[Freeipa-users] sudo !requiretty !authenticate

Craig White CWhite at skytouchtechnology.com
Wed Jan 7 17:32:27 UTC 2015


Still struggling with this...

$ sudo /sbin/service pe-puppet restart
 [sudo] password for rundeck:
Stopping puppet:                                           [  OK  ]
Starting puppet:                                           [  OK  ]

So it asks for the password even though, via FreeIPA it isn't required...

$ sudo -l
Matching Defaults entries for rundeck on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User rundeck may run the following commands on this host:
    (root) ALL
    (ALL) NOPASSWD: ALL

And all of the info is provided previously/below that should be needed including the sudo debug log in yesterday's email if anyone has the time to help me figure out what is going wrong here.

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Craig White
Sent: Tuesday, January 06, 2015 10:17 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo !requiretty !authenticate

-----Original Message-----
From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
Sent: Tuesday, January 06, 2015 3:11 AM
To: Craig White
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo !requiretty !authenticate

On (06/01/15 10:21), Pavel Březina wrote:
>On 01/05/2015 07:32 PM, Craig White wrote:
>>Hi - reply at bottom
>>
>>-----Original Message-----
>>From: Martin Kosek [mailto:mkosek at redhat.com]
>>Sent: Monday, January 05, 2015 4:33 AM
>>To: Craig White; freeipa-users at redhat.com; Pavel Brezina
>>Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>>
>>On 01/02/2015 07:47 PM, Craig White wrote:
>>>Subject pretty much says it all.
>>>
>>>Starting to play around with rundeck and was thinking it would be nice if I could create a user that had the ability to sudo, without password, a public key and the ability to run commands.
>>>
>>>But the use of 'sudo' gets me an error that says it requires a tty to run sudo. So I tried by creating a sudo rule that has options '!requiretty !authenticate' but it still complains that I need a tty. Is there a FreeIPA method that I am lacking?
>>>
>>>Craig White
>>>System Administrator
>>>O 623-201-8179   M 602-377-9752
>>>
>>>SkyTouch Technology     4225 E. Windrose Dr.     Phoenix, AZ 85032
>>
>>CCing Pavel to advise.
>>
>> From top of my head - did you try clearing SSSD cache before calling the sudo command again? Did you enter the options in the FreeIPA SUDO entry correctly?
>>Maybe the problem is that each option should be filed as a separate attribute value and you entered it as one combined attribute value.
>>
>>Martin
>>----
>>Thanks Martin
>>
>>Unclear how to 'clear SSSD cache' so I restarted SSSD service on the testing box but it didn't help.
>>
>>$ ipa sudorule-show --all
>>Rule name: rundeck
>>   dn: ipaUniqueID=XXXXXX,cn=sudorules,cn=sudo,dc=stt,dc=local
>>   Rule name: rundeck
>>   Enabled: TRUE
>>   Host category: all
>>   Command category: all
>>   RunAs User category: all
>>   Users: rundeck
>>   Sudo Option: !requiretty, !authenticate
>>   ipauniqueid: XXXXXX
>>   objectclass: ipaassociation, ipasudorule
>>
>>At this point, !requiretty and !authenticate are separate options but I have previously tried them as a bundle together but the results are the same...
>>
>>sudo: sorry, you must have a tty to run sudo   :-(
>>
>>(client system)
>># rpm -qa | egrep 'ipa|sssd'
>>sssd-ldap-1.11.6-30.el6.x86_64
>>libipa_hbac-1.11.6-30.el6.x86_64
>>python-sssdconfig-1.11.6-30.el6.noarch
>>sssd-ipa-1.11.6-30.el6.x86_64
>>sssd-client-1.11.6-30.el6.x86_64
>>sssd-common-1.11.6-30.el6.x86_64
>>sssd-ad-1.11.6-30.el6.x86_64
>>sssd-1.11.6-30.el6.x86_64
>>python-iniparse-0.3.1-2.1.el6.noarch
>>libipa_hbac-python-1.11.6-30.el6.x86_64
>>sssd-krb5-common-1.11.6-30.el6.x86_64
>>sssd-krb5-1.11.6-30.el6.x86_64
>>sssd-common-pac-1.11.6-30.el6.x86_64
>>ipa-python-3.0.0-42.el6.x86_64
>>sssd-proxy-1.11.6-30.el6.x86_64
>>ipa-client-3.0.0-42.el6.x86_64
>
>Hi,
>just to be sure that the problem is indeed in options - the rule 
>without any sudoOption and with only one of them does work, right?
>
>Can you send us sudo debug log? You can enable debug log by putting the 
>following line in /etc/sudo.conf:
>
>Debug sudo /var/log/sudo.log all at debug
>
It will help as well if you provide your sssd and nsswitch configuration files.
(/etc/nsswitch.conf, /etc/sssd/sssd.conf) We need to be sure that sudo integration with sssd is configured properly.
----
OK - changed the sudo rule to only !authenticate and then logged in manually...

ssh -tt rundeck@$MY_SERVER

thus removing the 'requiretty' problem and then when I ran my sudo command, it still asked me for a password. I have the sudo debug log attached to this email.

I can however, ssh as myself and 'sudo su -' on this server (a different sudo rule without any 'options'), so it seems that the problem is sudo options only.

sssd.conf
[domain/stt.local]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = stt.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = app001.stt.local
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa001.stt.local
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = stt-internal.local
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

nsswitch.conf (removed commented/empty lines)
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus
sudoers: files sss
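The sssd.conf and nsswitch.conf quoted above are the two files Lukas asked for. The check below is an added example, not code from the thread or from the FreeIPA/SSSD projects: it parses both files and reports the three consistency problems a practitioner would rule out first when sudo ignores IPA rules: a `services` line without `sudo`, a `domains` value with no matching `[domain/...]` section (the quoted sssd.conf lists `stt-internal.local` while its only domain section is `[domain/stt.local]`), and a `sudoers:` line that does not route to `sss`. The sample inputs are constructed from the posted files, not the poster's files verbatim.

```python
import configparser

# Constructed sample modelled on the sssd.conf posted in the thread (trimmed, not verbatim).
SAMPLE_SSSD_CONF = """
[domain/stt.local]
id_provider = ipa
ipa_domain = stt.local
ipa_server = _srv_, ipa001.stt.local

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = stt-internal.local

[sudo]
"""

# Constructed nsswitch.conf fragment with the lines the check cares about.
SAMPLE_NSSWITCH = """
passwd:     files sss
sudoers: files sss
"""

def check_sssd_sudo(sssd_conf_text, nsswitch_text):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf_text)

    def csv(section, key):
        # Split a comma-separated sssd value such as "nss, sudo, pam"; missing key/section -> [].
        return [v.strip() for v in cfg.get(section, key, fallback="").split(",") if v.strip()]

    # 1. Without the sudo responder, sssd never answers sudo's rule lookups.
    if "sudo" not in csv("sssd", "services"):
        findings.append("[sssd] services does not include 'sudo'")

    # 2. Every name in [sssd] domains needs a [domain/<name>] section, and vice versa.
    listed = set(csv("sssd", "domains"))
    defined = {s[len("domain/"):] for s in cfg.sections() if s.startswith("domain/")}
    for name in sorted(listed - defined):
        findings.append(f"domains lists '{name}' but there is no [domain/{name}] section")
    for name in sorted(defined - listed):
        findings.append(f"[domain/{name}] is defined but not listed in [sssd] domains")

    # 3. nsswitch.conf must send sudoers lookups to sss, or sudo only reads /etc/sudoers.
    sources = []
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("sudoers:"):
            sources = line.split(":", 1)[1].split()
    if "sss" not in sources:
        findings.append("nsswitch.conf has no 'sudoers: ... sss' entry")
    return findings

if __name__ == "__main__":
    for finding in check_sssd_sudo(SAMPLE_SSSD_CONF, SAMPLE_NSSWITCH):
        print("WARNING:", finding)
```

Run against the constructed sample it reports the two domain-name findings and nothing else; point it at real `/etc/sssd/sssd.conf` and `/etc/nsswitch.conf` contents to check a client.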
