[Freeipa-users] sudo !requiretty !authenticate

Craig White CWhite at skytouchtechnology.com
Mon Jan 5 18:32:35 UTC 2015


Hi - reply at bottom

-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com] 
Sent: Monday, January 05, 2015 4:33 AM
To: Craig White; freeipa-users at redhat.com; Pavel Brezina
Subject: Re: [Freeipa-users] sudo !requiretty !authenticate

On 01/02/2015 07:47 PM, Craig White wrote:
> Subject pretty much says it all.
> 
> Starting to play around with rundeck and was thinking it would be nice if I could create a user that had the ability to sudo, without password, a public key and the ability to run commands.
> 
> But the use of 'sudo' gets me an error that says it requires a tty to run sudo. So I tried by creating a sudo rule that has options '!requiretty !authenticate' but it still complains that I need a tty. Is there a FreeIPA method that I am lacking?
> 
> Craig White
> System Administrator
> O 623-201-8179   M 602-377-9752
> 
> SkyTouch Technology     4225 E. Windrose Dr.     Phoenix, AZ 85032

CCing Pavel to advise.

From the top of my head - did you try clearing SSSD cache before calling the sudo command again? Did you enter the options in the FreeIPA SUDO entry correctly?
Maybe the problem is that each option should be filed as a separate attribute value and you entered it as one combined attribute value.

Martin
----
Thanks Martin

Unclear how to 'clear SSSD cache' so I restarted SSSD service on the testing box but it didn't help.

$ ipa sudorule-show --all
Rule name: rundeck
  dn: ipaUniqueID=XXXXXX,cn=sudorules,cn=sudo,dc=stt,dc=local
  Rule name: rundeck
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  Users: rundeck
  Sudo Option: !requiretty, !authenticate
  ipauniqueid: XXXXXX
  objectclass: ipaassociation, ipasudorule

At this point, !requiretty and !authenticate are separate options but I have previously tried them as a bundle together but the results are the same...

sudo: sorry, you must have a tty to run sudo   :-(

(client system)
# rpm -qa | egrep 'ipa|sssd'
sssd-ldap-1.11.6-30.el6.x86_64
libipa_hbac-1.11.6-30.el6.x86_64
python-sssdconfig-1.11.6-30.el6.noarch
sssd-ipa-1.11.6-30.el6.x86_64
sssd-client-1.11.6-30.el6.x86_64
sssd-common-1.11.6-30.el6.x86_64
sssd-ad-1.11.6-30.el6.x86_64
sssd-1.11.6-30.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.11.6-30.el6.x86_64
sssd-krb5-common-1.11.6-30.el6.x86_64
sssd-krb5-1.11.6-30.el6.x86_64
sssd-common-pac-1.11.6-30.el6.x86_64
ipa-python-3.0.0-42.el6.x86_64
sssd-proxy-1.11.6-30.el6.x86_64
ipa-client-3.0.0-42.el6.x86_64
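
The check Martin suggests (each sudo option stored as its own attribute value rather than one combined value) can be run against `ipa sudorule-show --all` output. This is an added example, not part of the original thread or FreeIPA's own code; the second rule name `rundeck-bundled` and the sample text are constructed, and the parser assumes the CLI joins multiple values with ", " as in the output above.

```python
import re

# Constructed sample: the rule from the post, plus a hypothetical second rule
# ("rundeck-bundled") with the same options entered as one combined value.
SAMPLE = """\
  Rule name: rundeck
  Enabled: TRUE
  Sudo Option: !requiretty, !authenticate
  Rule name: rundeck-bundled
  Enabled: TRUE
  Sudo Option: !requiretty !authenticate
"""

FLAG = re.compile(r"^!?[A-Za-z_]+$")  # a boolean sudoers flag, optionally negated


def parse_rules(text):
    """Map each rule name to its list of Sudo Option values.

    Assumption: multiple attribute values are printed joined by ", ";
    an option value that itself contains ", " would be split here.
    """
    rules, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        value = value.strip()
        if key == "Rule name":
            current = rules.setdefault(value, [])
        elif key == "Sudo Option" and current is not None:
            current.extend(v.strip() for v in value.split(", ") if v.strip())
    return rules


def bundled_values(options):
    """Return values that pack several boolean flags into one attribute value."""
    bad = []
    for opt in options:
        tokens = opt.split()
        # "env_keep += HOME" carries an operator token, so it is not all flags.
        if len(tokens) > 1 and all(FLAG.match(t) for t in tokens):
            bad.append(opt)
    return bad


def audit(text):
    """Rule name -> list of suspicious combined option values (empty if clean)."""
    return {name: bundled_values(opts) for name, opts in parse_rules(text).items()}
```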
