
>>
>> What I've found is that I probably can't do it exactly like that, so
>> now I'm trying "sudo -i appacct", but I can't get that to work either.
>>
>> My rule is set up like this:
>>
>> rule name:  become-appacct
>> sudo option:  -i appacct       (I'm not sure this is right.)
>> user groups:  admins, appgroup
>> host groups:  apphostgroup
>>
>> Everything else is blank.  Note that this is just the current
>> configuration, I've tried a bunch of iterations.
>>
>> Any help?
>>
>> Thanks,
>>
>> --Jason
>>
> If you are using IPA it internally has a different schema for sudo than
> the one published on the sudo web site
> http://git.fedorahosted.org/git/?p=freeipa.git;a=blob;f=install/share/65ipasudo.ldif;h=7a85c8659c33794d3127d208452dcb54ad34d59e;hb=HEAD
>
> It is then transformed into a traditional sudo schema using the compat tree.
>
> So what you need to do is make sure you create the right sudo rule.
>
> Your sudo rule should use:
> user groups: admins, appgroup
> host groups: apphostgroup
> command: sudo -i

Thanks.  I had some fighting to do to get sudo to talk to ldap on this
box, but I have that going now.

If I understand you correctly, I've created a rule like you've
suggested. However, I get:

Sorry, user jebalicki is not allowed to execute '/bin/bash -c
cdcadmin' as root on slncdcl01.unix.magellanhealth.com.

(I've given up on obfuscation.)

Here's the debug output:


[jebalicki at slncdcl01 ~]$ sudo -i cdcadmin
LDAP Config Summary
===================
uri              ldap://slpidml01.unix.magellanhealth.com
ldap://slpidml02.unix.magellanhealth.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=unix,dc=magellanhealth,dc=com
bindpw           xxxxxxxxxxxxxxx
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_initialize(ld, ldap://slpidml01.unix.magellanhealth.com
ldap://slpidml02.unix.magellanhealth.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search
'(|(sudoUser=jebalicki)(sudoUser=%jebalicki)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%unixadmins)(sudoUser=ALL))'
sudo: found:cn=become-cdcadmin,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+cdchosts' ... MATCH!
sudo: ldap sudoRunAsUser 'cdcadmin' ... not
sudo: found:cn=test rule,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+tdswebhosts' ... not
sudo: ldap sudoHost '+cdchosts' ... MATCH!
sudo: ldap sudoCommand '/bin/cat' ... not
sudo: found:cn=tds-web-restart,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+tdswebhosts' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x00
[sudo] password for jebalicki:
Sorry, user jebalicki is not allowed to execute '/bin/bash -c
cdcadmin' as root on slncdcl01.unix.magellanhealth.com.
[jebalicki at slncdcl01 ~]$

And here's the rule:

[root at slpidml01 ~]# ipa sudorule-show become-cdcadmin
ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
ipa: INFO: Forwarding 'sudorule_show' to server
u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
  Rule name: become-cdcadmin
  Enabled: TRUE
  User Groups: admins, stsg
  Host Groups: cdchosts
  Sudo Allow Commands: sudo -i
  RunAs Users: cdcadmin
[root at slpidml01 ~]#

> If appacct is a user managed by IPA then he should be selected as "run
> as" user.
> If this account is not managed by IPA it should be an "external" user
>
> Use UI or CLI to add it. Doing it via ldap would not work unless you use
> the internal schema.
>
> objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation
>     STRUCTURAL MAY ( externalUser $ externalHost $ hostMask $ memberAllowCmd $ memberDenyCmd $
>     cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $
>     ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory $
>     sudoNotBefore $ sudoNotAfter $ sudoOrder ) X-ORIGIN 'IPA v2' )
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
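The per-rule "MATCH!" / "not" lines in the debug trace above are what tell you which attribute of a rule sudo stopped on. The helper below is an added example, not code from the thread or from FreeIPA: it reads such a trace (the output sudo prints with sudoers_debug enabled in its LDAP config) on stdin and prints, for each rule found, either "allowed" or the first attribute that had no matching value. It assumes the trace format shown in this thread and that sudo treats an attribute as satisfied when any one of its values matches; the sample trace is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added diagnostic helper (assumption: trace format as quoted in this thread).
# Reads a sudo LDAP debug trace on stdin, prints "<rule> -> allowed" or
# "<rule> -> denied:<attribute>" for every "sudo: found:cn=..." rule.
rule_verdicts() {
  awk '
    function flush(   i, why) {
      if (rule == "") return
      why = ""
      # a rule matches only if every checked attribute had at least one MATCH;
      # sudo stops at the first attribute with no match, so report that one
      for (i = 1; i <= n; i++) if (!(order[i] in matched)) { why = order[i]; break }
      printf "%s -> %s\n", rule, (why == "" ? "allowed" : ("denied:" why))
      for (i = 1; i <= n; i++) { delete seen[order[i]]; delete matched[order[i]] }
      n = 0; rule = ""
    }
    /^sudo: found:/ {
      flush()
      rule = $0
      sub(/^sudo: found:cn=/, "", rule); sub(/,.*/, "", rule)   # keep the cn only
    }
    /^sudo: ldap sudo/ {
      attr = $3                               # sudoHost, sudoCommand, sudoRunAsUser, ...
      if (!(attr in seen)) { seen[attr] = 1; order[++n] = attr }
      if ($0 ~ /MATCH!$/) matched[attr] = 1   # any one matching value satisfies the attribute
    }
    END { flush() }
  '
}

# Verdict for a single rule name (first argument); trace on stdin.
verdict_for() {
  rule_verdicts | awk -F" -> " -v r="$1" '$1 == r { print $2 }'
}

# Constructed sample, trimmed from the debug output quoted in this thread.
sample_trace() {
  cat <<'EOF'
sudo: ldap search '(|(sudoUser=jebalicki)(sudoUser=%admins)(sudoUser=ALL))'
sudo: found:cn=become-cdcadmin,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+cdchosts' ... MATCH!
sudo: ldap sudoRunAsUser 'cdcadmin' ... not
sudo: found:cn=test rule,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+tdswebhosts' ... not
sudo: ldap sudoHost '+cdchosts' ... MATCH!
sudo: ldap sudoCommand '/bin/cat' ... not
sudo: found:cn=tds-web-restart,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+tdswebhosts' ... not
sudo: sudo_ldap_lookup(0)=0x00
EOF
}

# Stand-alone usage: sample_trace | rule_verdicts
```

For a real host, run `sudo -l` (or the failing command) with debugging enabled and pipe its stderr into `rule_verdicts`; the rule whose verdict names sudoRunAsUser is the one where the requested run-as user does not match what the compat tree publishes.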