[Freeipa-users] How to use sudo rules on ubuntu

Tevfik Ceydeliler tevfik.ceydeliler at astron.yasar.com.tr
Fri Aug 29 08:54:42 UTC 2014


ok sorry.
On 29-08-2014 11:27, Jakub Hrozek wrote:
> On Fri, Aug 29, 2014 at 09:30:55AM +0300, Tevfik Ceydeliler wrote:
>> Here is my configuration and client output. I don't know what is wrong
> Please keep the freeipa-users list in the CC list; other users might run
> into the same problem.
>
>> =======================================================
>> Server Side:
>> [root at srv ~]# ipa sudorule-find
>> -------------------
>> 1 Sudo Rule matched
>> -------------------
>>    Rule name: log-reading
>>    Enabled: TRUE
>>    Users: kduser1, user1
>>    Hosts: clnt2.ipa.grp, clnt.ipa.grp
>>    Sudo Allow Commands: /usr/bin/less, /usr/bin/vi, /usr/bin/yum, /usr/bin/apt-get
>>    Sudo Option: !authenticate
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>>
>>
>> And client side:
>> 1. nsswitch.conf:
>>
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd:         compat sss
>> group:          compat sss
>> shadow:         compat
>>
>> hosts:          files mdns4_minimal [NOTFOUND=return] dns
>> networks:       files
>>
>> protocols:      sss files
>> services:       sss files
>> ethers:         sss files
>> rpc:            sss files
>>
>> netgroup:       nis sss
>> sudoers:        files sss
>> sudoers_debug:  1
>>
>> 2. sssd.conf:
>>
>> [domain/ipa.grp]
>> krb5_realm = IPA.GRP
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = ipa.grp
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = clnt.ipa.grp
>> chpass_provider = ipa
>> ipa_dyndns_update = True
>> ipa_server = _srv_, srv.ipa.grp
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> [sssd]
>> services = nss, pam, ssh, sudo
>> config_file_version = 2
>> domains = ipa.grp
>> [nss]
>> homedir_substring = /home
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>> ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
>> ldap_sasl_mech = GSSAPI
>> ldap=sasl_authid = host/cnlt2.ipa.grp
>> ldap_sasl_realm = IPA.GRP
>> ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
>> sudo_provider = ldap
>> ldap_uri = ldap://srv.ipa.grp
>> krb5_server = srv.ipa.grp
> These options belong to the [domain] section, you put them into the
> [pac] section.
>
>> When I try to use sudo:
>>
>> user1 at clnt:~$ sudo -i user1 vi apt-get update
>> [sudo] password for user1:
>> Sorry, user user1 is not allowed to execute '/bin/bash -c user1 vi apt-get
>> update' as root on clnt.ipa.grp.
>> user1 at clnt:~$
>>
>> =======================================================
>> On 28-08-2014 17:21, Jakub Hrozek wrote:
>>> On Thu, Aug 28, 2014 at 02:53:35PM +0300, Tevfik Ceydeliler wrote:
>>>> After configuration, for example, I try to create a policy about the sudo
>>>> command, let's say I want to run the "apt-get" command by sudo as client
>>>>
>>>> How can I use it in client side?
>>>> Any example?
>>> I still don't understand what you mean, did you check out the 'ipa
>>> sudorule-add-runasuser' command?

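As an added example (not code from the thread or from SSSD itself), here is a small Python check for the mistake Jakub points out: it parses an sssd.conf modelled on the one quoted above, flags domain-only options that landed in a service section such as [pac], and moves them into [domain/ipa.grp]. The list of domain-only option prefixes is an assumption based on common sssd option naming, not an exhaustive reading of sssd.conf(5).

```python
# Added example (not from the thread or from SSSD): flag domain-only sssd.conf
# options that landed in a service section such as [pac], and move them back.
import configparser
import io

# Constructed sample, modelled on (and trimmed from) the config in the thread.
SAMPLE_CONF = """\
[domain/ipa.grp]
id_provider = ipa
ipa_server = _srv_, srv.ipa.grp
[sssd]
services = nss, pam, ssh, sudo
domains = ipa.grp
[pac]
ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
sudo_provider = ldap
ldap_uri = ldap://srv.ipa.grp
"""

# Assumption: option families sssd only reads inside a [domain/NAME] section.
DOMAIN_ONLY_PREFIXES = ("ldap_", "krb5_", "ipa_", "sudo_", "id_", "auth_",
                        "access_", "chpass_", "cache_credentials")

def parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # sssd option names are case-sensitive; keep them
    cp.read_string(text)
    return cp

def misplaced_options(text):
    """Return [(section, option)] for domain-only options outside [domain/*]."""
    cp = parse(text)
    return [(section, opt)
            for section in cp.sections() if not section.startswith("domain/")
            for opt in cp[section] if opt.startswith(DOMAIN_ONLY_PREFIXES)]

def relocate(text, domain_section):
    """Move every misplaced option into domain_section; return the new text."""
    cp = parse(text)
    for section, opt in misplaced_options(text):
        cp[domain_section][opt] = cp[section].pop(opt)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()

if __name__ == "__main__":
    for section, opt in misplaced_options(SAMPLE_CONF):
        print(f"{opt} is in [{section}] but belongs in [domain/ipa.grp]")
    print(relocate(SAMPLE_CONF, "domain/ipa.grp"))
```

Run against the real /etc/sssd/sssd.conf the same way; options that the check reports are silently ignored by sssd where they sit, which is why sudo_provider and the ldap_sudo_* settings never took effect in the thread's setup.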