[Freeipa-users] sudo rules user and host group bugs?
KodaK
sakodak at gmail.com
Wed Jun 5 20:47:27 UTC 2013
Sorry, for some reason gmail makes me forget about "reply all."
On Wed, Jun 5, 2013 at 2:45 PM, Dmitri Pal <dpal at redhat.com> wrote:
> On 06/05/2013 11:20 AM, KodaK wrote:
>
> I know this has been discussed before, but I didn't see anything with a
> cursory search.
>
> There are bugs when using user and host groups with sudo rules. I have to
> split out my users and hosts into individual entries. I'm running ipa
> 3.0.0-26 on RHEL.
>
> All I really want to know is if this is fixed upstream.
>
>
> I am not sure I recall a bug you are referring to. A quick scan against
> the open tickets does not reveal anything like what you describe.
> Can you provide the description of the issue or point to the earlier
> thread on the matter?
>
>
I'm going off of memory on seeing the previous bug. It very well could be
a false memory.
I have a rule like this:
[jebalicki at mo0033802 ~]$ ipa sudorule-show esolutions-sandbox-root-access
Rule name: esolutions-sandbox-root-access
Enabled: TRUE
Users: slfries, awellard
Hosts: slnessbxl01.unix.magellanhealth.com
Sudo Allow Commands: /bin/su -
This works. However, if I change the rule to use hostgroups instead of
listing the hosts individually the rule will not work.
The groups still exist and look like this:
[jebalicki at mo0033802 ~]$ ipa hostgroup-show esolutions-sandbox-hosts
Host-group: esolutions-sandbox-hosts
Description: esolutions sandbox hosts
Member hosts: slnessbxl01.unix.magellanhealth.com
Member of HBAC rule: esolutions-sandbox-access
[jebalicki at mo0033802 ~]$ ipa group-show esolutions
Group name: esolutions
Description: esolutions group
GID: 1115600250
Member users: awellard, slfries
Member of HBAC rule: esolutions-sandbox-access
Client machine is pretty much default-out-of-the-box IRT IPA configuration,
here's the installer output (installs during kickstart):
[root at slnessbxl01 ~]# cat ks-post.log
Discovery was successful!
Hostname: slnessbxl01.unix.magellanhealth.com
Realm: UNIX.MAGELLANHEALTH.COM
DNS Domain: UNIX.MAGELLANHEALTH.COM
IPA Server: slpidml01.unix.magellanhealth.com
BaseDN: dc=unix,dc=magellanhealth,dc=com
Synchronizing time with KDC...
Enrolled in IPA realm UNIX.MAGELLANHEALTH.COM
Created /etc/ipa/default.conf
New SSSD config will be created.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UNIX.MAGELLANHEALTH.COM
Warning: Hostname (slnessbxl01.unix.magellanhealth.com) not found in DNS
DNS server record set to: slnessbxl01.unix.magellanhealth.com -> 10.200.12.104
SSSD enabled
NTP enabled
Client configuration complete.
[root at slnessbxl01 ~]# rpm -qa | grep ipa
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
[root at slnessbxl01 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 (Santiago)
[root at slnessbxl01 ~]#
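Added example, not part of the thread or of FreeIPA itself: an offline check of whether the rule above, rewritten to use the group and hostgroup shown, actually covers a given user/host pair once group membership is expanded. It parses the `ipa *-show` key/value output format seen in the thread; the `User Groups:` and `Host Groups:` labels for the group-based rule are an assumption about `ipa sudorule-show` output, and the inputs are constructed samples. Comparing this server-side expansion with what the client's sudo integration accepts helps narrow the failure to server data versus client resolution.

```python
"""Expand a FreeIPA sudo rule's groups from `ipa *-show` output and check coverage."""
import re

# Constructed sample: the thread's rule rewritten with groups instead of
# individual entries. "User Groups:" / "Host Groups:" labels are assumed.
SUDORULE = """\
Rule name: esolutions-sandbox-root-access
Enabled: TRUE
User Groups: esolutions
Host Groups: esolutions-sandbox-hosts
Sudo Allow Commands: /bin/su -
"""
GROUP = """\
Group name: esolutions
Member users: awellard, slfries
"""
HOSTGROUP = """\
Host-group: esolutions-sandbox-hosts
Member hosts: slnessbxl01.unix.magellanhealth.com
"""

def parse_show(text):
    """Parse 'Label: v1, v2' lines of ipa *-show output into {label: [values]}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            out[m.group(1).strip()] = [v.strip() for v in m.group(2).split(",") if v.strip()]
    return out

def rule_covers(rule_text, user, host, groups, hostgroups):
    """True if the (enabled) rule grants `user` on `host` after expanding
    direct entries plus group / hostgroup members.
    groups, hostgroups: name -> parsed *-show dict."""
    rule = parse_show(rule_text)
    if rule.get("Enabled") != ["TRUE"]:
        return False  # disabled rules never match, whatever their members
    users = set(rule.get("Users", []))
    for g in rule.get("User Groups", []):
        users.update(groups.get(g, {}).get("Member users", []))
    hosts = set(rule.get("Hosts", []))
    for hg in rule.get("Host Groups", []):
        hosts.update(hostgroups.get(hg, {}).get("Member hosts", []))
    return user in users and host in hosts

GROUPS = {"esolutions": parse_show(GROUP)}
HOSTGROUPS = {"esolutions-sandbox-hosts": parse_show(HOSTGROUP)}

if __name__ == "__main__":
    print(rule_covers(SUDORULE, "slfries", "slnessbxl01.unix.magellanhealth.com", GROUPS, HOSTGROUPS))
```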