[Freeipa-users] freeipa and sudo
Dean Hunter
deanhunter at comcast.net
Sun Sep 8 22:26:27 UTC 2013
On Sun, 2013-09-08 at 23:11 +0200, Jakub Hrozek wrote:
> On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote:
> > On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote:
> >
> > > On 09/07/2013 02:11 PM, Christian Horn wrote:
> > > > On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
> > > >> Are [1] and [2] still the current and best sources of information for
> > > >> configuring sudo for use with the current release of FreeIPA on Fedora
> > > >> 19?
> > > >>
> > > >> 1.
> > > >> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
> > > >> 2.
> > > >> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> > > > There is also the Identity_Management_Guide as part of the RHEL
> > > > product documentation:
> > > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
> > > This and the pdf above are the latest word in this area.
> > >
> > > > Christian
> > > >
> > > > _______________________________________________
> > > > Freeipa-users mailing list
> > > > Freeipa-users at redhat.com
> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > >
> > >
> >
> > Some sudo rules are causing:
> >
> > [dean at desktop2 ~]$ sudo id
> > sudo: internal error, tried to erealloc3(0)
>
> This is a known bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1000389
>
> I think the sudo rules are just missing the sudoHost attribute.
>
> >
> > , but others do not. In the trial and error process of determining
> > which rule specifications are causing the error, I have been restarting
> > the virtual machine I am using as the sudo client between tests. Is
> > there a better way to clear the SSSD cache between trials to make sure I
> > am testing the most recent rule change?
>
> Unfortunately right now the only way is to rm the sssd cache which would
> also remove any cached credentials. I thought there was an RFE open to
> track the enhancement to make sss_cache invalidate and refresh sudo
> rules, but I can't find it now in the SSSD trac, so I filed another one:
> https://fedorahosted.org/sssd/ticket/2081
>
> Worst case, we mark it as a duplicate.
>
I saw bug report 1000389, but I could not understand it or whether it
applied to me.
I discovered that sudo rules for which I specified a host group caused
the error. Rules with a host category of "all" instead of the host
group did not cause the error. Is this what 1000389 says?
ipa sudorule-add server-admins --desc "Server Administrators"
ipa sudorule-mod server-admins --cmdcat all
# ipa sudorule-add-host server-admins --hostgroups servers
ipa sudorule-mod server-admins --hostcat all
ipa sudorule-add-option server-admins --sudooption '!authenticate'
ipa sudorule-add-runasuser server-admins --users root
ipa sudorule-add-runasgroup server-admins --groups root
ipa sudorule-add-user server-admins --groups server-admins
This problem exists with the latest updates on both Fedora 18 and Fedora
19.
I also discovered that libsss_sudo.so is missing from Fedora 18
installations.
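The diagnosis in the thread is that the failing rules reach the client without a sudoHost attribute. The script below is an added example, not part of the thread or of FreeIPA, that audits the sudoRole entries a client actually reads for exactly that condition. It assumes the rules are exported as LDIF from the compat tree, e.g. with `ldapsearch -x -LLL -b ou=sudoers,dc=example,dc=test '(objectClass=sudoRole)'` (the base DN is an assumption); the LDIF embedded in the script is constructed for the example, not captured from a server.

```sh
#!/bin/sh
# Added example (not from the thread): report sudoRole entries that carry no
# sudoHost attribute, the condition the thread ties to the client-side
# "tried to erealloc3(0)" failure. Input is LDIF; the sample below is
# constructed, and ou=sudoers,dc=example,dc=test is an assumed base DN.

# find_rules_without_sudohost < LDIF
# Prints the cn of every entry that has no sudoHost attribute, one per line.
# Exit status 0 when every rule names a host, 1 otherwise.
find_rules_without_sudohost() {
    awk '
        function flush() { if (cn != "" && !host) { print cn; bad = 1 } }
        BEGIN { bad = 0; cn = ""; host = 0 }
        # a new entry starts at each dn: line; report the previous one first
        $1 == "dn:" { flush(); cn = ""; host = 0 }
        tolower($0) ~ /^cn:/ { line = $0; sub(/^[^:]*:[ \t]*/, "", line); cn = line }
        tolower($0) ~ /^sudohost:/ { host = 1 }
        END { flush(); exit bad }
    '
}

# Constructed sample: one rule written with --hostcat all (so the compat tree
# shows sudoHost: ALL) and one rule that reached the client without sudoHost.
SAMPLE_LDIF='dn: cn=server-admins,ou=sudoers,dc=example,dc=test
objectClass: sudoRole
cn: server-admins
sudoUser: %server-admins
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: root
sudoRunAsGroup: root
sudoOption: !authenticate

dn: cn=db-admins,ou=sudoers,dc=example,dc=test
objectClass: sudoRole
cn: db-admins
sudoUser: %db-admins
sudoCommand: ALL
sudoOption: !authenticate'

# Audit the constructed sample. On a real client, pipe the ldapsearch output
# into find_rules_without_sudohost instead of the sample.
report_sample() {
    if missing=$(printf '%s\n' "$SAMPLE_LDIF" | find_rules_without_sudohost); then
        echo "every sudoRole carries sudoHost"
    else
        printf 'sudoRole entries without sudoHost (sudo on clients may fail on these):\n%s\n' "$missing"
    fi
}

report_sample
```

Run it once against the constructed sample to see the report format, then replace the sample with a real export; a non-empty list is worth checking against the rule definitions in IPA (a rule that names a host group but still shows up here is the case described in the thread).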