[Freeipa-users] How to use sudo rules on ubuntu

Jakub Hrozek jhrozek at redhat.com
Fri Aug 29 08:27:19 UTC 2014


On Fri, Aug 29, 2014 at 09:30:55AM +0300, Tevfik Ceydeliler wrote:
> 
> Here is my configuration and client output. I don't know what is wrong

Please keep the freeipa-users list in the CC list; other users might run
into the same problem.

> =======================================================
> Server Side:
> [root at srv ~]# ipa sudorule-find
> -------------------
> 1 Sudo Rule matched
> -------------------
>   Rule name: log-reading
>   Enabled: TRUE
>   Users: kduser1, user1
>   Hosts: clnt2.ipa.grp, clnt.ipa.grp
>   Sudo Allow Commands: /usr/bin/less, /usr/bin/vi, /usr/bin/yum, /usr/bin/apt-get
>   Sudo Option: !authenticate
> ----------------------------
> Number of entries returned 1
> ----------------------------
> 
> 
> And client side:
> 1. nsswitch.conf:
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:         compat sss
> group:          compat sss
> shadow:         compat
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] dns
> networks:       files
> 
> protocols:      sss files
> services:       sss files
> ethers:         sss files
> rpc:            sss files
> 
> netgroup:       nis sss
> sudoers:        files sss
> sudoers_debug:  1
> 
> 2. sssd.conf:
> 
> [domain/ipa.grp]
> krb5_realm = IPA.GRP
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.grp
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = clnt.ipa.grp
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, srv.ipa.grp
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = ipa.grp
> [nss]
> homedir_substring = /home
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
> ldap_sasl_mech = GSSAPI
> ldap=sasl_authid = host/cnlt2.ipa.grp
> ldap_sasl_realm = IPA.GRP
> ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
> sudo_provider = ldap
> ldap_uri = ldap://srv.ipa.grp
> krb5_server = srv.ipa.grp

These options belong to the [domain] section, you put them into the
[pac] section.

> 
> When I try to use sudo:
> 
> user1 at clnt:~$ sudo -i user1 vi apt-get update
> [sudo] password for user1:
> Sorry, user user1 is not allowed to execute '/bin/bash -c user1 vi apt-get
> update' as root on clnt.ipa.grp.
> user1 at clnt:~$
> 
> =======================================================
> On 28-08-2014 17:21, Jakub Hrozek wrote:
> >On Thu, Aug 28, 2014 at 02:53:35PM +0300, Tevfik Ceydeliler wrote:
> >>After configuration, for example, I try to create a policy about the sudo
> >>command, let's say I want to run the "apt-get" command by sudo as client
> >>
> >>How can I use it in client side?
> >>Any example?
> >I still don't understand what you mean, did you check out the 'ipa
> >sudorule-add-runasuser' command?
> 
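The reply above pins the problem on where the options landed in sssd.conf rather than on what they say: everything from ldap_sudo_search_base down to krb5_server is a [domain/NAME] option, but in the posted file it sits under the empty [pac] service section, where SSSD ignores it. The checker below is an added example (not code from this thread or from the SSSD project) that parses an sssd.conf and reports domain options found in a service section, option lines that do not parse (the posted "ldap=sasl_authid" line, whose lost underscore turns the key into "ldap"), and whether sudo is wired to SSSD at all ("sudo" in the [sssd] services list, "sss" on the sudoers line of nsswitch.conf). DOMAIN_ONLY_OPTIONS is a hand-picked subset of the [domain] options documented in sssd.conf(5), sssd-ldap(5), sssd-krb5(5) and sssd-ipa(5), not a complete list, and the mangled-value regex is a heuristic; both are assumptions of this example. The sample configuration is constructed to mirror the one in the post.

```python
"""Sanity-check an sssd.conf / nsswitch.conf pair for SSSD sudo integration.

Added example, not code from the thread or the SSSD project. Assumptions:
DOMAIN_ONLY_OPTIONS is a hand-picked subset of documented [domain/NAME]
options, and the "mangled key" detection is a heuristic.
"""
import re

# Subset of options that sssd.conf(5), sssd-ldap(5), sssd-krb5(5) and
# sssd-ipa(5) define for [domain/NAME] sections only (assumption: subset).
DOMAIN_ONLY_OPTIONS = {
    "ldap_sudo_search_base", "ldap_sasl_mech", "ldap_sasl_authid",
    "ldap_sasl_realm", "ldap_netgroup_search_base", "sudo_provider",
    "ldap_uri", "krb5_server", "krb5_realm", "id_provider", "auth_provider",
    "access_provider", "chpass_provider", "ipa_server", "ipa_domain",
    "ipa_hostname", "ldap_tls_cacert", "cache_credentials",
}

# Sections that hold responder/service settings, never provider options.
SERVICE_SECTIONS = {"sssd", "nss", "pam", "sudo", "autofs", "ssh", "pac", "ifp"}

_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
# A value shaped like "sasl_authid = host/..." means the key lost a character
# (e.g. "ldap=sasl_authid = ..."). DN values such as "ou=sudoers,dc=ipa,dc=grp"
# have no whitespace around '=' and are not flagged. Heuristic.
_MANGLED_VALUE_RE = re.compile(r"^[A-Za-z0-9_]+\s+=\s")


def parse_sssd_conf(text):
    """Return ({section: {key: value}}, [(lineno, line), ...] for unparsable lines)."""
    sections, malformed, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if (current is None or not sep or not re.fullmatch(r"[a-z0-9_]+", key)
                or _MANGLED_VALUE_RE.match(value)):
            malformed.append((lineno, line))
            continue
        sections[current][key] = value
    return sections, malformed


def find_misplaced_options(sections):
    """Domain-only options that ended up in a service section, as (section, key)."""
    return sorted((section, key)
                  for section, opts in sections.items()
                  if section in SERVICE_SECTIONS
                  for key in opts if key in DOMAIN_ONLY_OPTIONS)


def check_sudo_wiring(sections, nsswitch_text):
    """Both halves needed for sudo to consult SSSD: the sudo responder must be
    started by [sssd] services, and nsswitch must route sudoers to sss."""
    findings = []
    services = {s.strip() for s in sections.get("sssd", {}).get("services", "").split(",")}
    if "sudo" not in services:
        findings.append("[sssd] services does not include sudo")
    for line in nsswitch_text.splitlines():
        if line.strip().startswith("sudoers:"):
            if "sss" not in line.split()[1:]:
                findings.append("nsswitch.conf sudoers line does not list sss")
            break
    else:
        findings.append("nsswitch.conf has no sudoers line")
    return findings


# Constructed sample mirroring the configuration posted in the thread.
SAMPLE_SSSD_CONF = """\
[domain/ipa.grp]
krb5_realm = IPA.GRP
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = clnt.ipa.grp
ipa_server = _srv_, srv.ipa.grp
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ipa.grp
[nss]
homedir_substring = /home
[pac]

ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
ldap_sasl_mech = GSSAPI
ldap=sasl_authid = host/cnlt2.ipa.grp
ldap_sasl_realm = IPA.GRP
sudo_provider = ldap
ldap_uri = ldap://srv.ipa.grp
krb5_server = srv.ipa.grp
"""
SAMPLE_NSSWITCH = "passwd: compat sss\nsudoers: files sss\n"

if __name__ == "__main__":
    sections, malformed = parse_sssd_conf(SAMPLE_SSSD_CONF)
    for section, key in find_misplaced_options(sections):
        print(f"[{section}] {key}: belongs in a [domain/...] section")
    for lineno, line in malformed:
        print(f"line {lineno}: cannot parse option: {line!r}")
    for finding in check_sudo_wiring(sections, SAMPLE_NSSWITCH):
        print(finding)
```

Run against the sample it reports six options under [pac] that belong under [domain/ipa.grp] and one unparsable line; the sudo responder and the nsswitch sudoers entry pass. Moving the flagged lines under the domain section (and restoring the underscore in ldap_sasl_authid) is the change the reply asks for; the checker only reports, it does not rewrite the file.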