[Freeipa-users] sudo and NIS domain name

Dean Hunter deanhunter at comcast.net
Sat May 3 15:39:17 UTC 2014


On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:

> On (01/05/14 15:53), Dean Hunter wrote:
> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
> >> 
> >> > 
> >> > I just noticed that I had been incorrectly setting the NIS domain
> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
> >> > be successfully retrieving and using sudo rules from FreeIPA.  Is
> >> > sudo still using NIS-style netgroups?  Is there still a requirement
> >> > to set the NIS domain name? 
> >> 
> >> 
> >> I think NIS domain is needed for netgroups. If you are not using
> >> netgroups in the sudo rules but just user groups you should be fine.
> >> Is this the case with you?
> >> If not please provide the logs and config.
> >> 
> >
> >I am not aware of using netgroups, either the IPA object or any other
> >kind.  I just remember that when I was first configuring sudo to
> >retrieve rules from IPA it would not work until I set nisdomainname
> >in /etc/rc.d/rc.local.  Here is the quote from section 14.4 of the
> >manual:
> >
> >
> >        Even though sudo uses NIS-style netgroups, it is not necessary
> >        to have a NIS server installed. Netgroups require that a NIS
> >        domain be named in their configuration, so sudo requires that a
> >        NIS domain be named for netgroups. However, that NIS domain does
> >        not actually need to exist.
> >        
> >
> >With Fedora 20 I can no longer find the emulation of rc.local that
> >existed in Fedora 19.  I did find fedora-domainname.service and started
> >and enabled it but neglected to configure /etc/sysconfig/network.  Yet
> >IPA sudo rules appear to work.
> >
> Hope it helps you
> http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html
> 
> LS


Thank you.  Now that you point it out, I remember that this thread is
where I first learned about fedora-domainname.service.  I see:

        You would also need to set NIS domain name, otherwise SUDO will
        not correctly recognize SUDO rules targeted on host groups,
        instead of hosts:

which explains when sudo would need the NIS domain name.  Since my sudo
rules address user groups I guess there is no requirement for NIS domain
name since they are working just fine:

        ipa sudorule-add            desktop-admins --desc "Desktop Administrators"
        ipa sudorule-mod            desktop-admins --cmdcat all
        ipa sudorule-add-host       desktop-admins --hostgroups desktops
        ipa sudorule-add-option     desktop-admins --sudooption "!authenticate"
        ipa sudorule-add-runasuser  desktop-admins --users root
        ipa sudorule-add-runasgroup desktop-admins --groups root
        ipa sudorule-add-user       desktop-admins --groups desktop-admins

        ipa sudorule-add            server-admins  --desc "Server Administrators"
        ipa sudorule-mod            server-admins  --cmdcat all
        ipa sudorule-add-host       server-admins  --hostgroups servers
        ipa sudorule-add-option     server-admins  --sudooption "!authenticate"
        ipa sudorule-add-runasuser  server-admins  --users root
        ipa sudorule-add-runasgroup server-admins  --groups root
        ipa sudorule-add-user       server-admins  --groups server-admins

However, I was really asking whether there had been a change in
sssd/sudo behavior as it was my recollection that my sudo rules did not
work at all in early IPA 3.n releases unless the NIS domain name was
configured.
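The quoted thread states that sudo needs the NIS domain name when rules are targeted at host groups rather than at individual hosts. The following script is an added example, not part of this thread or of FreeIPA: it scans `ipa sudorule-find --all` style output for rules whose host target is a host group, and checks whether the machine reports a NIS domain name (`domainname` prints `(none)` when unset). The sample output embedded below is constructed from the two rules in the message plus a third, hypothetical host-targeted rule, and is abridged relative to what the real command prints.

```shell
#!/bin/sh
# Constructed, abridged sample of `ipa sudorule-find --all` output.
# The first two rules mirror the ones in the message; "local-only" is a
# hypothetical rule that targets a host directly and so needs no netgroup.
SAMPLE_RULES='  Rule name: desktop-admins
  Description: Desktop Administrators
  Enabled: TRUE
  Command category: all
  Host Groups: desktops
  User Groups: desktop-admins
  RunAs Users: root
  RunAs Groups: root
  Sudo Option: !authenticate

  Rule name: server-admins
  Description: Server Administrators
  Enabled: TRUE
  Command category: all
  Host Groups: servers
  User Groups: server-admins
  RunAs Users: root
  RunAs Groups: root
  Sudo Option: !authenticate

  Rule name: local-only
  Enabled: TRUE
  Hosts: ws01.example.test
  User Groups: helpdesk
'

# Print the name of every rule that carries a "Host Groups:" attribute.
# Those are the rules that are matched through netgroups on the client.
rules_needing_nisdomain() {
    printf '%s\n' "$1" | awk '
        /^ *Rule name:/   { rule = $3 }
        /^ *Host Groups:/ { print rule }
    '
}

# Return 0 when the given domain name string counts as "set".
# `domainname` prints "(none)" on Linux when no NIS domain is configured.
nisdomain_is_set() {
    dn=$1
    [ -n "$dn" ] && [ "$dn" != "(none)" ]
}

# Combine both checks into one verdict for the local host.
# $1: rule listing text, $2: current NIS domain name.
# Prints the affected rules and returns 1 if they would not match.
check_host() {
    affected=$(rules_needing_nisdomain "$1")
    if [ -z "$affected" ]; then
        echo "no sudo rules target host groups; NIS domain name not needed"
        return 0
    fi
    if nisdomain_is_set "$2"; then
        echo "NIS domain name '$2' is set; host-group rules can match:"
        printf '  %s\n' $affected
        return 0
    fi
    echo "NIS domain name is NOT set; these rules target host groups and will not match:"
    printf '  %s\n' $affected
    return 1
}

# Stand-alone run against the constructed sample and the live domainname.
# On a real client replace SAMPLE_RULES with: "$(ipa sudorule-find --all)".
check_host "$SAMPLE_RULES" "$(domainname 2>/dev/null || echo '(none)')"
```

A persistent fix on systemd-based Fedora is to set `NISDOMAIN=` in `/etc/sysconfig/network` and enable `fedora-domainname.service`, as the thread discusses; the script above only reports the state, it does not change it.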
