[Freeipa-users] sudo questions

Dmitri Pal dpal at redhat.com
Mon Oct 8 23:13:26 UTC 2012


On 10/08/2012 06:04 PM, Sigbjorn Lie wrote:
> Hi,


Thank you for the report!

>
> I've been testing the sudo integration with IPA and I came across some
> questions:
>
> 1. When I disable or delete a sudo rule, it's not removed from the
> ou=sudoers until I restart the directory server. Am I doing something
> wrong? (389-ds-base-1.2.10.2-20.el6_3.x86_64, slapi-nis-0.40-1.el6.x86_64)
>

This might be a bug in the compat plugin. The internal tree is reflected
into the standard sudo schema that is supposed to be kept in sync with
the internal tree. However, I would be surprised if there is actually a bug.

> 2. Perhaps the documentation should mention creating a rule called
> "defaults" to put default options for all sudo rules in. Or even
> better having one created by default with a fresh IPA installation. It
> took me a few seconds to figure out where to put default options for
> all sudo rules.

Can you please open an RFE in trac?
https://fedorahosted.org/freeipa


>
> 3. sudo integration with SSSD does not work when anonymous LDAP
> authentication is disabled at the server. Enabling verbose logging in
> SSSD seems to suggest that it's attempting anonymous auth only.
> (sssd-1.8.4-14.fc17.x86_64)

Which integration are you trying? The one that was tech preview in 1.8?
The one that makes SSSD cache sudo rules? It was significantly rewritten
in 1.9. Can you please try with 1.9?


>
> 4. Having spaces in sudo options (such as "env_keep = 'ENV_VAR'") makes
> sudo display these options as errors when sudo debugging is enabled
> (sudoers_debug 1 in /etc/ldap.conf or /etc/sudo-ldap.conf):
> sudo: unknown defaults entry `env_keep '

Yes. This is a known issue already filed as a ticket.

>
> 5. It would be great to have a set of sudo commands and a set of sudo
> command groups installed by default.

Can you make a proposal about what groups you would like to see in an RFE?
https://fedorahosted.org/freeipa


>
> 6. Adding a sudo command having multiple commands listed (such as:
> "/sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net,
> /sbin/iptables, /usr/bin/ rfcomm, /usr/bin/wvdial, /sbin/iwconfig,
> /sbin/mii-tool") is allowed in IPA and does list it correctly as allowed
> commands when doing "sudo -l"; however, attempting to execute one of the
> commands in the list using sudo fails.
>

Can you please try SSSD 1.9?

> I did my testing with IPA server 2.2 in CentOS 6.3.
>
>
>
> Regards,
> Siggi


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
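An added example (not code from this thread, FreeIPA or SSSD) that checks what the compat plugin publishes under ou=sudoers for the pitfalls raised in points 2, 4 and 6 above: a missing cn=defaults entry, whitespace around the operator in a sudoOption value (the cause of the `unknown defaults entry \`env_keep '` message), and several commands packed into one sudoCommand value, which sudo reads as one path plus arguments. It parses ldapsearch-style LDIF; the embedded sample LDIF, the rule names, the dc=example,dc=com suffix and the system-account bind DN in the usage line are all constructed for illustration.

```python
"""Lint sudoRole entries (standard sudo LDAP schema, as the IPA compat
plugin exposes them under ou=sudoers) for: no cn=defaults entry, spaces in
sudoOption values, several commands in one sudoCommand value.

Added example, not FreeIPA/SSSD code. Suffix and bind DN are assumptions.
If the server forbids anonymous binds, bind explicitly (-D/-W):
  ldapsearch -x -LLL -D 'uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com' -W \\
    -b ou=sudoers,dc=example,dc=com '(objectClass=sudoRole)' | python3 sudolint.py
"""
import re
import sys
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]
Finding = Tuple[str, str, str]  # (dn, attribute, message)

# Constructed sample modelled on the thread's cases (hypothetical names).
SAMPLE_LDIF = """\
dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: env_keep = 'ENV_VAR'
sudoOption: !authenticate

dn: cn=netadmin,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: netadmin
sudoUser: %netadmins
sudoHost: ALL
sudoRunAsUser: root
sudoOption: env_keep+=SSH_AUTH_SOCK
sudoCommand: /sbin/route, /sbin/ifconfig, /bin/ping
"""

# sudoOption value: optional '!', option name, optional operator, value
OPT_RE = re.compile(r"^(!?)(\w+)\s*([+-]?=)?\s*(.*)$")


def parse_ldif(text: str) -> List[Entry]:
    """Minimal RFC 2849 reader: blank line ends an entry, a leading space
    continues the previous line, '#' lines are comments. Attribute names
    are lower-cased; base64 ('::') values are kept raw; blocks without a
    dn (ldapsearch's 'version:'/'result:' chatter) are dropped."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    cur: Entry = {}
    for line in unfolded + [""]:
        if not line.strip():
            if "dn" in cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def normalize_option(value: str) -> str:
    """sudo splits a sudoOption at '=' without trimming the name, so
    "env_keep = 'X'" is looked up as the option "env_keep " (the error
    quoted in the thread). Return the value with that whitespace removed."""
    m = OPT_RE.match(value.strip())
    if not m:
        return value
    neg, name, op, rest = m.groups()
    return f"{neg}{name}{op or ''}{rest}"


def split_command(value: str) -> List[str]:
    """sudo reads each sudoCommand value as one absolute path plus optional
    arguments, so "/sbin/route, /sbin/ifconfig" is a command named
    '/sbin/route,' that 'sudo -l' lists but nothing can run. Split only if
    every comma-separated piece is an absolute path, so a real argument
    list such as '/usr/bin/foo a,b' is left alone."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) > 1 and all(p.startswith("/") for p in parts):
        return parts
    return [value]


def lint(ldif_text: str) -> Tuple[bool, List[Finding]]:
    """Return (cn=defaults present, findings)."""
    entries = parse_ldif(ldif_text)
    has_defaults = any(c.lower() == "defaults" for e in entries for c in e.get("cn", []))
    findings: List[Finding] = []
    for e in entries:
        dn = e["dn"][0]
        for opt in e.get("sudooption", []):
            fixed = normalize_option(opt)
            if fixed != opt:
                findings.append((dn, "sudoOption", f"{opt!r}: whitespace sudo will not strip; use {fixed!r}"))
        for cmd in e.get("sudocommand", []):
            parts = split_command(cmd)
            if len(parts) > 1:
                findings.append((dn, "sudoCommand", f"{cmd!r}: one value per command; use {parts}"))
            for p in parts:
                if p != "ALL" and not p.lstrip("!").startswith("/"):
                    findings.append((dn, "sudoCommand", f"{p!r}: not an absolute path"))
    if not has_defaults:
        findings.append(("", "cn=defaults", "no cn=defaults entry; global sudoOption values belong there"))
    return has_defaults, findings


if __name__ == "__main__":
    data = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    present, problems = lint(data)
    print(f"cn=defaults present: {present}")
    for dn, attr, msg in problems:
        print(f"{dn or '<tree>'}  {attr}  {msg}")
```

Run it against the compat tree right after disabling or deleting a rule in IPA, then again after a restart, and diff the output: if the entry only disappears after the restart, that is the staleness described in point 1 above.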




