[Freeipa-users] FreeIPA and sudo Defaults

Jakub Hrozek jhrozek at redhat.com
Tue Aug 4 12:34:58 UTC 2015


On Tue, Aug 04, 2015 at 10:57:34AM +0100, Innes, Duncan wrote:
> Hi folks,
>  
> Struggling with creating a sudo rule in IPA that will allow my
> foreman-proxy to run specific commands.  When I put the following into
> /etc/sudoers.d/foreman:
>  
> [root@puppet01 ~]# cat /etc/sudoers.d/foreman
> foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
> Defaults:foreman-proxy !requiretty
> innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
> Defaults:innesd !requiretty
> [root@puppet01 ~]#
> 
> [innesd@puppet01 ~]$ sudo -l
> Matching Defaults entries for innesd on this host:
>     !requiretty
>  
> User innesd may run the following commands on this host:
>     (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick *
>     (root) /bin/su
> [innesd@puppet01 ~]$
> 
> Both my user and the foreman-proxy can run the relevant commands both on
> the command line and remotely.
>  
> IT Security are not happy with local sudo rules being configured around
> the network, so I'm trying to create the same configuration via IPA.
>  
> When I try to get the same rule into IPA, my user can run the command in
> a tty, but the foreman-proxy user is refused.  This looks to be down to
> the lack of !requiretty coming through for the users:
>  
> [root@ipa01 ~]# ipa sudorule-show foreman-proxy
>   Rule name: foreman-proxy
>   Enabled: TRUE
>   User category: all
>   Hosts: puppet02.example.com, puppet01.example.com,
>          puppet03.example.com, puppet04.example.com
>   Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
>   Sudo Option: !authenticate, !requiretty
> [root@ipa01 ~]#

I'm adding Pavel Brezina who might have some hints.
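The rule Duncan is trying to move from /etc/sudoers.d/foreman into IPA, written out as the ipa CLI calls that build it plus a client-side check that exercises the rule without a controlling tty. This is an added example, not code from the thread or from the FreeIPA project; the rule name, hosts, commands and options come from the quoted output, while the sudocmd object names, the DRY_RUN switch and the use of `puppet cert list` as the test command are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the sudoers.d/foreman rule as an
# IPA sudo rule scoped to named users, then check it from a client with no tty.
set -eu

RULE=foreman-proxy
HOSTS=puppet01.example.com,puppet02.example.com,puppet03.example.com,puppet04.example.com
USERS=foreman-proxy,innesd            # the two users the local file granted
CMD_CERT='/usr/bin/puppet cert *'     # sudocmd object names (assumed)
CMD_KICK='/usr/bin/puppet kick *'

# With DRY_RUN=1 print each ipa command instead of running it (assumed switch).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The quoted IPA rule has "User category: all", which grants it to every IPA
# user on these hosts; the local file only covered foreman-proxy and innesd,
# so the rule is narrowed to those users here. NOPASSWD maps to !authenticate.
build_rule() {
    run ipa sudocmd-add "$CMD_CERT"
    run ipa sudocmd-add "$CMD_KICK"
    run ipa sudorule-add "$RULE"
    run ipa sudorule-add-user "$RULE" --users="$USERS"
    run ipa sudorule-add-host "$RULE" --hosts="$HOSTS"
    run ipa sudorule-add-allow-command "$RULE" --sudocmds="$CMD_CERT"
    run ipa sudorule-add-allow-command "$RULE" --sudocmds="$CMD_KICK"
    run ipa sudorule-add-runasuser "$RULE" --users=root
    run ipa sudorule-add-option "$RULE" --sudooption='!authenticate'
    run ipa sudorule-add-option "$RULE" --sudooption='!requiretty'
}

# On a client, as root: list what sudo resolves for the user, then run an
# allowed command as that user with no controlling tty (setsid) and no prompt
# allowed (-n), which is the situation the foreman-proxy service is in.
# If the client caches rules through SSSD (assumed), refresh first: sss_cache -R
verify_client() {
    user=${1:-foreman-proxy}
    sudo -l -U "$user"
    setsid -w su -s /bin/sh "$user" -c 'sudo -n /usr/bin/puppet cert list' </dev/null
}

case "${1:-}" in
    build)  build_rule ;;
    verify) verify_client "${2:-foreman-proxy}" ;;
    *)      echo "usage: $0 build | verify [user]" >&2 ;;
esac
```

Preview the server-side commands with `DRY_RUN=1 ./ipa-foreman-sudo.sh build`; if `verify` prints the rule under `sudo -l -U` but the `setsid` step is refused, the `!requiretty` option is not reaching the client.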
