[Freeipa-users] sudo !requiretty !authenticate

Pavel Březina pbrezina at redhat.com
Thu Jan 8 09:45:42 UTC 2015


On 01/07/2015 06:32 PM, Craig White wrote:
> Still struggling with this...
>
> $ sudo /sbin/service pe-puppet restart
>   [sudo] password for rundeck:
> Stopping puppet:                                           [  OK  ]
> Starting puppet:                                           [  OK  ]
>
> So it asks for the password even though, via FreeIPA it isn't required...
>
> $ sudo -l
> Matching Defaults entries for rundeck on this host:
>      requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>      DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>      PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>      LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>      LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>      LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>      secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
> User rundeck may run the following commands on this host:
>      (root) ALL
>      (ALL) NOPASSWD: ALL

Hi,
thank you, I was just going to ask you for sudo -l. I believe that the 
problem is that the (root) ALL rule takes precedence. Or to be more precise, 
the first rule that matches is always applied, unless the sudoOrder 
attribute is present (but that is not supported by IPA, is it?).

Try removing the (root) ALL rule, restarting sssd and waiting until the 
cache is refreshed, and see if that works.

>
> And all of the info is provided previously/below that should be needed including the sudo debug log in yesterday's email if anyone has the time to help me figure out what is going wrong here.
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Craig White
> Sent: Tuesday, January 06, 2015 10:17 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>
> -----Original Message-----
> From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
> Sent: Tuesday, January 06, 2015 3:11 AM
> To: Craig White
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>
> On (06/01/15 10:21), Pavel Březina wrote:
>> On 01/05/2015 07:32 PM, Craig White wrote:
>>> Hi - reply at bottom
>>>
>>> -----Original Message-----
>>> From: Martin Kosek [mailto:mkosek at redhat.com]
>>> Sent: Monday, January 05, 2015 4:33 AM
>>> To: Craig White; freeipa-users at redhat.com; Pavel Brezina
>>> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>>>
>>> On 01/02/2015 07:47 PM, Craig White wrote:
>>>> Subject pretty much says it all.
>>>>
>>>> Starting to play around with rundeck and was thinking it would be nice if I could create a user that had the ability to sudo, without password, a public key and the ability to run commands.
>>>>
>>>> But the use of 'sudo' gets me an error that says it requires a tty to run sudo. So I tried by creating a sudo rule that has options '!requiretty !authenticate' but it still complains that I need a tty. Is there a FreeIPA method that I am lacking?
>>>>
>>>> Craig White
>>>> System Administrator
>>>> O 623-201-8179   M 602-377-9752
>>>>
>>>> SkyTouch Technology     4225 E. Windrose Dr.     Phoenix, AZ 85032
>>>
>>> CCing Pavel to advise.
>>>
>>> Off the top of my head - did you try clearing the SSSD cache before calling the sudo command again? Did you enter the options in the FreeIPA SUDO entry correctly?
>>> Maybe the problem is that each option should be filed as a separate attribute value and you entered it as one combined attribute value.
>>>
>>> Martin
>>> ----
>>> Thanks Martin
>>>
>>> Unclear how to 'clear SSSD cache' so I restarted SSSD service on the testing box but it didn't help.
>>>
>>> $ ipa sudorule-show --all
>>> Rule name: rundeck
>>>    dn: ipaUniqueID=XXXXXX,cn=sudorules,cn=sudo,dc=stt,dc=local
>>>    Rule name: rundeck
>>>    Enabled: TRUE
>>>    Host category: all
>>>    Command category: all
>>>    RunAs User category: all
>>>    Users: rundeck
>>>    Sudo Option: !requiretty, !authenticate
>>>    ipauniqueid: XXXXXX
>>>    objectclass: ipaassociation, ipasudorule
>>>
>>> At this point, !requiretty and !authenticate are separate options but I have previously tried them as a bundle together but the results are the same...
>>>
>>> sudo: sorry, you must have a tty to run sudo   :-(
>>>
>>> (client system)
>>> # rpm -qa | egrep 'ipa|sssd'
>>> sssd-ldap-1.11.6-30.el6.x86_64
>>> libipa_hbac-1.11.6-30.el6.x86_64
>>> python-sssdconfig-1.11.6-30.el6.noarch
>>> sssd-ipa-1.11.6-30.el6.x86_64
>>> sssd-client-1.11.6-30.el6.x86_64
>>> sssd-common-1.11.6-30.el6.x86_64
>>> sssd-ad-1.11.6-30.el6.x86_64
>>> sssd-1.11.6-30.el6.x86_64
>>> python-iniparse-0.3.1-2.1.el6.noarch
>>> libipa_hbac-python-1.11.6-30.el6.x86_64
>>> sssd-krb5-common-1.11.6-30.el6.x86_64
>>> sssd-krb5-1.11.6-30.el6.x86_64
>>> sssd-common-pac-1.11.6-30.el6.x86_64
>>> ipa-python-3.0.0-42.el6.x86_64
>>> sssd-proxy-1.11.6-30.el6.x86_64
>>> ipa-client-3.0.0-42.el6.x86_64
>>
>> Hi,
>> just to be sure that the problem is indeed in options - the rule
>> without any sudoOption and with only one of them does work, right?
>>
>> Can you send us sudo debug log? You can enable debug log by putting the
>> following line in /etc/sudo.conf:
>>
>> Debug sudo /var/log/sudo.log all at debug
>>
> It will help as well if you provide your sssd and nsswitch configuration files.
> (/etc/nsswitch.conf, /etc/sssd/sssd.conf) We need to be sure that sudo integration with sssd is configured properly.
> ----
> OK - changed the sudo rule to only !authenticate and then logged in manually...
>
> ssh -tt rundeck@$MY_SERVER
>
> thus removing the 'requiretty' problem and then when I ran my sudo command, it still asked me for a password. I have the sudo debug log attached to this email.
>
> I can however, ssh as myself and 'sudo su -' on this server (a different sudo rule without any 'options'), so it seems that the problem is sudo options only.
>
> sssd.conf
> [domain/stt.local]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = stt.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = app001.stt.local
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, ipa001.stt.local
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = stt-internal.local
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> nsswitch.conf (removed commented/empty lines)
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> hosts:      files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> netgroup:   files sss
> publickey:  nisplus
> automount:  files sss
> aliases:    files nisplus
> sudoers: files sss
>
>
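
The precedence Pavel describes above, modelled as an added example (this is not code from the thread, nor from FreeIPA, SSSD or sudo). It follows the rule documented in sudoers.ldap(5): matching sudoRole entries are ordered by sudoOrder, highest value first, an absent sudoOrder counts as 0, and the first matching entry decides the options. The two rules are constructed from the "sudo -l" output quoted above; the name "other-rule" for the (root) ALL entry and its direct listing of the rundeck user are assumptions, since the thread only shows that it applies to rundeck. The block also shows what changes when the NOPASSWD rule is given a higher sudoOrder, or when the conflicting rule is removed as Pavel suggests.

```python
"""Model of how sudo selects among several matching LDAP/SSSD sudoRole entries.

Added example for this thread, not code from FreeIPA, SSSD or sudo.
Precedence follows sudoers.ldap(5): sort by sudoOrder (highest first,
missing value = 0), then the first entry that matches user, host, runas
user and command wins and supplies the options. Rule data is constructed
from the "sudo -l" output in the thread; rule names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SudoRole:
    """One sudoRole entry as SSSD hands it to sudo (simplified)."""
    name: str
    users: set
    hosts: set                                         # host names or {"ALL"}
    runas: set                                         # runas users or {"ALL"}
    commands: set                                      # command paths or {"ALL"}
    options: List[str] = field(default_factory=list)   # sudoOption values
    order: Optional[float] = None                      # sudoOrder; None = absent


def _allows(allowed: set, value: str) -> bool:
    return "ALL" in allowed or value in allowed


def role_matches(role: SudoRole, user: str, host: str, runas: str, command: str) -> bool:
    """True if the entry applies to this user/host/runas/command combination."""
    return (_allows(role.users, user) and _allows(role.hosts, host)
            and _allows(role.runas, runas) and _allows(role.commands, command))


def select_role(roles: List[SudoRole], user: str, host: str, runas: str,
                command: str) -> Optional[SudoRole]:
    """Pick the entry sudo would apply: highest sudoOrder first, first match wins.

    sorted() is stable, so entries with equal or missing sudoOrder keep the
    order the directory returned them in, and that order is not guaranteed.
    """
    ordered = sorted(roles, key=lambda r: r.order if r.order is not None else 0,
                     reverse=True)
    for role in ordered:
        if role_matches(role, user, host, runas, command):
            return role
    return None


def password_required(role: SudoRole) -> bool:
    """!authenticate (shown by "sudo -l" as NOPASSWD) disables the prompt."""
    return "!authenticate" not in role.options


def decide(roles: List[SudoRole], user: str, host: str, runas: str,
           command: str) -> Tuple[Optional[str], bool]:
    """Return (rule name, password required) for one sudo invocation."""
    role = select_role(roles, user, host, runas, command)
    if role is None:
        return (None, True)   # no matching rule: sudo refuses the command anyway
    return (role.name, password_required(role))


def thread_rules() -> List[SudoRole]:
    """Constructed from the thread: "(root) ALL" was returned first, neither has sudoOrder."""
    return [
        SudoRole("other-rule", {"rundeck"}, {"ALL"}, {"root"}, {"ALL"}),   # name assumed
        SudoRole("rundeck", {"rundeck"}, {"ALL"}, {"ALL"}, {"ALL"},
                 options=["!requiretty", "!authenticate"]),
    ]


# The invocation from the thread: rundeck restarting puppet as root on app001.
INVOCATION = ("rundeck", "app001.stt.local", "root", "/sbin/service")


def as_in_thread() -> Tuple[Optional[str], bool]:
    """Both rules match; the password-requiring one is hit first."""
    return decide(thread_rules(), *INVOCATION)           # ('other-rule', True)


def with_sudo_order() -> Tuple[Optional[str], bool]:
    """A higher sudoOrder on the NOPASSWD rule makes it win regardless of return order."""
    rules = thread_rules()
    rules[1].order = 10
    return decide(rules, *INVOCATION)                     # ('rundeck', False)


def with_conflicting_rule_removed() -> Tuple[Optional[str], bool]:
    """Pavel's suggestion: drop the (root) ALL rule so only one entry matches."""
    rules = [r for r in thread_rules() if r.name != "other-rule"]
    return decide(rules, *INVOCATION)                     # ('rundeck', False)
```

Two practical notes. Later FreeIPA releases expose sudoOrder as the rule's order setting (ipa sudorule-mod RULE --order=N); whether that is available on the 3.0 packages shown in the thread is not something the thread establishes. On the client, sss_cache -E (or sss_cache -R for sudo rules only) invalidates the SSSD cache without a service restart, which is the quicker way to re-test after changing a rule. Finally, a rule that grants (ALL) NOPASSWD: ALL without a tty is effectively an unrestricted root credential for that account, so the key protecting the rundeck login deserves the same care as a root password.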



