[Freeipa-users] freeipa and sudo

Pavel Březina pbrezina at redhat.com
Wed Sep 11 09:27:02 UTC 2013


On 09/09/2013 05:53 PM, Dean Hunter wrote:
> On Mon, 2013-09-09 at 11:35 +0200, Pavel Březina wrote:
>> On 09/09/2013 12:26 AM, Dean Hunter wrote:
>> > On Sun, 2013-09-08 at 23:11 +0200, Jakub Hrozek wrote:
>> >> On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote:
>> >> > On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote:
>> >> >
>> >> > > On 09/07/2013 02:11 PM, Christian Horn wrote:
>> >> > > > On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
>> >> > > >> Are [1] and [2] still the current and best sources of information for
>> >> > > >> configuring sudo for use with the current release of FreeIPA on Fedora
>> >> > > >> 19?
>> >> > > >>
>> >> > > >> 1.
>> >> > > >> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
>> >> > > >> 2.
>> >> > > >> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>> >> > > > There is also the Identity_Management_Guide as part of the RHEL
>> >> > > > product documentation:
>> >> > > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
>> >> > > This and the pdf above are the latest word in this area.
>> >> > >
>> >> > > > Christian
>> >> > > >
>> >> > > > _______________________________________________
>> >> > > > Freeipa-users mailing list
>> >> > > > Freeipa-users at redhat.com
>> >> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
>> >> > >
>> >> > >
>> >> >
>> >> > Some sudo rules are causing:
>> >> >
>> >> >   [dean at desktop2 ~]$ sudo id
>> >> >   sudo: internal error, tried to erealloc3(0)
>> >>
>> >> This is a known bug:
>> >> https://bugzilla.redhat.com/show_bug.cgi?id=1000389
>> >>
>> >> I think the sudo rules are just missing the sudoHost attribute.
>> >>
>> >> >
>> >> > , but others do not.  In the trial and error process of determining
>> >> > which rule specifications are causing the error, I have been restarting
>> >> > the virtual machine I am using as the sudo client between tests.  Is
>> >> > there a better way to clear the SSSD cache between trials to make sure I
>> >> > am testing the most recent rule change?
>> >>
>> >> Unfortunately right now the only way is to rm the sssd cache which would
>> >> also remove any cached credentials. I thought there was an RFE open to
>> >> track the enhancement to make sss_cache invalidate and refresh sudo
>> >> rules, but I can't find it now in the SSSD trac, so I filed another one:
>> >> https://fedorahosted.org/sssd/ticket/2081
>> >>
>> >> Worst case, we mark it as a duplicate.
>> >>
>> >
>> > I saw bug report 1000389, but I could not understand it or whether it
>> > applied to me.
>> >
>> > I discovered that sudo rules for which I specified a host group caused
>> > the error.  Rules with a host category of "all" instead of the host
>> > group did not cause the error.  Is this what 1000389 says?
>> >
>> >    ipa sudorule-add            server-admins  --desc "Server Administrators"
>> >    ipa sudorule-mod            server-admins  --cmdcat all
>> > # ipa sudorule-add-host       server-admins  --hostgroups servers
>> >    ipa sudorule-mod            server-admins  --hostcat all
>> >    ipa sudorule-add-option     server-admins  --sudooption '!authenticate'
>> >    ipa sudorule-add-runasuser  server-admins  --users root
>> >    ipa sudorule-add-runasgroup server-admins  --groups root
>> >    ipa sudorule-add-user       server-admins  --groups server-admins
>>
>> Does the machine where sudo prints this error belong to the hostgroup
>> 'servers'? If the answer is *no* then you are hitting 1000389.
>
> Yes, the virtual machine where the sudo internal error occurs is a
> member of the hostgroup.  So I guess this is a new error and should be
> reported?

FYI Dean reported https://bugzilla.redhat.com/show_bug.cgi?id=1006611

I still think it is the same bug as 1000389, however with slightly 
different back trace. I'll follow up in BZ.

>
>> > This problem exists with the latest updates on both Fedora 18 and Fedora 19.
>> >
>> > I also discovered that libsss_sudo.so is missing from  Fedora 18
>> > installations.
>>
>> It needs to be installed separately by installing libsss_sudo package.
>
> Yes, I did find the package and installed it.
>
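As an added example that is not part of this thread (nor FreeIPA or SSSD code): a small Python check over LDIF-style sudoRole entries, as the sudo compat tree would expose them to a client, that flags rules carrying no sudoHost value at all, which is the condition Jakub suspects behind bug 1000389. The sample entries are constructed; sudoHost, sudoUser and sudoCommand are attribute names from the sudoers LDAP schema, and the rule names and DNs are made up.

```python
from typing import Dict, List

# Constructed LDIF-style sample in the sudoers LDAP schema (sudoHost/sudoUser/
# sudoCommand are real schema attributes; the rule names and DNs are made up).
# "%name" is sudoers group syntax, "+name" netgroup syntax, "ALL" the all-hosts case.
SAMPLE_LDIF = """\
dn: cn=server-admins,ou=sudoers,dc=example,dc=test
cn: server-admins
sudoUser: %server-admins
sudoHost: ALL
sudoCommand: ALL

dn: cn=db-admins,ou=sudoers,dc=example,dc=test
cn: db-admins
sudoUser: %db-admins
sudoCommand: ALL

dn: cn=web-admins,ou=sudoers,dc=example,dc=test
cn: web-admins
sudoUser: %web-admins
sudoHost: +webservers
sudoCommand: /usr/bin/systemctl
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse minimal LDIF (no line folding, no base64 values) into a list of entries."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():          # a blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def rules_without_host(entries: List[Dict[str, List[str]]]) -> List[str]:
    """Return the cn of every rule that carries no sudoHost value at all."""
    return [e["cn"][0] for e in entries if not e.get("sudoHost")]

def main() -> None:
    for cn in rules_without_host(parse_ldif(SAMPLE_LDIF)):
        print(f"rule {cn!r} has no sudoHost; check its host setting on the IPA server")

if __name__ == "__main__":
    main()
```

A rule whose IPA definition has neither a host member nor `--hostcat all` is the kind that shows up in this list.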