[Freeipa-users] Sudo Commands and groups confusion
Natxo Asenjo
natxo.asenjo at gmail.com
Wed Jun 12 14:19:52 UTC 2013
On Wed, Jun 12, 2013 at 1:56 AM, Sina Owolabi <shinacalypse at gmail.com> wrote:
> Hi
> Please help me understand what I am doing wrong:
>
> I'm using two RHEL6.4 ipa servers in a multi-master configuration
> Instead of creating multiple sudocmdgroups and sudo rules, I tried to subset
> what I could see in the /etc/sudoers files and have nested command groups
> and rules, to be applied to certain users and hostgroups as needed.
> I have a hostgroup called allservers, which applies to all servers.
>
> The allservers hostgroup is a member of sudo rule admin-commands, which I
> created for specific users to be able to run admin commands on all servers.
> I have added as members, multiple sudogroups, each of which have a number of
> commands inside of them. Despite this, I find that sudo does not allow me to
> run any command as the users added to the admin-command rule. Please help me
> see where my logic is broken, and what to do to fix. Thanks a lot in
> advance.
We have deployed sudo across all our ipa nodes with cfengine. The
configuration you need is this:
/etc/sudo-ldap.conf (permissions 640)
TLS_CACERT /etc/ipa/ca.crt
TLS_REQCERT demand
SASL_MECH GSSAPI
BASE dc=domain,dc=tld
URI ldaps://kdc1.domain.tld ldaps://kdc2.domain.tld
ROOTUSE_SASL on
SUDOERS_BASE ou=sudoers,dc=domain,dc=tld
SUDOERS_DEBUG 0
If you need debugging, change SUDOERS_DEBUG to 1.
in /etc/nsswitch.conf, you need to have this:
sudoers: files ldap
sudo needs a nisdomain defined, so on all the nodes you can edit the
/etc/sysconfig/network file and add something like this:
NISDOMAIN=domain.tld
After that a reboot is needed. When you log in to the node, run this in
the shell:
$ nisdomainname
and you need to see your ipa domain name there.
If you have a configuration management system modify these files for
you, do not forget to restore the SELinux context in /etc if SELinux is
enabled.
After that, create a sudo rule. This is our admins sudo rule:
$ ipa sudorule-show admins
Rule name: admins
Description: admins may run any command on anyhost
Enabled: TRUE
Host category: all
Command category: all
User Groups: admins
Sudo Option: !authenticate
It works. I have not yet created other sudo rules limited to a set of
hosts/commands, but it should be straightforward.
--
natxo
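The message above lists four client-side prerequisites for sudo over LDAP (the sudo-ldap.conf directives and their 0640 mode, the `sudoers: files ldap` line in nsswitch.conf, and a NIS domain name equal to the IPA domain). The script below is an added example, not code from the mail or from FreeIPA, that checks those prerequisites on a node and rejects common mistakes such as `TLS_REQCERT` not set to `demand`, an `ldap://` instead of `ldaps://` URI, or an empty RDN like `dc=,` in a base DN. The `/etc` paths and the domain `domain.tld` are the ones the mail uses; the sample files it writes are constructed here so it can run offline, and `stat -c %a` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original mail or FreeIPA): offline-testable
# checks for the client prerequisites of sudo over LDAP. Every check is a
# function taking a file path or value, so it can be pointed at the real
# /etc files on a node or at the constructed samples written below.

# 1. /etc/nsswitch.conf must list "ldap" as a source for the sudoers database.
nsswitch_has_ldap_sudoers() {
    grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]ldap([[:space:]]|$)' "$1"
}

# 2. The NIS domain name (what `nisdomainname` prints) must be non-empty and
#    equal to the IPA domain.
nisdomain_matches() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# 3. sudo-ldap.conf should be mode 0640; pass the octal mode from `stat -c %a`.
sudo_ldap_conf_mode_ok() {
    [ "$1" = "640" ]
}

# 4. sudo-ldap.conf must carry every directive from the mail, verify the server
#    certificate (TLS_REQCERT demand), use ldaps://, and contain no empty RDN
#    such as "dc=," in BASE or SUDOERS_BASE (a typo that silently breaks lookups).
sudo_ldap_conf_ok() {
    conf="$1"
    for d in TLS_CACERT TLS_REQCERT SASL_MECH BASE URI ROOTUSE_SASL SUDOERS_BASE; do
        if ! grep -Eq "^[[:space:]]*$d[[:space:]]" "$conf"; then
            echo "$conf: missing $d" >&2; return 1
        fi
    done
    if ! grep -Eq '^[[:space:]]*TLS_REQCERT[[:space:]]+demand([[:space:]]|$)' "$conf"; then
        echo "$conf: TLS_REQCERT is not 'demand'" >&2; return 1
    fi
    if ! grep -Eq '^[[:space:]]*URI[[:space:]]+ldaps://' "$conf"; then
        echo "$conf: URI does not use ldaps://" >&2; return 1
    fi
    if grep -Eq '^[[:space:]]*(BASE|SUDOERS_BASE)[[:space:]].*=(,|$)' "$conf"; then
        echo "$conf: empty RDN in BASE or SUDOERS_BASE" >&2; return 1
    fi
    return 0
}

# Constructed sample inputs (not files from any real node): a good
# nsswitch.conf, a good sudo-ldap.conf and a broken copy with an empty RDN,
# all written into the directory given as $1.
write_samples() {
    dir="$1"
    printf 'passwd: files sss\nsudoers: files ldap\n' > "$dir/nsswitch.conf"
    cat > "$dir/sudo-ldap.conf" <<'EOF'
TLS_CACERT /etc/ipa/ca.crt
TLS_REQCERT demand
SASL_MECH GSSAPI
BASE dc=domain,dc=tld
URI ldaps://kdc1.domain.tld ldaps://kdc2.domain.tld
ROOTUSE_SASL on
SUDOERS_BASE ou=sudoers,dc=domain,dc=tld
SUDOERS_DEBUG 0
EOF
    sed 's/^SUDOERS_BASE .*/SUDOERS_BASE ou=sudoers,dc=,dc=domain,dc=tld/' \
        "$dir/sudo-ldap.conf" > "$dir/sudo-ldap-broken.conf"
    chmod 640 "$dir/sudo-ldap.conf"
}

# Print PASS/FAIL for one check ($1 is the function name) and record failures.
report() {
    if "$@" 2>/dev/null; then echo "PASS: $1"; else echo "FAIL: $1"; rc=1; fi
}

# Run all checks; defaults point at the real files of the node this runs on.
# Returns 0 only when every check passes.
run_checks() {
    nss="${1:-/etc/nsswitch.conf}"; conf="${2:-/etc/sudo-ldap.conf}"
    domain="${3:-domain.tld}"; nisdom="${4:-$(nisdomainname 2>/dev/null)}"
    rc=0
    report nsswitch_has_ldap_sudoers "$nss"
    report nisdomain_matches "$nisdom" "$domain"
    report sudo_ldap_conf_mode_ok "$(stat -c %a "$conf" 2>/dev/null)"
    report sudo_ldap_conf_ok "$conf"
    return $rc
}

# Offline demonstration against the constructed samples.
tmp=$(mktemp -d); write_samples "$tmp"
run_checks "$tmp/nsswitch.conf" "$tmp/sudo-ldap.conf" domain.tld domain.tld
sudo_ldap_conf_ok "$tmp/sudo-ldap-broken.conf" || echo "broken sample rejected, as expected"
rm -rf "$tmp"
```

On a real node, call `run_checks` with no arguments (or only the IPA domain as the third argument) so it reads /etc/nsswitch.conf, /etc/sudo-ldap.conf and the output of `nisdomainname`; a FAIL on the nisdomain check after editing /etc/sysconfig/network usually means the reboot the mail mentions has not happened yet.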