[Freeipa-users] sudo !requiretty !authenticate

Lukas Slebodnik lslebodn at redhat.com
Tue Jan 6 10:10:31 UTC 2015


On (06/01/15 10:21), Pavel Březina wrote:
>On 01/05/2015 07:32 PM, Craig White wrote:
>>Hi - reply at bottom
>>
>>-----Original Message-----
>>From: Martin Kosek [mailto:mkosek at redhat.com]
>>Sent: Monday, January 05, 2015 4:33 AM
>>To: Craig White; freeipa-users at redhat.com; Pavel Brezina
>>Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>>
>>On 01/02/2015 07:47 PM, Craig White wrote:
>>>Subject pretty much says it all.
>>>
>>>Starting to play around with rundeck and was thinking it would be nice if I could create a user that had the ability to sudo, without password, a public key and the ability to run commands.
>>>
>>>But the use of 'sudo' gets me an error that says it requires a tty to run sudo. So I tried by creating a sudo rule that has options '!requiretty !authenticate' but it still complains that I need a tty. Is there a FreeIPA method that I am lacking?
>>>
>>>Craig White
>>>System Administrator
>>>O 623-201-8179   M 602-377-9752
>>>
>>>SkyTouch Technology     4225 E. Windrose Dr.     Phoenix, AZ 85032
>>
>>CCing Pavel to advise.
>>
>>From top of my head - did you try clearing SSSD cache before calling the sudo command again? Did you enter the options in the FreeIPA SUDO entry correctly?
>>Maybe the problem is that each option should be filed as a separate attribute value and you entered it as one combined attribute value.
>>
>>Martin
>>----
>>Thanks Martin
>>
>>Unclear how to 'clear SSSD cache' so I restarted SSSD service on the testing box but it didn't help.
>>
>>$ ipa sudorule-show --all
>>Rule name: rundeck
>>   dn: ipaUniqueID=XXXXXX,cn=sudorules,cn=sudo,dc=stt,dc=local
>>   Rule name: rundeck
>>   Enabled: TRUE
>>   Host category: all
>>   Command category: all
>>   RunAs User category: all
>>   Users: rundeck
>>   Sudo Option: !requiretty, !authenticate
>>   ipauniqueid: XXXXXX
>>   objectclass: ipaassociation, ipasudorule
>>
>>At this point, !requiretty and !authenticate are separate options but I have previously tried them as a bundle together but the results are the same...
>>
>>sudo: sorry, you must have a tty to run sudo   :-(
>>
>>(client system)
>># rpm -qa | egrep 'ipa|sssd'
>>sssd-ldap-1.11.6-30.el6.x86_64
>>libipa_hbac-1.11.6-30.el6.x86_64
>>python-sssdconfig-1.11.6-30.el6.noarch
>>sssd-ipa-1.11.6-30.el6.x86_64
>>sssd-client-1.11.6-30.el6.x86_64
>>sssd-common-1.11.6-30.el6.x86_64
>>sssd-ad-1.11.6-30.el6.x86_64
>>sssd-1.11.6-30.el6.x86_64
>>python-iniparse-0.3.1-2.1.el6.noarch
>>libipa_hbac-python-1.11.6-30.el6.x86_64
>>sssd-krb5-common-1.11.6-30.el6.x86_64
>>sssd-krb5-1.11.6-30.el6.x86_64
>>sssd-common-pac-1.11.6-30.el6.x86_64
>>ipa-python-3.0.0-42.el6.x86_64
>>sssd-proxy-1.11.6-30.el6.x86_64
>>ipa-client-3.0.0-42.el6.x86_64
>
>Hi,
>just to be sure that the problem is indeed in options - the rule without any
>sudoOption and with only one of them does work, right?
>
>Can you send us sudo debug log? You can enable debug log by putting the
>following line in /etc/sudo.conf:
>
>Debug sudo /var/log/sudo.log all@debug
>
It will help as well if you provide your sssd and nsswitch configuration files.
(/etc/nsswitch.conf, /etc/sssd/sssd.conf)
We need to be sure that sudo integration with sssd is configured properly.

LS
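
The two files requested above normally answer the integration question through two settings: `sss` on the `sudoers:` line of nsswitch.conf and `sudo` in the `services` list of the `[sssd]` section of sssd.conf. The following is an added example, not part of the original thread; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the client-side settings sudo needs to read rules from SSSD.

# Succeeds if the "sudoers:" database in an nsswitch.conf-style file lists "sss".
nsswitch_has_sss() {
    awk '
        /^[ \t]*sudoers:/ {
            sub(/#.*/, "")                      # drop a trailing comment
            for (i = 2; i <= NF; i++) if ($i == "sss") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Succeeds if "services" inside the [sssd] section lists "sudo".
sssd_has_sudo_service() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/) }   # track section
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")                  # keep only the value
            n = split($0, svc, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# usage: check_sudo_sssd NSSWITCH_FILE SSSD_CONF
check_sudo_sssd() {
    rc=0
    nsswitch_has_sss "$1" || { echo "nsswitch: sudoers database does not list sss"; rc=1; }
    sssd_has_sudo_service "$2" || { echo "sssd.conf: [sssd] services does not list sudo"; rc=1; }
    return $rc
}

# Constructed sample files (not taken from the thread).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'passwd: files sss\nsudoers: files sss\n' > "$demo/nsswitch.good"
printf 'passwd: files sss\n' > "$demo/nsswitch.bad"
printf '[domain/example.test]\nid_provider = ipa\n[sssd]\nservices = nss, pam, ssh, sudo\n' > "$demo/sssd.good"
printf '[sssd]\nservices = nss, pam, ssh\n[sudo]\n' > "$demo/sssd.bad"

check_sudo_sssd "$demo/nsswitch.good" "$demo/sssd.good" && echo "good pair: ok"
check_sudo_sssd "$demo/nsswitch.bad" "$demo/sssd.bad" || echo "bad pair: needs fixing"
```

On a client, run `check_sudo_sssd /etc/nsswitch.conf /etc/sssd/sssd.conf` as root, since sssd.conf is not world-readable.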



