[Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd

Ash Alam aalam at paperlesspost.com
Tue Apr 5 15:09:27 UTC 2016


I wanted to follow up on this. Since sudo needs to be added to sssd.conf
and nsswitch.conf, is it possible to add the options via
ipa-client-install? I can do the same with Chef, but this seems like
something that should be done with ipa?

Thank You

On Thu, Mar 24, 2016 at 4:51 PM, Christophe TREFOIS <
christophe.trefois at uni.lu> wrote:

> Hi,
>
> Are you not missing “sudo” in [sssd] and did you restart the services on
> the machine? We found quite a significant cache, which sometimes leads to
> asking for passwords.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html
>
> You might even have to delete /var/lib/sss/db/ contents and restart sssd.
>
> Best,
>
> *From:* freeipa-users-bounces at redhat.com [mailto:
> freeipa-users-bounces at redhat.com] *On Behalf Of *Ash Alam
> *Sent:* Thursday, 24 March 2016 19:50
> *To:* Jakub Hrozek <jhrozek at redhat.com>
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd
>
> Based on (How to troubleshoot Sudo):
>
> - Maybe I misspoke when I said it fails completely. Rather, it keeps
> asking for the user's password, which it does not accept.
>
> - I do not have sudo in sssd.conf
>
> - I do not have sudoers: sss defined in nsswitch.conf
>
> - Per the Fedora/FreeIPA doc (Defining Sudo), it's not immediately clear if
> these need to be defined.
>
> - If this is the case then adding them might resolve my issues.
>
> - For the special sudo rule(s), is there any way to track it via the GUI?
> I am trying to keep track of all the configs so it's not a black hole for the
> next person.
>
>
> - This is what it looks like on the web GUI:
>
> [image: Inline image 1]
>
> - This is what a client's sssd.conf looks like:
>
> [domain/xxxxx]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = pp
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = xxxxxx
> chpass_provider = ipa
> ipa_server = _srv_, xxxxx
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> domains = XXXXX
>
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
>
> On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>
>
> > On 24 Mar 2016, at 17:21, Ash Alam <aalam at paperlesspost.com> wrote:
> >
> > Hello
> >
> > I am looking for some guidance on how to properly do sudo with FreeIPA.
> > I have read up on what I need to do but I can't seem to get it to work
> > correctly. Now with sudoers.d I can accomplish this fairly quickly.
> >
> > Example:
> >
> > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
> >
> > What I have configured in FreeIPA Sudo Rules:
> >
> > Sudo Option: !authenticate
> > Who: dev (group)
> > Access this host: testing (group)
> > Run Commands: set of commands that are defined.
> >
> > Now when I apply this, it still does not work, as it asks for a password
> > for the user and then fails. I am hoping to allow a group to only run
> > certain commands without requiring a password.
> >
>
> You should first find out why sudo fails completely. We have this guide
> that should help you:
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> About asking for passwords -- defining a special sudo rule called
> 'defaults' and then adding '!authenticate' should help:
>  Add a special Sudo rule for default Sudo server configuration:
>    ipa sudorule-add defaults
>
>  Set a default Sudo option:
>    ipa sudorule-add-option defaults --sudooption '!authenticate'
>
>
>
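Both replies in the thread point at the same two client-side settings: "sudo" in the services= line of the [sssd] section, and "sss" on the sudoers: line of nsswitch.conf. The script below is an added check, not from the thread or the FreeIPA project; it writes its own constructed sample files (the poster's configuration and a corrected one) and reports which of the two settings is missing.

```shell
#!/bin/sh
# Added example: verify that an IPA client is wired up for SSSD sudo rules.
# Checks the two settings the replies above name as missing:
#   1. "sudo" in the services= line of the [sssd] section of sssd.conf
#   2. "sss" on the "sudoers:" line of nsswitch.conf
# Note: an empty [sudo] section (as in the posted sssd.conf) does not start
# the sudo responder on SSSD 1.x; only the services= line does.

# 0 if "sudo" is listed in services= under [sssd], 1 otherwise.
sssd_services_has_sudo() {
    awk '/^\[/ { in_sssd = ($0 == "[sssd]") } in_sssd' "$1" |
        grep -Eq '^[[:space:]]*services[[:space:]]*=([^#]*[,[:space:]])?sudo([,[:space:]]|$)'
}

# 0 if the sudoers: line routes lookups to sss, 1 otherwise.
nsswitch_sudoers_has_sss() {
    grep -Eq '^[[:space:]]*sudoers:([^#]*[[:space:]])?sss([[:space:]]|$)' "$1"
}

# Print every missing setting; return 0 only when both are present.
check_ipa_sudo_client() {
    rc=0
    if ! sssd_services_has_sudo "$1"; then
        echo "MISSING: add 'sudo' to services= in the [sssd] section of $1"
        rc=1
    fi
    if ! nsswitch_sudoers_has_sss "$2"; then
        echo "MISSING: add 'sss' to the 'sudoers:' line of $2"
        rc=1
    fi
    return $rc
}

# Constructed samples (not real hosts): the poster's config and a fixed one.
TMPD=$(mktemp -d)
printf '[sssd]\nservices = nss, pam, ssh\ndomains = example\n[sudo]\n' \
    > "$TMPD/sssd.conf.before"
printf '[sssd]\nservices = nss, pam, ssh, sudo\ndomains = example\n[sudo]\n' \
    > "$TMPD/sssd.conf.after"
printf 'passwd: files sss\nsudoers: files\n' > "$TMPD/nsswitch.before"
printf 'passwd: files sss\nsudoers: files sss\n' > "$TMPD/nsswitch.after"

check_ipa_sudo_client "$TMPD/sssd.conf.before" "$TMPD/nsswitch.before" || true
check_ipa_sudo_client "$TMPD/sssd.conf.after" "$TMPD/nsswitch.after" && echo OK
```

On SSSD 2.x the responders can be socket-activated, so a services= line without sudo is no longer conclusive there; the nsswitch.conf check still applies.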