[Freeipa-users] A crazy idea maybe, migration to Free-IPA 4.1.

Orkhan Gasimov orkhan-azeri at mail.ru
Thu Oct 23 13:30:29 UTC 2014


And another interesting behaviour.

Say a user "netuser" is a member of a user group "netstaff",
and a host "bsd.example.com" is a member of a host group "nethosts".
We then create an HBAC rule "netstaff_to_nethosts":

Who: User Groups -> netstaff -- Accessing: Host Groups -> nethosts -- 
Via Service: Specified Services and Groups -> sshd

And we create a SUDO rule "test":

Who: Specified Users and Groups -> netuser -- Access this host: 
bsd.example.com -- Run Commands: Any Command

Expected result is this: user "netuser" should be able to SSH to host 
"bsd.example.com" and successfully issue the command "sudo shutdown -r now".

What happens instead: user "netuser" is able to SSH to host 
"bsd.example.com", but issuing the command "sudo shutdown -r now" 
produces this output (password is entered correctly):

$ shutdown -r now
Password:
Ying Tong Iddle I Po
Password:
Do you think like you type?
Password:
Have you considered trying to match wits with a rutabaga?

This is funny, and you can continue trying sudo and getting funny 
outputs; but the only way for the command to work properly is to change 
the HBAC rule:

Who: User Groups -> netstaff -- Accessing: Host Groups -> nethosts -- 
Via Service: Specified Services and Groups -> ANY SERVICE

Is this the correct behavior? I don't remember anything like this in 
FreeIPA 3.3.

23-Oct-14 15:21, Orkhan Gasimov wrote:
> Yet with FreeIPA v4 we've got another thing to keep in mind regarding 
> FreeBSD - FreeIPA integration: the cron script proposed at FreeBSD 
> forums won't work.
> Here's what was said in the post:
>
> "The tricky part was getting sudo to work with host groups. FreeIPA 
> keeps host groups in netgroups, and FreeBSD's support for netgroups is 
> limited. One solution would have been to enable NIS services on the 
> FreeIPA server so that we could use proper netgroups on FreeBSD 
> clients. We didn't like that solution, so instead we wrote a script 
> that pulls all netgroup data from FreeIPA and stores it 
> in /etc/netgroup. We run the script every hour via cron."
>
> The script looks for host groups in 
> 'cn=hostgroups,cn=accounts,dc=<domain>', and that works with FreeIPA 
> 3.3. But in FreeIPA v4 host groups get in 
> 'cn=ng,cn=compat,dc=<domain>'. So the script needs modification.
>
> 23-Oct-14 12:09, Orkhan Gasimov wrote:
>> I already deployed FreeIPA 4.1 on Fedora 21 server alpha-release.
>> Everything is good as far as FreeIPA server operation is concerned.
>>
>>
>> 23-Oct-14 01:06, William Graboyes wrote:
>>> 3) am I insane for wanting to introduce FC21 into my environment?
>>
>
>
>
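The behaviour described in the message above (sudo rule matches, but sudo still fails unless the HBAC rule is opened to "ANY SERVICE") can be reproduced with a small model of how an SSSD client evaluates HBAC and sudo rules together. This is an added example, not code from the mailing list or from FreeIPA itself. It assumes, which the message does not state, that sudo authenticates through PAM with the service name "sudo" (and "sudo-i" for `sudo -i`), and that pam_sss checks HBAC for that PAM service independently of the sudo rule; the membership data is constructed to mirror the post.

```python
from dataclasses import dataclass, field

ANY = "ANY"  # stands in for the UI's "Any User" / "Any Host" / "Any Service" / "Any Command"

# Constructed membership data mirroring the post (not pulled from a real IPA server).
USER_GROUPS = {"netuser": {"netstaff"}}
HOST_GROUPS = {"bsd.example.com": {"nethosts"}}


def _member_match(direct, via_groups, name, memberships):
    """True if `name` is listed directly, belongs to one of `via_groups`, or ANY is set."""
    if ANY in direct or name in direct:
        return True
    return bool(via_groups & memberships.get(name, set()))


@dataclass
class HbacRule:
    name: str
    users: set = field(default_factory=set)
    usergroups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    services: set = field(default_factory=set)  # PAM service names, or {ANY}
    enabled: bool = True

    def matches(self, user, host, service):
        return (self.enabled
                and _member_match(self.users, self.usergroups, user, USER_GROUPS)
                and _member_match(self.hosts, self.hostgroups, host, HOST_GROUPS)
                and (ANY in self.services or service in self.services))


@dataclass
class SudoRule:
    name: str
    users: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    commands: set = field(default_factory=set)
    enabled: bool = True

    def matches(self, user, host, command):
        return (self.enabled
                and _member_match(self.users, set(), user, USER_GROUPS)
                and _member_match(self.hosts, set(), host, HOST_GROUPS)
                and (ANY in self.commands or command in self.commands))


def hbac_allowed(rules, user, host, service):
    """HBAC is allow-only: access is granted if any enabled rule matches."""
    return any(r.matches(user, host, service) for r in rules)


def sudo_outcome(hbac_rules, sudo_rules, user, host, command):
    """Model the `sudo` prompt on a pam_sss client.

    The sudo rule decides whether the command is permitted; PAM (HBAC) decides
    whether the user may authenticate to the "sudo" service at all.  Both must
    pass, so a matching sudo rule alone is not enough.  (Assumption: the PAM
    service name sudo uses is "sudo".)
    """
    rule_ok = any(r.matches(user, host, command) for r in sudo_rules)
    pam_ok = hbac_allowed(hbac_rules, user, host, "sudo")
    return {"sudo_rule": rule_ok, "pam_hbac": pam_ok, "works": rule_ok and pam_ok}


# --- the HBAC rule from the post, in three variants ---------------------------
SSHD_ONLY = HbacRule("netstaff_to_nethosts", usergroups={"netstaff"},
                     hostgroups={"nethosts"}, services={"sshd"})
ANY_SERVICE = HbacRule("netstaff_to_nethosts", usergroups={"netstaff"},
                       hostgroups={"nethosts"}, services={ANY})
# Narrower alternative to "ANY SERVICE": list only the PAM services actually needed.
SSHD_AND_SUDO = HbacRule("netstaff_to_nethosts", usergroups={"netstaff"},
                         hostgroups={"nethosts"}, services={"sshd", "sudo", "sudo-i"})

# The sudo rule "test" from the post.
TEST_SUDO_RULE = SudoRule("test", users={"netuser"}, hosts={"bsd.example.com"}, commands={ANY})

if __name__ == "__main__":
    for label, rule in [("sshd only", SSHD_ONLY), ("any service", ANY_SERVICE), ("sshd+sudo", SSHD_AND_SUDO)]:
        ssh = hbac_allowed([rule], "netuser", "bsd.example.com", "sshd")
        res = sudo_outcome([rule], [TEST_SUDO_RULE], "netuser", "bsd.example.com", "/sbin/shutdown")
        print(f"{label:12s} ssh={ssh} {res}")
```

On a real deployment the equivalent check is `ipa hbactest --user=netuser --host=bsd.example.com --service=sudo`, which reports whether any HBAC rule matches that PAM service; the third variant above shows that adding the "sudo" and "sudo-i" services to the rule is a narrower fix than switching it to "ANY SERVICE".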
