[Freeipa-users] Sudo Commands and groups confusion

Natxo Asenjo natxo.asenjo at gmail.com
Wed Jun 12 14:19:52 UTC 2013


On Wed, Jun 12, 2013 at 1:56 AM, Sina Owolabi <shinacalypse at gmail.com> wrote:
> Hi
> Please help me understand what I am doing wrong:
>
> I'm using two RHEL6.4 ipa servers in a multi-master configuration
> Instead of creating multiple sudocmdgroups and sudo rules, I tried to subset
> what I could see in the /etc/sudoers files and have nested command groups
> and rules, to be applied to certain users and hostgroups as needed.
> I have a hostgroup called allservers, which applies to all servers.
>
> The allservers hostgroup is a member of sudo rule admin-commands, which I
> created for specific users to be able to run admin commands on all servers.
> I have added as members, multiple sudogroups, each of which have a number of
> commands inside of them. Despite this, I find that sudo does not allow me to
> run any command as the users added to the admin-command rule. Please help me
> see where my logic is broken, and what to do to fix. Thanks a lot in
> advance.

We have deployed sudo across all our ipa nodes with cfengine. The
configuration you need is this:

/etc/sudo-ldap.conf (permissions 640)

TLS_CACERT /etc/ipa/ca.crt
TLS_REQCERT demand
SASL_MECH GSSAPI
BASE dc=domain,dc=tld
URI ldaps://kdc1.domain.tld ldaps://kdc2.domain.tld
ROOTUSE_SASL on
SUDOERS_BASE ou=sudoers,dc=domain,dc=tld
SUDOERS_DEBUG 0

if you need debugging, change SUDOERS_DEBUG to 1

in /etc/nsswitch.conf, you need to have this:

sudoers:   files ldap

sudo needs a nisdomain defined, so in all the nodes you can edit the
/etc/sysconfig/network file and add something like this:

NISDOMAIN=domain.tld

after which a reboot is needed. When you log in the node, in the shell
you enter

$ nisdomainname

and you need to see your ipa domain name in there.

If you have a configuration management system modify these files for
you, do not forget to restore the selinux context in /etc if selinux is
enabled.

After that, create a sudo rule. This is our admins sudo rule:

$ ipa sudorule-show admins
  Rule name: admins
  Description: admins may run any command on anyhost
  Enabled: TRUE
  Host category: all
  Command category: all
  User Groups: admins
  Sudo Option: !authenticate

It works. I have not yet created other sudo rules limited to a set of
hosts/commands, but it should be straight forward.

-- 
natxo
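The node-side steps above (sudo-ldap.conf with 640 permissions, the nsswitch
entry, NISDOMAIN, the SELinux context restore) as one idempotent script. This
is an added example, not cfengine policy from the post or anything shipped by
FreeIPA; it assumes the post's values (domain.tld, kdc1/kdc2.domain.tld) and
takes a prefix argument so the files can be staged in a scratch directory and
checked before anything is written to the real /etc. Both LDAP bases are
derived from the DNS domain, so the hand-typed SUDOERS_BASE cannot drift from
BASE (a stray "dc=," in that line fails silently: sudo simply finds no rules).

```shell
#!/bin/sh
# Added example: configure a RHEL/CentOS node to read sudoers rules from
# FreeIPA's LDAP tree. $root is a staging prefix ("" means the live system).
set -eu

# domain.tld -> dc=domain,dc=tld
domain_to_base() {
    echo "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# Accept ou=sudoers,dc=a,dc=b...; reject an empty RDN value such as "dc=,".
valid_sudoers_base() {
    printf '%s\n' "$1" | grep -q '^ou=sudoers,dc=[^,]\{1,\}\(,dc=[^,]\{1,\}\)*$'
}

# write_sudo_ldap_conf ROOT DOMAIN SERVER... (servers become ldaps:// URIs)
write_sudo_ldap_conf() {
    root=$1; domain=$2; shift 2
    base=$(domain_to_base "$domain")
    uris=""
    for s in "$@"; do uris="$uris ldaps://$s"; done
    mkdir -p "$root/etc"
    # umask in a subshell so the file is born 0640, not created wide then chmod'ed
    ( umask 027; cat > "$root/etc/sudo-ldap.conf" <<EOF
TLS_CACERT /etc/ipa/ca.crt
TLS_REQCERT demand
SASL_MECH GSSAPI
BASE $base
URI${uris}
ROOTUSE_SASL on
SUDOERS_BASE ou=sudoers,$base
SUDOERS_DEBUG 0
EOF
    )
    chmod 640 "$root/etc/sudo-ldap.conf"   # also tightens a pre-existing file
}

# Make the sudoers: line read "files ldap", replacing any existing one.
ensure_nsswitch_sudoers() {
    root=$1; f="$root/etc/nsswitch.conf"
    mkdir -p "$root/etc"; touch "$f"
    if grep -q '^sudoers:' "$f"; then
        sed -i 's/^sudoers:.*/sudoers:   files ldap/' "$f"
    else
        echo 'sudoers:   files ldap' >> "$f"
    fi
}

# Persist NISDOMAIN for the next boot and, on a live node, set it now.
set_nisdomain() {
    root=$1; domain=$2; f="$root/etc/sysconfig/network"
    mkdir -p "$root/etc/sysconfig"; touch "$f"
    if grep -q '^NISDOMAIN=' "$f"; then
        sed -i "s/^NISDOMAIN=.*/NISDOMAIN=$domain/" "$f"
    else
        echo "NISDOMAIN=$domain" >> "$f"
    fi
    if [ -z "$root" ] && command -v nisdomainname >/dev/null 2>&1; then
        nisdomainname "$domain"           # needs root; avoids waiting for a reboot
    fi
}

# Files written by a config-management tool can lose their SELinux labels.
restore_contexts() {
    root=$1
    if [ -z "$root" ] && command -v restorecon >/dev/null 2>&1; then
        restorecon -v /etc/sudo-ldap.conf /etc/nsswitch.conf /etc/sysconfig/network
    fi
}

# Returns 0 when the staged files contain what sudo-ldap needs.
check_config() {
    root=$1
    base=$(sed -n 's/^SUDOERS_BASE //p' "$root/etc/sudo-ldap.conf")
    valid_sudoers_base "$base" &&
    grep -q '^sudoers:[[:space:]]*files ldap$' "$root/etc/nsswitch.conf" &&
    grep -q '^NISDOMAIN=.' "$root/etc/sysconfig/network" &&
    [ "$(stat -c %a "$root/etc/sudo-ldap.conf")" = 640 ]
}

# Run as root with "deploy" to write the live /etc; with no argument the
# functions are only defined, so the file can be sourced or tested.
if [ "${1:-}" = deploy ]; then
    write_sudo_ldap_conf "" domain.tld kdc1.domain.tld kdc2.domain.tld
    ensure_nsswitch_sudoers ""
    set_nisdomain "" domain.tld
    restore_contexts ""
    check_config "" && echo "sudo-ldap client configured; verify with: sudo -l"
fi
```

After a live deploy, `sudo -l` run as a member of the rule's user group should
list the rule's commands; if it lists nothing, set SUDOERS_DEBUG to 1 in
/etc/sudo-ldap.conf and re-run `sudo -l` to see which base and filter sudo is
querying.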
