[Freeipa-users] sudo questions

Sigbjorn Lie sigbjorn at nixtra.com
Mon Oct 8 22:04:24 UTC 2012


Hi,

I've been testing the sudo integration with IPA and I came across some 
questions:

1. When I disable or delete a sudo rule, it's not removed from the 
ou=sudoers until I restart the directory server. Am I doing something 
wrong? (389-ds-base-1.2.10.2-20.el6_3.x86_64, slapi-nis-0.40-1.el6.x86_64)

2. Perhaps the documentation should mention creating a rule called 
"defaults" to put default options for all sudo rules in. Or even better 
having one created by default with a fresh IPA installation. It took me 
a few seconds to figure out where to put default options for all sudo rules.

3. sudo integration with SSSD does not work when anonymous LDAP 
authentication is disabled at the server. Enabling verbose logging in 
SSSD seems to suggest that it's attempting anonymous auth only. 
(sssd-1.8.4-14.fc17.x86_64)

4. Having spaces in sudo options (such as "env_keep = 'ENV_VAR'") makes 
sudo display these options as errors when sudo debugging is enabled 
(sudoers_debug 1 in /etc/ldap.conf or /etc/sudo-ldap.conf):
sudo: unknown defaults entry `env_keep '

5. It would be great to have a set of sudo commands and a set of sudo 
command groups installed by default.

6. Adding a sudo command having multiple commands listed (such as: 
"/sbin/route, /sbin/ifconfig, /bin/ping") 
is allowed in IPA and does list it correctly as allowed commands when 
doing "sudo -l", however attempting to execute one of the commands in 
the list using sudo fails.

I did my testing with IPA server 2.2 in CentOS 6.3.



Regards,
Siggi
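The two formatting pitfalls in points 4 and 6 (whitespace inside a sudoOption value, and a comma-separated command list stored as a single sudoCommand value) are easy to check for in an LDIF dump of ou=sudoers before the rules reach clients. The following linter is an added example, not code from the post or from FreeIPA; the sudoRole entries it reads are constructed here, and the checks assume, as the post reports, that sudo matches each sudoCommand value as one literal command and rejects option names with surrounding whitespace.

```python
import re
# Constructed sample, not from the post: the first sudoRole is written the way the
# post describes (comma list in one sudoCommand value, spaces in sudoOption), the
# second in the one-value-per-attribute form that sudo's LDAP backend expects.
SAMPLE_LDIF = """\
dn: cn=netadmins,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %netadmins
sudoHost: ALL
sudoCommand: /sbin/route, /sbin/ifconfig, /bin/ping
sudoOption: env_keep = 'ENV_VAR'
dn: cn=netadmins-fixed,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %netadmins
sudoHost: ALL
sudoCommand: /sbin/route
sudoCommand: /sbin/ifconfig
sudoCommand: /bin/ping
sudoOption: env_keep+=ENV_VAR
"""

def parse_ldif(text):
    """Minimal LDIF reader: [(dn, [(attr, value), ...])]; plain 'attr: value' lines only."""
    entries = []
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if not attr:
            continue  # blank separator line between entries
        if attr.lower() == "dn":
            entries.append((value, []))
        elif entries:
            entries[-1][1].append((attr, value))
    return entries

def lint_sudo_role(dn, attrs):
    """Flag the two pitfalls from the post for one sudoRole entry."""
    warnings = []
    for attr, value in attrs:
        if attr.lower() == "sudocommand" and "," in value:
            warnings.append(f"{dn}: sudoCommand {value!r} is a comma-separated list; "
                            "sudo matches each value as one command, use one value per command")
        elif attr.lower() == "sudooption" and re.search(r"\s[+-]?=|=\s", value):
            warnings.append(f"{dn}: sudoOption {value!r} has whitespace around '='; "
                            "sudo reported such a value as an unknown defaults entry")
    return warnings

def lint_ldif(text):
    return [w for dn, attrs in parse_ldif(text) for w in lint_sudo_role(dn, attrs)]
```

Running lint_ldif over an export of ou=sudoers (for example the output of ldapsearch) prints one line per offending attribute value and nothing for the corrected entry.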
