[Freeipa-users] A crazy idea maybe, migration to Free-IPA 4.1.
Orkhan Gasimov
orkhan-azeri at mail.ru
Thu Oct 23 13:30:29 UTC 2014
And another interesting behaviour.
Say a user "netuser" is a member of a user group "netstaff",
and a host "bsd.example.com" is a member of a host group "nethosts".
We then create an HBAC rule "netstaff_to_nethosts":
Who: User Groups -> netstaff -- Accessing: Host Groups -> nethosts --
Via Service: Specified Services and Groups -> sshd
And we create a SUDO rule "test":
Who: Specified Users and Groups -> netuser -- Access this host:
bsd.example.com -- Run Commands: Any Command
Expected result is this: user "netuser" should be able to SSH to host
"bsd.example.com" and successfully issue the command "sudo shutdown -r now".
What happens instead: user "netuser" is able to SSH to host
"bsd.example.com", but issuing the command "sudo shutdown -r now"
produces this output (password is entered correctly):
$ shutdown -r now
Password:
Ying Tong Iddle I Po
Password:
Do you think like you type?
Password:
Have you considered trying to match wits with a rutabaga?
This is funny, and you can continue trying sudo and getting funny
outputs; but the only way for the command to work properly is to change
the HBAC rule:
Who: User Groups -> netstaff -- Accessing: Host Groups -> nethosts --
Via Service: Specified Services and Groups -> ANY SERVICE
Is this the correct behavior? I don't remember anything like this in
FreeIPA 3.3.
23-Oct-14 15:21, Orkhan Gasimov writes:
> Yet with FreeIPA v4 we've got another thing to keep in mind regarding
> FreeBSD - FreeIPA integration: the cron script proposed at FreeBSD
> forums won't work.
> Here's what was said in the post:
>
> "The tricky part was getting sudo to work with host groups. FreeIPA
> keeps host groups in netgroups, and FreeBSD's support for netgroups is
> limited. One solution would have been to enable NIS services on the
> FreeIPA server so that we could use proper netgroups on FreeBSD
> clients. We didn't like that solution, so instead we wrote a script
> that pulls all netgroup data from FreeIPA and stores it
> in /etc/netgroup. We run the script every hour via cron."
>
> The script looks for host groups in
> 'cn=hostgroups,cn=accounts,dc=<domain>', and that works with FreeIPA
> 3.3. But in FreeIPA v4 host groups get in
> 'cn=ng,cn=compat,dc=<domain>'. So the script needs modification.
>
> 23-Oct-14 12:09, Orkhan Gasimov writes:
>> I already deployed FreeIPA 4.1 on Fedora 21 server alpha-release.
>> Everything is good as far as FreeIPA server operation is concerned.
>>
>>
>> 23-Oct-14 01:06, William Graboyes writes:
>>> 3) am I insane for wanting to introduce FC21 into my environment?
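Added example, not from this thread or the FreeIPA project: a small Python model of the HBAC check that SSSD performs for whichever PAM service is asking (sshd for the login, sudo for the sudo command), using the user, groups and host named in the post. The directory data and rule sets are constructed here; the "sudo" HBAC service is the one FreeIPA ships for this purpose.

```python
# Constructed model of FreeIPA HBAC evaluation (not SSSD's real code).
# A rule grants access only when user, host AND service all match.
from dataclasses import dataclass, field

ANY = "ANY"  # models the "Any user / Any host / Any service" category


@dataclass
class HbacRule:
    name: str
    users: set = field(default_factory=set)
    usergroups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    services: set = field(default_factory=set)  # PAM service names


@dataclass
class Directory:
    user_groups: dict  # user -> set of user group names
    host_groups: dict  # fqdn -> set of host group names


def rule_matches(rule, d, user, host, service):
    user_ok = (ANY in rule.users or user in rule.users
               or bool(rule.usergroups & d.user_groups.get(user, set())))
    host_ok = (ANY in rule.hosts or host in rule.hosts
               or bool(rule.hostgroups & d.host_groups.get(host, set())))
    svc_ok = ANY in rule.services or service in rule.services
    return user_ok and host_ok and svc_ok


def matching_rules(rules, d, user, host, service):
    """Names of rules that grant this (user, host, service); empty = deny."""
    return [r.name for r in rules if rule_matches(r, d, user, host, service)]


# Constructed directory content mirroring the post.
DIR = Directory(user_groups={"netuser": {"netstaff"}},
                host_groups={"bsd.example.com": {"nethosts"}})

# The rule as described in the post: only sshd is listed, so the sudo PAM
# service finds no matching rule and every password attempt is rejected.
SSHD_ONLY = HbacRule("netstaff_to_nethosts", usergroups={"netstaff"},
                     hostgroups={"nethosts"}, services={"sshd"})
# Narrower fix than "Any Service": add the sudo HBAC service to the rule.
SSHD_AND_SUDO = HbacRule("netstaff_to_nethosts", usergroups={"netstaff"},
                         hostgroups={"nethosts"}, services={"sshd", "sudo"})


def allowed(rule, service, user="netuser", host="bsd.example.com"):
    return bool(matching_rules([rule], DIR, user, host, service))
```

On a real server the same question can be put to the live rule set with `ipa hbactest --user=netuser --host=bsd.example.com --service=sudo`.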